How to Protect Your Website from Hackers 101
You hear it in the news almost daily now – another giant corporation’s website has been hacked. But even a small website can be at risk of becoming compromised, sometimes, sadly, even more so than larger sites.
Since August of 1991 the number of websites on the internet has grown from one, the ‘World Wide Web Project’, to 984,051,955 as of today. Almost 1 billion websites are currently live, and that means there are almost 1 billion potential targets for a hacker. Online hacks can happen for a plethora of reasons: a recent media snafu, a bored teenager, or a black-hat SEO operator attempting to profit by infecting users’ computers with malware and siphoning their bank accounts, stealing their identities, or worse. Of the 984 million websites currently available on the web, an estimated 2%-5% have had their security compromised. While this might sound small, even at 2% that’s 1.9 million infected websites!
Most web users entertain the notion that only large companies, organizations, and web celebrities have to worry about being hacked. In fact, it is quite the opposite: larger sites are typically more difficult to break into, as they already have the resources to secure their online properties. A small business WordPress or Joomla website, hosted in an inexpensive shared hosting environment, can make an easy target if the business has neglected its upkeep, maintenance and security.
In this edition of the Clever Robot Small Business Newsletter, we are going to reveal how modern websites have become vulnerable to attack, examine some of the more common exploits and discuss solutions and how to ensure your website is protected.
Case Study: Meet Linda
Linda is seeing a dramatic increase in her Facebook traffic, so she decides to create a small site with links to her social media to provide a resource hub for her DIY YouTube videos. Her Facebook and YouTube accounts are protected by those platforms’ own firewalls and security. She purchases her domain name and hosting through a subscription-based online web service such as GoDaddy, Fat Cow, or Hostgator, and goes to work creating a small brochure site on her own. She has no experience building websites, but is able to create a small site using help features and the semi-automation of Joomla. Once she has reached the end of what she can accomplish, she pays a family friend to give the site some artistic finesse. After spending only a week working on the site she launches it, and a month later traffic begins to jump. Linda starts posting more content on her site, and asks a friend to check out what she’s posted. Unbeknownst to her, her site has been infected with malware. Her friend downloads a program that is listed as “Recommended by Linda”, which records their keystrokes, supplies the hacker with their bank information, and drains Linda’s friend’s bank account.*
While that example may seem a little dramatic, the truth is that attacks like these happen to thousands of websites a day. Hacks lead to different outcomes, but the result is the same: your stronghold has been breached.
User-Friendly Does Not Always Mean Security-Friendly
When building a simple website using a content management tool like WordPress, Joomla, or any of the myriad other site builders, the initial installation process has become more and more automated, making it easier for the novice to deploy. Unfortunately, while this may reduce costs for web development, you could be exposing your site to risk. Without the proper security patches, security settings, and security measures in place, you are leaving your back door wide open. The savings from skimping on the budget when building a website never outweigh the benefits of preparing for an unwelcome intruder. Choosing to “auto-install” a site and wing it provides the following:
- A large exposure
- Reduced overhead
- Tools for all users regardless of skills
- Exponentially higher odds for success.
Now reread that list with the mindset of a malicious intruder.
There will be a large audience for the attack. Even if your site has low traffic, there are still millions of potential users to infect. The hacker can easily embed malware into your website, then redirect traffic to your infected site. Once the bug has leaked onto one user’s computer, it WILL in turn infect other computers associated with the “patient zero”. With the reduced overhead and minimal built-in security, the attack will be easier. Your website has no real firewall – no binary brigade is going to ride in to the rescue. An easier attack requires a less skilled intruder, making it accessible to more intruders.
We’ve detailed some of the most common techniques hackers use against websites below.
Most Common Types of Online Hacking
Injection attacks exploit a weakness in your SQL database, SQL libraries, or even the operating system of the server itself. Typically they are caused when a worker inside a network unknowingly opens a file with hidden commands, known as “injections”.
With access to the databases, hackers could gain unauthorized access to sensitive, private data such as credit card numbers, social security numbers, or other financial data.
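The classic form of an injection attack is user input spliced straight into a SQL query. As an added example (not code from the newsletter or from any product it mentions), the Python snippet below runs the same lookup two ways against a constructed in-memory SQLite table, showing how the concatenated version leaks every row while the parameterised version treats the same input as plain data.

```python
import sqlite3

def make_db():
    # Constructed in-memory table standing in for a small site's user data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, card_last4 TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("linda", "1234"), ("admin", "9876")])
    return conn

def lookup_vulnerable(conn, username):
    # Builds the SQL text by string concatenation: a quote character in the
    # input ends the string literal and the rest of the input is parsed as SQL.
    query = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()

def lookup_safe(conn, username):
    # Parameterised query: the driver binds the input as a value, so it can
    # never change the shape of the statement.
    return conn.execute(
        "SELECT username, card_last4 FROM users WHERE username = ?", (username,)
    ).fetchall()

# Constructed input that turns the WHERE clause into a tautology.
TAUTOLOGY_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, TAUTOLOGY_INPUT))  # every row comes back
    print("safe:      ", lookup_safe(db, TAUTOLOGY_INPUT))        # no such user: []
```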
Cross-Site Scripting
Cross-site scripting makes users believe that the compromised webpage is secure. For example, the user might see a pop-up window asking for their credit card info or asking them to reaffirm their password. Since there are no signs alluding to a hacked website, the user will enter the information into the box, assuming it is a new security protocol from the site. In actuality, the pop-up window is controlled by a hacker looking to retrieve data from unsuspecting users.
This method of hacking is done by inadvertently installing malware on either a personal computer or a website. The malware gives the hacker semi-remote access to the website or to the user’s web traffic. From there, the hacker installs a script that creates false dialogue boxes for the unsuspecting victim(s).
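The fake dialogue described above is typically delivered by script that a site echoes back unescaped, and the defence is to escape user-supplied content before it reaches the page. Added example, not part of the original newsletter, using Python’s standard html.escape on a constructed visitor comment:

```python
from html import escape

# Constructed "comment" a visitor submits; it carries a script tag rather than text.
MALICIOUS_COMMENT = '<script>alert("Security update: re-enter your password")</script>'

def render_comment_unsafe(comment):
    # Inserts the submission verbatim, so the browser would execute the script.
    return '<div class="comment">' + comment + '</div>'

def render_comment_safe(comment):
    # escape() turns < > & " ' into entities; the browser shows them as text.
    return '<div class="comment">' + escape(comment, quote=True) + '</div>'

def render_value_attribute_safe(value):
    # Attribute context needs quote=True too, or a " in the input closes the attribute.
    return '<input type="text" value="' + escape(value, quote=True) + '">'

def has_unescaped_script(html):
    # Minimal check used only to show the difference; escaping is the real fix.
    return "<script" in html.lower()

if __name__ == "__main__":
    print(render_comment_unsafe(MALICIOUS_COMMENT))  # script would run
    print(render_comment_safe(MALICIOUS_COMMENT))    # script shown as harmless text
```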
Clickjacking, or UI redress, is similar to a cross-site scripting hack in that the user believes they are secure. Clickjacking, however, is different in that the user does not see an additional dialogue or pop-up box, and the website appears completely normal. Hackers use layers of Photoshopped images, spreadsheets, and invisible boxes to re-layer or re-dress the website. When the user believes they are entering their password into the handy login box provided by the website, they are actually entering the information into a separate box, invisible to them, that the hacker can see. This is a scary one that has become popular of late, and was even done to Twitter recently. Because the externally added frames are invisible to the user, this hack can be tricky to detect.
Social engineering hacks occur when you give pertinent information to a product, person, or service that you believe to be legitimate. One of the best-known examples is the fake Microsoft Support tech hack. A person calls you and talks to you about your current experience with Microsoft, or tells you your computer is infected with a huge virus that they are monitoring and are willing to remove for a price. Once they are confident you believe they are legitimate, they ask you for personal information that they claim is needed to provide their services. This can range from your full name, address, telephone number, email address, and current Microsoft Windows product key to your credit card number.
Another prime example of social engineering is Facebook quizzes. We’ve all seen and probably done a few of these in the past: answer 10 questions to find out your future, what should you name your cat, what type of personality do you have? While most of these quizzes may be harmless, if any of the questions ask for information such as the following, log out immediately, then change your password recovery questions and any passwords affiliated with ANY of your online accounts.
- Where was your mother born?
- What was your high school mascot?
- What street did you grow up on?
- What’s a childhood nickname?
- What’s the family name of your grandmother?
The questions asked in these social engineering hacks, via things like quizmonkey or Quizilla, are some of the most common password recovery questions. You have probably already given the hacker your email address and a first/last name, and now you’ve given them the spare key to your internet fortress.
Distributed Denial of Service attacks are some of the scariest hacks. Why? Anyone with an internet connection and 15 minutes of free time can launch one. There are, sadly, hundreds of websites floating around the internet that let a user enter an IP address and take down a website in minutes. Higher-traffic and larger websites normally have preventative measures to ensure this never happens to them; however, no security is 100%.
In recent news, Planned Parenthood’s website was completely flatlined by DDoS attackers. In just the course of a few hours their website went from being the top resource for reproductive services and information on sexually transmitted diseases to being a blank homepage.
How does it work? The hacker generates a horde of requests to the website, intentionally overloading the website’s ability to direct traffic effectively. While some DDoS attacks subside after a few minutes to a few hours, some continue for days. While the website is being overloaded, the administrator more often than not is unable to log in to the site to debug or fix it.
A note to anyone wanting to try this at home: don’t. The Internet Architecture Board’s Internet proper use policy specifically states that performing or assisting in a DDoS attack is not only a violation of their policy, but also a violation of nearly every internet service provider’s policies. Just because it’s easy does not make it legal.
Broken Authentication and Session Management
When the user authentication system of a website is not strong, hackers are able to take advantage of the weakness and exploit it.
Authentication mechanisms such as passwords, session IDs, cookies, and key management are designed to provide security. However, if your metaphorical fences are weak, hackers are able to access your information from any computer.
If your security options are exploited, the hacker can assume a user’s identity and wreak havoc. Ask yourself:
- Are your session IDs shown in the URL?
- Are your passwords something that can be easily guessed or reset through subpar account management options (i.e., recover password and change password)?
- Do your session IDs time out, and can the user log out?
- Are your user credentials easily compromised? (Are they stored somewhere that is encrypted?)
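One way to answer those four questions in code, as an added example rather than anything from the newsletter or from WordPress/Joomla: a minimal Python session store that issues unguessable IDs, sends them only in a cookie carrying the HttpOnly, Secure and SameSite attributes, enforces an idle timeout and explicit logout, and stores passwords as salted PBKDF2 hashes rather than in the clear. The timeout value, cookie name and PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

SESSION_IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity before re-login
_sessions = {}                  # session_id -> {"user": ..., "last_seen": ...}

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; store salt+digest, never the password itself.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt + digest

def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

def create_session(user, now=None):
    sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
    _sessions[sid] = {"user": user, "last_seen": time.time() if now is None else now}
    return sid

def session_cookie(sid):
    # The ID travels only in a cookie (never in the URL); HttpOnly keeps it away
    # from page scripts, Secure keeps it off plain HTTP, SameSite limits cross-site use.
    return "session=" + sid + "; HttpOnly; Secure; SameSite=Lax; Path=/"

def current_user(sid, now=None):
    now = time.time() if now is None else now
    entry = _sessions.get(sid)
    if entry is None:
        return None
    if now - entry["last_seen"] > SESSION_IDLE_TIMEOUT:
        del _sessions[sid]  # idle too long: the session is dead, log in again
        return None
    entry["last_seen"] = now
    return entry["user"]

def logout(sid):
    # Explicit logout invalidates the server-side session, not just the cookie.
    return _sessions.pop(sid, None) is not None
```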
Prevention & What to Do When Your Site Has Been Hacked
Update Code: Plug-Ins, Scripts, etc.
The first thing to do is make sure your website’s code is up to date. If you’re using a platform such as WordPress or Joomla, make sure your current scripts, core files, and plug-ins are up to date. Keeping older versions of those items makes you more susceptible to outside intrusion.
Backups, backups, backups…
Let this be your mantra while running a website. You should be backing up your entire website on a consistent basis. Having a recent backup is essentially keeping a restore point. The backup will allow you to practically turn back time, and restore anything that may have been lost or remove anything that was added. Please note that not every hacking incident can be instantly solved by using your website’s backup files. Some intrusions are more complex and require professional help. We personally recommend using Sucuri or WordFence. Both companies offer security solutions, lifeboats if you will, to help you reclaim your website, restore its content, and protect against future attacks.
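A backup is also a yardstick: hashing every file in the last known-good copy and comparing it with the live site shows exactly what was added, changed or lost after an intrusion. Added example, not from the newsletter or from Sucuri/WordFence; the demo() function builds a constructed backup and live tree in a temporary directory, including one tampered file and one unknown file, so it runs offline.

```python
import hashlib
import os
import tempfile

def build_manifest(root):
    # Map each file's path (relative to root) to the SHA-256 of its contents.
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest

def compare_manifests(backup, live):
    # Classify every difference between the known-good backup and the live site.
    added = sorted(set(live) - set(backup))      # files the backup never had
    missing = sorted(set(backup) - set(live))    # files that disappeared
    modified = sorted(p for p in backup if p in live and backup[p] != live[p])
    return {"added": added, "missing": missing, "modified": modified}

def demo():
    # Constructed backup and live copies of a two-file site, then simulated tampering.
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = os.path.join(tmp, "backup"), os.path.join(tmp, "live")
        files = {"index.php": "<?php echo 'hello'; ?>", "wp-config.php": "<?php // settings"}
        for root in (backup, live):
            os.makedirs(root)
            for name, body in files.items():
                with open(os.path.join(root, name), "w") as f:
                    f.write(body)
        with open(os.path.join(live, "index.php"), "a") as f:
            f.write("\n<!-- constructed: injected content -->")           # modified file
        with open(os.path.join(live, "uploads.php"), "w") as f:
            f.write("<?php // constructed: file the backup never had")   # added file
        return compare_manifests(build_manifest(backup), build_manifest(live))

if __name__ == "__main__":
    print(demo())
```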
Sucuri is one of the top, if not the top, internet resources for site checking and security. They offer a few free tools to help you assess your security needs, such as their SiteCheck, where you can type in your existing website’s URL and find out if there are any immediate security issues. If you prefer to research every type of malware known to man, they have knowledge labs and help databases. Their current pricing for a year’s supply of basic web security, prevention tools, and recovery systems starts at $199.99. See the list below for what is included.
- Malware Removal and Clean Up Unlimited Pages
- Automatic Scans for Malware and Hacks
- Blacklist Scanning and Monitoring
- Block Hackers with Website Firewall
- Advanced Denial of Service Protection
- SSL and PCI Compliance
- Customer Support
“WordFence is the only WordPress security plugin that provides this kind of real-time distributed protection as it learns from other sites that are attacked. It’s part of what makes us the best WordPress security plugin in the business.”
-WordFence About Us
WordFence is a specialized security option strictly for WordPress sites. They offer bulk options for buying their product keys and allow you to try a free version of their software so you can familiarize yourself with the product before purchase. Product keys for the premium version start at $39.00 for one product key good for a term of one year. However, there are bulk incentives for web developers purchasing large quantities of product keys for mass distribution.
- Remote Scans
- Frequent Scans
- Scheduled Scans
- Advanced Comment Spam Filter
- Premium Support
- Check if Site is Spamvertized
- Check if Site IP is Generating Spam
- Cell Phone Sign In
- Country Blocking
- Audit Existing Password
Linda was distraught after learning her friend was hacked via her website. How could it be? Why would someone target her? The answer: it was easy. All of the user-friendly integration that let her quickly, cheaply, and easily generate a website led to an even easier hack. After a website has been hacked, there is a potential that the site could be blacklisted by search engines. What this means is that even if your site used to be at the top of the search rankings, after being blacklisted you will be buried at the bottom of the search results. 90% of all websites that are blacklisted never recover from the hack. An estimated 10,000 websites are filtered out of “circulation” by Google on a daily basis.
In Case of Emergency:
In short, it is not a matter of IF your website will be hacked, it is all a matter of WHEN. Prevention is the best answer for online threats. The more walls you put up between malicious intruders and the back end of your website, the better the odds of you not being frequently targeted by “small gig” hackers. Granted, no prevention or protection is ever 100%, so having a backup plan of what to do WHEN your site is attacked is just as imperative to your online presence as your existing security.
If you are concerned about your own website’s integrity, have some security questions, or just want to reach out and say “Hey!”, please click here to Contact The Clever Robot. We are here to help!