Website security has become a major concern for business web sites. It doesn’t matter the size of the web site or of the business. It doesn’t matter what type of business or industry. Any and all business web sites are at risk – and no security is foolproof. Even the Pentagon has been hacked.
According to Wordfence™, the total number of attacks on just WordPress® web sites in April 2017 was 137 million, and that increased to 144 million in May. That’s a lot of web sites – and many belonged to businesses.
Let’s look at how a web site can be hacked.
Hackers use a cocktail of methods via software bots and spiders to hack web sites and typically attack those that give them the least amount of resistance.
Most of today’s sites are built with a database system, such as WordPress or Joomla!®. These systems are easy for business owners to use to update product or service changes, notices to customers and so on; but they also employ plugins. Plugins add features without any programming knowledge and enhance the web site experience for site visitors. At the time of writing this article, there were 40,000 different plugins for WordPress and 8,000 for Joomla!.
Unfortunately, some plugins:
- Are not updated regularly by their creators or were abandoned altogether, leaving the plugins with security holes,
- Are not updated by the web site owner,
- May be outdated for your version of the database system, or
- Were downloaded from a non-reputable site with hacking holes, malware or viruses built into them.
Plugins represent more than 56 percent of the known entry points for security breaches, bugs and viruses. According to Wordfence™, there were 21,495,690 attacks just in May 2017 alone on only 25 of the most attacked WordPress plugins; that’s only 25 of the 40,000 plugins available and only for one month!
Plugins must be kept up to date! Just know that those email notices you receive are telling you only that an update is available – you must still install it. And don’t count on a plugin that does updates automatically either – some updates can break your web site when an update clashes with the core database system or another plugin. It’s best to install each one manually.
2. Brute Force
This hacker method attacks the login to the core database system. Once they gain access through the login, they have 100 percent control of your web site. The hacker can then plant malware or viruses that your web site users will unknowingly download each time they access your site. This will – not “can” but “WILL” – lead to your web site being blacklisted on the Internet.
For html web sites, hackers try to use the login pages to access web sites at the hosting level.
In either case, the attacker must identify both the user ID and the password. Many web site owners use the default username of “admin” that first came with the database system setup. Most people believe that as long as a hacker doesn’t have their password, they’re safe, and “admin” is easy to remember. To discover your password, hackers use software that can figure out any dictionary word, or combination of words and numbers, inside of three minutes.
The graphic above shows the attempted brute force hacks of my own site, Webmaster for Hire, for just one week! Look at those attempts for the default “admin” login – 129 hack attempts in just one week.
According to Wordfence, brute force made up 72 percent of all WordPress attacks in May 2017 with 68 percent in April – these hack attempts are increasing each month.
3. The Core Database System
Hacker attacks on the core are done using backdoor entries. That means the hacker has found a way to enter the core without using the login page.
They create backdoors in various ways, typically using an automated browser script or software to access known locations of files that have the web site access permissions in them, such as the wp-config.php. The script just keeps changing the file name and/or location directory until it locates the desired file.
Another method is to use software that attacks a web site in phases. The first is the surveillance phase, just to see what is there – like a thief casing a bank to be robbed. The second phase is to see if there are any access holes in the site. If an access opening is found, the hacker can then tailor what to steal and how to do it, based on the information available from the hack. Phase three steals the data, leaving the backdoor open for future hacks.
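The brute-force logins and the config-file guessing described above both leave a pattern in the web server's access log. The following is an added example, not code from the original article: it counts failed WordPress logins and distinct wp-config guesses per client IP. The log lines, IP addresses, paths and thresholds are constructed for illustration, and the log is assumed to be in the common "combined" format.

```python
import re
from collections import defaultdict

# Combined access-log format: client IP, request line, status code.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def _line(ip, method, path, status):
    """Build one constructed log line for the sample below."""
    return (f'{ip} - - [12/Jun/2017:10:00:00 +0000] '
            f'"{method} {path} HTTP/1.1" {status} 512 "-" "-"')

# Constructed sample traffic using documentation-only IP ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 4
    + [_line("198.51.100.20", "POST", "/wp-login.php", 200),  # one mistyped password
       _line("198.51.100.20", "POST", "/wp-login.php", 302),  # then a real login
       _line("192.0.2.55", "GET", "/wp-config.php.bak", 404),
       _line("192.0.2.55", "GET", "/old/wp-config.php", 404),
       _line("192.0.2.55", "GET", "/wp-config.txt", 404)]
)

def analyze(log_text, max_failed_logins=3, max_config_paths=1):
    """Return (brute_forcers, config_probers), each a dict of IP -> count."""
    failed = defaultdict(int)
    config_paths = defaultdict(set)
    for raw in log_text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue  # skip lines that are not in combined format
        ip, method, path, status = match.groups()
        path = path.split("?", 1)[0].lower()
        # A default WordPress login re-renders the form (200) on failure
        # and redirects (302) on success, so POST + 200 is a failed attempt.
        if method == "POST" and path.endswith("/wp-login.php") and status == "200":
            failed[ip] += 1
        # Many different spellings of the config file from one client is
        # the file-name guessing behaviour, not normal visitor traffic.
        if "wp-config" in path:
            config_paths[ip].add(path)
    brute = {ip: n for ip, n in failed.items() if n > max_failed_logins}
    probes = {ip: len(p) for ip, p in config_paths.items() if len(p) > max_config_paths}
    return brute, probes

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The single mistyped password from 198.51.100.20 stays below the threshold, so an ordinary user is not reported alongside the client that keeps hammering the login page.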
SSL Certificates. You may believe that having your information in a Secure Sockets Layer (SSL) – when you see the locked padlock in your browser and the https:// at the beginning of the URL – will secure your data. Not so. An SSL certificate gives protection only during a transaction, when information passes between your site and the customer. It gives no protection whatsoever for the stored data at the web site itself.
The best way to protect the core is to install all updates, many of which eliminate newly-discovered security holes.
One of the marvelous advantages of database system web sites is themes. Themes enhance your site by adding a level of attractiveness via colors and graphics, as well as preset content features, such as tables and navigation.
Like plugins and the core, themes have updates that need to be installed. These especially can conflict with plugins and should be installed manually.
According to Wordfence, the top 25 theme creators were attacked 13,671,494 times in March 2017 with an increase to 15,816,955 in May.
5. Hosting & Server
A hosting provider who provides weak security protocol actually can bring your site unwanted attention from hackers. Once it’s discovered that it’s easy to attack a hosting provider’s shared server, a hacker will spend the time necessary to hack any of the sites with vulnerabilities. Considering one shared server can host thousands of web sites, the chances of finding vulnerable sites are quite high.
Additionally, when one site on a shared server has been hacked, it can be used to hack other web sites on the same shared server. This is true even with good hosting security protocols in place. It’s called cross-site contamination.
6. File Permissions
File permissions tell the system who can and cannot access each file or directory. If not set correctly, it’s like leaving the door to the bank vault open for anyone to walk right in and steal its contents.
Permissions should be set at the time of installation of the database system (or html system), as well as each time you add new files or directories.
Setting the wrong permissions or leaving the defaults can be fatal to your web site, creating major security holes and giving access to your web site.
If you create a new directory either within a database system or sitting outside of it, an index.html file must be in that directory or anyone can just list the URL path to that directory and see a listing of all of its contents. From there, they can backtrack to see the entire web site. No password is required.
You can disable such access and not use index files by creating an .htaccess file to protect the entire web site. An .htaccess file disallows the listing of directory contents. It gives instead a forbidden access error message. Not having an .htaccess file invites hackers, since it’s easy to forget to include an index.html file with each new directory.
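The file-permission and directory-listing checks above can be automated. The following is an added example, not code from the original article: it walks a web root and reports world-writable entries and directories that have neither an index file nor an .htaccess (their own or a parent's) containing Apache's `Options -Indexes` directive. It assumes Apache honours .htaccess overrides, that the index names listed are the ones the server uses, and that no child .htaccess turns listings back on; the demo tree is constructed.

```python
import os
import stat
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex names

def listing_disabled(htaccess_path):
    """True if the .htaccess file has an Options line containing -Indexes."""
    try:
        with open(htaccess_path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                words = line.split("#", 1)[0].lower().split()
                if words[:1] == ["options"] and "-indexes" in words[1:]:
                    return True
    except OSError:
        pass  # no .htaccess in this directory
    return False

def audit(web_root):
    """Return sorted (relative path, finding) pairs for one web root."""
    web_root = os.path.abspath(web_root)
    findings, protected = [], {}
    for dirpath, dirnames, filenames in os.walk(web_root):  # parents come first
        inherited = protected.get(os.path.dirname(dirpath), False)
        protected[dirpath] = inherited or listing_disabled(os.path.join(dirpath, ".htaccess"))
        if not protected[dirpath] and not INDEX_NAMES & set(filenames):
            findings.append((os.path.relpath(dirpath, web_root), "directory listing possible"))
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & stat.S_IWOTH:
                findings.append((os.path.relpath(full, web_root), "world-writable"))
    return sorted(findings)

def build_demo_site():
    """Constructed sample tree: one unprotected directory, one loose file."""
    root = tempfile.mkdtemp(prefix="demo_site_")
    layout = {"index.html": "home", "uploads/report.txt": "data",
              "private/.htaccess": "Options -Indexes\n", "private/docs/a.txt": "x"}
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    for dirpath, _, _ in os.walk(root):
        os.chmod(dirpath, 0o755)
    os.chmod(os.path.join(root, "uploads", "report.txt"), 0o666)
    return root

if __name__ == "__main__":
    for path, finding in audit(build_demo_site()):
        print(f"{finding}: {path}")
```

In the demo tree, `private/docs` has no index file but is not reported, because the `Options -Indexes` line in `private/.htaccess` also covers its subdirectories.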
8. Employee Errors
These are the hacker methods we most hear about in the news and on the Internet. They are the ones we face daily on our computers. They include:
- Password theft because you or an employee gave the web site access login to an unauthorized person,
- Workstation access, when someone in your business left their work area with the computer logged into the web site and an unauthorized person (i.e. hacker) uses it to quickly create a backdoor entry for later use, and
- Phishing is the biggest problem, where you or an employee clicks on a link in an email that places malware or a virus into your business computers in order to obtain web site logins or access locally stored data.
All of these methods can give a hacker access to your web site, where they hope to gain financial or salable information or to just wreak havoc with your site and business. You truly need to limit Internet access only to those employees who truly need it, as well as to establish security protocols for using emails on company computers.
The last type of hack has been gaining popularity in the past few years, especially at companies that deal with sensitive information. That is the hacker who actually works for you – think Edward Snowden. They may steal sensitive emails or database information on clients or customers. It may be financial, proprietary or classified. It may be information stored in your business computer system or at the web site level.
Background checks on potential employees may help keep such people out of your company; however, the Snowdens of this world didn’t take the job with the intent to hack the company system. This is where having good IT monitoring and control is essential.
Backups. One thing that should be done for all web sites is to back up the entire site on a regular and frequent basis, especially after any updates to the software or changes to the web site.
Keep the backups off site. It will not do any good to back up the site and keep it on the server with the web site. A hacker will just destroy the backup.
By keeping a backup off site, you can get a hacked site up and running faster.
You’ve Been Hacked. A database system can be very difficult and time consuming to clean up. Even though you may wish to spend the time doing it yourself, remember that hackers create backdoors that give them re-entry even after your cleanup efforts. They also install malware and viruses that you may not recognize as such. It is best to leave the cleanup to a professional who knows what they are doing.
No Amount of Security Is Foolproof. Hackers are developing new methods of hacking web sites every day. The best defense is:
- Regular monitoring of your web site and its components,
- Installed security safeguards,
- Regular updates to the core system, plugins and themes, and
- Regular backups of the entire site.
Hiring a professional monitoring service that also fixes any problems with your web site due to hacks or update breaks as part of their service is your best option. It’s much cheaper in the long run than the cost of thousands of dollars to fix these problems because of the hundreds of man hours required after a major hack or update break occurs.