Rich's Web Design - Nov. Newsletter
Hacking of a Web Site - Types? Why? Protection?
Since October was CYBERSECURITY AWARENESS MONTH, here is a similar topic that we all need to learn about -> Web Security. Website security is any action taken to ensure website data is not exposed to cybercriminals or to prevent exploitation of the website in any way. These actions help to protect sensitive data, hardware, and software within a website from the various types of attacks that currently exist.

What are some types of web hacks?

1. Cross-Site Hacks (Cross-Site Scripting, XSS) - Cross-site hacks occur when someone injects malicious JavaScript code into your website using one of the website user’s browsers. A hacker will gain access through your insecure WordPress admin area or, more likely, via your insecure host account / FTP and take control of the website or spread malware.

1a. Inserting a Script (Similar to Cross Site Hacks) - A hacker will insert a script that will allow them to spoof organic search results. Whenever the host site is hit the hacker’s site receives the credit. 

2. SQL / Code Injection - (Most common technique) Hackers use malicious SQL code to gain access to your website’s backend. This could include customer information, phone #s, credit card info, etc.

3. DNS Spoofing - Domain Name System (DNS) spoofing takes a user’s search to a dangerous website instead of the intended website. It is often used to send traffic from legitimate websites to malicious websites that contain malware. This can occur if your PW to GoDaddy / Network Solutions is insecure.

4. Business Reputation Damage - Cyber attacks resulting in severe damage to your business’s reputation or an extended period of traffic loss can seriously hurt your profits.

5. DOS ( Denial of Service ) - A denial of service attack floods a website with a huge amount of Internet traffic, causing its servers to become overwhelmed and crash.

6. Phishing or Baiting or Pretexting - These are techniques used in emails that can easily do MANY bad things to your computer, but not usually your web site. Education is the answer!

7. WordPress Plugin Vulnerabilities - These are tools w/in WordPress with many variations. Plugins are considered the most vulnerable parts of a website. Any outdated or unsecured third-party plugins can be exploited by attackers to take control of your website or bring it down altogether.

8. Brute Force Attacks - With a brute force attack, hackers try a variety of passwords in hopes they can get one that lets them inside. 

Why do people hack web sites? Make $$, FUN, Boredom ...

The reason why hackers are hacking websites is still a mystery for a lot of people. Cybercriminals and web hackers can make money with your compromised website by distributing malware. Vandals do ill-intentioned things for fun. Quite a few high profile cyberattacks were carried out for no other reason than the perpetrator wanted to know if they were capable of pulling it off. Some hackers break into a website just to prove they can.

Information - Websites often collect/steal personal information from visitors. Hackers are ready to take advantage of any possible exploit without taking into consideration your type of business, who you service, or how well your website is doing.

What to do if you receive a ransom email?

These are mostly an annoyance and are geared to scare people. The best thing to do is SECURE ALL PWs, as explained above, and NOT to communicate with these ransom individuals.

What to do to Prevent Hacking?

Make sure ALL of your passwords are secure. They should be at least 8 characters in length, have random UPPER / lowercase letters, include some numbers and include at least 1-2 special characters (@%$!, etc.). As listed above, ALL PWs include your FTP accounts, your WordPress admin accounts, your web host account, and your Domain Registrar account (GoDaddy, Network Solutions, etc.).

Not only should you make sure YOUR accounts have secure PWs, but make sure no-one has added their own FTP login or WordPress admin account. You can have the best PW for your own account, but if someone has added their own account, they have an open door. 
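
One way to run the WordPress half of this check, as an added example that is not part of the original newsletter: export the administrator list with WP-CLI and compare it to the accounts you created on purpose. The sample CSV, the login names and the allowlist are constructed for illustration.

```python
import csv
import io

# Constructed sample, in the shape produced by:
#   wp user list --role=administrator \
#     --fields=user_login,user_email,user_registered --format=csv
SAMPLE_ADMINS_CSV = """user_login,user_email,user_registered
rich,rich@example.com,2019-03-02 14:10:05
clientowner,owner@example.com,2019-03-05 09:41:17
wp_support1,x93k@example.net,2023-10-28 03:12:44
"""

# Hypothetical allowlist: the admin logins you set up yourself.
EXPECTED_ADMINS = {"rich", "clientowner", "editor_jane"}

def audit_admins(csv_text, expected):
    """Compare the site's administrators with the allowlist.

    Returns (unexpected, missing):
      unexpected - CSV rows for admins nobody approved, newest first
      missing    - approved logins that are no longer administrators
    Logins are compared case-insensitively (an assumption of this example).
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    expected_lc = {name.lower() for name in expected}
    found = {row["user_login"].strip().lower() for row in rows}
    unexpected = [r for r in rows
                  if r["user_login"].strip().lower() not in expected_lc]
    # The timestamp format sorts correctly as plain text.
    unexpected.sort(key=lambda r: r["user_registered"], reverse=True)
    missing = sorted(expected_lc - found)
    return unexpected, missing

if __name__ == "__main__":
    unexpected, missing = audit_admins(SAMPLE_ADMINS_CSV, EXPECTED_ADMINS)
    for row in unexpected:
        print("UNEXPECTED ADMIN:", row["user_login"], row["user_email"],
              "registered", row["user_registered"])
    for name in missing:
        print("approved admin no longer present:", name)
```

The same comparison works for FTP logins: export the account list from your host's control panel and check it against the names you expect.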

WordPress has special plugins / tools that can further protect your web site from unauthorized login attempts. They are Wordfence and iThemes, and they can block many hackers even before they try to log in.
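
To see what repeated login attempts look like from the site owner's side, here is an added example (not part of the original newsletter, and not how Wordfence or iThemes work internally) that counts failed WordPress logins per address in a web server access log. The log lines are constructed, and it assumes a default WordPress login page, where a failed login answers 200 and a successful one answers 302.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined/common access-log line: ip, timestamp, method, path, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def _line(ip, when, method, status):
    """Build one constructed log line (sample data, not a real capture)."""
    ts = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{ts}] "{method} /wp-login.php HTTP/1.1" {status} 4512 "-" "-"'

T0 = datetime(2023, 11, 2, 10, 0, 0)
SAMPLE_LOG = (
    # Six failed logins in 25 seconds from one address.
    [_line("203.0.113.7", T0 + timedelta(seconds=5 * i), "POST", 200) for i in range(6)]
    # An owner who mistypes twice, ten minutes apart, then gets in (302).
    + [_line("198.51.100.20", T0 + timedelta(minutes=10 * i), "POST", 200) for i in range(2)]
    + [_line("198.51.100.20", T0 + timedelta(minutes=21), "POST", 302),
       _line("192.0.2.44", T0, "GET", 200)]  # just viewing the login page
)

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed logins inside one window} for IPs at or over threshold.
    Assumes each IP's lines arrive in time order, as they do in an access log."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    peak = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":  # assumption: 200 = login form shown again (failure)
            continue
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[m["ip"]] = max(peak.get(m["ip"], 0), len(q))
    return peak

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

Addresses this reports are candidates for blocking at the host or firewall, and a reason to check that the targeted account has a strong password.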

Keep your plugins and software updated, especially w/in WordPress.
Think of your house front door access -> Don't leave your keys where anyone can COPY them - Don't leave your keys under a ROCK - Don't leave a side door open for your easy access! Locks are designed to keep out honest people, but you can make it VERY DIFFICULT for the professional hacker!

** I wrote this article due to 2 former clients ( one is back to being a current client ) contacting me as their sites had been hacked / compromised. They had very poor passwords in the areas discussed above - FTP access, domain registrar access, etc. One we were able to fix, the other is still not showing properly. 
SECURE YOUR PASSWORDS!