There has been a significant increase in hacking attempts on websites over the last few months with many major companies having their websites compromised. Just this week Living Social had to contact its 50 million members to notify them that their customer database has been compromised.
Many clients have been asking us why websites get targeted and what they can do to try and ensure their websites are not compromised.
So why do hackers target websites? Ultimately it comes down to money, whether it be direct or indirect.
A hacker will target a website in order to do one of the following (among other things):
Apart from the last point these ultimately are all about being able to earn money or influence of some type.
We often get asked whether the hacking attempts are personal. Whilst this can sometimes be the case it is very unlikely.
The sad fact is a large number of hacking attempts on websites are not even completed by a human. 'Bots" or automated / scripted programs are setup to scour the web looking for vulnerable websites and will them perform a set of known actions to exploit a specific weakness.
With the increase of the number of websites using some form of content management system it has become much easier for hackers to gain access to the back end of websites.
Often the content management systems will not be up-to-date and will have known exploits that are widely known on the Internet which would allow someone with the right knowledge to gain access to and even full control of a website. Unfortunately most websites are not regularly updated to ensure they are using the latest secure version of the content management system and the 'plugins' or 'modules' available for it.
Most popular content management systems have a wide range of free 'plugins' or 'modules' which are made available by third party suppliers which can introduce security holes even if the main content management system is up-to-date and secure. Often website owners do not realise these plugins are not developed by the content management system provider and often do not undergo the same rigorous testing.
It can take less than 10 minutes for modern approaches to crack a lowercase password of 6 character or less. Add in a few uppercase letters and numbers and this jumps to 3 years.
Weak passwords are one of the most common issues in any website. In the last month there has been a wide ranging 'brute force' hacking attempt on thousands of websites which was using the default username and then a 'dictionary style" brute force login approach. This essentially involves an automated process of using a massive dictionary of passwords to repeatedly try logging into a website. Unfortunately many people do not change the default admin username and use a common or weak password which meant the hackers got easy access to the back end of the website.
Even if a website does not have a content management system coding issues and bad server configuration can also allow hackers easy access to a website using injection and cross site scripting techniques. For example this could be where user input (say via a search form or input form) is not correctly 'sanitised" allowing a hacker to 'inject' server commands and for these to be processed and completed.
There are some key things to do to help protect your website and ensure business continuity:
Keep your content management system up-to-date - if you don't know how to do this ask your development company how to do it, or get them to do it for you
Don't install plugins or modules without researching them first - are they regularly updated? Do they have good reviews? Can you contact the developer if required for support?
Use strong passwords - and we mean REALLY strong passwords. Ideally 15 characters long including a mix of upper and lower case letters, numbers and punctuation. You can use a service like http://www.strongpasswordgenerator.com to help.
Use an experienced and reliable development company - make sure your development company REALLY understands how to setup and secure your website. Ask questions, do research and be informed about the issues and what they will do to protect your site
Backup, everything and often - even with the best practices something might still happen to your site so backup, everything and often. Make sure you backup all your site files and database (if relevant) to a location not on the same server. There are good 'cloud' based services or you can store it on your local computer. This way you can quickly restore the site to your last saved version prior to the issue rather than spending thousands trying to find and fix the hack.
If you have all of this in place you are in a good position to protect yourself and should something happen recover quickly from the issue with minimum impact on your business. If you would like to discuss any of these issues or to find out how we can help you secure your website please get in touch, call us on 1300 77 3569.
