Top 5 Ways Hackers Take Over Websites

Thousands of websites get hacked every day, for many different reasons. Sometimes the hacker is after credit card information. Other times they want to use your web server to send out spam or launch DDoS attacks. Sometimes hackers compromise websites simply because they can. Whatever the motivation, having your website hacked can cause you stress and embarrassment, and if it is a business website, it can cost you your living.

One thing you should know is that hackers are lazy. A hacker is only going to go after the easiest targets. There are millions of websites on the Internet, and if your website or web server is not easy to break into, hackers will move on to another website that is. They are not going to waste their time and energy trying to find a security hole in a random website when there are plenty of other websites that already have security holes in them.

This is a list of the five most common ways hackers use to compromise a website. If you avoid these five things, your website is almost always going to be safe from hackers.

Out Of Date WordPress/Joomla/Whatever

Content management systems (CMS) like WordPress and Joomla make publishing a website easy. So easy that my grandmother is able to run her own little knitting website. These CMSs are also the number one source of hacked websites. You cannot create a WordPress website and then just let it sit on the Internet without ever logging in. If you do that, it will simply be a matter of time before someone hacks your website and starts sending out spam from your web server (or worse!).

Computer programs are updated on a regular basis. Sometimes someone finds a bug in the program that was missed when it was first written and tested. Other times a security flaw is found that nobody noticed when the program was created. The original authors fix these bugs or security issues and then put out a ‘patch’ or a new version of the program. Users download and install that version and the bugs are gone. If a user fails to upgrade, however, those bugs continue to exist.

WordPress, Joomla and other CMS programs are just computer programs that run websites. Like any other computer program, over time new bugs are found in them. Once these bugs become well known, hackers scan the whole Internet looking for websites running out-of-date versions of the CMS software, which can then be exploited.

Luckily, updating WordPress and other CMS programs is easy. Learn to do it, and do it on a regular basis. Even if you are not updating your website’s content, be sure to log in every once in a while and make sure your CMS is up to date.

Out Of Date/Unsupported WordPress Plugin

This is similar to the first point. Hackers not only look for out of date WordPress installations. They also love to look for security holes in popular WordPress plugins.

WordPress plugins are great because they allow users to do all kinds of cool things without having to write their own code or scripts. Plugins make websites interactive and allow a lot more functionality than just a simple blogging platform.

But like WordPress and other CMS software, these plugins can have security vulnerabilities that need to be patched and updated over time. Failure to update these plugins can lead to your website getting hacked.

The biggest difference between WordPress, Joomla, etc. and their plugins is that plugins can be abandoned by their developers. While WordPress, Joomla and other large software projects have a team of software engineers writing and updating their code, plugins might only have one person who updates the code whenever they feel like it. A plugin can be a little side hobby that is not regularly updated.

This means that even if you log into your CMS on a regular basis and update all your plugins, your website might still be vulnerable. A security bug might become well known, but the person responsible for the plugin never fixes it. If nobody fixes the plugin’s code and releases a new version or patch to you, your website will get hacked.

The solution is to update all your plugins whenever a new version becomes available. But you must also make sure that your plugins are actively being developed and updated. You can usually look at the plugin information to see when it was last updated. It is also smart to avoid small, unpopular plugins. These might not be developed on a regular basis, and they might have security holes simply because few software engineers are looking at their code.

Be smart about your plugins. Keep them up to date and only install plugins that have a solid software team keeping them up to date. When in doubt, ask around the WordPress (or other CMS) community and see what people think about a plugin you want to use.

Poorly Coded/Out Of Date Email Form

You might be noticing a pattern here. Out-of-date software running a website is the most common way a hacker gets access to it. Email forms are an especially inviting target. An email form might not let a hacker take over the whole website, but it can let him send his own emails through your server.

A hacker who finds an insecure email form will use it to send out hundreds of thousands of spam emails. If a hacker is using your website to send out spam, you are in trouble. Email providers (Hotmail, Gmail, etc.) are going to ban your IP address, which means your legitimate emails will soon be blacklisted as well. Once that happens, you will not be able to get your email through to anyone: not your friends, not your customers, not anyone else you might be trying to reach.

If the hacker is using a form to send out large amounts of spam, processing all of it might take up all the resources on the server, slowing down everything else the web server is supposed to be doing, like serving your website. Sending out spam will keep the machine so busy that it cannot do anything else efficiently. Your website and other websites on that server will slow to a crawl, or sometimes not load at all.

If you have an email form on your website, make sure the software behind it is up to date. You might also want to use some sort of CAPTCHA to stop bots from being able to use the form. A CAPTCHA is a challenge that only a human should be able to pass, so that only humans can submit something like an email form.
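The usual way a poorly coded contact form gets turned into a spam relay is by letting whatever the visitor typed reach the mail headers or the recipient list unchecked. The handler below is an added example, not code from the article: it fixes the recipient on the server side, refuses any header field containing a line break (the characters that would let a submitter append headers of their own), bounds the sizes, and adds a simple per-client rate limit as a complement to the CAPTCHA the article recommends. The recipient address, limits and field names are assumptions.

```python
import re
import time
from email.message import EmailMessage

# Assumed site configuration (example values, not from the article).
SITE_RECIPIENT = "owner@example.com"  # fixed server-side; never taken from the form
MAX_FIELD_LEN = 200
MAX_MESSAGE_LEN = 4000
RATE_LIMIT = 5      # submissions per window per client address
RATE_WINDOW = 600   # seconds

# Deliberately simple address shape check; the newline check below is the important one.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_submission(fields):
    """Return (ok, reason). Rejects anything that could smuggle extra mail headers."""
    for key in ("name", "email", "subject"):
        value = fields.get(key, "")
        if "\r" in value or "\n" in value:
            return False, f"{key}: newline characters are not allowed"
        if len(value) > MAX_FIELD_LEN:
            return False, f"{key}: too long"
    if not _EMAIL_RE.match(fields.get("email", "")):
        return False, "email: not a valid address"
    body = fields.get("message", "")
    if not body.strip():
        return False, "message: empty"
    if len(body) > MAX_MESSAGE_LEN:
        return False, "message: too long"
    return True, "ok"


def build_message(fields):
    """Build the outgoing mail. To and From are fixed by the site, not by the visitor."""
    ok, reason = check_submission(fields)
    if not ok:
        raise ValueError(reason)
    msg = EmailMessage()
    msg["From"] = f"Contact form <{SITE_RECIPIENT}>"
    msg["To"] = SITE_RECIPIENT
    msg["Reply-To"] = fields["email"]          # validated above: one address, no newlines
    msg["Subject"] = f"[Contact form] {fields['subject']}"
    msg.set_content(f"From: {fields['name']} <{fields['email']}>\n\n{fields['message']}")
    return msg


class RateLimiter:
    """In-memory sliding-window limiter keyed by client address (one process only)."""

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit, self.window = limit, window
        self._hits = {}

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self._hits.get(client, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._hits[client] = recent
            return False
        recent.append(now)
        self._hits[client] = recent
        return True


if __name__ == "__main__":
    # Constructed sample submissions: one clean, one carrying a line break in the subject.
    clean = {"name": "Alice", "email": "alice@example.org", "subject": "Hello", "message": "Hi there"}
    broken = dict(clean, subject="Hello\r\nX-Extra: injected")
    print(check_submission(clean))    # (True, 'ok')
    print(check_submission(broken))   # (False, 'subject: newline characters are not allowed')
    print(build_message(clean)["To"])  # owner@example.com
```

The form never decides where the mail goes; that is the single property that stops it from being usable as a relay. The rate limiter is per process and resets on restart, which is fine for a small site but would need shared storage behind a load balancer.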

Bad Passwords

Remembering passwords can be hard. A good password does not necessarily need a bunch of numbers and weird characters. A good password is one that will not be found through automated guessing.

The way hackers access accounts with bad passwords is simple. They take a special dictionary and try every word in it. This dictionary contains all the most common passwords. So a good password must be unique, and uncommon enough that it will not be found in such a dictionary. The longer a password is, the better.

“thisisareallygreatpassword” is actually stronger than “2%$fW2”. It would take a computer a lot longer to guess the first password than the second one. Long passwords are good. Think of a unique phrase that you will remember, and use that as your password. “MyGrandmotherIsNamedLucy” is another great password. It’s unique, I capitalized the first letter of each word, and it’s long enough that it would take a computer forever to guess if the computer was just trying random letter combinations.

It does not matter how secure and up to date your website and software are. If a hacker can guess your password, you will be hacked. Use difficult passwords. And absolutely avoid the following:

123456
password
12345678
qwerty
12345
123456789
football
baseball
welcome
abc123
111111
1qaz2wsx

These were the most common passwords used in 2015. They are all simple to guess, and will be included in any hacker dictionary. As you can see, using a pattern on your keyboard is not a good idea for creating a password.

Your password is your key to everything. If your password is easy to guess, then you have no security.
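The password advice above can be turned into a check that a site applies when a user picks a password. This is an added example, not code from the article: it rejects anything on the article’s 2015 list, rejects runs of adjacent keys (the keyboard patterns the article warns about), enforces a minimum length, and estimates how many guesses a blind character-by-character search would need, which is the comparison the article makes between “thisisareallygreatpassword” and “2%$fW2”. The minimum length and the keyboard sequences are assumptions; the estimate deliberately models only blind guessing, so the dictionary check is what catches phrases built from common words.

```python
import math

# Constructed from the article's list of the most common passwords of 2015.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "baseball", "welcome", "abc123", "111111", "1qaz2wsx",
}

# Keyboard rows and columns (assumed US layout); a run of adjacent keys is a pattern.
KEYBOARD_SEQUENCES = (
    "qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
    "1qaz2wsx3edc4rfv5tgb6yhn7ujm",   # the columns, read top to bottom
)

MIN_LENGTH = 12  # assumed site policy, not a figure from the article


def has_keyboard_pattern(password, min_run=4):
    """True if any min_run consecutive characters walk along a keyboard row or column."""
    lowered = password.lower()
    for start in range(len(lowered) - min_run + 1):
        window = lowered[start:start + min_run]
        if any(window in seq for seq in KEYBOARD_SEQUENCES):
            return True
    return False


def charset_size(password):
    """Size of the alphabet a blind guesser would have to cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # printable ASCII symbols and space
    return size


def brute_force_bits(password):
    """log2 of the number of strings of this length over this alphabet: the work a
    character-by-character search needs to exhaust them all."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def evaluate(password):
    """Policy check: dictionary words and keyboard walks fail outright, then length."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in the common-password dictionary")
    if has_keyboard_pattern(password):
        problems.append("contains a keyboard pattern")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return {"bits": round(brute_force_bits(password), 1),
            "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for candidate in ("123456", "1qaz2wsx", "2%$fW2",
                      "thisisareallygreatpassword", "MyGrandmotherIsNamedLucy"):
        print(candidate, evaluate(candidate))
```

For the article’s two examples the estimate gives about 122 bits for the 26-letter phrase and about 39 bits for the six mixed characters, which is the gap the article describes. The bit figure should be read as an upper bound: an attacker who guesses word combinations rather than single characters gets through a phrase of common words much faster, which is why the dictionary and pattern checks run first.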

Social Engineering

Finally, the last method that hackers commonly use to access websites and other information is called social engineering. Many times, the weakest link in a system is not the computer or the software, but the person using the computer. That’s right, hackers love to take advantage of fellow humans.

If a computer is programmed to not give out a password, it will not give out the password. A human is different. If you give a human a convincing enough story, they will give you their password without even realizing it.

Companies spend millions of dollars hiring security contractors to test and train their employees in computer security. This usually covers simple things like not giving your password or account name to someone who called you, even if the caller claims to be from Microsoft and knows your name. A company will never call you and ask for your password.

Now, it’s different if you looked up a company and called them. If you are the one making the call, then you can usually be safe in knowing that the person on the other side really is who they claim to be.

More common than phone calls are hacker emails. These emails are made to look like some kind of official notice. The user is usually told to click on a link. Once they click, they are taken to a website that infects their computer with a virus, or to a fake website that asks them for their password.

These are called phishing emails and phishing websites. They are made to look like legitimate websites and emails. A phishing email and website can be made to look almost exactly like a bank website. The difference is going to be in the address bar. If the address bar is not the correct website name for the real bank, then it might be a hacker website trying to steal your information.

Do not open attachments in emails from senders you do not know. The attachment is usually a virus.

Do not click on links in emails from senders you do not know. They might be harmful.

When logging into a website that you got to from an email link, make sure that the address bar actually shows the correct website URL.
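The address-bar check the article describes can be written down precisely, which also shows the cases where a link looks right but is not. This is an added example, not code from the article: it extracts the links from an email body and, for an expected domain such as the bank’s, reports whether each link really lands on that domain. It goes a little beyond the article by catching the common tricks: the real name used as a subdomain of someone else’s domain, the real name placed before an @ sign, a plain-http copy, and a punycode host that can display as look-alike characters. The sample email text and the domain names are constructed.

```python
import re
from urllib.parse import urlsplit

# Links as they appear in an email body (scheme required, stops at whitespace or quotes).
_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url, expected_domain):
    """Return (verdict, hostname) for one link.

    verdict is 'ok', 'wrong-host', 'not-https' or 'punycode-host'. The hostname is
    taken from the parsed URL, so anything before an @ sign is ignored the same way
    a browser ignores it.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").rstrip(".").lower()
    expected = expected_domain.lower()
    if not host:
        return "wrong-host", host
    # Must be the domain itself or a label directly under it; 'bank.example.evil.example'
    # and 'notbank.example' both fail this test.
    if host != expected and not host.endswith("." + expected):
        return "wrong-host", host
    if parts.scheme != "https":
        return "not-https", host
    if "xn--" in host:
        return "punycode-host", host   # internationalised label; inspect before trusting
    return "ok", host


def scan_message(text, expected_domain):
    """Classify every link in an email body; returns a list of (url, verdict, host)."""
    return [(url,) + classify_link(url, expected_domain) for url in _URL_RE.findall(text)]


# Constructed sample: a notice that mixes a look-alike link with a genuine one.
SAMPLE_EMAIL = """Dear customer, your account has been locked.
Please confirm your details at https://bank.example.account-verify.example/login
or visit our real site at https://www.bank.example/help"""


if __name__ == "__main__":
    for url, verdict, host in scan_message(SAMPLE_EMAIL, "bank.example"):
        print(f"{verdict:14} {host:40} {url}")
```

The rule is the one the article gives, made exact: only the host part of the address counts, and it must be the expected domain or sit directly under it. Everything else in the link, including a convincing path or a familiar name before an @ sign, is decoration.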

Hackers love to prey on the computer illiterate. They use every tool they can get to gain your password and other account information. To protect your website from being hacked, you must protect your passwords.

Having your website hacked can lead to many headaches and problems. It can be expensive to fix. Failing to fix the hack can also lead to your web hosting company terminating your account and deleting all your data. If your website is hacked, you might completely lose your website and all its data. This is a reason why you should always make backups of your website and all your important data.

If you avoid these five common security mistakes you are likely going to be safe from hackers. If your website was hacked, think about all of these items. Maybe you were a victim of one of these exploits.
