One of the biggest problems in the web security industry is that most small business website owners are not aware of how and why their website is valuable to hackers. Due to lack of awareness or a lack of priority and the thought that “My website is not very popular, it is only an information website about my small business, or my own personal site and it has few visitors - why would hackers be interested in it?” a website often becomes valuable for hackers.
- (*The term hacker is being used loosely – meaning criminals who abuse the functionality of your website for malicious purposes)
Hackers are interested in it because small business owners think that it is not important and hence are not giving it the attention it is due. If a website is considered as a one-off development and then all but “forgotten” – except for some content updates here and there - it is highly likely to become vulnerable. If you want to know more about Data Security and how to improve it, Biz Epic has a great infographic blog post about it.
Vulnerable you say? Did my developer not do a good job?
Not necessarily – but websites may still be vulnerable. Let’s just go through how this happens. Many websites are developed on software platforms – aka CMS or Content Management Systems – which is essentially a piece of software which can be used to easily update the content of your website. A few of the most popular platforms are Wordpress, Drupal, Joomla!, vBullettin and DotNetNuke.
This software – just like all software is prone to bugs. Big deal – you might say – everything has obscure bugs, it’s rare that these will impair your software.
Well some of these bugs in CMSes are critical enough to allow hackers to manipulate the contents of a vulnerable website without the owner's knowledge. If the website has not been updated to the latest versions of the software – there are very good chances that it might be vulnerable and subsequently exploited. There are literally millions of websites which contain vulnerable code. To make this problem worse, if a website is using additional extensions (as happens very often) on top of the website the problem is even larger because the critical bugs might be in these 3rd party extensions too. To give a very simple scenario: if your website is on Joomla 2.5.3 and has not been updated to the latest versions – then chances are it will be hacked. If you are on WordPress versions 3.5 to 3.9 - a security vulnerability has been found, if not patched - chances are your website will be hacked.
But how is my website found and hacked?
Once a vulnerability becomes known – then it is fairly easy for a website to get “hacked” or exploited. It is a question of sending a well crafted message to your website – but this is trivial stuff once your website has been found.
To find vulnerable websites is also a relatively simple job. Programs are written which "spider" the web and visit hundreds of thousands of websites a day and testing the website for specific vulnerabilities. Once this script hits the jackpot – then the website can be hacked and exploited for malicious purposes. The sheer number of people running these tools makes it a question of how quickly a vulnerability will be found – rather than if.
What do they do to my website? And why?
There are many things which can be done to a vulnerable website – none of them are pleasant. Most times hackers are financially motivated - they are earning money in some way or another thanks to each hacked website. The owner of the hacked site will many times be left unaware that the site is hacked, and hence it takes a very long time for the malicious content is removed - and hence the effect of the hack is longer and better. Some of the ways a website could be used
- Deface the website – for embarrassment purposes or used it to send a political or other message.
- Install content which is invisible and which infects visitors to the website with malicious software. But it's not very popular - so not many people will be effected you may think. Not really - the website will be part of a larger organization and users will be forwarded to the malicious part of the website
- The website can be used to send useless traffic as part of an attack to overwhelm another website
- The website can be used to send SPAM
- The website can be used to steal usernames and passwords from unsuspecting users (phishing)
There are many side-effects to the above besides the embarrassment and loss of reputation of a hacked website. The website can rack up large bandwidth and CPU usage bills and potentially gets the owner kicked off their hosting server, the website could get blacklisted on web filtering directories as malicious, the server IP could get listed as a SPAM source and also get blacklisted from sending regular emails and lots of other costly issues.
What can I do?
Keep your website updated - always to the latest versions which are regularly issued by the CMS. Would you consider not updating your antivirus - of course not. Same goes for your website. If you are not able to do this yourself – you can employ the developer of your website to make sure the website is kepy regularly updated. You can also choose a host such as InMotion who performs automatic updates on CMSes such as WordPress and Joomla and who is on the ball in taking proactive action to block vulnerable websites. That goes a long way to prevent your website from getting hacked.
The one thing you should not do - is forget about the health and security of your website. If your site has already been hacked - don't panic. There's probably ways and means to fix it. Here's an article on what you should do if your website is hacked.
What else can I do?
Switch your web hosting to InMotion. The offer automatic updates to ensure your website is not left unprotected and also proactive protection of your website. If a vulnerability exists which is actively being targeted - InMotion will protect your website through their own security mechanisms