+353 86 226 9670 colin@cubecreative.ie

1. Compromise Credentials

Let’s start with the really easy methods of hacking a website, and that typically means praying on easy to guess, short or simple passwords, or you re-use passwords on multiple sites.

Re-using passwords on multiple sites is incredibly dangerous. Let’s assume that you’re the CEO of a company. You receive a phishing email which asks you to sign up for golf discounts, and you sign up with your corporate password. Now the hackers have your username and password to your corporate email, unbelievable – it happened in 2020 to the CEO of a large spanish corporation, and in fact its happening all the time. Never, ever re-use a password, use a password manager. Firefox and Chrome have built-in password managers or you can use 1password or dashlane. 

Let’s assume you have a wordpress website, and that either you or the web developer has chosen to leave the administrator username as the default (admin), an attacker has half the credentials they need to get into your account, alternatively the domain name is karenxxxxxx.com and you have chosen karen as the admin user, the same applies.

So now all we need is the password. If we have a six character password, and that word is in the dictionary there are only 15,222 combinations, at a rate of 1000 attempts per second, it would take an attacker just over 15 seconds to gain access to your account. If it’s not in the dictionary then there are 266 combinations of a single c+++ase word, which makes it slightly more difficult.

Hackers typically use many compromised webservers to attempt password cracking all generating co-ordinated attacks at a rate of 1000s of attempts per second. It’s best to use at least a 10 character phrase with numbers, upper and lower case and symbols. Also if you implement a Captcha in the login form, it makes brute force attacks much less likely to succeed. 

2. Outdated Versions of Software

If your website uses a content management system (CMS) such as WordPress, Joomla, or Drupal, or a ecommerce platform such as Opencart or Magento, it is open source – that means that the source programming code is available to view for free.

Unfortunately that also means that the bad guys can look through the source code and find potential methods of attack. Once they have found one, its a simple enough job to write a bit of code to trawl through the internet looking for vulnerable sites, and voila your website is compromised.

Chances are that the CMS or ecommerce platform didn’t do everything that you wanted it to do out of the box, so the web designer installed a few plugins to enhance the functionality of the site (we have seen sites with more than 50 plugins).

Some of these plugins are written by a late night coder, so the quality might not be up to the task of fending off the latest hacking method. So its imperative you keep plugins up to date, this is also not as easy as it seems, because plugins might become obsolete and not compatible with the latest version of your core CMS or E-Commerce platform.

Make sure that your CMS and plugins are up to date, and check out the CMS/E-Commerce home page and follow the links to the plugin directory and check to make sure that the plugins get a great rating and are still maintained. 

3. SQL Injection Attack

The only language that databases understand is a simple language called SQL – or structured query language. It contains INSERT, SELECT, DELETE and UPDATE commands.

Filtering products, blog posts may generate urls like www.cubecreative.ie?catid=1 in the address bar, we could add an apostrophe to the url and see if we get back an SQL error, if so then the website is vulnerable to a SQL injection attack – which might allow a hacker to change the admin password, or inject malicious code into the database or changing the programs. You would think that at this stage, these would have all been protected against, and that’s true; except that the bad guys are an ingenious bunch. 

4. Cross Site Scripting Attack

Cross site scripting attacks use a compromised website to transfer malicious code to a unsuspecting users browser and thus compromise their machine. Let’s assume that you have a form on your website. The data from the form is displayed somewhere (lets for argument sake say a comment). A hacker could enter some malicious javascript into one of the fields on the form, if the results of that form submission are displayed anywhere on the site, then the malicious code is delivered to the browser, and a compromise occurs. It should be noted that properly written code checks for such attacks, and where a vulnerability becomes know the author normally issues an update to the plugin which must be applied as soon as they are released. In the period between the atfacker finding a vulnerability, the author becoming aware, and the web administrator patching the site, many thousands of sites could be compromised.

 

5. Denial of Service Attacks – Webserver/Operating System Compromises

Websites are typically run on a computer running some flavour of Linux, or Windows machines. These run programs which serve up the content called web servers.

The most popular webservers are Apache, Nginx, lightpd, Node.js and Microsoft IIS, although there are others. Hackers can target the web server, or the operating system. If there are 1500 or so websites running on a single machine such as in a shared hosting scenario, then attacking the web server or computer operating system would enable all the websites on that platform to be compromised in single attack. 

Nearly every day sometimes more than once a day, we receive notifications about operating system and webserver vulnerabilities, so it’s imperative that your hosting provider keeps the server software up to date.

 

6. Zero Day Attacks

Zero day attacks are types of vulnerabilities that no-one knows about, so there is no defence until someone spots the consequences, works out how to spot the attack, defend against it, and finally how to recover from such an attack. Since these exist there can be no guarantee that a site will not be compromised.

 

What can be done to minimise the risk of being hacked?

  • Enforce strong passwords on your site, and implement 2 factor authentication;
  • Never ever re-use passwords;
  • Change the admin username to something obscure;
  • Implement captcha on the login pages;
  • Cheap hosting is never ever a good idea;
  • Regularly review the users on your site to ensure that people who are nolonger involved are deleted.
  • Ensure that the web developer only uses plugins which are updated regularly (at least in the last 2-3 months);
  • Implement a proxy such as cloudflare to filter traffic before it even gets to your website.
  • Update CMS/Ecommerce platforms and all plugins as soon as the update is published;
  • Take Regular Backups of your Site, and it’s content, and store them in different locations.