
Why Websites Get Hacked

I spend a fair amount of time working on new websites as well as fixing websites that have been hacked and this question always comes up:

Why would anyone ever hack my website? I’m just a small business owner.

Depending on who you are, websites get hacked for different reasons, but there are a few specific explanations.

Automation is key

Website attacks that target small businesses and smaller websites are fully automated. Automation gives hackers the following benefits:

  • Mass exposure
  • Reduction in overhead
  • Tools for everyone regardless of skill
  • Dramatically increased odds of success (for the hacker)

The majority of these attacks are automated and follow a specific sequence:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

While thinking about how these attacks occur, it’s important to address the two types of attacks: attacks of opportunity and targeted attacks.

Attack of Opportunity

Almost all small business website attacks are attacks of opportunity. This means that it’s not one individual or group that is trying to hack into your specific website, but rather a coincidence. Something about your site was caught in the trailing net as attackers’ bots crawl the internet looking for hacking opportunities. It could have been something simple like having a known plugin installed, or maybe displaying the version of a platform (displaying the fact that you’re using an outdated version of WordPress, for example).

According to Sucuri, a website security company, it takes about 40 days for a new website with no content or audience to be identified and added to a bot crawler. Once added, the attacks can begin immediately without any real rhyme or reason. It can be any website; the only commonality is that they are all connected to the internet.

These web crawlers then begin to look for identifying markers. Is the website running WordPress, Joomla, Drupal? If so, is the website running any software with known vulnerabilities or bugs in the code? If the answer is yes, the site will be marked for the next phase of attack, exploitation.

The sequence of events can happen in a matter of minutes, days, or months. It’s not a singular event; it’s ongoing and occurs continuously as the bot crawlers are scanning for vulnerabilities. Once your website is on the list, it will just keep on trying until it succeeds. This is why it is so critical to have someone actively managing your website and – at a bare minimum – updating software.

Targeted Attack

Targeted attacks are often reserved for big businesses, but not always. Think of the NBC hack in 2013 or the Forbes hack in 2014. There are many examples of these attacks lately but it’s obvious why there’s an uptick in this trend. Even though it requires much greater hacking skill, the payoff to the hacker can be huge. A very common type of targeted attack is called a Denial of Service attack in which the attacker works to bring down the availability of your site by overloading it with traffic.

Hacking Motivations & Drivers

Now that you have a better understanding of how these attacks happen, let me unpack some reasons why websites get hacked.

Economic Gains

The most obvious reason why websites get hacked is for economic gain. These are attempts to make money from your audience, either by getting them to click on something or download something.

Drive-by Downloads

A drive-by download is the act of injecting your website with malware and hoping to infect as many website visitors as possible. Think of someone visiting your website and then calling you because they installed a fake piece of software that you supposedly recommended on your website. Then their bank accounts were drained. Scary and very real and devastating.

Black Hat SEO

The other strategy is the black hat SEO campaign. These are not as devastating, but can be more lucrative for the hackers. This is the game of abusing your audience by redirecting them to pages that generate affiliate revenue.

System Resources

The business of farming system resources is a huge motivator for hacking groups. Botnets are nothing more than interconnected systems across the internet; these can be desktops, tablets, and even servers, and they can be tethered together to perform tasks like Denial of Service attacks simultaneously. Attacks that target your system resources are dangerous because they can happen completely behind the scenes without you knowing what’s going on until you get a notice from your host – or worse, a huge bill – for exceeding your bandwidth.

Hacktivism

The point of these website attacks often comes down to awareness and frequently consists of a hacker defacing your homepage. This form of attack can be combined with others, but more often than not they are somewhat benign and create more embarrassment to the site owner rather than affecting their site visitors.

Pure Boredom

Unfortunately, boredom also seems to come into play, and often there is no real reason why a website gets hacked.

Conclusion – Your Best Defense is Knowledge

It is easy to be overwhelmed by all of this, but we believe that your best defense is knowledge, and if there’s any real takeaway here, it is that you should

  1. hire someone to manage and maintain your website
  2. update whenever updates are available

Remember, security is not about the elimination of risk. Security is risk reduction. Take what you know and use it to lower your chances of getting hacked.

WordPress Hosting With Connect4 Consulting – Your Website Bodyguard, Handyman, and Paramedic

WordPress is now used by nearly 80% of all websites. One of the drivers of that recent growth is ease of installation, maintenance, and low cost. After all, a Google search for wordpress hosting reveals hosting plans for as little as $3.99/month. So why would you want to pay Connect4 Consulting $50/month for hosting?


Imagine that you’ve just built your dream house. You have spent thousands of hours pouring your heart into every detail. Paying $3.99/month for hosting is like setting that dream house in a bad neighborhood and leaving the door ajar while you sleep inside. Sure, you’re saving $46.01/month, but you have to clean, maintain, fix, and protect the house yourself 24 hours a day. This leaves you with very little time to enjoy your dream house and requires that you be the bodyguard, the handyman, and the paramedic all at once.

Hosting plans at Connect4 Consulting start at $50 per month because we are your website bodyguard, handyman, and paramedic.

Connect4 Consulting actively monitors activity on your website to protect it from hackers. More than 30,000 websites a day were hacked in 2013. There are different methods of attack, but one is simple guesswork: repeatedly attempting to log in. If an IP address fails to log in repeatedly, we block that IP address. However, the most successful method of prevention and protection is updates. WordPress sites rely on a variety of smaller programs and plugins in addition to the WordPress code itself. Whenever updates are available, we test them and then update sites immediately. Most plugin and WordPress core updates include security fixes.
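As an added example (not Connect4 Consulting’s own tooling), here is a small Python check that applies the block-on-repeated-failure rule described above to ordinary web server access logs: it counts failed POSTs to wp-login.php per IP address inside a sliding time window and reports the addresses that cross a threshold. It assumes the usual WordPress behaviour that a failed login re-renders the form with HTTP 200 while a successful one redirects with HTTP 302; the log lines are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx combined log format: IP - - [time] "METHOD PATH PROTO" STATUS SIZE
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample access-log lines (not real traffic):
# 203.0.113.7 keeps failing at wp-login.php; 198.51.100.5 fails once,
# then logs in successfully (302 redirect to wp-admin).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.5 - - [10/Mar/2024:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.5 - - [10/Mar/2024:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Mar/2024:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:08:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2024:08:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
"""

def find_bruteforce_ips(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: time_threshold_reached} for IPs with >= threshold failed
    wp-login.php POSTs inside a sliding window. Assumes a failed WordPress
    login re-renders the form (HTTP 200) and a success redirects (HTTP 302)."""
    attempts = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != "/wp-login.php":
            continue
        ip, status = m["ip"], m["status"]
        ts = datetime.strptime(m["time"], TIME_FMT)
        if status == "302":          # successful login resets the counter
            attempts[ip].clear()
            continue
        if status != "200":          # other codes are not login failures
            continue
        q = attempts[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and ip not in blocked:
            blocked[ip] = ts
    return blocked
```

Run `find_bruteforce_ips()` over the real access log and hand the returned addresses to your firewall or web server deny list; tune `threshold` and `window` to your site’s normal login traffic.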

Many people believe that viruses are distributed from adult and gambling sites, but in reality the majority of these 30,000 websites are legitimate small businesses that are unwittingly distributing malicious code for the cyber criminals. These cyber criminals have automated scanning tools that scour the web looking for insecure websites to infect with their malicious code. This is another reason why it’s important to have someone actively monitoring and maintaining your website.

You might be thinking “Couldn’t I update the plugins myself?”

Well, you could, and most of the time you would be fine, but every once in a while one update doesn’t get along with another update. As an example, the most recent update to WordPress rendered the Go Portfolio plugin invisible. There’s nothing quite as useless as a sorting portfolio plugin that doesn’t display any photos. When something like this happens, we need to figure out what’s causing the problem. Is it a problem specific to the plugin, the WordPress update, or something else? Is there an update for the plugin? If not, is it safe not to update WordPress (the answer is no)? Do we have to find and configure another plugin with the same functionality? If one doesn’t exist, do we have to create our own custom plugin? What do we do in the meantime so that website visitors see pictures in the portfolio? Connect4 Consulting answers these questions so you don’t have to. Most of the time all of this is going on behind the scenes and you don’t know about it. If you know about it, we aren’t doing a good enough job.

Unless you are intimately familiar with backup processes, restores, PHP, database tables, etc., you are probably not your website’s best paramedic.

Even with ongoing proactive maintenance, sometimes bad things happen and you go to check your website and all you see is just a blank page or an error message. With that $3.99/month plan, you are out of luck and will likely be scrambling to find someone to fix your site for you. You will need to be able to tell that person what you think is causing the problem and you will need all of the various administrative usernames and passwords. That person is going to charge a hefty hourly fee and you could easily spend more than a thousand dollars restoring or fixing your website.

Hosting your website at Connect4 Consulting means that you get expert assistance if bad things happen to your web site. We can immediately address your problem and roll back your website to a previous update while we figure out exactly what caused the problem in the first place. We can do this because we have an ongoing relationship with you and your website. We are your website bodyguard, handyman, and paramedic.