Top Menu

How to Prevent your Website from being Hacked

It may not be obvious but there is a war going on all over the World Wide Web. There are three sides in this war. The first group is the website owners-whether they own their own servers, lease space on a server, or build web pages or accounts on free web services. The second group is composed of the users-people who visit the websites published by the website owners. The third and last group, the bad guys, is the hackers. These are the people who use a variety of sophisticated tools to compromise the security of web pages owned by the first group so that they can install malicious that is then targeted to the second group which is the end users.

The main goal of a typical hacker is really a win-lose-lose proposition. Both the end users and the website owners lose out because not only do they get their web pages and computers’ security compromised, but the hackers also make money by doing so. This actually creates a very explosive situation. One way to look at the current state of online security is it is an arms race. Security companies, hosting companies, and online security groups come up with new security measure and hackers evolve their methods to eventually defeat these methods. The process starts again when the good guys come up with newer anti-hacking measures and the hackers evolve accordingly. There is an evolutionary armed conflict happening behind the scenes.

Sadly, while headlines only publicize the most egregious and widespread security breaches, there are many isolated cases that go unreported and are just handled locally. It is particularly devastating when it is your own website or computer that is compromised. Often times, the personal tragedies of hacking are lost to most people because of mainstream media’s tendency to highlight hacking stories involving only large groups of people. It is like a car accident. It is only tragedy in the media’s view if it is a massive pile up. However, it can only take a single car accident involving a loved one to make it a tragedy for both you and your family. The same analysis should apply when considering website hacking incidents and security breaches online. One is simply too much because that single breach could be you.

There is Money in Hacking

Like the old saying goes, “money makes the world go round” and money is the mother’s milk of hacking. It hasn’t always been like this. Back before the internet became popular, worms, viruses and Trojans were already being created but nowhere near today’s scale. What happened? Previously, hacking groups would create viruses, Trojans and malware in general as a way to test new security technology. Many of them use these software as live tests instead of laboratory tests. Others use it as a way to establish “street credibility” among other hacking groups. It is just a glorified form of bragging and stroking the ego.

The rise of the internet during 1995 to 1996 changed the game. While before, hacking was done for purely personal and non-commercial reasons, the amount of money online commerce makes possible and has awaken many hacking groups to the commercial applications of hacking.

Types of Commercial Hacking

1. Getting Financial Information

While the variations in commercial hacking are almost unlimited, they are classified into three large, rough categorizations. The first type of hacking is direct hacking-breaking into a computer system usually subscription websites, e-commerce websites, payment processing websites and any other websites that store financial information. This type of hacking is quite straight forward. You hack in, get the database of credit card details and sell the credit card information to other hacking groups so that they can create fake purchases online and dump the products through a drop ship scheme.

There are many variations to this scam. The only limit is your imagination. While it seems straight forward, the large number of variations makes it a really tough challenge for e-commerce businesses, finance websites and other stakeholders.

2. Taking Control of Computers

The second type of hacking involves compromising websites to spread malware. In this type of hacking scenario, hackers would run sophisticated software that would scour thousands of websites every day looking for tell tale signs of security vulnerabilities. Once they have identified the websites that would show these security soft spots, they would then run differing software packages to hack in. Once they are able to gain publishing access to these websites, they would then install malicious codes that would turn these websites into distributors of malware. So, if somebody is a frequent visitor of such an infected website, the visit that the user makes after the website is infected will result in the user loading the malware unto their computer. Their computer is then turned into a zombie computer which can be controlled by the hacker group remotely. Through this type of hacking, hacker groups are able to recruit and unwitting army of millions of computers all over the world.

2a. Spamming

There are two ways that the hacking groups make money through this type of hacking. The first way is through spamming. The zombie computers would download a spam program that would turn each of these computers into a spam sending machine. This makes it harder for anti-spam organizations and security companies to beat because the spam is coming from so many different IP addresses and locations. This has also increased in sophistication because the spam is now being sent using email addresses from respectable domains like yahoomail and others.

2b. DDOS Attacks

The second way for this type of hacking is creating botnets for distributed denial of service (DDOS) attacks. Unlike spamming hackers, these hackers make their money through extortion. They would contact target website and ask that website to pay up or else the servers will be crushed. If the target website doesn’t bow to their threats. The hacking group would remote trigger their zombie computer network to start requesting pages from the server of the target website. Since a server or server network can only serve so many pages in a given number of time, if the zombie computer network or botnet is large enough, it can easily cripple even the biggest server network. A quick note regarding this type of hacking activity, most of the time, distributed denial of service extortion schemes aren’t done directly. Most of the time, DDOS attacks take place when a hacking group is paid by a third party to launch an attack on a target website.

3. Antivirus Extortion Schemes

The third category of hacking schemes and activities online involves anti-virus or anti-malware extortions schemes. This method borrows heavily from the second grouping discussed above. The hackers infect vulnerable websites using automatic download scripts. Users who visit these infected sites unwittingly download and install this malware, but the similarity ends there. Instead of turning the poor user’s computers to a zombie computer network., this type of hacking scheme involves scaring the end users into buying specific types of antivirus software. The computer would load up and start displaying scary messages, just enough to freak out the end user and have them buy anti-malware software that is supposed to remove the “infection”. While all the activities discussed above are highly illegal, this extortion scheme is especially despicable because completely preys on the fear of the end user and really erodes trust on the internet.

Protecting Yourself from Hacking Schemes

Given the high stakes discussed above which results in a serious loss of time, money, and productivity, not to mention the wasted effort and unneeded headaches you might suffer from due to hacking attacks, there are certain steps you could take to prevent yourself from becoming a victim. Whether you rent a server and run custom installations for your websites, you have a custom website, or you use a free hosting service like blogger or wordpress that is managed by a free web tool provider, you could benefit from these following tips. Of course, if you are just using free tools online, a lot of the security concerns are shouldered by the operators of the free service that you are using. However, there are still some security tips could be applicable to you.

1. Make sure that your software and scripts are updated

One of the one common ways hackers build up their bot networks and spread malware is through finding vulnerable installations of very popular web platform packages. These packages include wordpress, phpBB, SMF, joomla, drupal and many others. There are many open source packages available that help website owners to manage their content online. These are called CMS software (Content Management Systems). When they have determined that the installation is old, they would then look for security vulnerabilities based on that version. WordPress for example, had many security vulnerabilities with its older versions. If the version that you have installed for your website is a vulnerable version and hasn’t updated it yet, be aware that there are hackers who are constantly monitoring the internet, looking for websites such as yours. These are basically like magnets or open windows that are tempting hackers all over the world.

How bad can it get? Well, it can get really bad. Not only can it rewrite parts of your website, it can also turn your website into a distribution center for malware. The common ways they do this is to either redirect users from your website to the actual site that launches the attack which involves the user downloading the malware. The other method which is less common is the user visiting your site and downloads the malware directly from it.

To fix the vulnerability above, you have to find a web hosting that either reminds you to update your platform software frequently or they give you tools to make update a matter of a few clicks. Many webhosting companies use cpanel and direct admin and other website and server management packages to make installations of WordPress and other CMS packages quick and easy. With that being said, even if your host gives you all the tolls you need to make sure that your website is up-to-date, it still requires time and effort on your part to make sure that you update regularly. Make sure you find the time to periodically check you CMS dashboard to see if there are any updates and use your host’s easy installation and update tool to update your platform. This can make a big difference between losing a lot of money and time and having peace of mind.

2. Always make sure to use trusted plug-ins, modules and add-ons

Most open-sourced CMS packages like joomla, drupal and wordpress have a large installed base of add-ons, plug-ins and themes. The great thing about open sourced packages is the ability of the developer community all over the world can collaborate and come up with their own little programs to plug-in into these platforms, giving these platforms added functionality. The same goes with graphic designers the world over, creating differing looks and themes for these sites.

As great as all this may sound, there is a downside with it. While the platform version tends to be quite secure due to the huge global community that uses platforms like wordpress acting as a crowd-sourced quality control system that quickly ferrets out bugs and security vulnerabilities, not all plug-ins and add-ons enjoy this type of distributed quality control. By their nature, add-ons and plug-ins don’t all share the same market. Some plug-ins have millions of users while most have smaller followings. This becomes a serious problem for the users of these less popular plug-ins, add-ons and modules. Why? Unlike the popular plug-ins which give its developer a monetary incentive to continuously improve its code and make sure it is free from security vulnerabilities, the smaller plug-ins are updated less because they are developed on a purely voluntary basis. Oftentimes, these smaller plug-ins are no longer updated when the developer decides to move on. While you may have updated you main platform, if you have plug-ins that are not updated, hackers may figure out security vulnerabilities using those plug-ins. They may not be able to go through the front door of the CMS platform but they can hit your hard by exploiting holes in your plug-ins.

One good way to fix this problem is to always update your modules, add-ons and plug-ins. If the developer is no longer supporting his work and doesn’t release updates anymore, try to find a similar package from another developer don’t be afraid to pay because paid plug-ins are usually get updated more. There is an added benefit of increased security if you pay for plug-ins instead of using free ones.

3. Protect your passwords

You would be surprised of how many website owners and computer users use the password “password”. Incredible isn’t it? While that may seem ridiculous to many people, they shouldn’t get a false sense of security with their own passwords. The truth of the matter is, most people use easy password codes that can be cracked by a sophisticated password cracking tools. Using word or names and numbers are usually not enough. To truly boost your password strength, use random combinations of alpha numeric characters and special characters. If special characters are allowed by the software package that you are using or your server, please do so. Store your password in a secure location and make copies of it so that you won’t forget. Also, you may want to use longer passwords. The longer the password, the longer the time it would take for the hacker’s tool to work for it to crack the password. The more it tries, the higher the chance it would be detected. Don’t make the hacker’s job easy. Make them work hard for they craft by using very long and complicated passwords.

Similarly, if you are using software to log in to your server, do not make yourself vulnerable to key loggers’ software by having your FTP software use unencrypted and unhidden password codes to access your server. Key loggers are frequently used by hackers to get you passwords from your computers. They record key strokes as well as the information you send to the internet. Also, if you use a finger swipe technology to access websites and to log-in to your online accounts, use the advice above regarding FTP software. Make sure that you password is always set to hidden mode and that the software you are using has an encryption scheme.

4. Get Rid of Server Clutter

If you have installed a plug-in for your website and you no longer see the benefit of it, or you are no longer using it, make sure you disable it. The best case scenario however, is to delete it completely. Since plug-ins on the whole are less updated than the main CMS platform that you are using, make sure that whatever plug-ins, add-ons or special software that you use is truly needed and is up to date. It is already a hassle to update plug-ins that you use especially if you have a busy schedule, what more with the material that you aren’t using anymore or doesn’t add value to you website.

You don’t even have to run a CMS to benefit from this advice. You could be running a static website that doesn’t use a CMS but you use a specialized software scripts on your site to collect emails, handle responses and process information on your site. This advice still holds whatever scripts you are using, make sure they are up-to-date. You analyze them well, especially if you benefit from them and if not, deactivate and delete those scripts. The vulnerability here comes from two sources – code vulnerability of the script, add-on, plug-in or module and vulnerability created when you do not have the time to check for updates or do necessary housekeeping.

5. Do not be afraid to invest in your website

If you are running custom installations in CMS platforms like wordpress, drupal, and joomla, consider paid add-ons, modules and script customizations as an investment in your online publishing business. The more you invest, usually, the better results you get. But in terms with security, there is an added advantage. Since these are paid software packages, the developers have a greater incentive to keep their add-ons, modules, plug-ins and scripts free from security vulnerabilities. They have the financial incentive to keep their codes clean. So, whatever money you are paying to invest in a script, add-on or module, not only pays for itself on terms of the added functionality it gives you website, but it also comes with an added peace of mind to gain and opportunity cost you could encounter in the future.

6. Always remember to back up

It is already a standard mantra for any computer or internet user to always back up their computer. This is also true if you are running a server online or you are managing a website. Even if you using a free website tools like yahoo groups to manage and create a mailing list, you should always back up. You can back up you email list by downloading a local copy. Thankfully, when it comes to websites, most hosts do automatic backups. The only problem is differing hosts approach backups differently. Bigger companies can afford to do more frequent backups, smaller hosting operations do them less frequently. This can be a serious problem especially when your website crashes long after the last back up and right before the next scheduled back up. This means that whatever updates posted on your website between those dates have been lost. If you have a slower website that doesn’t generate too many user generated content or you don’t really update your website regularly, slower backups and larger backup date gaps are okay. However, if your website is very dynamic, you have a lot of users or you have constantly updated content, these lapses in backups will really set you back a bit. It is not a joke to reconstruct content and post back up. Also, if you rely on user generated content for the bulk of your website’s content inventory, you’re simply out of luck. That is why backing up your website is essential.

When it comes to backups, always use a triple protection method. Protect yourself three times. First, use your host’s backup system to continuously backup you website on the server level. Second, download a local copy of your files to a local hard disk. Third, make a copy of that hard disk backup of your site on a CD or DVD. This way, you’re backed up on three levels. If you’re really serious in backing up, you might want to look into a fourth backup method which is to use online syncing service like dropbox to make copies of your files. The great thing about dropbox and other sites with similar services is that when you make a copy of your file on your computer, it automatically backs it up in ther centralized server network. So, if you happen to lose your computer, you will still have a copy in the cloud (their server network). This forms the fourth layer of the back up protection.

7. Be careful of security compromises targeting your local software

If you run a website that is managed far away in a home or office computer, why do you have to worry about your local computer? Hackers have become quite sophisticated over the last decade. They would infect local computers using instant messaging and email attachments with Trojans. These Trojans then sniff out the software that is used to interact with your server or hosting account. One they detect this, they crack the software or they trigger a mechanism you local computer mimics your direct input to trigger those local software. It then accesses your server that way. The key take away in this aspect is not to get a false sense of security just because you local computer is not directly connected with your server or host. Hackers would use your computer as their hacking medium into your online accounts and online properties. Protect yourself by running antivirus software and anti-spyware software religiously. Set this software to run constantly. The more frequent you run, the better.

8. Diversify, diversify, diversify

If you are an online publisher, do not put all your websites on one host alone. You can put all your eggs in one basket only if the host you are using is a really large hosting provider with a huge manpower infrastructure that could consistently make sure that its security is up-to-date and its network is completely protected against hacker attacks. Those providers are quite few and are far between. Most website owners tend to pick medium and small sized hosting companies. If you are going this route, make sure you use differing hosting companies because they have differing security schemes. This is reflected both in terms of their training, their internal processes and procedures, as well as their business philosophies. Protect yourself by finding legitimate and credible hosting companies and distributing your websites evenly among them. The hope is that they don’t all crash at the same time, or worst, all get hacked at the same time. This feel-safe mechanism works to make sure that at least parts of your website network are still up in the event of hacking attacks.

The Bottom Line

The harsh reality is that there is a war going on all over the World Wide Web. There is a lot of money on the table and waiting for hackers to snatch. Don’t become yet another sorry statistic by letting your guard down and letting your websites become compromised. Be proactive in constantly monitoring your sites and enlisting the aid of your free web tool provider or web hosting company in making sure that your websites are safe from being attacked. Vigilance is the key to preventing your website from being hacked. As we mentioned above, while most media reports tend to focus on hacking attacks that compromise thousands of websites, the greatest tragedy is actually when a single attack is pointed towards you. That is when it becomes personal and for most people, that is the only moment when they finally see that it is real. So, use the reports of massive hack attacks as a cautionary tale to get your own digital home in order.

, , , , ,

  • Fred Jacobs

    For the average webmaster, the ones who are in the most danger of being hacked are those with WordPress blogs. If you wish to be a blogger, take the time to learn how to secure your WordPress installations. Start by learning how to install the platform manually and do not use the one-click installers like Fantastico. Those installers are like putting a sign on your front page saying “hack me”, just like the “kick me” signs on the backs of the poor, hapless nerds back in school.