“How did my website get hacked” is often a question you’ll be able to answer as you work through the process of cleaning up the damage. In fact, you’ll often figure out that it was actually something frustratingly simple, which could easily have been prevented.

How did my website get hacked

The most common reasons why websites get hacked are passwords, access controls, allowing users too much freedom with your website, issues with software, third-party integrations, and accessing your website over an insecure connection.

Passwords


Login formats are often easy to guess or discover, so passwords need to be both strong and unique. These days, however, we have passwords for everything, and they’re all supposed to be strong and unique.

Of course, there’s a limit to how many genuinely strong and genuinely unique passwords the average person can remember and this limit is often much lower than the number of accounts for which a person is supposed to create a strong and unique password. This is a recognized problem and efforts are being made to address it.

For the time being, the most pragmatic approach is to implement two-factor authentication (TFA) if at all possible. Remember that this is not hacker-proof (and certainly not social-engineering proof), but it is much stronger than passwords alone. That said, even if you’re using TFA, you should still use a strong and unique password.

Access controls

The principle of least privilege applies to websites too. Always give users the minimum level of access they need to achieve the agreed goal(s). Have a clear process for agreeing what that is and a process for double-checking that administrator privileges are only given to those who really need them.

The average SMB probably only needs one or two people with administrative privileges. Larger ones may need a few more, but administrators should always be the exception rather than the rule. In addition to keeping tabs on who has access, especially administrative access to the website itself, you might want to think about access to your hosting panel and your server.

Remember, regardless of what hosting and content management system you use, it’s painful how often the answer to “How did my website get hacked?” revolves around basic password and user-access management.
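The double-check on administrator accounts described above can be scripted. This is an added example, not code from the original page: it assumes a WordPress site where the account list was exported with `wp user list --role=administrator --fields=user_login,user_registered,roles --format=json`, and the sample accounts, the approved list and the limit of two are constructed for illustration.

```python
import json

# Constructed sample of the WP-CLI export; these accounts are invented.
SAMPLE_ADMINS_JSON = """
[
  {"user_login": "site-owner", "user_registered": "2021-03-02 09:14:00",
   "roles": "administrator"},
  {"user_login": "webmaster", "user_registered": "2022-11-18 16:02:31",
   "roles": "administrator"},
  {"user_login": "wp-support1", "user_registered": "2024-05-30 03:41:10",
   "roles": "administrator,editor"}
]
"""

# Hypothetical allow-list: the people agreed to need administrator rights.
APPROVED_ADMINS = {"site-owner", "webmaster"}


def audit_admins(users_json, approved, max_admins=2):
    """Compare exported administrator accounts with the approved list."""
    users = json.loads(users_json)
    # WP-CLI prints roles as a comma-separated string; filter again here
    # in case the export was taken without --role=administrator.
    admins = [
        u for u in users
        if "administrator" in [r.strip() for r in u["roles"].split(",")]
    ]
    unapproved = [
        (u["user_login"], u["user_registered"])
        for u in admins
        if u["user_login"] not in approved
    ]
    return {
        "admins": [u["user_login"] for u in admins],
        "unapproved": unapproved,              # accounts nobody signed off on
        "over_limit": len(admins) > max_admins,  # admins should be the exception
    }


if __name__ == "__main__":
    report = audit_admins(SAMPLE_ADMINS_JSON, APPROVED_ADMINS)
    for login, registered in report["unapproved"]:
        print(f"unapproved administrator: {login} (registered {registered})")
    if report["over_limit"]:
        print(f"{len(report['admins'])} administrators exceeds the agreed limit")
```

An unapproved administrator with a recent registration date is worth investigating first when working out how a site was compromised.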

Allowing users too much freedom with your website

This is essentially a variation on the issue of access controls, but it refers to end-users rather than employees. In simple terms, the safest websites are those which are designed to be consumed passively. As soon as you start permitting, or even asking, users to input data, you are opening up a door into the inner workings of your website. You therefore need to make sure that the door is well guarded, for example by server-side validation of data.
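Server-side validation as mentioned above, shown as an added example that is not from the original page. It assumes a hypothetical comment form with `name`, `email`, `rating` and `comment` fields; the schema, limits and patterns are constructed for illustration and would be set per site.

```python
import re

# Hypothetical schema for a comment form: field -> (max length, allowed pattern).
# Anything not listed here is rejected, whatever the browser-side checks did.
SCHEMA = {
    "name": (60, re.compile(r"[A-Za-z][A-Za-z .'-]*")),
    "email": (254, re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    "rating": (1, re.compile(r"[1-5]")),
    # Free text: allow printable characters, tabs and newlines, but no
    # other control characters.
    "comment": (1000, re.compile(r"[^\x00-\x08\x0b\x0c\x0e-\x1f\x7f]+")),
}


def validate(form):
    """Return (clean_data, errors); clean_data is None if anything failed."""
    errors = {}
    clean = {}
    # Reject fields the form never offered instead of silently passing them on.
    for field in form:
        if field not in SCHEMA:
            errors[field] = "unexpected field"
    for field, (max_len, pattern) in SCHEMA.items():
        value = form.get(field)
        if not isinstance(value, str) or not value.strip():
            errors[field] = "missing"
            continue
        value = value.strip()
        if len(value) > max_len:
            errors[field] = "too long"
        elif not pattern.fullmatch(value):
            errors[field] = "invalid format"
        else:
            clean[field] = value
    return (clean if not errors else None), errors


if __name__ == "__main__":
    # Constructed submissions: one well-formed, one that client-side checks
    # would normally have stopped.
    good = {"name": "Ana Lee", "email": "ana@example.com",
            "rating": "4", "comment": "Helpful article."}
    bad = {"email": "ana@example.com", "rating": "9",
           "comment": "Hi", "role": "administrator"}
    print(validate(good))
    print(validate(bad))
```

Validation decides what is accepted; data that passes still needs parameterised queries when stored and output encoding when displayed.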

Issues with software

The most obvious issue with software is a lack of updates. This can be down to a lack of effective management at the user’s side. It can, however, also come down to a lack of interest on the developer’s side, especially, although not exclusively, with free software. WordPress plugins are notorious for this, which is one reason why you need to be very careful about which ones you use.

Another reason why you need to be very careful with WordPress plugins is that they do not necessarily work happily with each other. This tends to cause technical issues rather than security issues, but the former can lead to the latter. For example, if people get too focussed on just getting misbehaving plugins to cooperate, they can forget about the security implications of the actions they take.

Last but not least, some software is either malware or just so poorly designed that it creates a security threat. Again, this is a known issue with WordPress plugins. In fact, when it comes to WordPress, the answer to the question “How did my website get hacked” often involves plugins, with other outdated software following close behind.
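A plugin inventory check for the issues described in this section, as an added example that is not from the original page. It assumes a WordPress site where the inventory was exported with `wp plugin list --format=json`; the plugin names and the reviewed list are constructed for illustration.

```python
import json

# Constructed sample of the WP-CLI export; these plugin names are invented.
SAMPLE_PLUGINS_JSON = """
[
  {"name": "contact-form-example", "status": "active",
   "update": "available", "version": "2.1.0"},
  {"name": "seo-helper-example", "status": "active",
   "update": "none", "version": "5.4.2"},
  {"name": "old-gallery-example", "status": "inactive",
   "update": "available", "version": "0.9.3"},
  {"name": "cache-example", "status": "inactive",
   "update": "none", "version": "1.2.0"}
]
"""

# Hypothetical list of plugins someone has actually vetted and agreed to run.
REVIEWED_PLUGINS = {"contact-form-example", "seo-helper-example", "cache-example"}


def audit_plugins(plugins_json, reviewed):
    """Sort installed plugins into the three buckets worth acting on."""
    report = {"outdated": [], "inactive": [], "unreviewed": []}
    for plugin in json.loads(plugins_json):
        name = plugin["name"]
        # An update is waiting: the installed version lacks the latest fixes.
        if plugin["update"] == "available":
            report["outdated"].append(name)
        # Deactivated plugins stay on disk and still need patching;
        # uninstall them if they are no longer used.
        if plugin["status"] == "inactive":
            report["inactive"].append(name)
        # Installed without anyone checking the source and its maintenance.
        if name not in reviewed:
            report["unreviewed"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in audit_plugins(SAMPLE_PLUGINS_JSON,
                                       REVIEWED_PLUGINS).items():
        print(f"{bucket}: {', '.join(names) or 'none'}")
```

This only reports updates that exist; a plugin whose developer has stopped releasing them shows `none` here, so the reviewed list is where abandonment has to be caught.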

Third-party integrations

If you allow third-party access to your website, then you must be very sure that they deserve your trust. Not only do you have to be confident that they have good intentions, but you also have to be confident that they have good judgment. This holds at least double if they’re going to be connecting you with other third parties, such as advertising agencies contracting with advertisers to display adverts on your site.

Not only can a third party expose your site to hacking, but they can actually use your site as a base from which to launch hacking attacks on other people. For example, they can use your site to host malicious adverts that aim to compromise your visitors’ networks. This does not reflect well on you.

Accessing your website over insecure network connections

There are all kinds of ways hackers can exploit insecure connections, such as many public WiFi networks. That is why it’s best to avoid using them if you possibly can and, if you absolutely must, to use a VPN. This holds true regardless of what you’re doing online, as you don’t want to give a hacker so much as a toe-hold in your system.


© 2024 Comodo Security Solutions, Inc