How Do Websites Get Hacked?
As much as the web has grown, surprisingly not a lot has changed in how websites get hacked.
The most important thing you can do in keeping the web – and your own sites and visitors – safe is to understand these unchanging truths and hold them close to heart.
Consider the Scale of Hacked Websites
1.2 billion sites make up today’s World Wide Web. Assuming a 3-second load time, continuous queries, and not a wink of rest, it’d take you over 160 years just to see every site that currently exists.
That’s a colossally large web, and it’s impossibly large to keep watch over. Google’s Safe Browsing attempts to warn users about unsafe websites. It currently delivers around 3 million warnings a day.
Of the sites scanned by our own technology, between 1 and 2% have some Indicator of Compromise (IoC) that signifies a website attack.
While that percentage may seem small, let’s extrapolate it across the total number of sites. It indicates that somewhere in the neighborhood of 12 million websites are currently hacked or infected. That’s about the size of the populations of New York City and Los Angeles combined.
Websites will always be a target for hackers. And the impact of a hack can be devastating to a business.
The good news? Although the threat is big, persistent and harmful, awareness of how hacks occur goes a long way to ensure your sites stay safe.
So, How Do Websites Get Hacked?
Over decades of web history, we see hacks almost always fall into three categories:
- Access control
- Software vulnerabilities
- Third-party integrations
Whether you’re a Fortune 500 company or a local cupcake bakery, how hackers approach a target looks very similar.
What can vary is how a business let itself become exploitable in the first place:
- For large organizations, I often hear something like, “I thought someone else was handling it.” There’s a fog that can naturally develop in complex organizations.
- For small businesses, it often boils down to, “I don’t understand why anyone would even want to target me.” It’s easy to lose sight of just how much private info can be skimmed from even a simple site.
In both cases, hackers have the tools and incentives to act in areas where vigilance isn’t high.
A Website Environment Has a Lot Going On
Before we dig into the specifics of each form of hack, let’s set an important foundational point for how the web itself works:
Every website relies on a series of interconnected systems working in unison.
There are components like the Domain Name System (DNS) – the thing that tells requests where to go. There’s the actual web server, which houses various website files and processes requests. And there’s the infrastructure that houses various web servers and networks them to the internet.
As simple as it all ends up looking for users these days, the ecosystem underneath is still fairly complex.
Many of the individual nodes are provided by specialized service providers. And even if you’re getting a number of them provided by a single provider, there are still numerous parts that function uniquely. It’s similar to how a modern car looks streamlined and solid on the outside, but has all kinds of moving pieces making it run underneath the hood.
While I won’t dive into too many details about the threats that these particular elements introduce, please understand that every component has an impact on your overall security posture. They all potentially contribute to how your website gets hacked.
Access Control
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in.
When I say that, I mean more than just your website’s user login. As we established in the previous section, there are a number of interconnected logins tied together behind the scenes.
Here are a few areas to think about when assessing access control:
- How do you log into your hosting panel?
- How do you log into your server? (e.g., FTP, SFTP, SSH)
- How do you log into your website? (e.g., WordPress, Drupal, Magento)
- How do you log into your computer?
- How do you log into your social media forums?
- How do you store your credentials for all these things?
Access control is easy to overlook, but each point can offer access to the whole system. Think of it like the person that locks their front door but leaves windows unlatched and the patio door unlocked. A secure front door won’t matter much if someone wants to get in.
Hackers also utilize a number of tactics to obtain access to insecure login points. To continue the analogy of home security: This looks like a thief checking all the potential entrances and sneaking – or straight-up conning – copies of your keys and passcodes.
- Brute force attacks are the simplest – but can still be remarkably effective. The attacker attempts to guess username and password combinations in an effort to log in as the user.
- Social engineering attempts are growing in prevalence. Hackers build phishing pages designed to trick someone into entering an ID/username and password combination.
- Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attacks entail intercepting user credentials via their own browser.
- Man in the Middle (MITM) attacks are also fairly common, where your username and password are intercepted as you work via insecure networks.
- Keyloggers and other monitoring malware track user inputs and report them back to the source of the infection.
Regardless of the style of attack, the goal is the same: Get direct access via logins.
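Brute force attempts leave a recognizable trace in ordinary web-server logs. The following detection logic is an added example, not code from the original post; it assumes Apache-style access logs and a WordPress login path, and the log lines are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache "combined"-style prefix) for this
# demo only; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
# On WordPress a failed login re-renders the form (200); success redirects (302).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.7 - - [10/Oct/2023:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2345
203.0.113.7 - - [10/Oct/2023:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Oct/2023:13:56:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2345
198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_log(text):
    """Yield (ip, timestamp, method, path, status) for each parsable line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (m["ip"], datetime.strptime(m["ts"], TS_FMT),
                   m["method"], m["path"], int(m["status"]))


def find_bruteforce(text, login_path="/wp-login.php", threshold=5,
                    window=timedelta(minutes=1)):
    """Return {ip: total_login_posts} for every IP that sent at least
    `threshold` POSTs to the login page within any `window`-long span."""
    posts = defaultdict(list)
    for ip, ts, method, path, _status in parse_log(text):
        if method == "POST" and path == login_path:
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

A burst of 200s ending in a 302 from one address is the signature of a guess that eventually landed, which is exactly when a credential rotation and session review are due.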
Software Vulnerabilities
Based on the typical site owner, I’d argue that 95% are unable to address today’s software vulnerabilities unless a security patch is recommended to them. Even everyday developers rarely account for the threats their own code introduces.
There’s an inherent philosophical disconnect between people who build sites and those that hack them. Builders – and honestly, most people – use things the way they’re designed to be used. But a hacker’s perspective looks for the ways to use things beyond how they’re designed.
A bug that may not affect the intended user experience in any way can potentially be exploited to make software do something very different than it’s intended. The sharpest hackers read these bugs as vulnerabilities.
The most common forms these take for websites? By sending a malformed Uniform Resource Locator (URL) or POST header, a hacker can mount a number of attacks. A few key examples:
- Remote Code Execution (RCE) allows complete remote takeover of the target system and site.
- Remote / Local File Inclusion (R/LFI) uses user-supplied input fields to upload malicious files into a system.
- SQL Injection (SQLi) manipulates text input fields with malicious code that sends attack sequences to the server. This has been very common lately!
Just like access control, software vulnerabilities extend beyond the website itself. They can be discovered and exploited in all the interconnected technologies a site relies on (e.g., the web server, the infrastructure, and even web browsers). Most modern sites use a mix of third-party extensions – like themes and plugins. Every one of those should be considered a potential point of intrusion.
Think of it this way: All systems contain potential software vulnerabilities waiting to be exploited.
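The SQL Injection case above is easiest to see with the vulnerable query beside its hardened form. This is an added example, not code from the original post; it uses a constructed in-memory SQLite table and a constructed hostile input of the kind that arrives in a crafted URL or POST body.

```python
import sqlite3


def make_db():
    """Constructed in-memory demo database; no real site or data involved."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def lookup_vulnerable(conn, username):
    """The 'before': user-controlled text is spliced into the SQL string, so a
    value arriving via a crafted URL or POST body changes the query's logic."""
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, username):
    """The fix: a parameterised query. The driver passes the value as data,
    never as SQL text, so it either matches literally or not at all."""
    sql = "SELECT username FROM users WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups against the same hostile and benign inputs."""
    conn = make_db()
    # Constructed hostile input: a quote closes the string literal and a
    # tautology makes the WHERE clause true for every row.
    hostile = "' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, hostile),  # leaks every user
        "hardened": lookup_hardened(conn, hostile),      # matches nothing
        "normal": lookup_hardened(conn, "alice"),        # still works
    }
```

The same input that dumps the whole table through the string-built query returns nothing through the parameterised one, which is why a website firewall helps but is no substitute for fixing the code.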
Third-Party Integrations / Services
Last but not least, we see exploits through third-party integrations/services.
Most prominently, these take the form of ads served through ad networks, which lead to malvertising attacks.
These can involve services that you use specifically with your site and its hosting, including things like Content Distribution Networks (CDN) – as in a major Washington Post hack.
Third-party integrations and services themselves provide efficient interconnection between parts of your site-management experience – it’s one thing people love about highly extensible Content Management Systems (CMS) like WordPress, Joomla!, and Drupal. But there’s that tricky word again! Those points of interconnectedness also provide an additional point for hackers to exploit.
A big problem in the exploitation of third-party integrations and services is that they’re beyond the website owner’s ability to control. As a site manager or builder, you put a lot of trust in a third-party provider when you utilize a service integration. And many work diligently to secure the integration.
But like everything else, there’s an inherent risk here – and one that hackers have an eye on.
How to Protect Your Website
Feeling overwhelmed? Like it’s all hopeless?
Remember that half of the website security battle is awareness and education.
Just reading this post sets you up to better secure your sites. And I’m glad we were able to get this far together!
There are next steps, though. And our goal at Sucuri is to help you achieve those next steps. Unfortunately, it’s often only after someone feels the pain of a compromise that they diligently protect their sites and visitors.
So, I highly encourage you to get ahead of that pain and make these next points a checklist going forth.
My core recommendations to prevent hacks to your site:
- Employ Defense in Depth principles. This means building layers of security like an onion: Each security practice makes it harder for hackers to get a clear shot into your system.
- Leverage the Least Privilege best practice. Limit what each user login can access to only what it needs.
- Establish Multi-Factor and Two-Factor Authentication wherever possible. This further secures those user access points.
- Use a Website Firewall. This works wonders in limiting the exploitation of software vulnerabilities. (Look for one that addresses both known and unknown attacks.)
- Schedule regular Backups. Try to have at least 60 days available, so you can safely “rewind” in case your site is compromised.
- Get perspective from search engines. Google Search Console and Bing Webmaster Tools both provide reports on their view on your site’s security.
I always tell website owners that security is about risk reduction, not risk elimination.
Understand that there’s no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture – whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.
Security is not a singular event or action, but rather a series of actions. It begins with good posture, and that responsibility ends with you.
Now that you know how websites get hacked, you will inevitably come across one of the scenarios described above. Recognizing those attempts will help you prevent and remediate them.
Thanks for reading!