| Estimated reading time: 5min 36 secs |
We are often saying to our clients – “it’s important to constantly maintain your website from a technical point of view to prevent it getting hacked” and it’s sometimes taken for granted that people know what hacking actually is!
So let’s explore that in this post so you can see why it’s important to help reduce the risk of your website being hacked.
So, what is Hacking?
Hacking can come in a variety of shapes and forms, but overall I would say that hacking could be described as:
To obtain control of one or more of a website/domain features without the consent of the owner for a purpose other than that intended by the owner.
Because the form of the hack can come in such a variety of ways, it’s difficult to be more specific than that in this instance.
I think the best thing we can do is to provide some small anecdotes of the types of outcome hackers are generally looking to achieve.
You can generally categorize these ‘incidents’ into two categories – Malicious and Non-Malicious although it could be argued that all types of hacking are malicious in context, we are trying to convey a difference in severity and outcome by using these categories.
- To force access to a website in order to obtain card details or sensitive personal information stored on the website – similar to the recent attacks against TalkTalk
- To gain access to the server that the website is hosted on in order to provide a platform for hacking another site.
- To implement ‘Ransomware’ on your website – take it down until you pay some money to the hackers for the ‘release’ of your website.
- To access your server in order to get to your email system and start sending spammy emails from your
- To take your website down (hide from public view) and put up some kind of advertising / credit for hacking your site – similar to what happened to bluereef.it
Non-Malicious hacks – less severe but still not ideal
- To create posts / pages on your website linking to other sites which helps to build their traffic / backlinks. Often these are to pharmaceutical or porn websites.
- To add adverts to sites you know nothing about to your website
- DDoS attacks
Why would my site get hacked?
Often it’s not really about the target site itself as hackers can automate the process of hacking and send out ‘bots’, little scripts which will go off onto the Internet and hack websites.
Often these bots follow links from the website they are on and then attempt to hack each site they land on. So, it may be a case that an infected website has a link to your website and so a script has been run.
This is the most common situation, but if your website takes payments or stores customer details, then that could cause you to be a target for hacking because of the prospect of getting to those customer details.
What are the side-effects of being hacked?
This totally depends on the type of hack implemented, but they are never a positive thing.
If your website is hacked, you will often be affected for some time after the hack is resolved.
Things such as emails constantly being marked as spam, warnings appearing whenever someone tries to access your website, your hosting company contacting you to advise that your website has been taken down as it’s been hacked and also in the case of a DDoS attack, you will be unable to get to your website.
How can I tell if my site has been hacked?
Because of the diversity of the types of hack that are possible, and the range of platforms which are available it’s difficult to give an exact answer here. But, here are some of the key things to look out for:
- Changes to pages which you didn’t do
- New user accounts being added to your website without your approval/ action
- Website slowing down for some reason
- Your emails suddenly getting marked as ‘junk’
- Google will sometimes add a warning into it’s search results that reads – ‘possibly hacked’
These are some of the most common indicators of attacks but not all of them.
What can I do to combat being hacked?
One of the main things you can do is keep the access to the site secure.
The simplest and most effective measure to secure your website is: Make sure you use strong passwords for your access and NEVER use ‘admin’ as the username.
A strong password is defined as the following:
- Use upper & lowercase characters
- Use at least one special character (!,”,£,$,%,^,&,*,,,.,/,;,’,#,[,]) for example
- Use at least one number
- The password should be at least 12 characters long
The most common attacks against websites are called ‘brute force’ attacks and this is where an attacker will simply attempt a range of usernames and password combinations until they get through.
Often this process is automated by using algorithms – so they use general trends such as capital letters at the beginning, lowercase letters in the middle and numbers / symbols at the end which helps they try the most likely tries at the beginning.
So, by using ‘admin’ as a username, you are making things much much easier for the hackers to brute force attack your website.
The same for the password – we recommend 12 chars at least including a special character and a number. This then removes the password from a simple dictionary search as no words in the dictionary have numbers in it.
It’s difficult to compose strong passwords, let alone remember them which is why we use LastPass. For more information on this, have a look at our LastPass post.
You can and should do the following (at least) too:
- Hide the login page – by making the login page a non-standard URL, you prevent hackers getting to the login form and starting a brute force attack
- Login throttling – this basically means limiting the number of access attempts by a single user (as defined by IP) within a certain timescale. So only allowing 4 attempts in 5 minutes will dramatically slow down a hacker trying brute force attack.
- Remove old code from your website. This could be in the form of templates/ themes, modules and even the base platform itself. Keep these updated.
- Purchase an SSL certificate. This protects the connection between your browser and the Internet to stop hackers intercepting the information as it is transferred between the two.
- Perform regular checks of the site to spot things early.
Not sure if your website has been hacked?
You can give us a call at any time and we are happy to offer some support and advice with a view to getting your website or domain back under your control.