When any individual or business has had their website hacked, apart from the considerable stress, inconvenience, and in some cases, financial loss, that they suffer, there tends to be a question that they all ask. That question is “How did they do it?”. It gets asked with a sense of disbelief as the person asking was under the misconception that their website was 100% secure.
The sad fact is that of the 2 billion websites that exist in the world a large number will not be completely secure from a hacking attack. Worse than that, the lack of security some of them have will be akin to leaving the front door of their home wide open with a sign above it that says, ‘Come on in and take what you like’.
Thankfully, many websites owners have taken the correct approach and have the necessary security in place that will repel most hacking attempts. Hackers will tend to follow the path of least resistance so if they soon find that your website is behind several layers of security then they will move on to a website whose owner has not to be so vigilant.
Website Hacking Methods
When that website does get hacked it will be done by exploiting or overcoming a website’s security in one of three ways. These are 1) Software vulnerability, 2) Access control and 3) Using a third-party integration. Now, it does not matter whether a website is owned by an individual who sells arts and crafts locally, or a global multi-billion dollar company, if their website is hacked, it will be based on one or more of these methods so let us look at each of them in more detail.
When websites are created and published there will be several individual pieces of software and coding that are required to keep the website live. These could perform functions on the website, be responsible for the structure of it, play a part in creating the visual elements, generate some of the interactive elements and so on.
To the owner, and anyone landing on the website, all might seem well, but behind the scenes, there could be a bug or vulnerability that has been created or discovered by hackers. Normally, when this occurs the software developer will issue a fix, usually in the form of an update that will plug the security hole. The problem is that many website owners do not check for updates, nor do they install them, leaving their website open to attack via the software vulnerability.
As the term suggests, this type of hack occurs when the means to log in to your website and in particular the admin or control area is attained by hackers. The point of access can include your hosting account, your hosting cPanel, your admin login for CRMs such as WordPress, social media logins, and even the login for your computer.
There are many ways hackers can obtain logins.
- Brute Force: Multiple attempts to log in using various usernames and password combination
- Social Engineering: Pages are published online that trick a user into entering a username and password
- Keylogging: Software is used to track the individual keys pressed on a keyword when the user is logging in
- ‘Man In The Middle’ (MITM): Caused by using insecure networks where your username and password are easily intercepted
- Ex-Employees: You would be shocked at how many hacks occur due to ex-employee usernames and passwords not being deleted when they leave
If you use any outside companies for services relating to your website, ensure you do your due diligence as to the level of security they incorporate into the services they provide. Whilst you might be all over the security of your website ensuring it is updated regularly, you cannot be sure that a specific third-party is, and if they are integrating with your website in some way, that opens up a security weakness that needs to be avoided.