How do Websites get hacked?

At some time in the future, your website is going to be hacked, constantly monitor for compromises, and have a plan to recover from a hack.

Compromise Credentials

Let's start with the really easy methods of hacking a website, and that typically means praying on easy to guess, short or simple passwords. Let's assume you have a wordpress website, and that either you or the web developer has chosen to leave the administrator username as the default (admin), an attacker has half the credentials they need to get into your account, alternatively the domain name is and you have chosen karen as the admin user, the same applies. So now all we need is the password. If we have a six character password, and that word is in the dictionary there are only 15,222 combinations, at a rate of 1000 attempts per second, it would take an attacker just over 15 seconds to gain access to your account. If it's not in the dictionary then there are 266 combinations of a single c+++ase word, which makes it slightly more difficult. Hackers typically use many compromised webservers to attempt password cracking all generating co-ordinated attacks at a rate of 1000s of attempts per second. It's best to use at least a 10 character phrase with numbers, upper and lower case and symbols. Also if you implement a Captcha in the login form, it makes brute force attacks much less likely to succeed.

Outdated Versions of Software

If your website uses a content management system (CMS) such as Wordpress, Joomla, or Drupal, or a ecommerce platform such as Opencart or Magento, it is open source - that means that the source programming code is available to view for free. Unfortunately that also means that the bad guys can look through the source code and find potential methods of attack. Once they have found one, its a simple enough job to write a bit of code to trawl through the internet looking for vulnerable sites, and voila your website is compromised. Chances are that the CMS or ecommerce platform didn't do everything that you wanted it to do out of the box, so the web designer installed a few plugins to enhance the functionality of the site (we have seen sites with more than 50 plugins). The chances are that at least some of  these plugins are written by a late night coder, so the quality might not be up to the task of fending off the latest hacking method. So its imperative you keep plugins up to date, this is also not as easy as it seems, because plugins might become obsolete and not compatible with the latest version  of your core CMS or E-Commerce platform. So Make sure that your CMS and plugins are up to date, and check out the CMS/E-Commerce home page and follow the links to the plugin directory and check to make sure that the plugins get a great rating and are still maintained.

SQL Injection attack

The only language that databases understand is a simple language called SQL - or structured query language. It contains  INSERT, SELECT, DELETE and UPDATE commands. Filtering products, blog posts may generate urls like in the address bar, we could add an apostrophe to the url and see if we get back an SQL error, if so then the website is vulnerable to a SQL injection attack - which might allow a hacker to  change the admin password, or inject malicious code into the database or changing the programs. You would think that at this stage, these would have all been protected against, and that's true; except that the bad guys are an ingenious bunch.

Cross Site Scripting Attack

Cross site scripting attacks use a compromised website to transfer malicious code to a unsuspecting users browser and thus compromise their machine. Let's assume that you have a form on your website. The data from the form is displayed somewhere (lets for argument sake say a comment). A hacker could enter some malicious javascript into one of the fields on the form, if the results of that form submission are displayed anywhere on the site, then the malicious code is delivered to the browser, and a compromise occurs. It should be noted that properly written code checks for such attacks, and where a vulnerability becomes know the author normally issues an update to the plugin which must be applied as soon as they are released. In the period between the atfacker finding a vulnerability, the author becoming aware, and the web administrator patching the site, many thousands of sites could be compromised.

Denial of Service Attacks

Webserver/Operating System Compromises

Websites are typically run on a computer running some flavour of Linux, or Windows machines. These run programs which serve up the content called web servers. The most popular webservers are Apache, Nginx, lightpd, Node.js and Microsoft IIS, although there are others. Hackers can target the web server, or the operating system. If there are 1500 or so websites running on a single machine such as in a shared hosting scenario, then attacking the web server or computer operating system would enable all the websites on that platform to be compromised in single attack.

Nearly every day sometimes more than once a day, we receive notifications about operating system and webserver vulnerabilities, so it's imperative that your hosting provider keeps the server software up to date.

Zero Day Attacks

Zero day attacks are types of  vulnerabilities that no-one knows about, so there is no defence until someone spots the consequences, works out how to spot the attack, defend against it, and finally how to recover from such an attack. Therefore, since these exist there can be no guarantee that a site will not be compromised.

What can be done to Minimise the Risk of Being Hacked?

1. Enforce strong passwords on your site;

2. Implement captcha on the login pages;

3. If you are really worried implement two factor authentication on your site.

4. Regularly review the users on your site to ensure that people who are nolonger involved are deleted.

5. Ensure that the web developer only uses plugins which are updated regularly (at least in the last 2-3 months);

7. Implement a proxy such as cloudflare to filter traffic before it even gets to your website.

8. Update CMS/Ecommerce platforms and all plugins as soon as the update is published;

9. Take Regular Backups of your Site, and it's content, and store them in different locations.



Help Us
Get Better
Invalid Name Invalid Email Address Invalid Mobile Invalid characters in Messages
Please help us improve, leave some feedback on our site, products, or products you'd need that we don't provide. We promise to respond to all feedback.