Website security is a hot topic. It seems that everyone everywhere is having issues with insecure websites, hosting companies, website developers and hackers, and with knowing how to interpret it all. This is not a topic that is going to disappear anytime soon. If anything, it’s only heating up! Let’s take a closer look at the issues surrounding website security and how they affect you as a website owner.
Why do people hack websites?
When we think of hackers it can be tempting to think of glamorous examples like Anonymous, the self-proclaimed vigilantes who see themselves as a sort of digital band of Robin Hood and his merry men, or maybe evil villains launching virtual attacks against the government as a way to take their missiles offline. The truth is the majority of hacks are not personal. The hackers don’t know you or care about you. They want to hack the server your website is hosted on so they can use it for their benefit. Some of the most common reasons are:
1. To use your site for other attacks or malicious emails
Hackers who want to carry out broader attacks will create a botnet (a large network of compromised computers or servers) that they can use to attack other sites. Botnets can be harnessed to temporarily take down a website, spread malware or spam, or act as a cog in a more elaborate scheme. A botnet makes it harder for the authorities to detect who is attacking the server and also makes the attack harder to stop. A botnet can be used for a broad hacking attempt, or for a “Distributed Denial of Service” (DDoS) attack, where the attackers try to overwhelm a site with so much traffic that the website and server shut down.
2. To use your site for downloading malware (e.g. Trojans, viruses, and other bad stuff)
Hackers who want to use malware to infect other people’s computers need a site or sites on which to store the dangerous files. They obviously don’t want to use their own servers, which could easily be traced back to them. So, they will hack a site and upload their malware to it. Then, when the hackers send out their spam, the unsuspecting people may actually be downloading the malicious files from your website.
3. To gain information
They hack for information, usually financial information or login information. The hacked website installs a malware program on your computer, and that program sends the information the hacker is after back to them. In other instances, such as phishing, hackers may replace your “pay now” link with a link to their site. The payment pages look the same to the viewer, but when the buyer enters their payment information it’s sent to the hacker.
4. For fun or bragging rights
Oftentimes young hackers want to explore and learn about hacking or may just want to say “Hey, look at what I can do.” They will often deface your site so that they can brag to their friends. For instance, they may overwrite your homepage so that it says “Hacked by (fill in the blank).” While this may or may not be dangerous, such incidents certainly can be embarrassing for you and potentially cost you business.
There are other reasons for attacks, and sometimes it can be personal, but in our experience the majority of the time it is for one of the four reasons above.
Before we begin to discuss what you can or should be doing as a website owner, a little background info is in order.
Websites are software
The first thing to realize is that, for all intents and purposes, websites are software. They are created using code, and this code needs to be kept updated, just like the updates that are done on your Windows personal computer or Mac. When it comes to building a website, you can build it from scratch using custom code, or you can build it on code that already exists by using a platform like WordPress, Joomla! or Drupal.
Software can be hacked and exploited
We are all accustomed to Windows being updated on our PCs, or the operating system on our Macs or phones being updated regularly. Some of these updates offer exciting new features or functionality, but almost all of them will include security patches because exploits have been found in the code. Hackers or programmers with malicious intent are always developing new ways to exploit websites to gain access to your server by finding ‘holes’ in the code. Updating your software regularly “patches” these security holes and helps keep your website and server safe.
How your website is built matters
A website is built to meet the requirements of the people viewing the website and the people managing it. It is generally the ongoing website management that complicates things and adds additional costs. A website owner needs to be clear about what their expectations are and weigh all of the associated costs in order to find the right balance between what they would like, what they actually need and what they can afford, so that the website can be properly built with the future in mind.
We tackle this and more in the next blog post in this series.