In 2014, the total number of websites on the internet reached 1 billion. Today it’s hovering somewhere in the neighborhood of 944 million as websites go inactive, and it is expected to settle back at 1 billion sometime in 2015. Let’s take a moment to absorb that number: 1 billion.
Another surprising statistic is that Google, one of the most popular search engines in the world, quarantines approximately 10,000 websites a day via its Safe Browsing technology. From our own research, of the millions of websites that pass through our scanning technology, roughly 2 – 5% show some Indicator of Compromise (IoC) that signifies a website attack. Granted, this is probably a bit high, since the websites being scanned are often already suspected of having an issue, so to be conservative we extrapolate that about 1% of all websites online are hacked or infected. To put that into perspective, we are talking somewhere in the neighborhood of 9 million websites that are currently hacked or infected.
With this sort of impact, it’s only natural that people are curious how websites keep getting hacked. The challenge is that the answer has been the same for quite some time.
Over the past month, I began a series of articles examining various aspects of website hacks and infections:
- Why, in Why do Websites get Hacked, and the motivations behind them.
- What the implications of a hack are to website owners of all calibers, in The Impacts of a Hacked Website.
- Today, we’ll take a moment to understand the How.
It is the one question that almost every website security professional gets at some point in their career, and in some cases, repeatedly. As pros, we take for granted the knowledge we have gained over the years and forget what it is like not to know.
Websites get hacked because of three things:
- Access Control
- Software Vulnerabilities
- Third-Party Integrations
The Website Environment
We cannot have a conversation about how websites get hacked without having an open dialog about everything that makes up a website.
There are various elements that make a website function, and they work in unison. Components like the Domain Name System (DNS), the thing that tells requests where to go; the web server, which houses the website’s files; and the infrastructure, which houses the various web servers. Websites live in a complex ecosystem of interconnected nodes around the internet, but it is likely something you’ve never given much thought to.
Many of these features are provided by a number of service providers that make it very easy for you to create an online presence. They sell you things like domain names, hosting space, and other services designed to make operating your website easy.
While I won’t dive into too many details about the threats that these elements introduce, please understand that every one of the components described above has an impact on your overall security posture and can potentially contribute to how your website gets hacked.
Forensics Versus Remediation
There is a difference between Forensics and Remediation, and it is not as subtle as some might believe it to be.
Forensics has been around for a very long time. It follows a very stringent process of identifying what happened, but more importantly how it happened, and often includes some form of attribution (i.e., who did it?). Remediation however, is the art of cleaning or removing the infections. When it comes to everyday infections, forensics isn’t a necessity. In most cases it is quick to ascertain what happened and how to get it to stop. With that in mind, for complex cases, good remediation cannot be achieved without proper forensics. Here is an example:
When you ask, “How do websites get hacked?” you are essentially asking for forensics. The problem is, true forensics is complex, time consuming and requires a lot of data – data that is often unavailable via most configurations. You can often segment which component is required based on audience. For small business owners with shared hosting environments, forensics is almost impossible because there is limited access. However, for large organizations/enterprises, forensics is required and the necessary data is sometimes more attainable.
A few reasons you might require forensics:
- You need to understand what happened and have all associated data elements and access.
- You are an Ecommerce website and have to be PCI compliant.
- You are an organization that has IR protocols in the event of a compromise.
How Websites Get Hacked
What I find fascinating about website hacks is that they always come down to the same elements regardless of the organization’s size. It does not matter if you are a Fortune 500 or a small business selling cupcakes. The only difference is the why.
In large organizations, it is often because they dropped the ball. They knew exactly what the threat was, but they never thought it would extend to their websites, with the common response being – “I thought someone else was handling it”. When it comes to small businesses, it is often – “Why would anyone want to hack me? I never knew it’d be an issue for me, I’m not Target, I don’t have credit card information”.
Access Control
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in. When I say log in, I mean more than just your website. Here are a few areas to think about when assessing access control:
- How do you log into your hosting panel?
- How do you log into your server? (i.e., FTP, SFTP, SSH)
- How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
- How do you log into your computer?
- How do you log into your social media forums?
The reality is that access control is much more important than most give it credit for. It is like the person who locks their front door but leaves every window unlatched and the alarm system turned off. That raises the question: why did you even lock the door?
Exploitation of access control often comes in the form of a brute force attack, in which the attacker attempts to guess username and password combinations in an effort to log in as the user. You also see various social engineering attempts, such as phishing pages designed to capture a user’s ID/username and password combination, or some form of Cross-Site Scripting (XSS) or Cross-Site Request Forgery (CSRF) attack in which the attacker tries to intercept the user’s credentials via the user’s own browser. There is also the obvious Man in the Middle (MITM) attack, where the attacker intercepts your username and password while you work over an insecure network and your credentials travel from one point to another in plain text.
Software Vulnerabilities
Software vulnerabilities are not for the faint of heart. I would argue that 95% of website owners are unable to address today’s software vulnerabilities; even everyday developers are unable to account for the threats their own code introduces. The problem, as I see it, is in the way we think. It takes a special person to want to break things. Most of us use things as they are designed.
These software vulnerabilities extend beyond the website itself and easily bleed into the various technologies we discussed above (i.e., web server, infrastructure, etc.). Anywhere there is a system, there’s a potential software vulnerability waiting to be exploited. This can also extend to your browser (i.e., Chrome, Internet Explorer, Firefox, etc.).
Exploitation of software vulnerabilities comes in various forms, but for the sake of sanity, we will focus on the website’s own vulnerabilities and not those of the various supporting elements. When it comes to websites, exploitation of a software vulnerability is achieved through a cleverly malformed Uniform Resource Locator (URL) or POST headers. Via these two methods, an attacker is able to carry out a number of attacks: things like Remote Code Execution (RCE), Remote / Local File Inclusion (R/LFI), and SQL Injection (SQLi). There are many other attacks, but these are some of the more common ones we’re seeing affect today’s websites.
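The two exploitation routes just described (brute force against the login, and malformed URLs carrying LFI or SQLi payloads) both leave traces in the web server’s access log. The following is an added example, not code from the article or its authors, showing how a defender might flag both from constructed Apache combined-format log lines. It assumes a WordPress-style login path of /wp-login.php and a threshold of five login POSTs from one IP within a minute; both are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format); not from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2015:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 1520 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2015:10:05:00 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 512 "-" "curl/7.35"
198.51.100.9 - - [10/Mar/2015:10:06:00 +0000] "GET /products.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:10:07:00 +0000] "GET /about/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Request-line patterns for two of the attack classes the article names (LFI, SQLi).
SUSPICIOUS = [
    ("lfi", re.compile(r"\.\./")),
    ("sqli", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]

def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
        entries.append(e)
    return entries

def find_bruteforce(entries, login_path="/wp-login.php", threshold=5, window=timedelta(minutes=1)):
    """Return IPs that POSTed to the login path at least `threshold` times within `window`."""
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"] == login_path:
            by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        j = 0
        for i in range(len(times)):  # sliding window over the sorted timestamps
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def find_suspicious_requests(entries):
    """Return (ip, label, decoded path) for requests whose URL matches a known pattern."""
    hits = []
    for e in entries:
        decoded = unquote(e["path"])  # payloads are often URL-encoded; normalize first
        for label, pattern in SUSPICIOUS:
            if pattern.search(decoded):
                hits.append((e["ip"], label, decoded))
                break
    return hits
```

Real traffic needs more than two signatures and a per-site threshold, but the same shape (parse, group per client, match normalized request lines) is what a website firewall or log monitor does for you.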
Third-Party Integrations / Services
Third-party integrations/services are increasingly becoming a problem. The most prominent form is ads served via ad networks, leading to malvertising attacks. It extends beyond that to services you might use, including things like a Content Distribution Network (CDN), as in the recent Washington Post hack last week.
Third-party integrations and services have become commonplace in today’s website ecosystem, and are especially popular in the highly extensible Content Management Systems (CMS) like WordPress, Joomla! and Drupal.
The problem with the exploitation of third-party integrations and services is that it is beyond the website owner’s ability to control. We assume when we integrate third-party providers that they are ensuring the service we consume is safe, but like everything else there is always the chance of compromise.
How to Protect Your Website
It is easy to read this article and feel overwhelmed, but understand that half of the website security battle is awareness and education. The problem is that it is almost impossible to get in front of enough people to scale awareness and education. Once you get in front of people, the next battle is getting them to care. It is often only after someone feels the pain of a compromise that they begin to care or realize the harsh effects.
The first thing I always like to tell website owners is that security is about risk reduction not risk elimination. You must get your head around this simple fact because there is no such thing as a 100% solution to staying secure. Almost all the tools you employ within your environment aim to reduce your overall risk posture; whether it’s continuous scanning or a more proactive approach such as mitigating incoming attacks.
Here are the tips I tend to offer everyone that will listen when it comes to managing website security:
- Employ Defense in Depth Principles – layers like an onion.
- Leverage best practices like Least Privilege – not everyone needs administrative privileges.
- Place emphasis on how people access your website, leveraging things like Multi-Factor and Two-Factor Authentication.
- Protect yourself against the exploitation of software vulnerabilities through use of a Website Firewall – focus on Known and Unknown Attacks.
- Backups are your friends – your safety net – try to have at least 60 days available.
- Register your website with Search Engines – Google and Bing have Webmaster Tools, leverage their infrastructure to tell you the health of your website.
Security is not a singular event or action, but rather a series of actions. It begins with good posture and the responsibility begins and ends with you. Realize that if you desire to know the How, you will inevitably cross one of the scenarios I described above, and that’s okay!
Thanks for reading!
– Your Trusted Security Professionals
I would agree with you 100%, Tony. I work on websites for clients and have definitely noticed that a lot of sites do not control their site’s access very well. They are also very lackadaisical with regard to keeping the software updated. That alone is one of the easiest things you can do to keep your site secure. Thanks for your research and article above.
Good post; there is also an additional factor to your number 3 point: Third Party Integrations. Most website owners are distant from the developer who created the site.
More especially for CMS content sites. That brings about the issue of constant updating. It’s easier identifying threats on a CMS site due to the community structure that evolves around them. However, a typical website owner has to ensure his software is current with the latest updates. This most owners are guilty of.
Thanks a lot for this awesome post, Tony. It truly resonates with me: I had 3 of my websites hacked and that was a terrible blow to me, because I practically lost everything. Now I’ve learned to be more careful, especially when it comes to backup.
Awesome post, really well explained.
Hi, what if a domain is hijacked to a computer user and not a domain or website owner? Is the article related only to website owners and not general users? Some antivirus tools show that domains are hijacked and so your DNS is vulnerable to DNS hijack; please say.
So instead of owning your debts, you suggest people commit bank fraud? Sounds like a solid plan!