Frankly, no security is 100% secure. As infections continue to surge across the web, and attackers think of more innovative ways to remain undetected, many site owners wonder if they’ll be the next victim. In this article we’ll discuss what to look out for and consider when managing a website, why these hacks may occur, and how to lock down vulnerabilities.
What kind of sites are the most vulnerable?
No site is 100% fully secure because sites are managed by people, and people are fallible. However, some sites are more vulnerable than others, and the goal is not to take these unnecessary risks. How a site is hosted, a shared environment or fully dedicated, makes a difference in its vulnerability.
Additionally, the more control and access a site owner has over their hosting, the more privileges and responsibilities they must be accountable for. This can also lead to errors and increased vulnerability.
Sites built on Godaddy’s website builder, Squarespace, Wix, Weebly, and Managed WordPress manage the core parts on behalf of their customers.
With any website builder service you essentially don’t have to worry about patching or updating anything. Despite having limited access to the server contents themselves however, there can still be an issue of weak passwords.
If you’re using the same predictable password across many sites on the web and those sites experience a data breach, your password could be sold on the black market and used to gain access to your website builder account.
It’s important to check data breach databases regularly, use passwords generated via a password manager and enable Multi-factor authentication (MFA) in every website possible.
Overall, you should consider how much access you need as a site owner, and if all the additional bells and whistles are truly needed. The answer might be different for the startup company versus the large scale corporation.
Having more access/capabilities means you need to dedicate more time to properly manage everything as well as having more responsibility. That is the big trade-off when comparing with website builder scenarios where you almost only have to worry about the content itself.
Why websites get hacked
Site owners always wonder why an infection occurred in the first place, or if they were specifically targeted. Usually attacks are automated when vulnerabilities are found however.
Very rarely is it the site owner being personally targeted, unless a large payout is at stake for the attacker. Generally hacks occur through access control, software vulnerabilities, or third-party integrations. In my previous post, How malware gets on your site, I go over specific details how an infection can end up on a website.
It’s also good practice to get familiar with OWASP Top Security Risks & Vulnerabilities.
Although Sucuri doesn’t provide forensic services to directly answer this, there are tools and services across the web at your disposal which we’ll touch on further.
How to check if a website is hackable
Often businesses will attempt to hack their own site, or hire white hat hackers to hack it for them to determine exactly where vulnerabilities lie. When sites become more complex, there are more points of entry for attackers to take advantage of.
Website vulnerability scanner tools such as WPScan or Out-of-Band Application Security Testing (OAST) are useful additions to any security arsenal.
Hackers will usually attempt to determine the web server type, software, and OS (Operating System) used. Making sure to update any default server configurations is important, as well as checking for unrestricted access to server folders, and any open ports.
It’s also important to consider the level of privileges each user has. You want to implement the privilege of least privilege. Limiting what each user can access to only what they need will minimize the risk of a breach through an account, where eventually an attacker can take advantage of escalated privileges.
If you think you’ve discovered an infection, you can reference our guide on cleaning a hacked site, or have our remediation team handle the cleanup for you.
At the end of the day, hackers don’t think like the rest of us. They will destroy a database or crash a site without batting an eye. In addition to regular testing for site vulnerabilities, site owners should always take extra precautions to ensure their site is as secure as possible.
While handling a site can feel overwhelming, there’s many options and tools you can use to alleviate some of the load. Having a scanner in place will regularly check the site for modifications or malicious scripts. Configuring a Web Application Firewall will ensure any malicious requests don’t reach the site or any content within it that shouldn’t be publicly accessible.
Stay alert for unusual traffic, multiple failed login attempts, and unknown admin accounts, because despite working hard to keep your site as secure as possible, hackers are working just as hard to find new ways in.