Security of websites has always been important, but in recent years it has become a much bigger issue due to the complexity of websites and the infrastructure that serves them. On average 30,000 new websites are hacked every day. (Source: Forbes)
There are many high-profile examples of websites being hacked in recent times. Myspace, Facebook, Twitter, MyFitnessPal, eBay, and Uber are just some of the biggest names that have fallen victim to data breaches via their websites. If you own a website, there is a question that may come to mind when reading that list of names:
Hackers have a reason to target a large, well-known website, but why would they target my small website?
This is one of the biggest misconceptions among owners of small websites, and the simple answer is that you can be hacked without being targeted at all. Most website hacking incidents are not targeted attacks on high-profile websites where the hackers are after something specific. The vast majority are opportunistic: the hackers are not after anything in particular and will hack into a website simply because a vulnerability gives them the opportunity. The most common way websites get hacked is by automated tools. Hacking websites with automated tools is popular because hackers can cast a wide net with little effort. They are not targeting you specifically, but as long as your website is publicly accessible on the internet, they can find your website and exploit any security issues it may have.
Security vulnerabilities are found every day in all of the popular content management systems (CMSs) such as WordPress, Joomla and Drupal. These vulnerabilities are normally in modules, plugins or add-ons as opposed to the CMS itself. WordPress has a much higher volume of vulnerabilities than other CMSs, and because WordPress accounts for around 40% of all websites on the internet, that’s a lot of vulnerable websites out there. Hackers simply run automated scripts that look for known vulnerabilities, and when they find them, they target your website.
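To see this untargeted scanning from the site owner's side, the following added example (not part of the original article) reads a web server access log and flags clients that mostly request pages the site does not have. The log lines, IP addresses, thresholds and the function name `find_probing_clients` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access log (Common Log Format). IPs come from
# documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
203.0.113.20 - - [10/Mar/2024:09:00:01 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.20 - - [10/Mar/2024:09:00:05 +0000] "GET /about HTTP/1.1" 200 2048
203.0.113.20 - - [10/Mar/2024:09:00:06 +0000] "GET /favicon.ico HTTP/1.1" 404 162
198.51.100.7 - - [10/Mar/2024:03:14:01 +0000] "GET /wp-login.php HTTP/1.1" 404 162
198.51.100.7 - - [10/Mar/2024:03:14:01 +0000] "GET /wp-admin/ HTTP/1.1" 404 162
198.51.100.7 - - [10/Mar/2024:03:14:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 162
198.51.100.7 - - [10/Mar/2024:03:14:02 +0000] "GET /administrator/ HTTP/1.1" 404 162
198.51.100.7 - - [10/Mar/2024:03:14:03 +0000] "GET /user/login HTTP/1.1" 404 162
192.0.2.44 - - [10/Mar/2024:11:30:00 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.44 - - [10/Mar/2024:11:30:09 +0000] "GET /old-page HTTP/1.1" 404 162
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"[A-Z]+ (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def find_probing_clients(log_text, min_missing=4, min_ratio=0.8):
    """Map each client that mostly requests nonexistent pages to those paths."""
    total = defaultdict(int)
    not_found = defaultdict(int)
    missing_paths = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        ip = m["ip"]
        total[ip] += 1
        if m["status"] == "404":
            not_found[ip] += 1
            missing_paths[ip].add(m["path"].split("?", 1)[0])
    return {
        ip: sorted(paths)
        for ip, paths in missing_paths.items()
        if len(paths) >= min_missing and not_found[ip] / total[ip] >= min_ratio
    }

if __name__ == "__main__":
    for ip, paths in find_probing_clients(SAMPLE_LOG).items():
        print(f"{ip} probed {len(paths)} pages this site does not have: {paths}")
```

In the sample, the flagged client never requests the home page and asks for login pages belonging to several different CMSs, none of which this site runs, which is what untargeted scanning looks like in a log.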
What about completely custom-built websites that don’t use a popular CMS? Surely if it’s not a well-known platform then hackers won’t know about any vulnerabilities? This kind of thinking is a big mistake. It’s known as “security by obscurity” and is almost always a false sense of security. If you have a completely custom-built website that doesn’t use a CMS like WordPress, then it will have been developed by a very small number of people and will receive nowhere near the same scrutiny that more well-known systems do. Drupal, for example, has an entire security team that spend their time testing and looking for security flaws. The chances are there could be numerous security flaws in a custom-built website that the developers aren’t aware of, because there aren’t enough eyes on the code. As for the hackers not knowing about the vulnerabilities, their arsenal of automated tools is not limited to looking for known and published vulnerabilities in the likes of WordPress. They have tools that can seek out flaws in generic website code and hosting platforms, and because there are no security teams or hundreds of developers looking out for issues, your custom-built website could easily be hacked and you may never know.
The security of the server your website is hosted on can also be an entry point for a hacker. Your website itself could be completely secure, but if there are flaws in the security of the server then a hacker could obtain full access to your website. If you are on shared hosting with any of the well-known hosting companies, you also run the added risk that another website on the same server is vulnerable, leading to the whole server being compromised.
What kind of damage can the hacker do?
If you have an ecommerce website the consequences are obvious. A hacker could obtain payment details from your customers, or gain access to your own payment systems or merchant account. Even if you don’t have an ecommerce site, there can be severe consequences if you store any kind of data provided by users. With the advent of GDPR data protection laws, any breach of data could result in big fines for your business. Even if you don’t sell anything online or store any kind of data, a hack can still result in lost business or damage to your reputation if the hacker redirects your website to another address or simply defaces your website displaying offensive material.
So, what can you do to prevent your website from being hacked?
- Build your website on a system that is known for robust security, like Drupal.
- Ensure that your website is kept up to date with any security patches that are released. If you don’t have the skills to do this yourself, hire someone to do it for you, or set up a maintenance & support plan.
- Don’t host your website on a shared server with other unknown websites provided by a large web host. Instead, hire a managed dedicated server or purchase a managed web hosting service from a web design company that can control what is on the server.