How Was My Website Compromised?
In this tutorial, we will look at several methods that are used to compromise a website. In today's world, websites use multiple procedures that represent the core functions of a modern business. Whether you have an eCommerce site or a business card site, a website is essential for driving business growth. We can safely state that a website is a unique image of your respective business.
As technology advances, it also brings a rise in new threats and exploits. Specific individuals or groups can exploit business owners to wreak havoc or financial gain. With so many websites, there is a real possibility that a business can quickly become the target of malicious individuals. This article will provide insight into how a site is breached and what you can do to prevent it.
Imagine a scenario where you wake up and go to your website, and find nothing there. Or, you see a message saying that you need to pay money to get your data back. Scary stuff indeed, so where did it go wrong?
A False Sense of Security
This one is pretty straightforward. We often read about hackers targeting governments and big companies. You may think, “I'm too small to get hacked.” Well, that is wrong. In 2019, 43% of attacks conducted were targeted on small businesses, not just in the United States, but worldwide.
The logic behind this is simple: big companies and governments tend to invest a lot more in cybersecurity. They have an entire IT security team continually monitoring the site. They continuously keep up on new exploits that are out there. So, when looking at a situation like that, hackers need a lot less effort to break into smaller companies and steal login credentials, card numbers, or install ransomware. So, in conclusion, no business is too small to get hacked potentially.
Local Computer Infections
When a breach happens, people tend to look at the servers. This seems logical, but servers are not easy to breach if appropriately secured. People often forget about the possibility of compromises, which occur if a random link of unknown origin in an email is clicked. This action can compromise a computer and allow malicious party access to an entire website.
To prevent this from happening, ensure that you are only accessing files from trusted sources. Keep your Antivirus software up to date and run regular scans on your local computer. To prevent infections of smartphones, laptops, and other wireless devices, use only trusted wireless networks. Limit personal info sent over an open network used in airports or coffee shops. Employ a VPN for any connection you are unsure of. Open networks like this present a genuine danger of being intercepted if it traverses an insecure network. This brings us to another possible attack vector called "Man-in-the-middle" attack.
Man in the Middle Attack
A “Man-in-the-middle” attack vector is considered one of the oldest means to obtain information surreptitiously. This approach consists of an attacker eavesdropping on a manipulated connection between two computers. This attack vector gathers login information transferred between a user and a non-SSL protected website. There are multiple SSL solutions available to secure and encrypt data, which aids in preventing this type of attack.
Content Management Systems (CMS) allow us to manage multiple aspects of your website. There are numerous CMS systems like WordPress, Magento, Joomla, Drupal, and WooCommerce, which should be updated regularly. These updates correct many security issues, so keeping your CMS up to date is critical.
Another attack vector is via compromised or poorly written plugins. While plugins can improve a website’s overall functionality and appearance, they need to come from trusted sources. Private individuals or small companies that create free plugins often do not have the core developer support like the paid plugins. Additionally, many free plugins can be downloaded and modified by a malicious individual. They then re-upload it back to the web where unsuspecting users place it on their sites only to be compromised. We are not advocating for using only paid plugins. We are saying that plugins need to be installed from a trusted source. To defend against this type of threat, make sure that your CMS, themes, and plugins come from a trusted source and are up to date.
Brute Force Attack
This attack vector consists of a rapid trial and error method to gain access to a site. Brute force relies on weak usernames and passwords to gain access to a site. A hacker uses an automated script to try out various combinations of usernames and passwords. An example of this would be when using WordPress as your CMS. The default username is admin, and if that option is not modified, hackers can guess the username and then try different passwords.
The most effective way to prevent brute force attacks is to limit the maximum number of login attempts. Using strong passwords that are 12-16 characters is mandatory. Passwords should also be a combination of upper and lower case letters, numbers, and special symbols. There are many strong password generators on the web that you can use. Lastly, NIST has approved the use of a password manager to store passwords securely.
Using form auto-fill is very convenient for the users, but this can pose a security risk. If a user’s local computer is infected, an auto-fill form can be used to access a website without issue. Best practice indicates that we should remove those and have users input their usernames and passwords manually.
Remote Code Execution
Remote code execution is an attack vector where hackers can run an unknown malicious code, injecting the site and potentially the server. Until now, this remains one of the more common attack vectors. To simplify, malicious code is presented as valid to the server, which then runs it and grants or raises privileges allowing someone to get access. There are multiple methods of code injection that are exploitable. The best way to defend against this kind of attack is to keep your services up to date.
Cross-Site Scripting (XSS)
When the users run the code, it can compromise their interaction with the website or web application, allowing the attacker to gather sensitive data, inject malware, or impersonate the user. This attack can be particularly nasty to defend against. Still, there are ways to improve our defenses. We can filter input data on arrival, use appropriate response headers, apply content security policy, and encode data on output. In case you are using WordPress, the Liquid Web KB provides a guide on preventing secusame-originevent XSS attacks.
DNS Spoofing (DNS Cache Poisoning)
This type of attack consists of injecting corrupt DNS data into a resolver. The poisoned resolver then sends traffic from a legitimate site to a malicious website. At first glance, this does not seem to be related to a website compromise. Still, a legitimate user who enters his credentials in a malicious website will open an access route to the website for the attacker. While not common, many small websites will use custom resolvers as a defense against this issue. They set a short TTL time and then clear the cache regularly.
Social engineering techniques
Sometimes the most vulnerable element is the human factor, and as such, the attacker will try to exploit that to get access to sensitive data. While this technique is not very technical, it does pose a real threat to security. Typical attack types are:
- Phishing: This method consists of the attacker sending out emails that look like they came from a trusted source. It infects the victim’s computer or tricks the user into providing credentials. There are automated solutions to gather large amounts of email addresses from social networks or business networks like LinkedIn. Once an attacker has a large enough database of potential victims, he will send out emails until one of them gets caught.
- Baiting: This is an “old school” technique but still quite effective. It consists of an attacker leaving an infected USB device in a public location. If someone picks it up and plugs that device into a local computer, it will transfer malware to a local machine. This malware grants access to the attacker. This type of attack is mostly targeted at larger companies, but it is good to know of its existence.
- Pretexting: While this attack is the least tech-savvy of the three, it can still come as a surprise. An attacker will contact you or your employees under the pretext of being someone else and merely asks for information.
The best defense from social engineering attacks is educating everyone involved in your day to day business interactions about these types of attacks.
Non-Targeted Website Attacks
This assault relates to the first step in this article. Your website may not be a direct target, but it can fall victim to the vulnerable software it uses. Attackers can create and utilize software that will search the internet for specific vulnerabilities in a plugin, theme, or CMS. Since these types of incursions are developed explicitly for a pointed strike, your site can be targeted for that hit. Again the best defense is to have your CMS, plugins, and themes up to date and only install reputable software from trusted developers.
While there are many types of attacks and exploits out in the wild, the great majority of them exploit human weakness. Elements that count on updated services may not be updated, therefore allowing for all sorts of exploits. As stated earlier, a website is a reflection of your business, and as such, it is crucial in today’s world, so its security should also be necessary.
Is there a 100% solution to server security? Unfortunately, no. But there are ways of defense that can be introduced. As always, Liquid Web is here for you and your business with our server protection package. In case everything else fails and your website still gets compromised, the most straightforward solution is to restore it. For that reason, backups are a vital part of any hosting plan. These will provide a fail-safe in case of injection. Liquid Web can help you with our wide variety of backup options like cloud server backups or Acronis cyber backups for dedicated servers.
How Can We Help?
We pride ourselves on being The Most Helpful Humans In Hosting™!
Our Support Teams are filled with experienced Linux technicians and talented system administrators who have intimate knowledge of multiple web hosting technologies, especially those discussed in this article.
Should you have any questions regarding this information, we are always available to answer any inquiries with issues related to this article, 24 hours a day, 7 days a week, 365 days a year.
If you are a Fully Managed VPS server, Cloud Dedicated, VMWare Private Cloud, Private Parent server, Managed Cloud Servers, or a Dedicated server owner and you are uncomfortable with performing any of the steps outlined, we can be reached via phone at @800.580.4985, a chat, or support ticket to assisting you with this process.
- How to Force HTTPS For Your Domain
- 2 Methods of Checking Apache Version
- How to Install Adminer MySQL Database Management Tool on AlmaLinux
- How to Edit the PHP Memory for Your WordPress Site via WP Toolkit
- 4 Methods for How to Install Yarn on Windows Server
- How to Install Bpytop Resource Monitoring Tool on AlmaLinux
About the Author: Danny Jensen
I am a 29 years old Linux admin, techie and nature lover who loves solving puzzles. When I am not behind the keyboard you can find me in the woods but I will still probably be thinking about that server or that ticket I saw today.
Our Sales and Support teams are available 24 hours by phone or e-mail to assist.
How to Force HTTPS For Your DomainRead Article
What is CGI-Bin and What Does it Do?Read Article
Top 10 Password Security StandardsRead Article
Top 10 Password Security StandardsRead Article
How to Use the WP Toolkit to Secure and Update WordPressRead Article