This originally appeared as part of the article “Typewriters and Lint Balls and Ice Cream, Oh My!” Novelty Many of us worked in fast...
I’ve long considered these evil hacker folks to be pirates, sneaking in and stealing the booty of your lovely website and leaving disaster in their wake.
To protect your site against hackers, it’s important to understand why they do what they do and how they perform their trade. We’ve gone so far as attempting to hack our own sites to better understand the minds of our opponents. In our Zen journey to become one with the hackers, we’ve learned a few tricks.
Hackers are usually out for more than just kicks.
They want information. They hack to gain financial or login information. If a hacker is phishing, he or she may replace your “pay now” link with another that directs to his or her website. The payment pages look the same to the viewer, but the information is sent to the hacker instead.
They want to promote their website. Hackers may add links to your site to try to boost SEO for their own site. They often do this by gaining access to your site via your admin portal.
They want to distribute an email message. Many servers and website development platforms have the capability to send email. Hackers harness this ability to send SPAM to promote products and spread malware or viruses.
They want to make a statement.
Some hackers are just kids breaking into sites for attention and bragging rights, while others organize into groups and break into sites to make a social or political statement.
This is the most common approach for many platforms. The hacker attempts to log in to your website admin section using a combination of usernames and passwords. After he or she successfully logs in, the hacker modifies your site or site code, usually by adding links to existing content.
Hackers run scripts to automate Web server login attempts, trying alternate usernames and passwords until they identify a successful combination. Then they can log in and add files or make changes to your website code to execute a hack, sending emails or spreading malware.
Most development platforms offer a way to extend the functionality of the core program using plugins. Some hackers target commonly used weak plugins to exploit a specific vulnerability to gain access to your hosting space.
1. You’re running an outdated version of your website software. Each new release of open-source software is accompanied by an announcement and noted in a change log, telling the public, hackers included, what was modified in each version. The list gives hackers insight into the vulnerabilities of older versions of the software, like a road map telling them where to attack for best results.
2. Your login ID is “admin.” One of the most common ways to hack a site is running a script against the username ADMIN to find a corresponding password. If you don’t have the username ADMIN, the hacker has to guess both the username and password, so it’s twice as hard to get in.
3. You have outdated or unused plugins. Outdated plugins pose the same risk as running outdated software, especially if the plugin you’re using is popular. These commonly used plugins are targeted because they grant hackers a larger audience by allowing them to easily replicate the hack on sites running outdated versions. Also, consider deleting any plugins you don’t use. This requires less time to keep the plugins up to date and keeps the site tidy.
5. Your domain name accidentally spells something naughty. Hackers aren’t the most wholesome bunch; they do make their livings causing others grief. The sites they choose to target must be found somehow, and those sites with unknowingly naughty names, however wholesome the actual company, may be at greater risk for hacking than others.
6. Your password is your pet’s name or your daughter’s name. The most common passwords are those including 123, abc, pets’ and children’s names. Build a strong password that’s not easy to guess. Include an uppercase and lowercase letter, number and symbol.