“Why would hackers attack my website?” is the question I asked myself when I saw a huge spike in malicious activity. My site is relatively small, and although I’d like to say I get hundreds of page views a day, I (at the time of writing) don’t. Much of the attacks are clearly automated, but occasionally there’s an attempt to breach my site that appears to be a manual attack. So what’s going on?
Why do hackers try to hack websites?
Although there are occasionally news headlines of a major website hack, such as the Talk Talk hack where customer data was stolen, there’s actually a number of reasons why hackers hack websites, and the reasons shed light on why even small sites can be targeted.
1. Just because they can
A number of hackers will simply try to hone their skills by attempting to access websites. These people probably aren’t after information, just bragging rights. They’ll probably deface your website, but these breaches could be costly to you as may lose website data and have to recreate part or all of your site.
2. To steal data and information
I’ll refer to the Talk Talk hack once more. The hackers took a wealth of customer data, and although they may or may not have used this information themselves, what they did do was make the information available for sale. Scammers then bought this data and used it scam people. Some Talk Talk customers reported receiving calls from people purporting to be from Talk Talk, who then tried to get those people to disclose credit card details.
3. Hosting objectionable or illegal content
Rather than paying for a hosting service which may leave the hacker easily traceable, they may want to use your site to host the content instead. That way they can’t be traced.
4. Search Engine Optimisation
Having other sites with links pointing back to your site is good for SEO, so hackers may attempt to inject links in order to fool search engines. Links often lead to sites that offer counterfeit goods, or illegal services. They could also point to malicious websites that download viruses onto the visitors computer.
Maybe instead of trying to get visitors to visit a malicious websites, hackers could insert malware into your site so that your site infects visitors’ computers. Needless to say, your website will soon be flagged up as malicious, doing your reputation harm.
6. Sending Spam
Servers which send out lots of spam are usually soon blacklisted, so in order to keep sending out spam, hackers can compromise your site and then use your server to email out their crap. This will get your site IP blacklisted, and if you use shared hosting, lots of other sites can be affected, meaning the site owners and your hosting provider will suffer.
7. Creating a botnet
If hackers gain access to your site, it can be used as part of a greater botnet that can then be used to carry out malicious actions against other sites, such as a distributed denial-of-service (DDoS) attack. Botnets make malicious activity harder to stop, and harder to trace.
8. Renting out our server
Rather than using your compromised site to carry out malicious activities, hackers may rent out your server to people who do want to use it for sending out spam etc.
Why do hackers target WordPress?
The short answer is because WordPress is very popular. It’s easy for hackers to create a bot which can then be used to target a large number of sites. Other content management systems (CMS) are also targeted, so it’s not just WordPress.
How do I protect my website?
It’s important to take steps to protect your website and server. Here are some important pointers.
Use strong passwords
Even now, many people fall victim to brute force attacks (where hackers will simply keep guessing passwords) because they use weak passwords, such as ‘123456’ or even ‘password’. Ideally passwords should be longer than 10 characters, user upper and lowercase letters, include numbers, and also special characters like exclamation marks. Some experts argue that passwords based on phrases or made up of multiple words, for example ‘railroad consolidation network’, are more secure than random strings of characters, as well as being easier for you to remember.
Keep your CMS, themes and plugins up-to-date
It’s not just aesthetic and functional changes applied during updates, security holes are also patched up, that’s why it’s important to keep everything up-to-date so that hackers can’t exploit them.
It’s equally important to keep unused item up-to-date, or better yet, remove them completely if you’re not using them. They can still prove to be a weakness if they’re installed.
Avoid default usernames
Hackers will try to exploit default information where possible, so if your username is ‘admin’ you’re leaving yourself wide open. Custom usernames can still be found by those who really want to, but simply changing the default username will stop some bot attacks.
Rename or move your login page
Some CMS (e.g Prestashop) demand that you create a unique URL for your login page, with WordPress, you’ll have to use a plugin. As with usernames, this isn’t the one thing that will protect your site, but it just makes things a little more difficult for hackers.
Stop brute force attacks
Some hosting providers already have systems in place to stop brute force attacks, but not all. When I was with my previous provider there was a brute force attack on their website and someone managed to access my email. The hackers sent a few spam emails before I caught on and changed my passwords. Fortunately no real damage was done. It’s an increase of brute force attacks on my website which prompted the writing on this article. Over the past few days I’ve had an increase of attempts to access my site made by people in Brazil, Russia, China, USA, Ukraine, Czech Republic and France. Some of these are obviously just bots, but some have been manual attacks.
I use Wordfence to protect my website, and recommend it to other WordPress users. The free version of the plugin is extremely good. It’s useful to stop all kinds of malicious activity.
Another useful way to stop against attacks is to use a system that stops automated submissions. Google’s Recaptcha is very good at this. Not only does it stop bots, it slows down manual hack attempts too.
It might surprise you that nearly everything on the internet is under attack pretty much all the time. (I’ve just checked the live traffic to my site this minute to see someone from Poland access my login page and attempt to gain access.)
Most attempts are just probing for weaknesses, or are pretty basic, but you should take website security very seriously. It’s better to protect against it rather than try and cleanup afterwards.