Why Did My Website Get Hacked?
I got the idea to write this article from a question I came across in an online forum, where a user was asking, “Can somebody please tell me how my website is getting hacked?”
Apparently, the user’s website was getting hacked far too often and he/she wanted to find out how it was happening. The service provider was of no use or unresponsive, and that made them turn to the forum.
In addition to this question, I would also like to consider the WHY!
So, why would a website get hacked?
Indeed there are many reasons; these are some I could think of in general:
- Most hacking happens because hackers are after information stored on the website, particularly credit card information. Hackers obtain credit card numbers to go on an online shopping spree, using your card numbers for online payments until all the funds are exhausted. Something else they may do is clone your card and do the same in a physical store, with the same devastating effects. They may also sell it to other groups that specialize in this type of crime.
- They may also be after passwords to your online services such as email, online social media accounts and any other passwords that may be stored online for various other uses. For this reason, never use the same password for all your services, and change it from time to time*.
Sometimes, though, the target may not be your website per se. Sorry to burst your bubble, but your website may not be valuable enough to be an attractive target to “professional” hackers. The target may be your hosting provider, which means everyone they host is a potential target.
Not all hacking is done by criminal syndicates though…
You may also have become a victim of a middle school kid who just stumbled on an article that perhaps irresponsibly teaches low-level hacking to anyone who happened to find themselves there. The article may be trying to show how to spot vulnerabilities on a typical website, to teach people how to avoid getting hacked, while inadvertently teaching the bored kid how to cause trouble to pass the time. Welcome to the digital age, where you should be alert at all times!
So now then, how could this poor fellow be getting hacked so much?
To tell you the truth, the ways are innumerable, as I will show you next!
- The website may be missing the index file, as ridiculous as it may sound (I’ve come across plenty, yes!). This file is aptly named index.php, index.html or similar; whatever the extension, it starts with index. If this file is missing, the web server will show a listing of the entire directory, every file and folder in it. While that may not be all that dangerous in itself, it can be a gateway to some other file that gives the “curious” web surfer/hacker more information about what your website’s files and folders contain. In the case of a CMS like WordPress or Joomla!, the config.php file contains a lot of sensitive configuration information and it sits right there in the root folder of the hosting server. So make sure that your website has the index.php file in the root folder of your hosting.
Sorry, but a typo in the file name is the same as not having the file there at all, as far as the web server is concerned. Make sure it is there and working by visiting the website as a normal visitor would.
Why not also go ahead and put a blank index.html in every folder, to prevent someone typing the address of that folder directly and exposing what is in there? They will get a blank page if they try to explore your folders directly instead of following your pre-selected link structure.
- Another way in is an install folder that was not deleted from the server after script installation, so be careful, you DIY’ers out there. Most scripts provided by hosting providers are automated: they delete this folder or prompt you to rename it after installation. If you installed a script yourself from a source other than your hosting provider, pay attention to the configuration messages that prompt you to delete or rename this folder once installation is complete; this is absolutely critical. No running off to do some last-minute shopping before installation is complete, the safety of your website depends on it.
- This should be a no-brainer, but here goes. Forms that don’t validate user input and have no captcha (compare a form that validates and has a captcha in the image above). This is an absolute no-no. Every day I see websites ignoring these two must-haves. My friend, by skipping those essential form prerequisites you are inviting exactly the reckless would-be hacker. Often this happens because of some free theme downloaded online to save costs. Users need to keep in mind that no one will slave for hours to build a theme only to give it away completely free. Know this: a free theme is likely very basic and lacks the complete features of a commercial theme, like, you guessed it, security features! Those forms don’t validate input and there is no captcha. If you like the theme, check the price of the commercial version; it may be very affordable and may also come with free updates.
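A quick way to check the two housekeeping points above (an index file in every folder, and no leftover install folder) is a small audit script. This is an added Python example, not code from the original article; the index file names and installer folder names it looks for are assumptions.

```python
import os
from pathlib import Path

# Names checked (assumptions): index files a web server serves instead of a
# directory listing, and installer folders that scripts commonly leave behind.
INDEX_NAMES = ("index.php", "index.html", "index.htm")
INSTALLER_DIRS = ("install", "installation", "setup")


def audit_webroot(root):
    """Walk the web root and report folders with no index file (these get
    listed by a server that has directory listing enabled) and leftover
    installer folders that should have been deleted or renamed."""
    root = Path(root)
    no_index, installer = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        names = {f.lower() for f in filenames}
        # A typo such as index.htlm is caught here: it is simply not an index file.
        if not any(name in names for name in INDEX_NAMES):
            no_index.append(str(here.relative_to(root)))
        for sub in dirnames:
            if sub.lower() in INSTALLER_DIRS:
                installer.append(str((here / sub).relative_to(root)))
    return {"no_index": sorted(no_index), "installer": sorted(installer)}


def add_blank_indexes(root, dry_run=True):
    """Drop an empty index.html into every folder that lacks an index file,
    the blank-page trick described above. Returns the paths it would create;
    nothing is written unless dry_run=False. Disabling directory listing on the
    server (Options -Indexes in Apache, autoindex off in nginx) is the stronger
    fix and can be used alongside this."""
    created = []
    for rel in audit_webroot(root)["no_index"]:
        target = Path(root) / rel / "index.html"
        if not dry_run:
            target.write_text("")
        created.append(str(target.relative_to(root)))
    return created


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(audit_webroot(sys.argv[1] if len(sys.argv) > 1 else "."), indent=2))
```

Run it against the document root of your hosting account; an empty report means every folder has an index file and no installer folder is left behind.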
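To make the form point concrete, here is an added example (not from the original article or from any particular theme) of the server-side check a form handler should run before accepting a submission: required fields, length limits, an email format check, and a captcha comparison. The field names, limits and the way the expected captcha answer is stored are assumptions.

```python
import hmac
import re

# Assumed field limits for a simple contact form.
MAX_LEN = {"name": 80, "email": 254, "message": 2000}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def validate_contact_form(fields, expected_captcha):
    """Return a list of error strings; an empty list means the submission is
    acceptable. `fields` is the raw POST data as a dict of strings and
    `expected_captcha` is the answer stored server-side (e.g. in the session)
    when the CAPTCHA image was generated; it is never taken from the client."""
    errors = []
    # 1. Required fields must be present and not just whitespace.
    for name in ("name", "email", "message", "captcha"):
        if not fields.get(name, "").strip():
            errors.append(f"{name}: required")
    # 2. Length limits, so a bot cannot push megabytes into the database.
    for name, limit in MAX_LEN.items():
        if len(fields.get(name, "")) > limit:
            errors.append(f"{name}: longer than {limit} characters")
    # 3. Format check; CR/LF in an address is the classic mail header injection.
    email = fields.get("email", "")
    if email and (not EMAIL_RE.fullmatch(email) or "\r" in email or "\n" in email):
        errors.append("email: not a valid address")
    # 4. CAPTCHA: constant-time comparison against the server-side answer;
    #    a missing server-side answer (expired session) is also a failure.
    given = fields.get("captcha", "").strip().lower().encode()
    if expected_captcha is None or not hmac.compare_digest(
            given, expected_captcha.lower().encode()):
        errors.append("captcha: wrong or missing")
    return errors


if __name__ == "__main__":
    # Constructed sample submission, not real data.
    sample = {"name": "Ann", "email": "ann@example.com",
              "message": "Hello", "captcha": "X7Kq"}
    print(validate_contact_form(sample, "x7kq"))   # [] means accept
```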
As I said, there may be many reasons a website gets hacked; some of them are within your control and some are not. The basic tenet is that if it’s online, it needs to have proper security built in and kept up to date.
Another that just came to mind: watch out for the disgruntled and vindictive I.T. guru you fired some time ago. Change your passwords and revoke the privileges of ex-employees immediately after letting them go, and screen your potential employees properly before hiring them, okay!
Lastly, it may be smart to spend a little money to have peace of mind that at least your theme has no vulnerabilities and receives the necessary security patches. While this article explains some weaknesses in websites that may lead to them getting hacked and how to get them fixed, the list is not exhaustive. Please consult a professional if you have genuine concerns about getting hacked, and notify your hosting provider.