How and Why Do Websites Get Hacked and How You Can Stop It
Your business website is probably one of the most important marketing assets that you have online. It tells visitors what you do, the services or products you offer and how to engage with you.
A well-designed website should enhance your reputation and send signals that you are a business worth engaging with. Unfortunately, your website is also part of the internet and that means it is potentially vulnerable to cyberattacks.
The problem is that many businesses, particularly smaller ones, don’t take the potential for hacking seriously enough – they do the basics but they often don’t put together a full and coherent strategy for keeping their website safe.
According to the stats for 2022:
- Websites are involved in around 43% of cybersecurity breaches.
- A study of 7 million websites found that, on average, they experienced 94 attacks a day.
- More than 12 million sites worldwide are infected with some kind of malware.
If you are hacked, criminals can access your data, change your website content and even close your site down. Hacking not only puts customer data at risk but can also seriously damage your reputation, making people reluctant to engage with you once news gets out that your site is not secure.
Why Do Websites Get Hacked?
There are several reasons why a website might be targeted. You are more likely to be the victim of cybercriminals looking for personal gain. They might, for example, destroy, modify or steal the data you have on your site or even hold your business to ransom by denying access to your pages.
There are also hacktivists, people who disagree on ethical grounds with what your business stands for and want to disrupt it. There may be disgruntled past employees who want to get their own back.
While a few businesses might be the victim of a direct hacking attempt by an individual for personal or ethical reasons, the biggest threat is from bots that crawl the internet looking for weaknesses in sites and exploiting them. If you are a small business, you may not even know that you have been hacked and that someone else is accessing your information or using your site for nefarious purposes.
How Do Websites Get Hacked?
Here are just a couple of scenarios:
- Your website is hacked. The hacker gains access and changes some links on your website, redirecting traffic to a phishing site or one that is designed to get your customers to spend money. You remain unaware of this but you start losing customers and revenue. Your reputation also becomes severely damaged.
- Your website is hacked and closed down. Customers can’t access it and neither can your staff. A ransom is issued telling you to pay a certain amount to get the website released. You have no choice but to pay. In the meantime, the news gets out that your website has been hacked, making customers reticent about doing business with you.
There are lots of different ways to hack a website and most will cause major problems for your business. A hacker might get into your site and simply replace links, redirecting them to other products or sites that the individual benefits from.
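One way to notice swapped links before customers do is to compare every outbound link on a page against the hosts you expect. This is an added example, not code from the original article; the host names, sample pages and function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect every href/src/action URL found in a page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                # Resolve relative and protocol-relative URLs against the page.
                self.urls.append(urljoin(self.base_url, value))


def unexpected_hosts(html, base_url, allowed_hosts):
    """Return the sorted hosts linked from the page that are not allowlisted."""
    collector = LinkCollector(base_url)
    collector.feed(html)
    found = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for mailto:, tel:, etc.
        if host and host not in allowed_hosts:
            found.add(host)
    return sorted(found)


# Constructed sample data: the hosts this site is meant to link to,
# the page as last reviewed, and a tampered copy with two injected tags.
ALLOWED = {"shop.example", "payments.example"}
CLEAN_PAGE = ('<a href="/products">Products</a>'
              '<a href="https://payments.example/pay">Pay</a>')
TAMPERED_PAGE = (CLEAN_PAGE
                 + '<a href="https://login-check.invalid/pay">Pay now</a>'
                 + '<script src="//cdn.unknown.invalid/x.js"></script>')

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, unexpected_hosts(page, "https://shop.example/", ALLOWED))
```

Run on a schedule against your live pages, a non-empty result is a prompt to review what changed and who changed it.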
In some cases, a hacker may change the design of your site and insert unsavoury images. Another approach is called denial of service, where they stop the server from being used, which means you can’t carry out any business online and customers can’t access your site.
Methods of access include brute force attacks which sound violent but just mean that a bot or individual tries to guess the login details for the site.
Most websites have some form of vulnerability, which is why we have virus protection to help mitigate this. These weaknesses can be found everywhere, including in the web development frameworks, content management system, and server infrastructure.
Using shared hosting, though cheap for small businesses, does increase your vulnerability to hacking as you share the space with lots of other websites. Adding plugins to your site can also increase your risk of being attacked. Picking the wrong host that doesn’t have robust security measures in place can also cause problems.
One of the most common types of hacking is through the use of ransomware. This gets into your website infrastructure and means no one can access it until your business pays up a ransom to release it. It’s no surprise that these types of attacks have increased dramatically during the pandemic with many people working from home.
Are Small Businesses at Risk?
There’s a common misconception that smaller businesses with lower turnovers are at no greater risk from hacking than larger corporations.
This is a complete fallacy. First of all, most hacking is carried out by software. There probably isn’t some shady individual somewhere trying to get into your website or computer system at all – it’s entirely automated in most cases. These clever bits of software perform hundreds if not thousands of hacking attempts on websites in a second. They target any site where there is a weakness.
Most large corporations have high-level security in place to prevent hacking anyway which makes them less attractive for hackers who are generally looking for an easy win. Of course, the measures that large businesses have in place don’t always work. That’s why we often see them mentioned in the news when, for example, data has been stolen or their website has been crashed. Unfortunately, it also reinforces the lie that larger corporations are more at risk.
Smaller websites, unfortunately, don’t put in all the security measures they need to and are potentially at much greater risk:
- A study by IBM estimates that the average cost of a data breach for small businesses is $2.9 million.
- Another study, by Bullguard, suggests that almost 50% of small businesses don’t have a cyber strategy in place to combat hacking.
In short, if you’re an SME and you’re thinking this won’t happen to me, then you are 100% wrong.
Things You Can Do to Prevent Your Website Being Hacked
The sad truth is that hackers are getting ever more sophisticated in their attempts to break into other people’s websites. It’s a constant technological battle to stay ahead of them and ensure that everyone stays safe.
The good news is that, while smaller businesses don’t have the financial capabilities of large corporations, several things can be done to help protect their websites.
1. Choose Your Host Wisely
The first thing you need to consider is the host for your website and the type of hosting package you choose.
Do your due diligence and see what types of businesses are using the service itself and what they say about security. If you can, avoid shared hosting and opt for VPS or a dedicated server instead – it’s more expensive but certainly more secure.
Of course, many starter businesses begin with shared hosting for financial reasons – they only start to look at other, more secure options once they have gotten off the ground. It’s important to bear in mind, however, that there are risks involved and you need to weigh these up carefully.
2. Be Careful of Themes and Plugins
These are created by third parties and, however good they look, they can contain malicious code or weaknesses that make your website vulnerable to cyberattacks. This is why it’s much better to work directly with a web designer who can ensure that your site is fit for purpose and has all the bases covered.
This is especially true when you are setting up your website and if you don’t have design ability on board in your business. Getting things right from the outset can save you a lot of issues later on. Themes and plugins are generally developed as open-source and there are thousands to choose from, so it can be pretty confusing for business owners.
3. Install Security Plugins
Depending on what platform you are using, there are various plugins available to provide additional security for your site. These include iThemes Security and Bulletproof Security for WordPress and WatchLog Pro for Magento, the online shopping platform. These plugins are designed to mitigate any inherent vulnerabilities in the platform.
Again, if you are using a website designer, it’s worth talking through the options with them so you get the right level of security for your site.
4. Switching to HTTPS
Do a quick search on the internet and you’ll find sites that start their URL with HTTP and those that start with HTTPS.
The latter is more secure because it has an SSL certificate attached to it. This essentially means that when someone sends information to your website (for example, payment details) it is properly encrypted so that third parties or hackers can’t see it. Even if you don’t take payments or collect data (for example, if you’re a service site like a solicitor or accountant), it pays to have an SSL certificate.
Why? Search engines in recent years have begun to take website security much more seriously which means you are likely to rank higher with HTTPS than HTTP. Irrespective of this, you’ll certainly be more secure and it shows customers that you are a reputable site. The good news is the cost of an SSL certificate is relatively minimal and with many hosting packages, it comes free.
5. Keep Up-to-Date
Whether it’s your home computer or your business website, the mantra should always be to keep your software and website platform up-to-date.
Many tools used in web design are open source and can come with vulnerabilities that we can’t even see. There are generally updates available and you should either make these automated or ensure that you download the new version as soon as it is available. These updates usually contain things like patches that are designed either to improve software performance or update the security.
6. Use Secure Passwords
It sounds so simple but this is a real bugbear of security specialists all around the world. Passwords are the easiest gateway to your site and you need to make sure they are robust enough to withstand the advances of a hacker.
The days of simply typing something like ‘admin123’ are long gone for most businesses but still, we see poor password practice across a range of sectors.
First of all, if several people in your business have access to your website then you need to implement a rigid password policy. According to Avast, these simple steps should make it less easy for hackers to guess your password:
- Make it long – ideally, your password needs to be about 15 characters.
- Use a mix of characters including numbers, capital and small letters and symbols.
- Avoid substituting common numbers for letters such as 8 for B as these are easily guessed.
- Avoid ‘memorable’ keyboard paths, for example using QWERTY as these again are easily guessed.
It’s important to note that one weak password used to access your website can make it 100 times more likely to be hacked.
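The four rules above can be enforced in code when a staff member sets a password. This is an added example, not code from the original article or from Avast; the word list, the substitution table and the four-key threshold for a keyboard path are assumptions chosen for illustration.

```python
import re

# Constructed sample data: a tiny stand-in for a real common-password list.
COMMON_WORDS = {"password", "admin", "welcome", "letmein", "bristol"}
# Keyboard rows used to spot "memorable" keyboard paths such as QWERTY.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common number/symbol-for-letter swaps, undone before the word check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 15   # "about 15 characters", per the list above
WALK_LENGTH = 4   # assumption: 4 or more adjacent keys count as a path


def has_keyboard_path(password):
    """True if the password contains a run of adjacent keys, in either direction."""
    lowered = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - WALK_LENGTH + 1):
                if seq[i:i + WALK_LENGTH] in lowered:
                    return True
    return False


def check_password(password):
    """Return the list of policy rules the password breaks (empty means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        problems.append("missing character class")
    if has_keyboard_path(password):
        problems.append("keyboard path")
    # Undo substitutions so "P@55w0rd" is treated like "password".
    normalised = password.lower().translate(LEET)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("common word behind substitutions")
    return problems


if __name__ == "__main__":
    for candidate in ("admin123", "P@55w0rd!Qwerty2024", "Teal-Kettle_92!harbour"):
        print(candidate, check_password(candidate))
```

The second sample is long and mixes every character class, yet still fails, which is why the substitution and keyboard-path rules matter alongside length.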
7. Hire an Experienced Web Designer
Whether you’re a small business or a start-up, getting the building blocks in place for your website is important. Working with an experienced web designer has several advantages, not least providing you with a site that is tailored to your needs and your business goals.
A competent web designer will also be able to implement the appropriate security measures that prevent your site from being hacked. That may range from advising on an appropriate host to creating a bespoke site that doesn’t have underlying security issues from the very start. For example, most sites nowadays are connected to some form of database and the role of the designer is to make this process as secure as possible.
Understanding your risk and the potential of your website to be hacked by third parties is critical. It’s important to have a strategy in place and to be aware of the challenges. It’s not simply a case of putting a few elements in place and hoping for the best but a constant ‘battle’ to maintain the integrity of your site.
Speak today to Bristol Web Designer Ben Smith if you have any questions.