Over the past 7 years, we’ve built, maintained and hosted hundreds of sites. Over that time we spent no more than a day or two each year looking into potential security issues with a client’s website. It simply did not happen much. However, in the past 6 months alone I would estimate we’ve spent 25 days’ worth of work looking into security issues (site hacks, malware injections, etc.). Why the big change? Simple: brute force software. Brute force tools became easy for anyone in the world to download, and anyone with any intention of trying to gain access to a site can get them. When most people think about “hackers” they picture a person or a group of people sitting around deciding who to target. That does happen with certain groups, but they go after well-known corporations (Target) that typically store sensitive information (credit card numbers) on their sites and servers. That’s 1% of the cases. The other 99% are automated: brute force and other bots scan sites all day, every day. ANY site will do for them. Once a bot finds a login page, it can try over and over and over until it gains access. Here’s a good description from InfoSec Institute:
A brute-force attack is when an attacker uses a set of predefined values to attack a target and analyzes the response until he succeeds. Success depends on the set of predefined values. If it is larger, it will take more time, but there is a better probability of success. The most common and easiest to understand example of the brute-force attack is the dictionary attack to crack the password. In this, the attacker uses a password dictionary that contains millions of words that can be used as a password. Then the attacker tries these passwords one by one for authentication. If this dictionary contains the correct password, the attacker will succeed.
Did you catch the part about the dictionary attack? I’ll make it simple. If your website password for WordPress, FTP, cPanel, etc. is a regular word, you will have a problem eventually. We use sites like a random password generator to set up all of our passwords, at least 16 characters long. Yes, they are impossible to remember, but that’s the point. Statistically speaking, they are basically impossible to guess no matter how many attempts are made.
Who Does This?
We install security software on all of our monthly partnership websites. It’s part of what we do: we secure the site and monitor everything. If we see something suspicious, we act quickly, no matter the time of day or night. Let me give you an example. It’s not uncommon at all to see 30 or 40 login attempts from Russia, Eastern European countries or China on ONE site in 10 minutes. 99.9% of the time those attempts fail. In fact, we set our software up to automatically lock out anyone that guesses a password wrong more than 5 times in a row; that IP address is immediately blocked. If you have a website, I can promise you attempts like that are being made, you just don’t realize it.
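The lockout rule described above, worked through as an added example (this is not the agency’s software or any WordPress plugin’s code): each IP gets a streak of recent failed logins, a correct login resets the streak, and once the streak goes past 5 failures the address is blocked for every later attempt, right or wrong. The log format, IP addresses and 10-minute window are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LoginGuard:
    # Failures allowed in a row; one more locks the IP out ("more than 5 times in a row").
    max_failures: int = 5
    # Failures older than this no longer count, so a stray typo last week is forgotten.
    window: timedelta = timedelta(minutes=10)
    failures: dict = field(default_factory=dict)  # ip -> timestamps of recent failures
    blocked: dict = field(default_factory=dict)   # ip -> time the lockout started

    def attempt(self, when: datetime, ip: str, success: bool) -> str:
        """Record one login attempt and return 'allowed', 'failed' or 'blocked'."""
        if ip in self.blocked:
            return "blocked"             # locked out: reject even a correct password
        if success:
            self.failures.pop(ip, None)  # a correct login ends the failure streak
            return "allowed"
        recent = [t for t in self.failures.get(ip, []) if when - t <= self.window]
        recent.append(when)
        self.failures[ip] = recent
        if len(recent) > self.max_failures:
            self.blocked[ip] = when
            del self.failures[ip]
            return "blocked"
        return "failed"


def replay(log_lines):
    """Run constructed 'timestamp ip user result' lines through a guard; return (decisions, blocked IPs)."""
    guard = LoginGuard()
    decisions = []
    for line in log_lines:
        ts, ip, _user, result = line.split()
        decisions.append(guard.attempt(datetime.fromisoformat(ts), ip, result == "OK"))
    return decisions, set(guard.blocked)


# Constructed sample log: an automated guesser (203.0.113.7) and a real user who typos once.
SAMPLE_LOG = [
    "2024-01-15T03:00:01 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:02 198.51.100.4 owner FAIL",
    "2024-01-15T03:00:03 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:05 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:09 198.51.100.4 owner OK",
    "2024-01-15T03:00:11 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:13 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:15 203.0.113.7 admin FAIL",
    "2024-01-15T03:00:17 203.0.113.7 admin OK",
]
```

Running `replay(SAMPLE_LOG)` shows the sixth wrong guess from 203.0.113.7 triggering the block and the later correct password being refused, while the real user’s single typo followed by a good login is allowed.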
Why Do They Want Into My Site?
That’s probably the most common question I hear. “I’m just a plumber, they don’t care about my site.” It’s not what you do for a living they care about, it’s what your site can do for them. If they gain access to any part of your site, they WILL install malware on it. Malware on your site can then spread to anyone that visits it, so the more sites around the world carry their malware, the more visitors will potentially download it to their personal computers. That malware can give a hacker access to your computer. Guess what’s on your computer? Credit cards, social security numbers, bank accounts, passwords… you get the picture. They can also send spam emails out from the site without you even knowing. I’ve seen as many as 900,000 spam messages go out in one day from a site that was hacked. Not good.
What Can I Do?
By taking a few precautions, you can cut back on the possibility of your site getting hacked.
- Hard passwords. They’re the first and best line of defense. Use a site like passwordgenerator.net to get a good hard password.
- Use a password like that for every login page: WordPress, Joomla, etc., and also for hosting logins like cPanel or FTP accounts.
- If your site has plugins or any software (like WordPress) that needs updating, do it now. Outdated software is a backdoor into your site, and leaving it unpatched is a major problem.
- If you think something is strange on your site (weird ads, pages you didn’t create, etc.), call us. The longer it goes on, the more likely your site will end up on a blacklist somewhere. If that’s not resolved, you can get de-listed from search engines like Google. And if you don’t exist on Google, well, you have a problem.