How hackers can tell if your website is a good target

Products mentioned
An ounce of prevention is well worth it

Hacking is big business, earning cybercriminals hundreds of billions of dollars around the world every year. Your website is a constant target.

In Canada, 25% of businesses experienced cyberattacks in 2020.


Five percent of those attacks were successful, according to a report on cybersecurity infrastructure by the Canadian Federation of Independent Businesses (CFIB).

Alarmingly, many Canadian small businesses seem unprepared to protect themselves from hacking incidents, despite the high cost and increased risk of a data breach.

A surprising two-thirds of Canadian businesses invested nothing in cybersecurity in 2020, according to the CFIB report.

Filing cabinet with one drawer open
Doing nothing about website security is like leaving your door unlocked.
Photo: Maksym Kaharlytskyi on Unsplash

While some of those businesses may have already had the IT infrastructure in place to protect themselves, many businesses found themselves too short on cash to consider cybersecurity.

You can’t overestimate the importance of keeping your site updated to protect it from hackers and improve its performance. You need your customers to trust you with their data as you rely on your website more and more to connect with them.

Editor’s Note: Want all-in-one website protection? GoDaddy’s Website Security comes with all you need to keep hackers away, plus automatic website backups and alert notifications for added protection.

3 methods hackers use to identify targets

There are three types of vulnerabilities cybercriminals look for in their targets: client-side, server-side, and direct. Let’s take a look at what those security gaps are and what you can do to protect your website.

1. Client-side attacks

A client-side attack occurs when a server that has been co-opted by hackers attacks client software such as a web browser. These vulnerabilities include:

  • Cross-site Scripting (XSS): This is where a malicious bit of code is injected into an otherwise trusted website. Because web applications believe the script comes from a trusted site, it can access session tokens, cookies, and sensitive information such as banking details that your customers enter into your web pages.
  • Structured Query Language (SQL): This type of injection is one of the most common types of hacking techniques. The attack interferes with database queries, allowing the attacker to view sensitive data such as passwords, credit card information and user information. An attacker can also acquire back door access into an organization’s system.
  • Cross-Site Request Forgery (CSRF): This is where hackers take over a user’s session through a link sent in an email or chat. These attacks are used against administrative accounts to compromise an entire application.

Hackers use a suite of tools to automatically test sites to see if they might be vulnerable to these attacks. Today, there are significant protections against SQL and CSRF, but new vulnerabilities for XSS attacks continue to crop up as web pages become more complex.

Here are a few more popular client-side tricks:

API attacks

Application Programming Interfaces (API) are often targeted by hackers looking to find credentials or access codes. APIs are used to communicate with the backends of websites, and poor security can let hackers gain information about the architecture of your site.

API attacks are predicted to become the most frequent attack leading to data breaches in 2022.

Preventing API abuse requires a strong authentication scheme, potentially involving an external app-authentication service.

Exploiting open-source libraries

Open-source libraries, frameworks, and plug-ins are another major source of vulnerabilities. Hackers can spend far more time looking into libraries available to everyone than the average web developer will. Usually, the flaws in these resources aren’t discovered until one of them successfully uses them to do mischief.

Open-source libraries are sources of code available for anyone in the public to use or modify.

That means hackers have free access to examine the code for potential ways in. Web developers widely use these libraries, but the side effect is that their wide use can expose websites built using them.

Pro tip: Ask your web developer to make sure your site isn’t using open-source code that’s been abandoned. The best defence against open-source vulnerabilities is using plug-ins and frameworks that are still actively fixing vulnerabilities.

2. Server-side vulnerabilities

Cybercriminals may start by identifying your website’s server type, software and operating system. They find this information from web page source code, session cookie names and even social media. Once they know what’s going on behind the scenes, they can exploit open ports, default configurations and access the server folders.

When they’re looking for an easy target, hackers make the most of security misconfigurations such as:

  • Outdated WordPress plug-ins
  • Unnecessary services
  • Websites that still have default keys and passwords in place.

Man in black hoodie looking at computer screens

One way to keep hackers from taking advantage of these vulnerabilities is by using an automated build-and-deploy process that tests your security configurations and stops code from going out with default passwords.

Another way that hackers can identify good targets is open port scanning. Open ports are designed to accept packets, whereas closed ports ignore them.

Ports are how information on the internet is communicated, and open ports can be exploited by malware and social engineering to gain access to sensitive data.

Cybercriminals use tools like Grayhat Warfare to scan for open ports. They can then use open ports to:

  • Learn more information about your network, such as the operating system
  • Exploit out-of-date software, which tends to be rife with well-known vulnerabilities
  • Access unused services with default passwords and distribute content

Closing open ports will reduce your website’s “attack surface,” giving hackers fewer opportunities to find and exploit your website’s vulnerabilities.

Editor’s note: If you’re a web developer with many clients, you can reduce your workload and increase revenue with GoDaddy Pro — and it’s 100% free.

3. Direct cyber-attacks

Direct attacks target either the user or administrator directly, and right now most of these attacks are based on credential stuffing. This is where they automatically inject pairs of stolen username/password data to get access to accounts.

Hackers use data they’ve gained from a server-side breach and stuff them in huge numbers to find existing accounts. If a customer with breached account information has an account on your website, hackers could then hijack that account for their own purposes.

Credential stuffing is a growing threat to both customers and enterprises.


Cybercriminals profit by draining accounts of any value and scraping saved credit card numbers or other personal information. Since so many people reuse the same passwords on the dozens (if not hundreds) of sites and apps they use, credential stuffing can be a highly effective crime.

How to protect against credential stuffing

Credential stuffing is a low-risk, high-reward proposition for cybercriminals. To protect against it, website owners can use techniques like multi-factor authentication. It’s not fool-proof against phishing and account takeovers, but hackers will only be successful with much more resource-intensive attacks than relatively easy credential stuffing.

For organizations that require employees to sign into an app or website regularly for work, encourage good password hygiene. Password managers such as LastPass allow users to generate complex passwords without having to remember them.

A quick note on access tokens

Then there are attacks on access tokens. Access tokens represent the user’s authorization to let an app or website access part of the user’s data. A great example of an authorized token would be using two-factor authentication with your phone.

Hackers will look for ways to steal tokens from cookies or local storage, often through XSS methods. Again, these attacks are made to gain access to accounts.

Keep up with new threats

Hackers are constantly searching for new ways to get their hands on your data.

They have no boundaries, no remorse.


If they crash your databases or website, it’s of no concern to them. It’s not always apparent why hackers want access to your website or device, either.

Apple laptop sitting on desk next to notebook

Look no further than the Silver Sparrow Mac malware that’s now been detected in tens of thousands of devices. It’s a great example of emergent malware being closely watched by cybersecurity experts, while remaining a mystery.

The Silver Sparrow Mac malware is delivered through an Apple Installer package, including JavaScript code in such a way that the code could run before installation had even begun.

Once it downloads the payload, the malware deletes itself. The intention behind the malware remains unknown, and it’s become yet another new threat that businesses relying on Macs need to protect themselves from.

How hacking can hurt your website

If your customers can’t find you, you’re at a big disadvantage. With more and more business being done online, your virtual property is your gateway to the world.

A hacking incident can take your website offline, making your business practically invisible.

If Google detects malicious code such as an SQL injection, your site can wind up being filtered out of results (known as the Google Sandbox effect).

Desktop computer with Google Analytics on screen.

In addition to protecting your website from hacking, you’ll also want to take a look at your site’s speed performance. Faster site load times helps turn web visitors into customers, as sites that load slowly tend to send them elsewhere. Now that Google Web Core Vitals are set to be implemented in 2021, your site’s performance will be a ranking factor.

Businesses need to make sure that their websites are safe, secure, and optimized.

The average small business in Canada spent $11,000 on cybersecurity in 2019; the average medium-sized business budgeted $74,000 annually.

Is your business keeping up with growing cybersecurity threats?

Stay vigilant, stay informed

If you haven’t spent a minute on the security and performance of your website, now is the time. Cybercriminals are using client-side vulnerabilities, server-side vulnerabilities and direct attacks to scrape data and take over user accounts.

Becoming the victim of cybercrime can damage your website’s ranking and performance — not to mention your reputation. As malware continues to evolve, you have to stay up-to-date with the latest defences against cybercrime. By proactively closing security gaps, you can help make sure your website doesn’t become an easy target for hackers.