How hackers can tell if your website is a good target

SecureCategory
16 min read
Paul Teitelman

Hacking is big business, earning cybercriminals hundreds of billions of dollars around the world every year. Your website is a constant target.

In Canada, 25% of businesses experienced cyberattacks in 2020.

Five percent of those attacks were successful, according to a report on cybersecurity infrastructure by the Canadian Federation of Independent Businesses (CFIB).

Alarmingly, many Canadian small businesses seem unprepared to protect themselves from hacking incidents, despite the high cost and increased risk of a data breach.

A surprising two-thirds of Canadian businesses invested nothing in cybersecurity in 2020, according to the CFIB report.

Filing cabinet with one drawer open
Doing nothing about website security is like leaving your door unlocked.
Photo: Maksym Kaharlytskyi on Unsplash

While some of those businesses may have already had the IT infrastructure in place to protect themselves, many businesses found themselves too short on cash to consider cybersecurity.

You can’t overestimate the importance of keeping your site updated to protect it from hackers and improve its performance. You need your customers to trust you with their data as you rely on your website more and more to connect with them.

Editor’s Note: Want all-in-one website protection? GoDaddy’s Website Security comes with all you need to keep hackers away, plus automatic website backups and alert notifications for added protection.

3 methods hackers use to identify targets

There are three types of vulnerabilities cybercriminals look for in their targets: client-side, server-side, and direct. Let’s take a look at what those security gaps are and what you can do to protect your website.

1. Client-side attacks

A client-side attack occurs when a server that has been co-opted by hackers attacks client software such as a web browser. These vulnerabilities include:

  • Cross-site Scripting (XSS): This is where a malicious bit of code is injected into an otherwise trusted website. Because web applications believe the script comes from a trusted site, it can access session tokens, cookies, and sensitive information such as banking details that your customers enter into your web pages.
  • Structured Query Language (SQL): This type of injection is one of the most common types of hacking techniques. The attack interferes with database queries, allowing the attacker to view sensitive data such as passwords, credit card information and user information. An attacker can also acquire back door access into an organization’s system.
  • Cross-Site Request Forgery (CSRF): This is where hackers take over a user’s session through a link sent in an email or chat. These attacks are used against administrative accounts to compromise an entire application.

Hackers use a suite of tools to automatically test sites to see if they might be vulnerable to these attacks. Today, there are significant protections against SQL and CSRF, but new vulnerabilities for XSS attacks continue to crop up as web pages become more complex.

Here are a few more popular client-side tricks:

API attacks

Application Programming Interfaces (API) are often targeted by hackers looking to find credentials or access codes. APIs are used to communicate with the backends of websites, and poor security can let hackers gain information about the architecture of your site.

API attacks are predicted to become the most frequent attack leading to data breaches in 2022.

Preventing API abuse requires a strong authentication scheme, potentially involving an external app-authentication service.

Exploiting open-source libraries

Row of Lego Star Wards stormtroopers

Open-source libraries, frameworks, and plug-ins are another major source of vulnerabilities. Hackers can spend far more time looking into libraries available to everyone than the average web developer will. Usually, the flaws in these resources aren’t discovered until one of them successfully uses them to do mischief.

Open-source libraries are sources of code available for anyone in the public to use or modify.

That means hackers have free access to examine the code for potential ways in. Web developers widely use these libraries, but the side effect is that their wide use can expose websites built using them.

Pro tip: Ask your web developer to make sure your site isn’t using open-source code that’s been abandoned. The best defence against open-source vulnerabilities is using plug-ins and frameworks that are still actively fixing vulnerabilities.

Harmful plug-ins

Plugins can be a major source of vulnerability, but they can also improve your functionality. There are image plugins, SEO plug-ins and more, so it’s key to identify the differences between a helpful and harmful SEO plug-in.

A good plugin should optimize your pages without slowing down your site’s speed.

If you cater to international users, look for a plug-in that includes a CDN — Content Delivery Network. CDNs are designed to bridge the gap between your users and your server, which often results in less bandwidth and better security.

Harmful plugins, on the other hand, can cause more harm than good for your business. You’ll know you’ve stumbled upon one of these plug-ins if:

  • You experience page breaks
  • The plug-in hasn’t been updated in years
  • It offers too many features and is unable to guarantee the value of each one

So, when it comes to choosing an effective plug-in to improve your security and overall functionality, look at the number of downloads and the reviews available. Use these resources to determine if the plug-in you’re interested in can solve your current problems and whether it has the features you need.

Related: Cyber-security a rising threat for entrepreneurs in Canada

2. Server-side vulnerabilities

Cybercriminals may start by identifying your website’s server type, software and operating system. They find this information from web page source code, session cookie names and even social media. Once they know what’s going on behind the scenes, they can exploit open ports, default configurations and access the server folders.

When they’re looking for an easy target, hackers make the most of security misconfigurations such as:

  • Outdated WordPress plug-ins
  • Unnecessary services
  • Websites that still have default keys and passwords in place.
Man in black hoodie looking at computer screens

One way to keep hackers from taking advantage of these vulnerabilities is by using an automated build-and-deploy process that tests your security configurations and stops code from going out with default passwords.

Another way that hackers can identify good targets is open port scanning. Open ports are designed to accept packets, whereas closed ports ignore them.

Ports are how information on the internet is communicated, and open ports can be exploited by malware and social engineering to gain access to sensitive data.

Cybercriminals use tools like Grayhat Warfare to scan for open ports. They can then use open ports to:

  • Learn more information about your network, such as the operating system
  • Exploit out-of-date software, which tends to be rife with well-known vulnerabilities
  • Access unused services with default passwords and distribute content

Closing open ports will reduce your website’s “attack surface,” giving hackers fewer opportunities to find and exploit your website’s vulnerabilities.

Editor’s note: If you're a web developer with many clients, you can reduce your workload and increase revenue with GoDaddy Pro — and it's 100% free.

3. Direct cyber-attacks

Direct attacks target either the user or administrator directly, and right now most of these attacks are based on credential stuffing. This is where they automatically inject pairs of stolen username/password data to get access to accounts.

Hackers use data they’ve gained from a server-side breach and stuff them in huge numbers to find existing accounts. If a customer with breached account information has an account on your website, hackers could then hijack that account for their own purposes.

Credential stuffing is a growing threat to both customers and enterprises.

Cybercriminals profit by draining accounts of any value and scraping saved credit card numbers or other personal information. Since so many people reuse the same passwords on the dozens (if not hundreds) of sites and apps they use, credential stuffing can be a highly effective crime.

How to protect against credential stuffing

Credential stuffing is a low-risk, high-reward proposition for cybercriminals. To protect against it, website owners can use techniques like multi-factor authentication. It’s not fool-proof against phishing and account takeovers, but hackers will only be successful with much more resource-intensive attacks than relatively easy credential stuffing.

For organizations that require employees to sign into an app or website regularly for work, encourage good password hygiene. Password managers such as LastPass allow users to generate complex passwords without having to remember them.

A quick note on access tokens

Then there are attacks on access tokens. Access tokens represent the user’s authorization to let an app or website access part of the user’s data. A great example of an authorized token would be using two-factor authentication with your phone.

Hackers will look for ways to steal tokens from cookies or local storage, often through XSS methods. Again, these attacks are made to gain access to accounts.

Keep up with new threats

Hackers are constantly searching for new ways to get their hands on your data.

They have no boundaries, no remorse.

If they crash your databases or website, it’s of no concern to them. It’s not always apparent why hackers want access to your website or device, either.

Apple laptop sitting on desk next to notebook

Look no further than the Silver Sparrow Mac malware that’s now been detected in tens of thousands of devices. It’s a great example of emergent malware being closely watched by cybersecurity experts, while remaining a mystery.

The Silver Sparrow Mac malware is delivered through an Apple Installer package, including JavaScript code in such a way that the code could run before installation had even begun.

Once it downloads the payload, the malware deletes itself. The intention behind the malware remains unknown, and it’s become yet another new threat that businesses relying on Macs need to protect themselves from.

How hacking can hurt your website

If your customers can’t find you, you’re at a big disadvantage. With more and more business being done online, your virtual property is your gateway to the world.

A hacking incident can take your website offline, making your business practically invisible.

If Google detects malicious code such as an SQL injection, your site can wind up being filtered out of results (known as the Google Sandbox effect).

Desktop computer with Google Analytics on screen.

In addition to protecting your website from hacking, you’ll also want to take a look at your site’s speed performance. Faster site load times helps turn web visitors into customers, as sites that load slowly tend to send them elsewhere. Now that Google Web Core Vitals are set to be implemented in 2021, your site’s performance will be a ranking factor.

Businesses need to make sure that their websites are safe, secure, and optimized.

The average small business in Canada spent $11,000 on cybersecurity in 2019; the average medium-sized business budgeted $74,000 annually.

Is your business keeping up with growing cybersecurity threats?

The importance of mobile functionality and security

Today, more than half of all web traffic comes from mobile devices. No matter where you look, you’ll find Canadians on their phones, scrolling through their favourite apps and websites.

Cómo mejorar la tasa de conversión

With mobile use becoming a core part of everyday life, it’s no surprise that Google decided to implement mobile-first indexing. The end goal was to ensure the entire web would be indexed mobile-first by March 2021. Mobile-first indexing refers to Google’s new preference for indexing and ranking the mobile version of your site rather than the desktop browser version.

As this branch of web development becomes an integral part of the user’s browsing experience, there are added security risks that cannot be overlooked — particularly when it comes to preventing your site from becoming vulnerable to cybercriminals.

Mobile cybersecurity is essential, especially for small to medium-sized businesses. According to the Government of Canada’s Get Cyber Safe Guide for Small and Medium Businesses, hackers will often target these companies first. Why? There is a greater chance they don’t have a secure network in place — unlike a major corporation, which will often have firewalls and specialized coding in place to protect their data.

Here's how to protect your mobile website from cybersecurity threats:

Security plug-ins

If you’re using a content management system to build your site, look for security plug-ins that are designed to prevent hacking attempts in real-time without slowing down your site’s performance.

SSL certificate

While SSL certificates have always been a key part of any eCommerce business, they’ve become equally as important for all websites. This certificate signals to Google that your website is safe to share important user data, including credit cards and contact information, between the server and your site.

Updating your platform and software

Keeping your CMS, plug-ins, apps, and installed scripts up-to-date ensures your website is void of any vulnerabilities and will keep hackers from exploiting any weakness in your platform.

Secure passwords

One of the most accessible ways to secure the back end of your website is to ensure your passwords are complex. Include a mixture of numbers, letters, and special characters and avoid using phrases that can easily be guessed or decoded by hackers, including birthdays and or kids’ names.

Automated backups

While you can certainly make it a point to manually back up your platform weekly, there’s always a chance you may forget. Instead, have your files and data automatically backed up so you can easily restore your website should you face any cybersecurity threats.

Stay vigilant, stay informed

If you haven’t spent a minute on the security and performance of your website, now is the time. Cybercriminals are using client-side vulnerabilities, server-side vulnerabilities and direct attacks to scrape data and take over user accounts.

Becoming the victim of cybercrime can damage your website’s ranking and performance — not to mention your reputation. As malware continues to evolve, you have to stay up-to-date with the latest defences against cybercrime. By proactively closing security gaps, you can help make sure your website doesn’t become an easy target for hackers.

Frequently Asked Questions

What is a hacker?

A hacker is an individual who uses a website’s weak spots to gain access to their system, gather important information, and potentially block system access.

What does it mean when a website is hacked?

If your website has been hacked, that means an outside individual has gained access to your site. In most cases, hackers look for weaknesses in your system to obtain information related to your company’s data and potentially sensitive client data.

In many cases, your browser will alert you of suspicious activity or the hosting provider will take your website offline without warning. If it reaches your customer base, you may receive emails from users regarding problems they’re having with your site or phishing emails they have received claiming to be your business. Your responsibility is to re-instill trust in your customers and to ensure them and your web provider you’re able to solve this problem right away.

How do hackers use websites?

To understand how to prevent hackers from accessing your website, it’s important to first understand the various techniques they may use to access your data. There are several common techniques hackers can use to breach your security and retrieve sensitive data, including:

Cross-site scripting

This is one of the most popular website hacking methods and involves inserting harmful client-side JavaScript code into any webpage with hyperlinks. If the user clicks the link, the code can access the user’s account and proceed to steal their personal data.

Cookie theft

Cookies are commonly found on most web pages and are designed to hold various pieces of information, including users’ passwords and browsing history. Hackers can access cookies easily, since they’re stored in plain text.

Social engineering

This technique involves performing tricks on a website user or administrator to convince them to share certain data that could be used to exploit the site.

A hacker, for example, could pose as a new tech support member and ask the user for information like password or user ID to set up their account, when they’re going to use that data to hurt them.

Phishing

Like social engineering, phishing involves tricking unsuspecting users or administrators into giving away sensitive information. In most cases, this is executed through an email with a link that takes the user to a seemingly legitimate website. In fact, this is a ruse to steal their data.

Why do hackers target websites?

While hackers' motivations may vary, their primary intent is often to:

  • Retrieve personal data and use it to extort the owner of the site
  • Steal information from customers

Small and medium-sized businesses are a prime target for hackers, most often because there is a greater chance that they lack the security needed to fully protect their site and customers’ data from intruders. All businesses need to ensure they have the proper cybersecurity resources in place to protect them from potential attacks.

What happens when a hacker has access to my site?

If a hacker gains access to your website, there are several possible outcomes. In most cases, hackers will use this opportunity to steal sensitive data, including:

  • Passwords
  • Credit card data
  • Addresses and more

With this information, they can wreak havoc, ruin your customers' credit, make large purchases at their expense, or even sell their data to others who then use it for illegal purposes.

How can I protect my website from a hacker?

Cybersecurity is essential for all businesses, though it is especially important for small to medium-sized companies since they remain the most vulnerable to hackers. Taking proactive steps is vital to keeping your and your customers' data secure.

To protect your website from hackers, there are simple steps you can take:

  • Install a strong firewall that can identify malicious requests and IP addresses
  • Use a password manager to create strong, complex passwords that cannot be easily detected by an outside party
  • Regularly update your software to ensure there are no vulnerabilities
  • A Secure Sockets Layer SSL certificate will encrypt communication to and from your site and will prevent hackers from harvesting shared information.
  • Choose credible, well-reviewed plug-ins that update regularly and has been developed by a trusted developer.

UPDATE: This post was first published on 25 March 2021 and updated on 15 February 2022.

Products Used