Tuesday, August 21, 2012

Help! My website got hacked

Internet security has become one of the most important components of our everyday lives, but most people take it lightly.

We hear about websites getting hacked on a daily basis, but what could be the possible cause? In recent weeks, there has been a sharp increase in website hacking cases by a group of local hackers targeting WordPress websites. The victim's website would be defaced with a hacked "Hari Raya" page.

With more than 12 years of experience in the web hosting industry, we have seen that most hacking cases are caused by insecure and outdated source code in the website itself. This accounts for almost all website hacking cases.

Possible causes of website hacking:

1. Common website frameworks (WordPress, Joomla, Drupal, etc.)
- The most commonly used website framework is WordPress, as it is mature, easy to use and offers a lot of useful free plugins. Despite its popularity, WordPress comes with a big security issue. WordPress is an open source platform, which means everybody can download the code, including the bad guys. This means that the bad guys know the ins and outs of your website.

2. SQL injection
- The bad guys could launch an SQL injection attack on your website because they know how your website works. Remember that they have the code of your website. Upon gaining access, they could deface your website and steal your data.

3. Password leak
- Do you save your passwords in your Internet browser? That is a very bad habit, and you need to remove all of them. A virus, malware or Trojan infection on your workstation could get your website hacked. The bad guys will be able to retrieve all your passwords and launch an attack. Use a secure password, save it in a safe location and share it only with the people who need it.

4. Easy to guess password
- abc123 and qwerty are easy passwords for you, and for the bad guys as well. Stop using easy passwords! Your password should combine upper and lower case letters, numbers and symbols.

5. Plugins/Themes
- You have updated your WordPress but still got hacked. What is happening? We see many cases of intrusion through plugins and themes. Remember to update all your plugins and themes. Install only the necessary, trusted plugins on your website.

6. Compromised host
- The hosting server could be compromised or have a bad security policy. From our experience, this is the least likely to happen, as most good hosting companies secure their servers from attack, unless you are getting inferior low-budget services from your host. More bad guys try to hack at the website level than at the server level because of the difference in difficulty.

10 Simple Steps to secure your website

1. Secure your framework and update it whenever there is a new update.
2. Choose your plugins and themes carefully. Keep them updated regularly.
3. Hire a good developer to customize and secure the website for you.
4. Inspect your website logs to trace possible hacking attempts.
5. Subscribe to a third-party security scanning service.
6. Remember to keep a local backup copy on your workstation at all times. Usually, your host will do the backup for you.
7. Monitor your WordPress with plugins. My recommendations would be:
  • Exploit Scanner
  • WordFence Security
  • WordPress Sentinel
  • WP Notifier
  • VIP Scanner 
8. Get assistance from your hosting provider with tracing the intrusion, restoration and advice. A good premium-grade hosting company could be your choice, as they would assist you, while a budget hosting solution would have limited resources. Running a forensic investigation on a hacked site requires a lot of skill, experience and time.
9. Talk with your developer or host about how to improve your website security.
10. Subscribe to a web firewall service if the budget allows.
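
For step 4 above, one way to inspect an access log, as an added example that is not part of the original post. It assumes the Apache/Nginx "combined" log format and default WordPress behaviour (a failed login answers 200, a successful one redirects with 302); the log lines, threshold and function names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample in "combined" log format (documentation IPs, not real traffic).
SAMPLE_LOG = "\n".join(
    [f'203.0.113.5 - - [21/Aug/2012:10:00:{s:02d} +0800] '
     '"POST /wp-login.php HTTP/1.1" 200 1500 "-" "-"' for s in range(6)]
    + ['198.51.100.7 - - [21/Aug/2012:10:01:00 +0800] '
       '"POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
       '198.51.100.7 - - [21/Aug/2012:10:01:05 +0800] '
       '"GET /wp-admin/ HTTP/1.1" 200 9000 "-" "-"',
       '192.0.2.44 - - [21/Aug/2012:10:02:00 +0800] '
       '"GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 512 "-" "-"'])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# A few well-known SQL injection markers; a hit is a lead to review, not proof.
SQLI_RE = re.compile(r"union\s+select|or\s+1\s*=\s*1|information_schema", re.I)

def scan(log_text, login_threshold=5):
    """Return (kind, client_ip, detail) tuples worth a closer look."""
    failed_logins = Counter()
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = unquote_plus(m["path"])  # decode %20 etc. before matching
        is_login = path.split("?")[0].endswith("/wp-login.php")
        # Assumption: default WordPress returns 200 (form shown again) on failure.
        if is_login and m["method"] == "POST" and m["status"] == "200":
            failed_logins[m["ip"]] += 1
        if SQLI_RE.search(path):
            findings.append(("sqli-pattern", m["ip"], path))
    for ip, count in failed_logins.items():
        if count >= login_threshold:
            findings.append(("login-guessing", ip, f"{count} failed-looking logins"))
    return findings

if __name__ == "__main__":
    for kind, ip, detail in scan(SAMPLE_LOG):
        print(f"{kind:15} {ip:15} {detail}")
```
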

Are you totally safe from the bad guys after securing your website? My answer would be NO! Government websites with millions of dollars of security investment can be hacked, so yours is no exception. There is no guarantee that your website is safe from hacking, but at least you have reduced the risk by making it difficult for the hacker.
