Hacking is Child's Play

If you own a website, this will scare the pants off you.

The most common way to break into a website is still to guess the password, using what is called a brute-force attack: software works through candidate passwords and tries each one against your site.

How fast that goes depends on where the guessing happens. Free password-cracking software running on an ordinary desktop PC can test well over 100 million guesses per second, but only when it is working offline against a copy of the password hashes (for example, from a leaked database). Against a live login form every guess is a network request, which is thousands of times slower. The keyspace arithmetic is also less comforting than it first looks: a truly random 8-character password drawn from mixed case, numbers and symbols (about 95 printable characters) has 95^8, roughly 6.6 quadrillion, permutations, which would take about two years to exhaust at 100 million guesses per second; a GPU cracking rig working against a fast, unsalted hash is hundreds of times faster again and brings that down to days. And that is the best case, for a password with no pattern in it at all.

To speed things up, and to get around the lockouts and per-address rate limits a login form may impose, attackers spread the guessing across botnets of hundreds of thousands of hijacked computers, each trying a few passwords per site. To say the numbers become enormous at this point would be a gross understatement.

Humans being humans, we need patterns or familiar words to remember our passwords, and cracking software exploits exactly that. It starts with the common patterns: dictionary words, names, dates, keyboard walks, and the usual substitutions and decorations (a $ instead of an s, a 0 for an o, a year or "123" on the end). Those rules turn a search measured in quadrillions of random strings into one measured in millions of likely guesses, and most real passwords fall inside it.
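To make the last two paragraphs concrete, here is a small rule-based guesser written for this article. It is an added example, not software from Hack Rescue and not a real cracking tool (whose rule engines and word lists are vastly larger). It takes a constructed five-word list, applies the mutations people rely on (capitalisation, $-for-s style substitutions, a year or "123" on the end) in cheapest-first order, and reports where a "complex-looking" password such as P@$$w0rd2015 falls in the guess order, next to the time needed to exhaust the random 8-character keyspace. The word list, the substitution table, the suffix list and the guessing rate are assumptions chosen for illustration.

```python
import itertools

# Constructed five-word sample list. Real attacks use lists of hundreds of
# millions of leaked passwords, ordered by how often each one was seen.
WORDS = ["password", "welcome", "summer", "london", "monkey"]

# Substitutions people believe make a word "complex" (assumed table).
SUBS = {"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"}
# Suffixes people add when a site demands a digit or symbol (assumed list).
SUFFIXES = ["", "1", "123", "!", "2015", "2014"]


def case_variants(word):
    """Cheapest rules first: as typed, then Capitalised, then UPPER."""
    yield word
    yield word.capitalize()
    yield word.upper()


def leet_variants(word):
    """Every combination of the substitutions that apply to this word,
    smallest combinations first so the untouched word is tried before mutants."""
    keys = [k for k in SUBS if k in word]
    for size in range(len(keys) + 1):
        for combo in itertools.combinations(keys, size):
            out = word
            for k in combo:
                out = out.replace(k, SUBS[k])
            yield out


def candidates(words=WORDS):
    """Yield guesses in the order a rule-based cracker would try them."""
    seen = set()
    for word in words:
        for cased in case_variants(word):
            for mutated in leet_variants(cased):
                for suffix in SUFFIXES:
                    guess = mutated + suffix
                    if guess not in seen:
                        seen.add(guess)
                        yield guess


def rank(password, words=WORDS):
    """1-based position of password in the guess order, or None if no rule
    produces it (the cracker would then have to fall back to brute force)."""
    for position, guess in enumerate(candidates(words), start=1):
        if guess == password:
            return position
    return None


def seconds_to_exhaust(length, alphabet_size, guesses_per_second):
    """Time to try every string of this length over this alphabet at an
    offline cracking rate (a live login form is thousands of times slower)."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    total = sum(1 for _ in candidates())
    for pw in ["password", "Summer2015", "P@$$w0rd2015", "gH7#pLq2"]:
        print(f"{pw:14} rank in guess order: {rank(pw)}")
    print(f"rule-based guesses for {len(WORDS)} words: {total}")
    print(f"random 8-char keyspace: 95^8 = {95 ** 8:,}")
    years = seconds_to_exhaust(8, 95, 1e8) / (365 * 86400)
    print(f"exhausting it at 1e8 guesses/s: {years:.1f} years; "
          f"the {total} rule guesses take {total / 1e8:.1e} s")
```

Run it and compare the few hundred rule-based guesses with the 95^8 keyspace. A cracker never needs to visit that keyspace when the password was built from a word, however decorated; what puts a password out of reach is length combined with real randomness that no rule reproduces, which is also why a password manager that generates passwords beats any memorisation trick.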

Once in, the attacker will use your website to relay spam, host or serve malware, plant SEO spam pages, or deface it with a religious or political message.

Remember: if your password is a word, a name or a recognisable pattern, a beginner can recover it with free software in minutes. Make it long, at least 12 characters, and genuinely random rather than a dressed-up word.

Website Hacking is Common

Sometimes the hack is obvious: the attacker replaces your home page with their own. Often you won't know until your site lands on a blacklist or injected pages turn up in Google's search results, e.g. www.yoursite.com/cheap-viagra. The spam is frequently served only to search-engine crawlers and hidden from ordinary visitors, so looking at your own site in a browser proves nothing.
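One way to catch the invisible kind of hack, as an added example written for this article rather than a Hack Rescue tool: fetch the same page twice, once with a browser User-Agent and once claiming to be Googlebot, and compare the links and spam vocabulary in the two responses. The sample HTML, the example.net link and the short spam-term list are constructed for the demonstration; the two User-Agent strings are assumed values.

```python
import sys
import urllib.request
from html.parser import HTMLParser

# Assumed User-Agent strings: one ordinary browser, one matching Googlebot.
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/102.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

# Short constructed list of the vocabulary SEO-spam injections usually carry.
SPAM_TERMS = ("viagra", "cialis", "casino", "payday loan", "replica")


class LinkTextParser(HTMLParser):
    """Collect every href and all text from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = set()
        self.text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.add(value)

    def handle_data(self, data):
        self.text.append(data)


def analyse(html):
    """Return (set of hrefs, sorted list of spam terms found in the text)."""
    parser = LinkTextParser()
    parser.feed(html)
    text = " ".join(parser.text).lower()
    return parser.links, sorted(t for t in SPAM_TERMS if t in text)


def cloaking_report(html_for_browser, html_for_crawler):
    """Compare the page a visitor gets with the page a crawler gets.
    Links or spam terms that exist only in the crawler's copy are the
    signature of a cloaked SEO injection."""
    browser_links, browser_spam = analyse(html_for_browser)
    crawler_links, crawler_spam = analyse(html_for_crawler)
    return {
        "spam_terms_seen_by_visitors": browser_spam,
        "spam_terms_seen_by_crawler": crawler_spam,
        "links_only_crawler_sees": sorted(crawler_links - browser_links),
    }


def fetch(url, user_agent):
    """Fetch one URL with the given User-Agent header (used only with a real URL)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample: the same page as served to a browser and to Googlebot on
# a compromised site. The injected block appears only in the crawler's copy.
SAMPLE_FOR_BROWSER = """<html><body><h1>Acme Plumbing</h1>
<p>Call us for repairs.</p><a href="/about">About us</a></body></html>"""
SAMPLE_FOR_CRAWLER = SAMPLE_FOR_BROWSER.replace(
    "</body>",
    '<div style="display:none">Buy cheap viagra online: '
    '<a href="http://example.net/cheap-viagra">cheap viagra</a></div></body>',
)

if __name__ == "__main__":
    if len(sys.argv) == 2:  # python check_cloaking.py https://www.yoursite.com/
        url = sys.argv[1]
        report = cloaking_report(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA))
    else:                   # no URL given: run against the constructed sample
        report = cloaking_report(SAMPLE_FOR_BROWSER, SAMPLE_FOR_CRAWLER)
    for key, value in report.items():
        print(f"{key}: {value}")
```

With a URL on the command line it fetches your real site both ways; without one it runs on the constructed sample and flags the crawler-only link. A clean result proves nothing on its own: injections can key on the Referer header, on crawler IP ranges or on a cookie instead of the User-Agent, and some show the spam to everyone inside a display:none block. Pair the check with a site:www.yoursite.com search for the usual pharma terms and with Google's own reports for your site.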

There are almost 1 billion websites on the Internet in 2015. Approximately 1% are compromised, according to Sucuri: that's 10 million hacked sites!

Wordpress Hacks

Wordpress seems to be under attack, particularly in the past 18 months, and it is getting a bad reputation for being insecure. In our experience this is not true.

Wordpress gets hacked for four main reasons.

  • It's popular. Wordpress runs almost 20% of the Internet.
  • It's an easy target. Wordpress is simple to use and a favourite for small businesses and startups who feel they have no need for security.
  • It's not kept up to date. Wordpress releases updates almost every week. These work. We have never seen an up-to-date Wordpress site hacked.
  • Plugins and themes. Third party developers don't always think about the longevity of their software. They may not have the budget or resources to do rigorous security testing and release ongoing updates.

Plugins and Themes - the weakest link

Third party plugins and off-the-shelf themes are so convenient. If you want to add a feature to your site, chances are somebody has already built it and is offering it for free, no coding necessary.

Unfortunately, there is no guarantee of quality. Plugins and themes are often written by sole operators working from a bedroom: they build a nifty solution to one problem without considering the wider implications for the site it runs in, and they often lack the budget or resources to support it for long.

Usually only large businesses like WooThemes or Gravity Forms have a security budget. Longevity is in their best interest.

Resist the temptation to use themes and plugins. Find a good designer and an experienced developer and build an original site – not a collage of other people's ideas.

How to remember complex passwords

Unless you have a reliable trick for building passwords, for example from song titles or lyrics, don't try to memorise complex passwords at all; it is too difficult to do for dozens of sites. (See example from Hack Rescue)

Use a password vault or keychain storage system instead. There are lots of them. Find one that works across all your devices so you always have it with you, and let it generate a different random password for every site, so that one leaked password never opens anything else.

Password Vaults

Password vaults - http://goo.gl/BzEumF.
Lastpass.com is popular.

Website Security is Easy

Start with these things:

  • change your passwords
  • update your CMS, plugins and themes
  • delete all inactive plugins and themes
  • call Hack Rescue for security hardening and 24/7 monitoring

This applies to any popular CMS including Wordpress, Joomla, Magento, and Drupal.