My website has been hacked. Whose fault is it?
As a system administrator working for a hosting company, this is the question that many ask silently, or at least the question that hangs in the air when something goes wrong. In most cases customers are polite enough to ask “why did this happen?” or “how did this happen?”. And the words “this” and “something goes wrong” can cover a great many different situations.
The briefest and most common examples I could name:
- deleted pages;
- hacked email accounts;
- sent or relayed spam;
- abused web forms;
- stolen customer information.
My 20 years of experience show that the size or importance of a site does not always correlate with the number of hacking and abuse attempts. Even small and not-so-important websites and accounts get abused and hacked, and you, as the website owner, should not take it personally. Big and financially successful websites will be abused more, no doubt, but in many cases “hackers” will run scripts and hacking tools against just about any domain in an attempt to find flaws, known backdoors, known bugs, guess passwords, etc. When I set up a new server, that server starts getting random requests from a wide range of networks within minutes. There’s nothing personal about it, just automated kids playing around.
Yet these “kids” can do various kinds of harm, and that harm can be painful. The purpose of this article is to make you aware of things that can protect you, make life more complicated for the “kids”, and minimize the harm they could do to your website. The following tips are based purely on my experience; their importance may vary, but nevertheless I am trying to write a general list for a broad audience. The tips are not in any particular order either.
Bad code, programmer mistakes, outdated plugins, etc.
This one is actually the biggest source of all hacks. If there is code that allows an attacker to “do some action”, that action can be pretty much anything. I mean, if your website has code that allows a third party to execute a specific command, that command can be used to do harm, and that is a big problem. It does not have to be something “big and complicated”. It does not have to be “hack_the_nasa” functionality. But if, as the most common example, an attacker can upload their own script or include part of their own remote code, that is almost the same as giving them access to all your scripts and data. And unfortunately this is one of the most common reasons for hacks. Bad code. Mistakes in the code. Outdated plugins (especially from public repositories) with discovered bugs.
Many security experts will scream that running an old PHP version, an old Apache version or an old MySQL is a security risk. It is, but it is a very low risk, especially compared to bad code. If someone can use the scripts on your site to do harm, it does not matter what PHP version you have. And vice versa: if your code is bulletproof, full of security checks and validations, then running a very old PHP version is not a problem.
Many customers ask for better server security after being hacked, but unfortunately there is no ultimate tool that would completely prevent the website from being hacked again if there are bugs and problems in the code of the website itself.
Easy passwords, or a single password that you use everywhere.
I am one of those who still have 2 or 3 passwords that I use a lot in many places. Yet I will put this point here, also as a reminder for myself: this is dangerous. If you use the same password only on your own websites, that might be a bit less dangerous, but if the same password is also used on third-party sites, especially not-so-popular ones, you are putting yourself in danger.
There are several sources of danger:
- the website might be hacked, its data (database) leaked or stolen, and even encrypted passwords can theoretically be guessed. It’s a matter of how much effort that takes and how much you are targeted.
- the website (read: another system) might be collecting or storing your passwords without any encryption.
- once guessed, your password is linked to your ID, email and name, and hackers will target you more directly.
Many years ago I had my phone stolen while traveling in India. I had a PIN and the screen had a lock, but anyway, after a month or two I received several threats containing my commonly used password in plain text. Luckily by that time I had already stopped using it, but I still had a few unpleasant moments reading an email from a stranger with my password in the text.
There are services like https://haveibeenpwned.com/ where you can check your email or name and see if there were any leaks linked to you.
Lack of server security and protective measures
Right, I have just said that there is no ultimate tool you can have on the server to protect you from bad code. But that does not mean that there should not be any level of security on the server. The more difficult you make life for hackers, the more your website will be protected. While some people spend their time and energy trying to hack others, some spend it on developing protective scripts, measures and tools. In this way it’s a constant battle, and unfortunately it is not being won by either side.
So yes, there are tools that can run on servers to protect your website. These tools are especially good against general, commonly used attacks and brute-force attacks. These tools are:
- firewalls, especially those that can parse log files and block the attacker’s IP after a certain number of unsuccessful login attempts; the most popular are fail2ban and ConfigServer Firewall (CSF);
- web filters (mod_security) with various rule sets; these are quite effective against well-known attack patterns that are often used for finding bad scripts and backdoors, or simply for testing your code for mistakes. Combining such web filters with firewalls for IP or even network blocks is a very powerful tool, but it should be used with care (it can raise false alarms and block legitimate requests);
- two-factor authentication: another very powerful way of protecting yourself is enabling 2FA wherever possible (and, if possible, disabling the use of systems/protocols that do not support it, for example FTP). Even if someone steals your password, they will have to confirm the login with an extra protective measure. But make sure that the 2FA itself is extra-protected as well.
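To show what the log-parsing firewalls in the first tip actually do, here is an added example that is not part of the original article: a small POSIX shell script that counts failed SSH logins per source IP in a constructed log sample and prints the firewall rules it would propose. The log lines, host name and IP addresses are made up, and the threshold of 3 attempts is an assumption.

```shell
#!/bin/sh
# Constructed sample of sshd auth log lines (made up for this example, not real traffic).
# 203.0.113.5 fails four times; 198.51.100.7 fails once and then logs in.
SAMPLE_LOG='Jun 10 08:01:02 web1 sshd[2210]: Failed password for root from 203.0.113.5 port 51022 ssh2
Jun 10 08:01:05 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51024 ssh2
Jun 10 08:01:09 web1 sshd[2212]: Failed password for root from 203.0.113.5 port 51030 ssh2
Jun 10 08:01:12 web1 sshd[2213]: Failed password for root from 203.0.113.5 port 51031 ssh2
Jun 10 08:02:40 web1 sshd[2220]: Failed password for alice from 198.51.100.7 port 40112 ssh2
Jun 10 08:02:48 web1 sshd[2221]: Accepted password for alice from 198.51.100.7 port 40113 ssh2'

# Print "IP count" for every source IP with at least $2 failed logins in log file $1.
# This is the core of what a fail2ban sshd filter does before handing the IP to the firewall.
failed_login_ips() {
    log="$1"; maxretry="$2"
    grep 'Failed password for' "$log" \
      | sed -n 's/.* from \([0-9.][0-9.]*\) port .*/\1/p' \
      | sort | uniq -c \
      | awk -v max="$maxretry" '$1 >= max { print $2, $1 }'
}

# Turn the offenders into firewall rules for review. They are only printed, not
# executed: inserting rules needs root, and in production fail2ban or CSF does this
# (with an expiry time) for you.
block_rules() {
    failed_login_ips "$1" "$2" \
      | awk '{ printf "iptables -I INPUT -s %s -j DROP   # %s failed logins\n", $1, $2 }'
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_LOG" > "$tmp"
    echo "Source IPs with 3 or more failed logins:"
    failed_login_ips "$tmp" 3
    echo "Proposed rules:"
    block_rules "$tmp" 3
    rm -f "$tmp"
}
main
```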
Lack of user, process and file protection on the server
Technically this point is a sub-point of the previous section, but I wanted to emphasize it a bit more.
Most modern control panels addressed this a long time ago. If, for instance, your hosting company uses cPanel, Plesk or Enhance, it would hardly allow other users on the same server (on shared hosting, that is) to see or hack your site and files. But if you set up your server manually, you can still easily end up with a setup that works great but allows the scripts of one website to access the files of another website. And in theory this would allow one hacked website to do huge harm to the others.
Different websites, different users: they all must be separated from each other at the user-permission, core, kernel level. One website should never be able to find, read, list, access or write another website’s files. None of these actions. Never. Being able to list other users or files hosted on the same server poses a great danger and risk. It should not be possible, and it is not hard to have such a setup; there are various ways to achieve it.
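An added example (not from the article) of how to check a manually set-up server for the file exposure described above: a POSIX shell script that lists what other local accounts could reach under a site’s home directory, then applies a closed-down permission set. The demo tree is constructed, and the assumption that the web server runs in the site’s own group is noted in the code.

```shell
#!/bin/sh
# List everything under a site's home that other local accounts could reach:
# a world-searchable home (o+x lets any user traverse and list it) and any
# world-readable or world-writable file or directory inside it.
find_exposed_paths() {
    home="$1"
    if [ -n "$(find "$home" -maxdepth 0 -perm -o+x)" ]; then
        echo "home traversable by others: $home"
    fi
    find "$home" -mindepth 1 \( -perm -o+r -o -perm -o+w \) | sort | sed 's/^/exposed: /'
}

# Close the site: the owner keeps everything, the web server reaches files through
# the group (assumption: the web server runs with the site's group), others get nothing.
lock_down_site() {
    chmod 710 "$1"
    find "$1" -mindepth 1 -exec chmod o-rwx {} +
}

# Constructed demo tree mimicking a typical mistake: home and docroot at 755 and a
# config file at 644, so any other account on the box can read the DB password.
demo_site() {
    root=$(mktemp -d)
    mkdir "$root/public_html"
    printf '<?php $db_pass = "constructed-example";\n' > "$root/public_html/config.php"
    chmod 755 "$root" "$root/public_html"
    chmod 644 "$root/public_html/config.php"
    echo "$root"
}

main() {
    site=$(demo_site)
    echo "Before:"; find_exposed_paths "$site"
    lock_down_site "$site"
    echo "After:";  find_exposed_paths "$site"
    rm -rf "$site"
}
main
```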
The same rule applies to database access. Your database user should only have access to your database. It should not be able to list other databases, or databases that are not relevant to your project or website. The good news is that MySQL has very flexible and configurable access permission policies; it is really up to you (or your server/website administrator) to set it up correctly. You should not have server-wide users, and it is best if the database is not accessible from outside the server.
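An added example, not from the article, of checking MySQL grants for the server-wide-user mistake: a shell function that audits constructed SHOW GRANTS output and flags server-wide privileges, wildcard hosts, GRANT OPTION and the FILE/SUPER privileges. The user and database names are made up.

```shell
#!/bin/sh
# Constructed SHOW GRANTS output for a site user, in the backtick-quoted form MySQL
# prints (made up for this example). The first is the "one user for the whole server"
# mistake; the second is the recommended shape: one database, local connections only.
GRANTS_BAD='GRANT ALL PRIVILEGES ON *.* TO `shop`@`%` WITH GRANT OPTION'
GRANTS_GOOD='GRANT USAGE ON *.* TO `shop`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE ON `shop_db`.* TO `shop`@`localhost`'

# Print one finding per risky grant line. "USAGE ON *.*" is the harmless "may connect"
# entry MySQL always lists, so it is excluded from the server-wide check.
audit_grants() {
    printf '%s\n' "$1" | awk '
        / ON \*\.\* / && !/^GRANT USAGE ON/ { print "server-wide privileges: " $0 }
        /@`%`/                              { print "reachable from any host: " $0 }
        /WITH GRANT OPTION/                 { print "can hand out privileges: " $0 }
        /(^|[ ,])(FILE|SUPER)([ ,]|$)/      { print "file/super privilege: " $0 }
    '
}

# Number of findings, so a deployment script can refuse to proceed when it is not 0.
audit_count() { audit_grants "$1" | wc -l | tr -d ' '; }

main() {
    echo "Server-wide user:"; audit_grants "$GRANTS_BAD"
    echo "Per-site user:";    audit_grants "$GRANTS_GOOD"
    echo "(no findings means the user is confined to its own database)"
}
main
```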
Scam websites that make you enter your password
It might sound strange, and you might think that you will never ever fall into this trap, but believe me, this risk is real, and it is not so uncommon that even experienced users fall into scammers’ traps.
Scammer websites try to mirror some system that you use. Very often it starts with an email that looks legitimate and contains some call to action. The most common is a warning that your mailbox has run out of disk space and you need to act now. Of course, these emails are usually sent from faked scammer domains, and the link they contain leads to the scammer’s website. Such websites might actually have a very similar domain name and URL, and the design and look are in most cases exactly the same. All they ask you for is to enter your username and password. Once you do, someone stores it and tries to use it in the various places that the scammer may already have linked you to.
And that’s why it is important to use a different password for each system, so that even if you fall into a scammer’s trap, not all the systems you use will be affected. Keep your passwords in a secure place; I personally use KeePass for that. If you decide to store your passwords inside a browser, please, please set a master password. This way you protect the passwords stored on your computer.