Think hackers are not interested in your website? Think again.

Tuesday, 28 July 2020  |  Posted in: Most Recent, News  |  8min read

The risk of being hacked has never been higher for Australian businesses.

The recent announcement by the Australian Government of a prolonged cyber-attack on government and organisations across the country should be enough to highlight that anyone can be the target of hacking attempts, given the chaos and opportunities an attack can create for the hacker.

It would be easy to assume that unless your organisation’s website performs eCommerce transactions or stores customer information, it would be of little to no value to cybercriminals, but you would be wrong. While illegally accessing funds and information is a common motive behind hacking activity, there are many other things that can motivate hackers and cybercriminals to target your organisation’s website, regardless of its size, functions or content.

Compromised websites can be used to extort organisations and individuals, to unlock access to internal networks, or simply be sold to other cybercriminals on the dark web.

Regardless of the method or motivation, there are measures you can take to mitigate the risk of losing control of your website and to protect your business or organisation from such threats.


3 common hacker targets to look out for

There are many ways a website can be compromised by a hacker, ranging from very sophisticated methods requiring careful and deliberate coding through to blunter methods such as forcing entry past weak barriers. Unfortunately, it is impossible to protect against every type of hacker, but there are many things you can do to raise the bar and make accessing your website more difficult.

The three methods below highlight some of the most common ways that websites are compromised, and what you can do about it.

Don’t leave your organisation’s website vulnerable to cyber threats

Book your website security assessments with The Digital Embassy starting from only $450 ex GST.

Take action today to quickly identify risks and prevent intruders from accessing your website and sensitive information. Offer is limited to August 2020.

FIND OUT MORE


Default login screens

Many website platforms share the same basic structure and process for logging in. Normally this means going to a URL like example.com/admin or /login and entering a username and password. The problem with this default setup is that it is predictable and is commonly left in place by developers. As a result, hackers can target these default settings to automate attacks on large numbers of websites with poor security.

Customised programs, sometimes called ‘bots’, seek out websites with these default setups and bombard them with common username/password combinations, attempting to break into the website by brute force.

What steps you should take

Work with your web developers to update the default setup of your login screens and see what you can do to make them harder to detect and better at repelling brute force attacks.

We recommend updating the login URL to something obscure and/or company-specific such as example.com/contentmanagement. The more specific the better as it is less likely to have been anticipated by a hacker and so less likely to have been programmed into a bot.

For additional protection and peace of mind, consider taking measures to prevent login pages from being accessed from outside your office or business network. This can be done by establishing access controls that only allow connections from authorised networks, meaning access via all other networks is blocked.

There are several other features you can add to your login screens to make them stronger and more difficult to force past. For example, login screens can include a reCAPTCHA type challenge that prevents automated access. Two-factor authentication is another option where logging in requires the user to enter a randomly generated code sent by text or app directly to the user.

Additionally, failure limits can be imposed so that after a given number of failed login attempts the website is locked down for a period of time and the web administrators are notified. For bots that attempt to force their way past login screens, this can be an effective way of halting the attempt quickly.
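As an added example (not code from the original post), the failure-limit logic described above written in Python: a small guard that counts failed attempts in a sliding window, locks further attempts for a period, and records a message for the administrators. It goes slightly beyond the article by locking per account-and-source pair rather than the whole site, so one bot cannot lock out legitimate users elsewhere; the thresholds, the `admin` username and the 203.0.113.7 address are constructed sample values.

```python
from collections import defaultdict, deque

# Hypothetical failure-limit guard, added here; not code from the original post.
class LoginGuard:
    """Locks a login target after too many failures in a sliding window
    and records a notification for the web administrators."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> unix time the lock expires
        self.notifications = []               # messages an administrator would receive

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def record_attempt(self, username, source_ip, success, now):
        """Return 'locked', 'ok' or 'failed'. The lock is keyed on username AND
        source IP so a bot at one address cannot lock out the real user elsewhere."""
        key = (username, source_ip)
        if self.is_locked(key, now):
            return "locked"
        if success:
            self._failures.pop(key, None)     # a good login clears the failure history
            return "ok"
        fails = self._failures[key]
        fails.append(now)
        while fails and now - fails[0] > self.window:   # forget failures outside the window
            fails.popleft()
        if len(fails) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self.notifications.append(
                f"{username}@{source_ip}: {len(fails)} failures within "
                f"{self.window}s, locked for {self.lockout}s")
            fails.clear()
            return "locked"
        return "failed"


def simulate_bot(guard, username="admin", source_ip="203.0.113.7", start=1000):
    """Constructed sample: a bot tries the article's top-5 passwords one second apart."""
    guesses = ["123456", "password", "123456789", "12345", "12345678"]
    return [guard.record_attempt(username, source_ip, False, start + i)
            for i, _ in enumerate(guesses)]
```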


Generic and shared logins

Unsurprisingly, the most common, unsophisticated, yet successful method of illegally accessing websites is simply to guess a generic username and password combination. While it may seem baffling that this is still such an easy way to gain access to many website platforms, the reality is that many websites retain a generic or very simple username/password combination set up while the website was being built that never gets updated once the website is deployed to live production.

A recent review of common passwords recovered from hacks gives a very scary top 5 of commonly hacked passwords:

  1. 123456
  2. password
  3. 123456789
  4. 12345
  5. 12345678

If any of your accounts use passwords like this, then you are inviting attackers.

Another common vulnerability is shared login details used by multiple individuals within an organisation. While it can be more convenient to have a single account for your website, having multiple people know the same details increases the chance they will be inadvertently shared, creating an easy opportunity for hackers to access your website and confidential information.

What steps you should take

All website platforms these days have robust user management systems that can enforce certain requirements (username/password strength, for example) and allow easy review of who has access, at what level, and what they are doing with that access. We recommend imposing a requirement for strong passwords containing letters, numbers and special characters on all accounts with access to your website.

It is also highly recommended that any generic access (such as via group email addresses) is removed and that individual people are instead assigned personal access privileges based on what they are required to do on the website.

In doing this you also introduce a layer of accountability and governance to website management, as it is clear which users are performing which activities on the website, making unexpected or suspicious usage more obvious.
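An added example, not code from the original post, of the password requirement above: a policy check that enforces letters, numbers and special characters, rejects the article's top-5 passwords and trivial variants of them (a common word with a digit and symbol appended), and refuses passwords that contain the username. The 12-character minimum is an assumed value the article does not specify.

```python
import re
import string

# Hypothetical password-policy check, added here; not code from the original post.
# Denylist seeded with the article's top-5 recovered passwords.
DENYLIST = {"123456", "password", "123456789", "12345", "12345678"}
MIN_LENGTH = 12  # assumed value; the article does not specify a length


def check_password(password, username=""):
    """Return the names of the rules the password fails; an empty list means accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("min_length")
    if not re.search(r"[A-Za-z]", password):
        failures.append("needs_letter")
    if not re.search(r"[0-9]", password):
        failures.append("needs_digit")
    if not any(c in string.punctuation for c in password):
        failures.append("needs_symbol")
    lowered = password.lower()
    # Strip trailing digits/symbols so "Password1!" is caught as a variant of "password".
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in DENYLIST or (stem and stem in DENYLIST):
        failures.append("common_password")
    if username and len(username) >= 3 and username.lower() in lowered:
        failures.append("contains_username")
    return failures
```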


Vulnerable Plugins and Integrations

Popular website platforms, such as WordPress, draw a lot of their functionality from plugins: third-party applications designed to be added to the platform to provide specific additional functionality. A given WordPress website could have dozens of plugins enabling functionality ranging from simple SEO guidance through to sophisticated image manipulation tools.

Once a plugin is out of date it can represent a significant security risk to the entire website, as plugins are designed to integrate into the core platform structure. A hacker targeting an insecure plugin can often gain access to the entire site, using the plugin as a back door.

What steps you should take

Time should be regularly assigned to development teams to review the current versions of the core website platform and all plugins, and to update or patch them as required. Website platforms like WordPress and responsible plugin developers regularly release updates aimed at addressing security vulnerabilities while also improving the stability or functionality of the code. Closing these vulnerabilities is vital in protecting the website from being inappropriately accessed and compromised.


Prioritise your security

There are lots of reasons why a website might end up getting hacked, but it is also true that many websites are not initially targeted for any particular reason. Many hacked websites are the result of poor website security and a random interaction with a hacker’s bot that identifies the site as a potential target. As a result, one of the best things you can do to protect your website from hacking is all the simple things that make it more difficult: if someone else is lower-hanging fruit, they are more likely to be targeted than you.

If, however, your website does fall into the category more likely to be deliberately targeted (eCommerce, membership details, large corporation etc.), then it is important to take additional steps to investigate vulnerabilities in both your website and your website infrastructure, such as your hosting servers.

Rates of cybercrime are only likely to increase as the world becomes more digitally connected, so prioritising, and adequately resourcing, your security should be a central component of your digital strategy and resilience planning.

