This post isn’t about how a hacker might get into your website, or what you can do about it in the event it happens. This is purely to help you understand WHY you might be a target.
As website maintenance providers, we are often asked, “Why would anyone want to hack my website? I’m just a dentist/hair-dresser/contractor/author/[insert your profession here].”
The unfortunate fact is, an estimated 70-85% of small business websites get hacked, and many never realize they’ve been compromised. It doesn’t matter whether you’ve got 10 weekly visitors or 10 million; having a website makes you a potential target.
First, it’s important to understand that the vast majority of hacking is automated. Hackers use programs (known as “bots” or “scripts”) which can scan thousands of websites in a matter of moments. These bots are looking for known vulnerabilities they can take advantage of. This is known as an attack of opportunity, because they will eventually stumble upon websites they can get into. This is one of the reasons it’s so important your website software is up to date. If your site is running outdated software, these programs know which weaknesses are available for them to exploit.
Far less common are targeted attacks, in which a hacker has a specific victim in mind. These are most often perpetrated against larger businesses, corporations, organizations, or governments. Some of the common reasons for targeted attacks are:
- Bragging rights
- Hacktivism (hacking for a cause)
- To satisfy a grudge
Those are all pretty self-explanatory, and unless you’ve made a hacker mad, you’re not very likely to be a victim of this type of attack. But what about automated attacks that target any website with a weakness? What do they get out of it?
Computers these days are incredibly powerful, but some of the tasks we ask them to do are incredibly resource intensive. Take cracking passwords, for example. If you have a password with 10 characters of just lower-case letters and numbers, there are 3.76 quadrillion possible combinations for a hacker to try. If they have a single computer that can guess 1,000 times per second, it would take them 3.7 weeks to crack that one password. However, if they can get control of more computers, they can set them all to the task. It’s not unheard of for clusters of compromised computers to get to an order of 100 trillion guesses per second. At that rate, it would take them less than 37 seconds to get the password correct.
When a hacker gets control of a bunch of computers, the group is known as a botnet. The more computers they control, the more ambitious the tasks they can set it to. Botnets of more than a million computers have been discovered. Just let that sink in for a moment. That’s a monstrous amount of computing power in the hands of someone with less than ideal moral standards.
A hacker who gets access to your website has a number of ways they can profit from it.
- URL hijacking is when an attacker takes over your URL. I’ve heard of people who woke up one day to discover that their web address now led visitors to a porn site. We spoke with a woman who had a hacker turn her site into a service illegally selling answers to university tests.
- Blackhat SEO spam campaigns are when a hacker uses your domain to send spam emails. This makes it harder for authorities to find them, since the offending spam is coming from YOUR website instead of their own.
- Drive-by-downloads are when malicious software is loaded onto your visitors’ computers without their consent. Maybe it’s a program that will make your visitors’ computers part of a botnet. Perhaps it’s watching everything that happens on the infected computers so the hackers can record banking logins and passwords. If Google discovers drive-by-downloads on your website, they’ll block access to your site entirely.
All of this is a simplified and far-from-exhaustive version of a complex issue. I don’t want to get too deeply into the weeds with this post. However, this should be enough to give you an idea of why your website is considered just as good of a target as any by most hackers.
8 out of 10 websites Smart Monkey Design and Maintenance look at don’t have any security set up at all. If you have a WordPress website and you don’t know how good your security is, we’d love to talk with you.