Top website security threats and how to protect your site from attack

This article was originally published on May 29, 2014, and was updated on Aug. 14, 2018, and Sept. 30, 2019.

You can’t take website security threats seriously enough — especially if your customers entrust you with their credit card information and other sensitive data. From using strong passwords to defending your site against images that attack, taking the important steps necessary to protect your website from cyber security threats isn’t a maybe — it’s a must.

Related: Understanding Online Security Threats

Top website security threats and steps to protect your site from attack

This guide will take a deep dive into the most prevalent website security threats, and outline some steps you can take to remain vigilant against them. Here’s what we’re going to cover:

• Characteristics of commonly targeted websites.
• Effects of cyber attacks on businesses.
• Types of cyber security threats and malware families.
• Understanding and preventing SQL injections.
• Understanding and preventing cross site scripting (XSS).
• Understanding and preventing malware attacks.
• Understanding and preventing distributed denial of service (DDoS) attacks.
• How to improve website security.

Ready? Let’s get started.

Characteristics of commonly targeted websites

Based on the GoDaddy Security and Sucuri teams’ analysis of more than 25,000 infected websites and 4.4 million cleaned files, Sucuri’s Website Hack Trend Report 2018 gives us great insight into the source of website security threats for some of the most popular open-source content management systems.

• WordPress infections rose from 83% in 2017 to 90% in 2018.
• Magento infection rates dropped from 6.5% in 2017 to 4.6% in 2018.
• Joomla! infection rates dropped from 13.1% in 2017 to 4.3% in 2018.
• Drupal infections rose from 1.6% in 2017 to 3.7% in 2018.

Note: While the report found security breaches most prevalent on sites built on the WordPress, Magento and Joomla! CMS platforms, “this does not imply these platforms are more or less secure than others,” the authors write. “This data represents the most common platforms seen in our environment and reflects the overall popularity of CMS’.”

“As seen in previous reports, issues pertaining to vulnerabilities in extensible components and overall security posture among website administrators are a constant factor. … The most notorious threats to CMS’ stem from vulnerabilities introduced by add-on modules, plugins, themes, and extensions.”

The report identifies these common issues and themes in CMS vulnerabilities:

• Improper deployment
• Security configuration issues
• A lack of security knowledge or resources
• Overall site maintenance by webmasters
• Broken authentication and session management

“These issues continue to be the leading causes of today’s website hacks,” the authors note.

WordPress + website security threats

The report shows that WordPress continues to lead the infected CMS pack, with 90% of all websites cleaned by Sucuri in 2018 built on the WordPress platform.

And this makes perfect sense. Why?

WordPress powers more than one-third of all websites on the internet. It commands a 60% market share of all open-source content management systems.

It’s really popular. And with great popularity comes a big target.

Related: How to stay on top of WordPress security issues

Cyber security threats and small business websites

However, it’s important to know that website security attacks aren’t necessarily targeted at specific websites. In most hacking attempts, attackers aren’t actively seeking out any website in particular, which is why even small sites get attacked.

Hackers use bots to sniff out vulnerabilities, and once one is found, the hackers jump in to do some damage.

According to GoDaddy cybersecurity research, 58% of small businesses are most vulnerable to malware attacks. Other research shows that six out of 10 breaches hit small businesses.

But only 30% of businesses regularly check for vulnerabilities, and 40% rarely do.

Small businesses are most vulnerable to website security threats simply because they don’t usually have enough security acumen nor do they have enough budget or time to devote to website security compared to many large corporations.

Related: What is the cybersecurity skills gap and what does it mean for your business?

Back to top

Effects of cyber attacks on businesses

By now, you should have a basic understanding of why website security is important.

But to make things even more clear, let’s take a look at some of the negative effects that a business might experience after experiencing a cyber attack:

1. Financial loss

Nearly half of small businesses surveyed by GoDaddy reported suffering a financial loss from hacking, with one out of eight saying that the loss was greater than $5,000.

You might notice that there’s a bit of a paradox for small businesses dealing with cyber attacks.

In most cases, small businesses don’t have enough money for website security, yet when faced with a cybersecurity attack, they are often advised to pay up, even when those cyber attacks cause financial losses.

Even worse, Security magazine reports that 60% of hacked small businesses go out of business within six months.

2. Reputation damage

Businesses have a duty to inform their clients if they experience a cyber breach that involves the exposure of personal information. If you’ve ever been a customer whose data has been exposed after trusting a company to handle it properly, you realize how this can jeopardize business relationships.

3. Blacklisting by search engines

Websites compromised by hacks are often blacklisted by search engines or internet security companies. For those that rely on traffic from search, this can have major negative business implications.

Back to top

Types of cyber security threats and malware families

Sucuri’s Website Hack Trend Report 2018 also includes analysis of infection trends and how these trends correlate to malware families. “Malware families allow our team to assess an attacker’s tactics, techniques, and procedures (TTP),” the authors write. “This information inevitably leads us to their intentions and helps us understand and mitigate future threats.”

Malware families and other notable website security threats, both highlighted in the report and beyond, include:

Backdoors

Backdoors give hackers unauthorized access and rights to a computer or network after a successful compromise. Backdoor infections were revealed in 68% of all Sucuri cleanup requests in 2018.

“Backdoors give attackers the opportunity to bypass existing access controls to web server environments and are particularly effective at eluding modern website scanning technologies,” the report’s authors write. “This makes them one of the most commonly missed payloads and a leading cause of reinfections.”

Malware

Malware, short for “malicious software,” is a generic term used for intrusive code that tries to take control of your website in some way. Forms of malware include viruses, Trojan horses and drive-by downloads.

The Sucuri report notes an increase in the general malware family distribution, from 47% in 2017 to more than 56% in 2018.

SEO spam

The Sucuri report identifies SEO spam as the culprit in more than 51% of all the infection cases the team addressed in 2018 — a 7% increase from the year before.

“This is one of the fastest growing families over the previous years,” the authors write. “They are difficult to detect and have a strong economic engine driven by impression-based affiliate marketing.”

Mailers

Mailers are spam generating tools designed to abuse server resources, allowing hackers to send unwanted emails from a domain.

“These forms of malware can wreak havoc by distributing malware or phishing campaigns and stealing sensitive information.”

SQL injections

SQL injections are web security vulnerabilities that allow bad actors to interfere with a query an application makes to its database.

Cross site scripting (XSS)

Cross site scripting is a type of attack that happens when malicious scripts are inserted into an otherwise trusted website with the intent of stealing the user’s identity data through cookies, session tokens and other information.

Distributed Denial of Service (DDoS)

Distributed Denial of Service is malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with internet traffic.

HackTool

Exploit, or distributed denial of service (DDoS) tools, used to attack other sites.

Defaced

Hacks that leave a website’s home page unusable and promote an unrelated subject (i.e., hacktivism).

Phishing

Phishing is a type of scam in which bad actors send fraudulent emails made to look like they are from legitimate individuals or companies in an attempt to trick users into sharing sensitive information like credit card data and logins.

Dropper

This is a type of malware that “drops” viruses into targeted computers. The virus’s code is contained within the dropper.

Banking Trojans

Banking Trojans focus on stealing bank account logins. Examples include Citadel and Zeus.

Keyloggers

Keyloggers steal anything that’s typed on a keyboard or touchscreen.

Ransomware

Ransomware encrypts data then ransoms its release. One example is the hack that struck the city of Atlanta.

Exploit kits

Exploit kits give cyber crooks malware upload options.

Bots

Bots take control of infected computers to assist in other crimes.

Drive-by downloads

Drive-by downloads are unintentional downloads of malicious code that open the door for security breaches on apps, operating systems or web browsers.

Advanced persistent threat

Advanced persistent threats are a type of (generally sophisticated and long-running) attack that usually involves malware.

Back to top

Understanding and preventing SQL injections

As noted above, website security covers a broad spectrum of cyber security threats. However, it’s worth taking a closer look at SQL injections and three more of the most common online security culprits.

As a refresher, SQL injection is a web security vulnerability that allows hackers to interfere with a query an application makes to its database.

Why SQL injections are bad

Many websites and web applications store their data in SQL databases.

Sometimes, you can use SQL commands to run operating system commands. When a hacker gets access to the SQL database, they can view and modify data they normally aren’t able to retrieve or access, which includes data belonging to users, or data that the application has access to.

 

In some cases, you can even access the operating system using the database server. When attackers get access to this, they can attack the internal network behind a firewall.

How SQL injections work

Attackers find vulnerable input fields on the website and insert content via an SQL query. This is often called malicious payload, and is a key part of the attack. After the attacker sends this content, malicious SQL commands are executed in the database.

Types of SQL injections

There are three types of SQL injections:

In-band SQLi

The most common and easy to exploit SQLi, in-band SQLi is when the attacker is able to use the same communication channel to launch the attack and gather results.

The two most common types of in-band SQLi are Error-based SQLi and Union-based SQLi:

• Error-based SQLi: Errors can be useful in the development phase of a website, but should be disabled on a live site. This type of SQLi relies on error messages thrown by the database server to obtain information about the structure of the database.
• Union-based SQLi: Leverages the UNION SQL operator to combine the results of two or more SELECT statements into a single result, which is returned as part of the HTTP response.

Blind/inferential SQLi

This type of attack takes much longer than an in-band SQLi attack.

With this type of attack, no data is actually transferred via the web application and the attacker isn’t able to see the result of the attack in-band (that’s why it’s called blind SQLi). Instead, the attacker is able to reconstruct the database by sending payloads and then observing the web application’s response and the resulting behavior of the database server.

There are two types of blind SQLis:

• Boolean-based/content-based blind SQLi: Relies on sending an SQL query to the database, which forces the application to return a different result depending on whether the query returns a TRUE or FALSE result.
• Time-based blind SQLi: This type of attack forces the database to wait for a specific amount of time (in seconds) before responding. Depending on the result, the HTTP response may be returned immediately or with a delay, and the attacker can infer whether the attack was TRUE or FALSE based on how long the result took.

Out-of-band SQLi

Of the three types of SQLi, this is the most uncommon because it depends on the features being enabled on the database server being used by the web application.

This type of SQL injection occurs when the attacker is unable to use the same channel to launch the attack and gather results. This type of attack is an alternative to inferential SQLi, especially if the server responses are not stable.

A real world example of SQL injections

In 2008, information from 134 million credit cards was exposed when spyware was injected in Heartland Payment Systems’ data systems. What’s worse is that this was not discovered until a year later, when Visa and Mastercard notified Heartland Payment Systems of the suspicious transactions.

A few additional examples of the negative real-life impacts of SQL injections:

• The Google Maps WordPress plugin made 400,000 sites vulnerable to attack.
• Georgia Tech University had a data breach that could have exposed the information of up to 1.3 million people.

Read more about the top SQLi attacks.

How to prevent SQL attacks

Determine whether your site is vulnerable by launching your own SQL attacks on your website to see whether they are successful. You can use an automated SQL injection attack tool such as Havij, SQLmap or jSQL.

Besides sussing out vulnerabilities on your own, make sure to also employ the use of a web application firewall (WAF).

Read more tips on how to prevent SQL attacks.

Back to top

Understanding and preventing cross site scripting (XSS)

Cross site scripting is a type of attack that happens when malicious scripts are inserted into an otherwise trusted website with the intent of stealing the user’s identity data through cookies, session tokens and other information.

It’s important to have an understanding around these types of website security threats, as 84% of vulnerabilities are a result of XSS attacks.

Why cross site scripting is bad

At least at this point in time, the browser has no way of knowing that the script should not be trusted and will execute it. And, unlike other web attacks, XSS targets its users and not your web application, causing harm to your clients and reputation.

Why cross site scripting happens

Many developers automatically trust all users to the point that they don’t make an extra effort when it comes to filtering user input. There are many variants of an XSS attack, so the application gets confused regarding what to filter.

How cross site scripting works

Attackers inject client-side scripts into web pages viewed by other users through a vulnerable point. Once the user visits the website or clicks on the link, the malicious string of code from the database is sent in response. The victim’s browser then executes the malicious script.

Types of cross site scripting attacks

Cross site scripting can take on many different malicious forms, including:

Non-persistent/reflected attack

The attacker usually sends a link containing a malicious code, or exploits a form on the website. These attacks may be sent to a victim with the intention of stealing their session cookies and ultimately their account.

But compared to other XSS attacks, these are much less dangerous. This is because reflected attacks rely on a victim taking action, making it hard to automate. For the attack to be successful, each victim must be targeted individually.

Persistent/stored attack

The attacker sends malicious data to a website stored in a database. When the user visits the site, they are served the data that performs a malicious action.

Compared to reflected attacks, these can be automated. A script can be created that visits thousands of websites, exploits a vulnerability on each site, and drops the stored XSS load. In this case, the site visitor does not have to do anything but visit the site to get infected. Needless to say, the persistent attack affects more people.

Document Object Model (DOM) Attack

The attacker modifies the DOM environment of the user’s browser, the result of exploiting the original client-side JavaScript hardcoded into the site.

While uncommon, this attack is difficult to address because it usually occurs on the client side. During these attacks, the HTTP response of a page is not changed and no unique data is sent to the server.

A real world example of cross site scripting

An XSS flaw on eBay exposed its users to phishing scams in 2014. Also, in 2018, the information of 685 million Tinder, Western Union, Shopify, Yelp and Imgur users was at risk due to XSS.

How to prevent cross site scripting

In some cases, preventing an XSS attack can be as simple as adding an HTML code to your site.

Here’s how to protect yourself:

• Encoding: In a nutshell, encoding is when you strip user input of all code and force web browsers to interpret that input only as data. Instead of being rendered in HTML, CSS, JavaScript, or as a URL, the end result is rendered as text on both the server and client-side.
• Validation: Involves making sure that the data matches your expectations.
• Sanitization: Involves cleaning up all data entered by a user. Many code libraries and eCommerce platforms do this by default. The problem with this is that it can limit what a user can enter. Infosec shares a list of data that needs to be sanitized as well as instructions on how to sanitize your data.

Finally, you can also prevent cross site scripting attacks by disabling JavaScript from your browser and installing a Web Application Firewall.

Back to top

Understanding and preventing malware attacks

Malware is a portmanteau of the words malicious and software. It’s an intrusive code (normally installed via a corrupted file packaged with healthy software) that tries to take control of your website in some way.

Malware can take on many forms:

• Viruses: The most common form of malware, often found in email attachments.
• Trojan horses: Also known as backdoor malware, it is disguised as a legitimate program but can take control of your computer once installed.
• Driveby downloads: Uses your website as a delivery method for other corrupted files and can cause damage without the recipient knowing.
• Ransomware: A kind of attack where criminals hold data hostage until a payment is made. One in five small businesses faced a debilitating ransomware attack in 2016.

There are other forms of malware, the aforementioned representing the most common types.

How malware works

Malware spreads when you download or install infected software. It can also enter your computer via a link or email. Once installed, it replicates fast and can immediately spread to other computers in the network.

Malware can affect PC performance, resulting in a slow PC response. It can also consume internet data: if your internet usage is higher than normal, you might be infected with malware.

Malware can interfere with computer activities by generating unwanted popups and ads. It can destroy computer programs and the computer’s operating system.

Furthermore, malware can steal personal information and encrypt your files — forcing you to pay for an encryption key to unlock them.

A real world example of malware

Hackers launched WannaCry ransomware, extorting banks, hospitals and the FBI.

Hackers earned $5.9 million through SamSam ransomware attacks since 2015, even generating $64,000 from a single attack — the highest amount generated from a ransomware attack to date.

Here’s a list of the worst malware in 2018.

How to prevent malware

Bad news first: most of the time, you won’t be informed if you were infected by malware, though some sites warn you before allowing you to navigate to an infected site.

If you’ve been infected by malware, use a dedicated tool such as GoDaddy Express Malware Removal to find and remove malware from your site.

How to protect your site from malware

There’s not a lot you can do after the fact, which means you must be proactive.

 

Keep monitoring your website, scan your downloads for viruses and verify if the links you click are safe. Ensure that proper security measures are in place as outlined earlier in this article.

Back to top

Understanding and preventing distributed denial of service (DDoS) attacks

Distributed Denial of Service is malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with internet traffic.

How distributed denial of service works

A DDoS attack requires an attacker to gain control of a network of online machines in order to carry out an attack. Computers and other machines (such as IoT devices) are infected with malware, turning each one into a bot which the attacker has control over. The attacker collects a network of bots, which is called a botnet.

Once a botnet is established, the attacker controls the botnet by sending updated instructions to each bot via a method of remote control. When the IP address of the victim is targeted by the botnet, each bot will send requests to the target, potentially causing the targeted server or network to reach its overflow capacity, resulting in a denial-of-service to normal traffic.

Because each bot is a legitimate internet device, separating the attack traffic from normal traffic can be difficult.

Types of distributed denial of service attacks

There are 12 types of DDoS attacks, falling under these three main categories:

Volume-based attacks

Creates congestion by consuming all available bandwidth between the target and larger internet. These represent the most common attacks for botnets.

Protocol Attacks

Also known as state-exhaustion attacks, these types of attacks cause a service disruption by consuming all the available capacity of web application servers or intermediate resources like firewalls and load balancers.

Application layer attacks

This is the most sophisticated type of DDoS attack, named after the seventh layer of the network device where the human-computer interaction occurs, and applications can access network services. The goal of the attack is to exhaust the resources of the target, which can be costly to the server side. These attacks typically leverage flaws in a website application’s code and abuse it in ways that overwhelm the system.

They “trick” the system into thinking they are receiving legitimate web traffic, when it’s actually just traffic from botnets. These types of attacks are hard to defend as traffic can be difficult to flag as malicious.

A real world example of distributed denial of service attacks

Github experienced one of the largest DDoS attacks to date, with the first part peaking at 1.35Tbps, and a second one spiking later at 400Gbps. The previous largest attack peaked at 1.1Tbps. It’s a good thing Github has the appropriate technology protection in place!

If you think that only large sites are targeted and your small site is exempted, think again.

Hackers have different motivations: They can either target sites they hold grudges against or want to get a ransom from, or they might just want to target a random site. In any case, it’s always best to be prepared.

If your website experiences slow traffic, and traffic is generated by a bot, your website may have been hosted on the same server as a targeted site.

How to prevent distributed denial of service attacks

Here are a few things to do to protect your website from DDoS attacks:

Monitor your web traffic

This will give you an idea of what constitutes a normal, high or low volume of web traffic. If you know what your normal traffic rate is, you can limit it to accept just as many requests as it can handle. While you’re at it, get a little bit more bandwidth than you actually need.

Install a web application firewall (WAF)

A firewall can analyze traffic before it reaches your site. For example, GoDaddy Website Security can protect your site from botnet traffic surges and other malicious content.

Distribute your network infrastructure

Don’t put all your eggs in one basket. By keeping multiple network resources, you have backups when one is being attacked. Also, keep shuffling geographical servers from time to time.

Back to top

How to improve website security

In addition to the tips above for protecting your website against specific cyber security threats, there are things you can do now to keep your website safer.

Generally, specific vulnerable websites elements are targeted in order for a website security breach to be successful.

The following represent common entry points for security breaches and how you can reinforce them.

Take password security seriously

Everyone knows the importance of password security, which doesn’t explain why “password” is on the list of the top 25 most common passwords people use. What’s not surprising is that, according to Panda Security, 81% of attacks happen mainly because of insecure or stolen passwords.

Many attackers gain entry to your site via brute force, or the repeated entry of username and password combinations until they get the right one.

Here’s how to take control and reduce a hacker’s chances of infiltrating your website when it comes to password security:

Limit attacks by limiting login attempts

If you’re on WordPress, use a plugin like Login LockDown, which records the IP address and timestamp of every failed login attempt and locks down login functionality if the number of failed attempts from the same IP range are reached in a short period of time. This helps to reduce the effectiveness of brute force attacks.

Create a strong password

Use a password that has more than six characters, and contains a combination of both upper and lowercase letters, numbers and special symbols.

If you’re short on inspiration, WordPress can generate an uncrackable password for you. And if you’re forgetful, you can use an app like LastPass to generate, store, and recall secure passwords.

Change passwords often and don’t reuse passwords

If you use one password for everything, a hacker needs only to gain access to it from one security vulnerability on one website. Then, in the worst case scenario, they could use this information to access accounts with the same login information — such as your email and online bank accounts.

Related: 10 best practices for creating and securing stronger passwords

Get an SSL certificate

SSL certificates encrypt sensitive information and data to prevent attackers from spying on exchanges between you and your site visitors/customers.

 

It’s worth mentioning that Google Chrome marks websites that do not have an SSL certificate as “not secure” and secure websites tend to rank higher in Google search engine results pages, as HTTPS is an officially recognized ranking signal.

Learn more about SSL certificates and how to add HTTPS encryption to your website.

Secure your login page

Besides the combination of information you use to login, the WordPress login page itself is also a point of vulnerability.

Once hackers gain access to the login page, they can apply brute force and eventually access the site if your security measures are insufficient. Knowing this, securing your login page is a preventive measure.

Prevent access to your login page by:

Renaming your login page

By default, the WordPress login page can be accessed by adding /wp-login or /wp-admin to the end of a website’s domain name.

A failure to change this makes it that much easier for a hacker to use brute force methods to gain access to your website.

The Rename wp-login.php plugin makes the wp-admin directory and wp-login.php page inaccessible but does not change the files in the WordPress core, whatsoever. You can then pick a new name for the login area that makes sense to you but would be hard for a hacker to guess.

Using two-factor authentication

Two-factor authentication, also known as two-step verification, requires registering a separate device to confirm the site owner’s identity.

This can be done using three methods: SMS, email, or an authenticator app.

The beauty of this method is that if an unauthorized login is made, you will be notified. The hassle of it is that you have to have your device with you all the time. Also, if you choose the SMS-based authentication, you potentially put your personal information at risk, and companies can send you unwanted notifications.

Another caveat: if hackers get ahold of the phone number data you use for two-factor authentication, they can potentially use this to gain access to your account.

Work with a web host who takes security seriously

Although it may not seem like it at first blush, your hosting provider plays an important role in keeping your website secure. More specifically, 41% of hacks happened because of a security vulnerability on a web hosting platform.

Most attacks occur with websites on a shared web server, because you’re sharing resources with other websites. This makes the site susceptible to cross-site contamination, where a hacker gains access to your site via another.

A best practice to avoid this possibility is to pay a little extra to use a service such as GoDaddy WordPress Hosting. This solution handles important security functions that include backups, WordPress version updates, uptime, security and speed.

Keep WordPress core version, themes and plugins updated and patched

The WordPress core software is frequently updated to fix any bugs or issues.

Continually updating the WordPress core is one of the most effective ways to prevent attacks because these updates help patch known vulnerabilities.

If you’re not running the latest version of WordPress, you’ve effectively made yourself a target for hackers.

WordPress updates can be manual or automatic, with major updates having to be manually initiated.

When the WordPress core is updated, reliable themes and plugins also release their own updates to adapt as necessary. So make sure that your plugins and themes are also regularly updated to their latest versions to avoid related security issues.

Related: How to update WordPress like a pro

Use a security plugin

More than 70% of the most popular WordPress installations that are vulnerable can be detected using free automated tools.

Some of the top security plugins include Wordfence, Sucuri and Defender, which have functions that include scanning for vulnerabilities, blocking security threats and malicious networks, implementing a firewall and monitoring DNS changes.

Back up your website

Having backups ensures that your site’s files stay safe in case something goes wrong.

There are several plugins that you can use to back up your site over a certain time period, but if you have GoDaddy WordPress Hosting, this also happens automatically in the background.

Protect input fields

Not all hacks happen from the backdoor of your website. Input fields, such as comment boxes and contact forms, can also create vulnerabilities on your website.

Hackers can take data being entered to those fields by force or by stealth (such as by monitoring keystrokes). This can result in spamming your site with comments, making spam contributions, hacking into your email and sending spam messages to your followers.

Through input fields, hackers can also breach your site via SQL injection or cross site scripting.

To help reduce the chance of a related hacking attack, use the Akismet plugin to reduce spam or disable comment fields altogether.

Improve training, process and procedures

Train all your employees to understand regulations and risk areas. Conduct awareness training on how to keep their data safe, and hold regular audit activities.

Related: Tools to Secure a Website

Back to top

Final thoughts

Website security threats can be pesky and costly, especially for small businesses. In most cases, taking reasonable precautions to protect against attacks will save your website from the worst threats.

And protecting your website is important from a business perspective, as customers need to trust that you’ll protect them from viruses, hackers and other website security threats. Count on GoDaddy’s web security products to keep your website secure, your visitors safe, and your business growing.

This article includes content originally published on the GoDaddy blog by Andrea Rowland.

The post Top website security threats and how to protect your site from attack appeared first on GoDaddy Blog.