We are happypath.
This is one of our articles.

Why would hackers target your small business?

Happypath is a website development company in Melbourne. We build great websites for small businesses.

Recently I was looking at one of our competitors’ websites, a local Melbourne website designer. Their blog had some standard web design company content - why you need a website, how much it should cost etc. The most recent three articles were much more interesting. None of them made much sense to actually read, and in the content were multiple links to ‘spammy’ websites - online gambling, dubious crypto schemes, mail order brides - lots of mail order brides.

Of course the website company hadn’t written or posted this content, it was added by a bot (software that crawls the web looking for opportunities) because of some security hole in the website itself. Being good neighbours we let them know, although it took another 2 weeks for them to get rid of it!

So why would a hacker target this particular website? The answer of course is that they wouldn’t. What they are targeting is the opportunity. A large percentage of websites are run using the same content management systems - usually Wordpress, so these become attractive targets. If you can find an exploitable flaw in Wordpress you potentially have access to 100s of thousands of websites around the world. Which is where your website comes in. If your website is sitting on a compromised system it’s just a matter of time. Hackers don’t visit websites looking for the flaw, they have automated scripts that do the work for them, crawling through the web looking for hackable websites and, once found, automatically delivering their unwanted gifts.

Be reassured you are not alone. It is estimated that 70% of Wordpress websites have security flaws.

So what we now have is a game of cat and mouse. The vendors such as Wordpress are highly active in trying to make sure their product is secure, issuing updates when exploits are discovered. This in turn requires your website developers to be on the ball and applying the updates in a timely fashion before your site can be hacked. A full time business, as there are highly motivated groups and individuals actively looking for ways to get in and take over your websites.

The plugin ecosystem

Wordpress has a large market for plugins - 3rd party features and functions that make a website developer’s life easier. Rather than coding something from scratch they can install the plugin and get an image gallery, a carousel or 1000s of other useful features. So an average Wordpress site may use many different plugins from different vendors. These too are susceptible to exploits and like Wordpress itself need continuous updating and patching to remain secure. A reputable website company is going to be taking this very seriously and a fair percentage of your monthly hosting fee is going to pay for this service. Even with highly vigilant companies there is a chance the flaw can be exploited before the plugin can be secured and updated.

Plugins require skill and effort to develop and there is a thriving market in paid plugins. A percentage of this profit is used to pay for any patching and security updates required as well as improved functionality. Where there is a paid market there is also a black market. Copies, clones and pirated versions of plugins are freely available. Often these have additional security exploits already added - called backdoors. So you need to make sure if your vendor is using plugins, which they probably are, that they are all legitimate, legal versions.

Even with legitimate plugins you can never be sure. A security flaw in Popup Builder has been fixed, but if you have not kept your plugins up to date then you are still vulnerable to the ‘Balada Injector’, a piece of malware that is thought to have infected over a million websites since 2017.

The platforms

Wordpress requires a server running PHP and a MySQL database, and guess what? These also need constant updates and patching and have their own layer of security issues.

So what motivates hackers? The answer is complicated, for many it is simply money. For others it is political, and for some it’s just for fun or the thrill of messing up your website!

Malware

Malware is software installed onto your website that does something malicious - obvious! Malware takes many forms but may be used to add additional links into your website content (for someone else’s SEO), or steal sensitive information from your visitors such as passwords and card numbers. Malware is surreptitious and you may not know it is there until the damage has been done. Hackers sometimes use compromised websites to send 1000s of spam emails. When detected by other email servers these can be blacklisted, which means your website domain name is blacklisted, damaging your reputation. While these spam emails are being sent the server your website is running on is extra busy so has fewer resources to deliver your website, resulting in a slow website. If it is running at all.

Malware is also used for cryptocurrency mining. This is a computer intensive process so malicious hackers add software to your website that then hijacks the computers of your visitors to ‘mine’ cryptocurrency. By infecting 1000s of machines this can be done at scale. Again you are unlikely to see evidence of this other than your website performance slowing considerably.

Side effects of malware can include being blacklisted by Google, so your site can continue to suffer long after the malware has been identified and removed.

Additional tools need to be run on your Wordpress site to detect the presence of malware and scan your site for vulnerabilities. Malware is nearly always run for some sort of monetary gain and often criminal.

Once a hacker has access to your site it is easy to add links or metadata. One common occurrence is the ‘Pharma Hack’. Your page redirects visitors to a site selling the likes of (fake) Viagra, Cialis, and Xanax. Another trick is to randomly add links into existing content like your blog. By doing this 1000s of times on different sites the SEO of the target website is increased. Again none of this is done specifically to your website. It is the result of automated tools looking for loopholes to exploit.

The Pesky Script kiddies

The proliferation of these types of hacking tools online means they are easy to get hold of. ‘Script Kiddie’ is the derogatory term given to young or immature ‘hackers’ using these tools randomly, often for fun. Script Kiddies are looked down upon by proper hackers as they are merely using existing tools. Many hackers delight in making original discoveries and developing advanced techniques. Nonetheless Script Kiddies can cause huge amounts of damage running these tools indiscriminately and often aimlessly.

Political and State Sponsored hacking

One of the biggest and most popular Wordpress plugins is a design/authoring system called Elementor. It’s very powerful and allows people with little coding knowledge to create beautiful websites using its visual interface. It’s one of the tools of choice for many website designers, it is estimated that Elementor is powering 9.6% of all websites, something like 12 million sites. Like Wordpress, Elementor has its own security issues and requires constant maintenance and updating to make sure sites aren’t vulnerable to hackers.

Elementor also happen to be an Israeli company, and understandably fairly outspoken in their support for the Israeli action against Hamas and Hezbollah.

This puts a massive target on Elementor.

Often these kinds of hacks are not motivated by criminal gain, purely to make a point. Once an exploit is found in a system like Elementor it can be used to gain access to thousands of websites indiscriminately and deface them with political messages. So although your website has nothing directly to do with a particular issue, by chance you can be caught up in it.

Depending on your own political views you may not want to use Elementor or Wix, also an Israeli company. During the initial invasion of Ukraine I was working for a company that had a policy of not operating in, or supporting certain markets that were deemed problematic. As a result Russia was blacklisted and we had to remove any Russian based software products from our tech stack. It’s obviously a complicated situation, and realistically no country is beyond reproach.

There are many highly charged political situations throughout the world, all of them utilising hacktivism to make their own points.

The Russians are well known for their hacking activities. As part of their invasion of Ukraine, they hijack Wordpress sites and use them to bombard Ukrainian infrastructure with millions of requests known as a Distributed Denial of Service Attack (DDoS). The aim of this is to put Ukrainian websites and online services out of action. Similarly to the Pharma hacks mentioned previously, this is going to result in your website coming to a halt as all its resources are taken. Arguably it’s worse for the Ukrainians, but it is worth remembering that as a small business owner your website is something that can be utilised, and weaponised against someone on the other side of the world.

Hacking groups actively involved in Israel/Palestine - interesting that many of these are existing Pro Russian groups, so there is conflict crossover.

Insecure passwords

Wordpress websites out of the box have generic username and password accounts. Again, automated scripts are looking for these constantly. It’s likely that these are changed during setup, but if you or your development partner use insecure passwords they can be easily ‘guessed’ by dictionary attacks (repeatedly trying 1000s of words). And changing an O to a 0, or an e to a 3 will not help in the slightest. A brute force attack can guess an 8 character lowercase password in 200 seconds so mix your cases (which will take 14 hours to break!). Like your online banking, keep your website admin password secret. Always add Two Factor Authentication (2FA). You can also get your Wordpress set up to restrict the number of login attempts; make sure you can remember your strong password first though.

Even with a secure password, malware added to your server through a compromised plugin can simply wait for you to login at which point it runs its own payload without needing to steal your credentials.

Cheap hosting providers

Cheap is not always cheerful. Cheap hosting piles multiple sites onto shared servers and it may be the case that it’s someone else’s website that is compromised. Because you are sharing resources your site might slow to a crawl or even go offline because of increased activity on the other website. Many website designers use cheap hosting to keep their overheads down.

If your site is sharing resources with another site that has been hacked then you are likely going to see a dip in performance too. This is avoidable if you go the route of a CDN (Content Delivery Network) rather than regular webhosting.

How do you know if your Wordpress website has been hacked?

There are a few giveaways that may suggest your website has been hacked.

  • You can’t log in to your admin panel

To prevent you finding out what they have done and fixing the problem, hackers can lock you out of your own website. It’s possible you’ve just forgotten your password though so don’t panic too much.

  • Increase in emails

If your web server is being used for sending spam you might see an increase of strange activity in your own emails. You may get locked out of your email too.

  • Your homepage goes somewhere else but not to your homepage!

Yes, it’s been hijacked. Sometimes this is done subtly so maybe it doesn’t happen every time, or it only happens if you come from a Google search result.

  • Someone else has added content

Big giveaway. If you see some strange content that you don’t think should be there - time to give your web people a call.

  • Large reduction in website speed

If your server is busy doing something else, it’s not serving webpages as well as it should. Again, there are many reasons why this could be happening so don’t jump to conclusions.

  • You are not in Google

If you are blacklisted, bye bye Google listing.

  • Alerts from your browser

Security alerts warning that the site you are trying to access contains malware or is a phishing site. If it’s your site you are looking at then that’s not great!

  • Your account is suspended by the website hosting provider

This is likely not your web development partner but a third party hosting service. If their security systems clock something suspicious they will remove your site to protect other sites on the shared server.
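The ‘someone else has added content’ sign, and the link injection described under Malware, can be checked for automatically by listing every outbound link on a page and flagging the ones you never put there. The Python below is an added example, not happypath's code or part of the original article; the trusted domain list, the keyword list and the sample post are assumptions made up for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions for this example: your own domain, sites you link to on purpose,
# and a keyword list built from the spam themes mentioned in this article.
TRUSTED = {"example-business.com.au", "facebook.com", "instagram.com"}
SPAM_WORDS = re.compile(r"casino|gambling|viagra|cialis|xanax|crypto|brides", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class LinkCollector(HTMLParser):
    """Collect each <a> tag's href, visible text and inline-CSS hidden state."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._open = None  # the <a> tag currently being read, if any

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            hidden = bool(HIDDEN_CSS.search(a.get("style") or ""))
            self._open = {"href": a.get("href") or "", "text": "", "hidden": hidden}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None

def is_trusted(host):
    # A trusted domain or any of its subdomains (www., m., and so on).
    return any(host == d or host.endswith("." + d) for d in TRUSTED)

def suspicious_links(html):
    """Return (href, reasons) for every external link that is not on the trusted list."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        host = (urlparse(link["href"]).hostname or "").lower()
        if not host or is_trusted(host):
            continue  # relative links, mailto: and known-good sites
        reasons = ["unknown external domain"]
        if SPAM_WORDS.search(link["href"] + " " + link["text"]):
            reasons.append("spam keyword")
        if link["hidden"]:
            reasons.append("hidden with CSS")
        findings.append((link["href"], reasons))
    return findings

# Constructed sample: a blog post with two genuine links and two injected ones.
SAMPLE_POST = """
<p>Follow us on <a href="https://www.facebook.com/ourshop">Facebook</a> or <a href="/contact">get in touch</a>.</p>
<p>Great design <a href="http://best-online-casino.example/win">top bonus</a>
<a style="display:none" href="https://cheap-pills.example/">buy cialis</a></p>
"""
```

Calling `suspicious_links(SAMPLE_POST)` reports the two injected links and ignores the genuine ones; run over saved copies of your own pages, any link it reports that you do not recognise is worth raising with your web people.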

You don’t need Wordpress. What!

Now we’ve outlined the nightmare of keeping PHP, MySQL, Wordpress and its plugin ecosystem up to date, I am going to tell you that you don’t need it.

In many cases Wordpress is overkill. A content management system is useful if you are running sites with 10s of thousands of pages but for most small business websites it’s probably not necessary. So why are most website designers offering wordpress sites? Basically it’s because it makes their job easier. It is relatively simple to setup a wordpress site using a bought template, change a few images and words, then sell on to you as a website. Looks nice, you probably don’t even realise it’s an off the shelf design used 1000s of times around the world. As an added bonus the functionality of a Content Management System - that you can update your own content, is sold to you as a plus. You can get a website that you can update yourself without needing to go back to your developer! What could be better than that!

Do you really want to have to run your own website? Updating is great until it doesn’t quite look like it did when it was first launched. You’re not sure why the photo you added of your new staff member is all blurry, or why it’s taking longer for the page to load. Do you really have time to invest in learning how to administrate your own website?

Static websites for the win

At happypath we don’t use a Content Management System (CMS) like Wordpress. There are many reasons for this, mainly to do with performance. We build what are termed Static Websites, or sometimes JAMStack. These don’t use a database to deliver content to your screen. They deliver fully formed code from a Content Delivery Network which makes the sites much quicker to load. Because we are not using third party systems or code we have full control over everything and can optimise and tweak to ensure the best possible performance from your website. And we continue to do this. Because we update your site on your behalf you can be reassured it will always be highly performing, SEO optimised, and no blurry images!

The other advantage is security. Not having a database behind our sites means that there is nothing to hack. Your site is fully secure, and we don’t have to spend hours each month making sure your navigation menu plugin is secure and up to date with the latest fixes. All the things you’ve just been reading about are not going to happen to you.

Of course no system is 100% secure but to get into one of our sites is far more difficult. The CDN we use serves pre-rendered code with no active surface area for attack. The CDN is monitored for traffic anomalies, and spread over multiple locations, so in the event of a problem in one data center, the site will be switched off and the next data center will take over.

We also take our own security very seriously and have 2 factor, and token authentication on all the services we use. You should too!

So if you’ve been hacked in the past, or you are concerned about the security of your current website provider, why not give happypath a call and see how a static, and fully managed website can alleviate all these problems.

The extra bit

What is a Content Delivery Network (CDN)?

A Content Delivery Network (CDN) is a network of servers spread around the world, designed to deliver your website’s content to users more quickly. Normally, when someone visits your website, they connect to a server that might be located far away from them. This distance can cause delays in loading your website. With a CDN, copies of your website are stored on multiple servers in various locations. When someone visits your website, the CDN directs them to the closest server. This reduces the distance the data needs to travel, speeding up the loading time of your website. For a small business, this means visitors from different regions can access your site faster, which is crucial for keeping their interest and potentially increasing sales. Additionally, a CDN can handle high traffic better. If many people visit your website at the same time, a CDN can distribute the load across its network, preventing any single server from becoming overloaded. This helps to keep your website running smoothly, even during peak times.

Why is a CDN different from webhosting?

CDNs normally only serve static data, whereas a webserver can run code then serve it. This makes it slower and also more vulnerable to hackers. The CDN is optimised for speed and is a network of connected servers that work together to send the website code to your visitor in the most efficient manner. CDNs are much more secure and have systems to cope with DDoS attacks and suspect traffic. They also utilise highly effective compression and caching techniques.

Can Static websites be hacked?

Not on the code level. There is no ‘running code’ so nothing to exploit and no database to access. Static sites can still be compromised if a hacker can get into the developer’s code repository, which would be a password access issue. This is much less likely as the kinds of automated attacks we see on Wordpress websites are not going to achieve this. Plus code repositories are highly secure, have two factor authentication, and token authentication which means they can only be accessed by predetermined specific computers. As the repository is separate from the Content Delivery Network it would also be possible to roll back the site to a previous unhacked version without regaining access to the repository.
