Disclosure: As Bitgog editors, we write about products that we independently select because we love them and believe that you will like them too. Our site often has affiliate partnerships, so we may receive a small compensation, that we spend on making this site more resourceful making your experience great.
If you are able to understand the techniques that hackers use to hack website, you can implement the safeguarding techniques to protect yourself from getting hacked. You see, we learn from experience as well. Sharing my personal experience here: I had not implemented all security measures on one of my websites since I was not working actively on it. I thought why would anyone want to hack it since the website was not even much popular, but I was wrong, since that website got hacked, and it was a very bad feeling to see “You have been hacked” words on the home page of the website. If you want to read my experience, you can check out the article where I mentioned what happened when my website got hacked and how I recovered it.
After that incident, I make sure I implement strategies that make my website secure and make it difficult for hackers to hack it.
Hackers use certain security vulnerabilities to hack websites, Here is a list of 13 horrible mistakes people make that can get their websites hacked:
1. Weak passwords
Hackers use softwares that scan through random combination of letters, numbers and special characters. They can also scan for common passwords. The weaker a password is, the easier it is to crack. Make sure you are using strong passwords for each of your following accounts, since a hacker can get access of your website if any of the below gets compromised:
- WordPress administrator account
- Web hosting cpanel account
- FTP (file transfer protocol) accounts
- Your website's MySQL database
- Email accounts associated with your WordPress admin or hosting account
Three ways you can create strong passwords
A. Always use a combination of letters (both uppercase and lowercase), numbers and special characters
Doing so will make your password very strong and harder to break, because the number of possible combinations increase when you use different type of characters in the same password. For example, if you have only numbers in your password, then password breaking tools only need to guess numbers from 0 to 9.
B. Create longer character passwords
It becomes difficult and takes more time to crack passwords with higher number of characters. This is because the total number of probable combination increase exponentially with a higher number of characters.
It is far more difficult for a hacker to crack a 12 character password containing numbers, letters and special characters compared to a 7 character password.
C. Never use same password everywhere
If a hacker becomes successful in stealing your password from one website, and if you have used the same password on other websites as well, it can become very easy for the hacker to try that password on other sites.
Some of the worst passwords used by people:
- 123456 or 12345678
2. Not updating WordPress to latest version
WordPress keeps coming out with newer versions that are more secure than previous ones. Older versions might have security vulnerabilities which can be dangerous. There are a lot of people who feel scared of updating wordpress since they get afraid, that it might break their website. They do not realize the importance of updating to the latest version of wordpress. Each new version is more secure than the previous one. Not updating your wordpress to the latest version is like giving an open invitation to hackers to hack your website.
How to update WordPress to latest version?
Updating is a single button click process. Just make sure, that before you update it, take a backup of your website, so that in case there is some goof up, you can always revert back the website to the way it looked before upgrading.
Since we talked about WordPress here, you might be interested in checking out this article on 5 common mistakes people make with their WordPress websites and how to avoid them.
3. Not updating plugins and themes to latest versions
The same is true with plugins and themes, whether you are using free or paid versions of plugins or themes, your developer would update them from time to time and fix security vulnerabilities. Newer versions are more secure than previous versions. Using outdated plugins or themes makes your website vulnerable.
How to update plugins and themes to latest versions?
When you login into your wordpress dashboard, if a plugin has an update, you will get its notification in the dashboard. Otherwise, you can click on plugins to see installed plugins. If a plugin requires an update, it will be mentioned below the plugin.
For example, see below notification from Akismet to update the plugin to latest version:
4. Using nulled themes or plugins / Downloading plugins or themes from non trusted sources
Do not download these from any other source apart from the above. Sometimes paid plugins or themes are nulled and are available for free to be downloaded from non-trustworthy sources. Some people download these paid plugins or themes for free from either torrent sites or from some forums; they feel they have saved on the cost of plugin or theme, but it can be highly dangerous as these might contain some trojans or backdoor script that might harm their website in the long run.
In fact, here is a list of 17 things you must do before changing WordPress themes.
5. Security Policy Loopholes
Sometimes, it might happen that there are certain loopholes in security policy such as:
- Giving administrator access to users who do not require it
- Giving permission to unauthenticated users to upload files
For example, if a website has a section for job applicants to upload their resume and if there is no check on the type of file that can be uploaded, then this is a possible security loophole, since a hacker might upload a malicious file.
How can you avoid this mistake?
A. You can monitor access controls and user privileges at frequent intervals
B. Regularly check security logs for suspicious activity
6. Using Web hosting that may have security vulnerabilities
Some web hosting companies offer their hosting services at very low prices. They are able to entice customers to use their services. But they might not be properly securing their hosting platform. Due to this, all the websites that are hosted on such servers may become vulnerable to attacks. It is important to use a good web host. You can check out this detailed guide on different types of web hosting servers so that you can cross check if you are using a good one as per your site's needs.
How can you avoid this mistake?
Only go for reputed hosting providers. If you want additional security, you can go for managed hosting providers such as WpEngine or Kinsta Hosting.
7. Providing unguarded access to WordPress Admin area
Only administrators are supposed to access the WordPress admin area. If anyone can get unauthorized access to this area, they can play havoc with your website. If you do not pay much attention to secure this area, then hackers might use different techniques to get access to this area.
How can you avoid this mistake?
A. You can use two factor authentication to login to wordpress admin area
You can use a plugin that provides this functionality. By doing so, the administrator will have to enter a second factor such as OTP (one time password) that can be received by administrator on an email id or a mobile number.
B. Limit the number of incorrect login attempts
There are free plugins available that limit the number of incorrect login attempts from a particular ip address. They disable logging attempt from that ip for a particular duration. You can search the official plugins directory to see which plugin works for you.
C. Enforce strong passwords for all users on website
Your website might have multiple authors/contributors. You can enforce strong passwords so that no user on your website has a weak password. You can use a free plugin to achieve this functionality.
D. Password protect admin area
If your hosting company provides you a cpanel (you will not have a cpanel if you are on shared hosting or managed wordpress hosting), then you can password protect your admin directory.
8. Incorrect file attributes/permissions
File attributes tell the web server about which particular type of user has which type of permissions.
File permissions are of three types:
Read: Read permission allows reading a file, or reading names of files in a folder. It has a numeric value 4.
Write: Write permission allows updating or writing to a file. Through this permission, a file can also be deleted. It has a numeric value 2.
Execute: This permission allows an executable file in that folder to be executed. This permission can run a file or access files in a folder. It has a numeric value 1.
For example, if a user has permission 6 on a file, that means the permission is (6=4+2), so she can read and write that file.
These permissions are given as a set of three digits such as 644 or 777, called as permission mode.
- First digit. It signifies what the user of the account that owns the file can do
- Second digit. It signifies what other user accounts in the owner’s group can do
- Third digit. It signifies what the user accounts of public (including website visitors) can do
How to avoid this mistake of incorrect file permissions?
All files in wordpress folders should have 644 permission. It means the owner/administrator has read and write permission (4+2=6) , groups and public has only reading permission, that is 4. Therefore it is 644.
All folders on your site should have 755 permission. It means the owner/administrator has read + write + execute permission (4+2+1=7) , groups and public have reading and executing permission (4+1=5), therefore its 755.
9. Using https instead of https
https is ‘hyper text transfer protocol' whereas https is ‘hyper text transfer protocol secure'.
Https implies there is an encrypted connection between a browser of a user and a web server. It means that data traveling between the user and a web server is safe and that unintended users are not able to obstruct or intercept the communication between the two. Https is a mechanism that secures information in transit.
If you have still not installed ssl (secure socket layer) to make your website's address turn to https from https, then it is a security loophole.
In fact, google had announced on their webmaster blog in 2014 that they consider https as one of the ranking factors in their algorithm. So, if you are using https on your website, it will not just provide an added layer of security, but will also help in ranking your website better in google search results. So, it is very important that you purchase and install an ssl on your website to make it https.
Although there are more than 200 ranking factors that google considers and this is just one of those ranking factors, so doing this alone wont make you ranking better. You will have to work on other ranking factors as well.
Also, if you do not have https on your website, then customers might not feel that your website is safe for them to enter their credit card details. In fact, not having https is one of the reasons why customers might leave your website.
How to avoid this mistake?
If you are on a shared hosting server, you can purchase a ssl from your host, the license has to be renewed every year and is available at sites such as godaddy for a reasonable price of around 60$ per year. I have also purchased ssl from godaddy for several of my websites.
10. Using plain FTP instead of SFTP/SSH
You generally use an FTP (File transfer protocol) client (such as Filezilla which is available for free) to upload or download files to your web server. When you only use FTP connection, then your password goes to the server in an unencrypted form and a hacker can try spying on you and figuring it out. If you connect via SFTP which is secure FTP or if you connect via SSH (secure shell), then the communication between the web server and ftp client happens in an encrypted form, which is difficult to crack.
How to avoid this mistake?
When using a FTP client, choose SFTP/SSH instead of only FTP.
For example, in Filezilla, you can click on File->Site Manager and choose SFTP as shown in screenshot below:
11. Using simple or common WordPress usernames
When you install wordpress on your website, by default, the username of the administrator account is admin. A lot of people do not change this default username, due to which many hackers can try cracking the password since they already know the username.
How to avoid this mistake?
You can either create a new Administrator username which is different than ‘admin', then login into your wordpress dashboard with the new administrator account, and then delete the admin user account.
You can also change the username via cpanel by going into phpmyadmin and changing it. If this sounds too complex for you, you can use the first method mentioned above.
12. Not securing WordPress configuration file wp-config.php
The WordPress configuration file wp-config.php contains the username of your website's database. If this file gets compromised and is someone can get access to the username of the database, it might become easier for them to crack the password. So, it is important to safeguard this file from any intruders.
How to secure wp-config.php file?
Go to the root folder of your site, there is a file named .htaccess over there. Make sure you take a backup of this file before making any changes to it.
Add below mentioned code to your .htaccess file:
deny from all
13. Not using a firewall
A lot of website users are not aware how important it is to install a firewall on their site. A firewall for your website (also called as web-application-firewall) shields your website. A firewall protects a website by constantly monitoring a website against malicious attacks from spammers, hackers. A strong firewall can even protect from distributed denial of service attacks.
How to avoid this mistake?
When my website got hacked, I looked for several solutions online and found these two to be good
- Sucuri website security
I purchased Sucuri firewall for my main website and installed the free version of wordfence on one of my other websites and I found both of them to be good. Sucuri guys helped me bring my website back in a few hours, I have been subscribed to them since then.
Although I am supposed to be telling you about 13 dangerous mistakes, but don't we like it when we are offered something extra than what we were supposed to be offered. That's why, here is the 14th mistake that you must avoid:
14. Getting tricked by Social Engineering attacks
A social engineering attack is when a person is tricked into doing something dangerous online such as sharing your password, downloading unwanted software etc. You would be thinking – “What? Why would I share my password with someone else, I would never do that, no one would.”
Yes you are right, no one would consciously share their password with a potential attacker. That's why these guys trick people into doing so.
Some of the tactics used by hackers for tricking people are:
Phishing is generally done via ads, email, or sites that look very similar to the sites that you already use. Such sites would have either a misspelling in the domain url which would be difficult for a user to spot, their home page or login page would look exactly like your trusted site page. Once you enter your username and password, it may give you an error and you might not even get to know that you have shared your password with them.
B. Deceptive content
This type of content tricks you into doing something that you would only do for a website that you trust, such as downloading a software, sharing a password. They can do this by showing you an ad suggesting that your computer has viruses or your anti virus is out of date and you must install the software to get rid of viruses. In fact, the software may be a keylogger which might track all the keys that you press on your keyboard and the software keeps sending it to the attacker. So, for any attacker, it becomes fairly easy to get your passwords, since normally what happens is when you open your browser, you type the website url in your browser , and then enter username and password. All this activity gets tracked by a keylogger software and it is periodically sent to the attacker's email id.
How can you avoid this mistake?
The first thing you can do is to be aware about these methods, so that you can be aware to check the site url correctly while logging into trusted sites. You should have a good anti-virus software installed on your system that can help you protect from unwanted software downloads.
To summarize, The above are the dangerous mistakes that people might do to get their websites hacked. I have also mentioned different techniques on how you can avoid these mistakes.
If you find the above article helpful, request you to please share it with your friends or family on social media because you will feel great that you helped them avoid these mistakes.