Why Do Websites Get Hacked?



This is a question I get asked a lot.

“Why would anyone want to hack my website?”

Your website may not have any eCommerce, may be small, may be just a personal blog, so you wonder why on earth anyone would even care enough to hack your site.

Well, the answer is: because most hacking is done for profit.

Yup, just like most everything else in life, hacking is done because it can be profitable. Ok, there are a few out there who just want to cause trouble, but most of it is done to make money.

So how does hacking your website become profitable?

Well, your site is nothing more than a tool for a hacker. The purpose of hacking for money is generally to get private financial data. So how does your website become a tool for that?

The hacker has two options for trying to get private data:

  • To place malicious code on your website which will be automatically downloaded to people visiting the site. For example, one method for this is to hijack an existing download link on your site and instead use that to distribute this malicious code (or malware).
  • To place a link on your site to another site that distributes malware. This may be to replace an existing link or could be a page that redirects to a site distributing malware.

That’s the main reason. However, there is also a secondary reason for hacking: black hat SEO. What on earth is that? It’s trying to get better search engine rankings by using dishonest techniques.

The three main types of black hat SEO:

  • To place links on a website for the purpose of improving another site’s backlinks. In SEO, the more links that you have from reputable sites linking to yours, generally the better your score. So some people want to put a bunch of links to another site on yours to boost that site’s score.
  • The other type of black hat SEO is a bit more evil. It involves trashing your site because you are dominating the rankings for something. It’s just like trying to win a car race by slashing the tires of the best driver. It’s cheating, it’s evil, and unfortunately it works.
  • DOS: Denial of Service. In this approach your website is flooded with so much traffic that legitimate users (and search engines) can’t access it. In a number of cases this can crash your server, taking your website completely down.

Fact: Neither of these methods even requires hacking your site. If comments are automatically approved on your site, people can leave black hat links and links to malware.

Who Actually Attacks the Site?

Ok, you’re probably thinking: but that’s a lot of work trying to hack all these different sites. If you’re thinking that, you’re wrong. Very wrong.

The majority of all hacking is done by bots, not humans. A bot is a computer program that goes around the web doing some task. Good bots are those like Google bot which roams the web reading websites and adding them to the Google index. Bad bots are written by bad people for bad purposes, and they roam the web too.

So what happens is a hacker gets the code for a bot from another hacker (hackers love to flaunt their work and share it with friends). Then they unleash the bot to roam the web. The bot typically tries to do one of the following:

  • Get into your site by using the usernames “admin” or “administrator” at all the usual login URLs, with a giant list of passwords to try. This is why you should never use either of these usernames, and also why relocating your login URL is a very good idea.
  • Use the vulnerability of the month (one of the biggest going around right now is XSS).
  • Use a known plugin vulnerability.
  • Use a known theme vulnerability.
  • Use a known content management system vulnerability.
  • SQL injection if your site has a database.
  • And many more

And once they are in, they may cause a lot or just a little damage. All depends on their goals. A lot of times they want to cause just a little damage so that they can hide and stick around for a good long time.

How Do You Know If You’re Vulnerable?

If you have a website, you have some level of vulnerability. Everything from cheap shared hosting (where your website lives on a server with thousands of other sites) to your content management system can make you vulnerable.

How Do You Know If You’ve Been Hacked?

The most common routes are:

  • You visit your site and notice something wrong (this is pretty much the least common)
  • Your hosting company sends you an email saying “clean out your site or you’ll be shut down” (usually with a very near deadline).
  • Your Google Webmaster Tools sends you an email alert (you did set up Webmaster Tools, right?).
  • You search for yourself on Google and see: This site may harm your computer.
  • A client or customer emails you with concerns about your site.
  • Your web maintenance person catches something on their regular site inspection.

The hope is that it’s not a customer or a search engine alerting you to an issue. If it has gone that far, you’ve probably lost sales and are in jeopardy of being banned from the search engine results.
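The last route in the list above, catching the problem yourself during a regular inspection, is the one you want to be first. One concrete, low-cost form of that inspection is a file baseline: hash every file under the site’s document root once, keep the result somewhere the web server cannot write, and compare on a schedule. A hacked site almost always gains files or has theme, plugin or core files altered. The following is an added example (not tooling from the original post); the site layout and file contents in its demo are constructed.

```python
"""Compare a site's files against a known-good baseline.

Added example, not tooling from the original post. A compromised site
usually gains files or has existing theme, plugin or core files altered,
so hashing every file under the document root once and re-checking on a
schedule is one concrete form of the "regular site inspection" mentioned
above. Paths and contents in demo() are constructed.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every file under `root` (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between two baselines as added/removed/modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def save_baseline(baseline, out_file):
    """Persist the baseline; keep this copy outside the web root, where the
    web server has no write access."""
    Path(out_file).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(in_file):
    return json.loads(Path(in_file).read_text())


def demo():
    """Constructed scenario: baseline a tiny fake site, then tamper with it."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        root = Path(site)
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (theme / "functions.php").write_text("<?php // theme helpers\n")
        baseline_file = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate a compromise: a theme file is altered and a file nobody deployed appears.
        (theme / "functions.php").write_text("<?php // theme helpers (altered)\n")
        (root / "wp-content" / "extra.php").write_text("<?php // file nobody deployed\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind}: {p}")
```

In practice you rebuild the baseline right after every legitimate update (core, theme or plugin), so that anything flagged between updates is something to look at. Directories that change all the time, such as uploads and caches, are better excluded from the baseline and watched for new executable files instead.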

Fact: If you’re hacked and search engines find out you can be banned. If you get banned from search results, it can be a long, painful and expensive process to recover.

What Can You Do To Prevent It?

Get a quality hosting company (one that would notice if something went wrong). I particularly like Flywheel for WordPress. They do a lot of their own security stuff (doesn’t mean you are off the hook for doing your part) and will work with you if there’s an issue.

And make sure to keep your site up to date and regularly maintained.

Use WordPress?

If you aren’t someone with the time & knowledge to diagnose a hack and fix it, get a maintenance plan with someone who can. Prevention costs a lot less than hack removal does. If you don’t have the budget for regular maintenance, at least get a proper security setup to start with. You’ll still need to maintain it, but it’s a whole lot easier to maintain something that starts out right than something that doesn’t.
