Hackers aren’t after your site in particular (at least, 99% of the time they’re not), but that doesn’t mean you’re not at risk. If you’ve ever wondered whether you as a small business owner should really be concerned about protecting yourself from getting hacked, the answer is yes– you absolutely need to. You don’t need to attract the particular attention of an individual hacker or be a famous brand to be a target.
First, let’s cover why and how hackers attack your site. Then, read a real-life example of what happened to one small business who had a security problem, with no countermeasures in place, and how it impacted their business.
Why and how hackers pick websites to attack
Most hacking is not targeted, so you don’t have to be a big business or have a website that gets a lot of traffic in order to get caught in the crossfire. Instead, hackers use automated tools to rapidly search many sites for a weak spot that will allow them to exploit your site or the resources of the server that your site lives on.
Usually, this weak spot is a plugin that has a security vulnerability. Once the flaw is made public, the risk of your site being targeted skyrockets, because bad actors are likely searching at scale for any site with this plugin installed.
The original authors of the flawed software may release an update that fixes the problem right away. But you still need to install the update to protect your site! So if you don’t monitor your site and keep up with the latest security news, you might get hacked.
If your site is hacked, hackers can do things like deface your website, redirect your traffic to other websites (often foreign pharmaceutical sites), insert ads into your content, or even use your server resources as part of a “bot” network for their own purposes.
How it happens in real life
Here’s the story of a security vulnerability that I watched unfold in real time.
A security flaw was discovered in a plugin called Social Warfare, which was very popular with bloggers. The plugin adds social media integration and it had tens of thousands of active installations. The flaw allowed pages on the affected website to be redirected to other arbitrary web addresses. This type of vulnerability is often used to direct traffic from a hacked website to sketchy foreign pharmaceutical websites or other dubious sites.
A well-known (and, if you want the insider drama, notoriously unbalanced) security researcher had published the details of exactly how this security vulnerability worked without giving any heads-up to the original author of the plugin. This was not the normal procedure for disclosing a vulnerability.
The normal way would be to contact the author of the plugin and let them know of the problem, allow them time to develop a patch, and once that patch was available, then publicize the vulnerability.
Instead, the security researcher had published a full proof of concept of the exploit, which amounted to a how-to for hacking any website that had this plugin installed. At the time, there were about 70,000 active installations of this plugin.
Obviously, many were outraged about this, and many sites were hacked as a result. Within hours, the authors of the plugin in question had released a patch, but obviously that patch needed to be installed in order to protect anyone with this plugin installed. Most people don’t check their websites daily for plugin updates.
I was browsing the comments section of a news article about this breaking story on a web security forum when I saw an exchange between an account that evidently belonged to the above-mentioned rogue security researcher who’d published the exploit and a random blogger whose site had been victim to the hack.
This poor blogger had sent out an email campaign to his entire list with a link back to his site– not knowing he had just been hacked. Hundreds of his readers clicked a link to his site, but were instead redirected to obscene content. Immediately, the blogger lost trust and credibility and many unsubscribed. His mailing list was decimated. His only recourse was to send a follow up email to remaining subscribers, and let the readers know via the website, after it was restored, that the problem had been a result of hacking– but the damage was done.
All because of a bad plugin, a security expert who irresponsibly blabbed to the entire internet how to exploit the bad plugin, and a bunch of (probably) teen boys in hoodies who took advantage of the situation.
The lesson is clear: any site can be a target, because they’re not just after sites that get a lot of traffic or famous brands. Hacking is a business (or sometimes a “sport”) of volume & scale. And the stakes are high. Make sure your site is protected!