How to keep your website from getting hacked



As the 16th century English father of empiricism Francis Bacon said, knowledge is power. I’m pretty sure that if Sir Francis were alive today he’d tell you that if you want to avoid getting hacked you need to understand how you get hacked.

I’m going to go over six of the most common ways websites get hacked. Now, I can’t guarantee that if you understand these six hacking methods you’ll never get hacked. However, I will guarantee that if you do, you’ll be making it a lot harder for the bad guys. Getting into your website isn’t going to be a walk in the park.

Hacked passwords

Hackers have a lot of tricks up their sleeve when it comes to cracking passwords. Brute force attacks, dictionary attacks, and something called rainbow table attacks are just a few of the techniques commonly used to crack a password. I’m not going to go into the details of how these techniques work. It’s enough for you to know that it’s a kind of guessing where the hackers run through combinations of numbers, letters and other characters until they hit pay dirt. Some of these techniques take considerable computing power, and the longer and more complex the password, the harder it will be to crack.

Your job is to make it hard for hackers to use these various techniques in order to guess your password. You can do that by creating strong passwords. I have an entire article on how to create a strong password. It won’t take you more than a few minutes to read through it.

Insecure CMS plugins and themes

Plugins and themes allow you to add features and functionality to your CMS. However, you need to keep them up to date. Outdated themes and plugins make a site vulnerable to attacks.

There are a couple of things to keep in mind when updating themes and plugins. It’s a good idea to back up your site first, just in case there are errors in the new update. Also, watch out for plugins that aren’t frequently updated. If you see that happening, you might want to find a safer replacement.

Finally, free plugins may be tempting. However, they often contain malicious code. Use them with extreme caution.

Social engineering

Social engineering is when hackers attempt to trick the user in some way in order to bypass security. One common type of social engineering you’ve probably heard of, called “phishing,” involves sending emails, texts, or phone messages that request confidential information. Once the user unwittingly hands the information to the hacker, it’s then used to access important accounts.

Phishing can be surprisingly sophisticated and successful. Don’t assume that you’re too smart to be deceived in this manner. Never give out passwords, credit card numbers or any other sensitive information unless you are absolutely sure who is going to be receiving it. Just because things look 100% legit doesn’t mean that they are. Err on the side of caution.

Software that’s out of date

Hackers are always on the lookout for old, out-of-date software that can be compromised. You can thwart their efforts by keeping your software up to date in order to reduce vulnerabilities. The best practice is to receive automatic updates for any software that you’re using.

Confidential data leaks

When a data leak happens, confidential data is unintentionally made publicly available. Check out what hackers can do using advanced search strings to uncover hard-to-find information via Google Search.

Check periodically to make sure that you’re not leaking confidential information, and make sure that you have security policies in place to protect sensitive data. If you find something that shouldn’t be out there, here’s how to remove it from Google search.

Weak security policies

Weak security policies can easily cause your site to be compromised. Examples of weak security policies include allowing access to people who don’t need to have it, allowing employees to create weak passwords, and having a website that isn’t HTTPS-enabled.

Here are a few things you can do to strengthen security:

  1. Don’t use any services unless they are absolutely necessary.
  2. Use encryption on all pages that handle sensitive information, such as login pages.
  3. Test user privileges and access controls.
  4. Check logs periodically for anything that seems suspicious.
