How Did My Website Get Hacked?

If your website has ever been hacked, you know that fixing it can be a big headache. And even after it is fixed, you might find that your website has less traffic and worse search engine positioning than before.

As a result, fixing a hacked site is an urgent matter that should be taken care of immediately to minimize any negative effects. But before you rush to restore your files or get your website back online, the first thing you should do is determine how your website was hacked so you can prevent it from happening again.

5 Ways Hackers Might Have Gotten into Your Website

The list below gives some common ways websites are hacked, as well as a few things you can do to protect your website.

1. Your Web Host Is Vulnerable

Quite frequently, many websites hosted by the same web hosting company are all hacked together. In these cases, the problem usually lies with the host. Either their servers have some vulnerability which is being exploited by a hacker OR the hackers have figured out a way to gain access to one website on a server and then use that website to infect the other websites hosted on the server.

To make sure that this isn't your web host's problem, it is a good idea to report the hacked website to your host.¹

If your host has a bad record when it comes to hacked websites, you should consider moving your website to another host which has implemented better security for their servers.

2. Your Computer or Your Web Developer's Computer Has Been Compromised

Sometimes, the root of the problem lies with machine used to access the website and not a vulnerability of the website itself. Hackers can infect a computer with malware, enabling them to steal saved passwords or infect files as they are uploaded to a server.

To prevent this from happening, the computer used to access a website via FTP or SSH should be regularly scanned for spyware, viruses and malware. Additionally, unencrypted passwords should not be stored in FTP programs.

Finally, when accessing any protected area of the website — FTP, SSH, control panel, databases — be sure that you are using a trusted network. And if possible, you should also access a website via SFTP, instead of FTP, because it allows your password to be encrypted when transmitted between your website and computer.

3. Your Passwords Have Been Leaked or Are NOT Strong

When it comes to passwords, they can only protect your website is they are strong. This means that passwords must adhere to the following criteria.

1. Unique. FTP, database, control panel, and email passwords should all be different from each other and not used on any other website.
2. Complex. Passwords should not be easily guessed. The best passwords do not contain words and are a combination of numbers, symbols, and upper and lower case letters.
3. Private. Be careful about who you share your passwords with and how you share the passwords. If sending a password via email, consider transmitting it as an image instead of via plain text.
4. Self-Selected. When you setup a web hosting account, install content management software, or create databases, passwords are typically automatically generated. And while these passwords are often very complex, hackers can sometimes guess these passwords. So it may be best to create your own complex passwords yourself.
5. Regularly Changed. By periodically updating your passwords, you lessen the chance that a leaked password can be used to gain access to your website.

Additionally, if your website has been hacked, make sure that the hacker has not created any unauthorized accounts that could be used for subsequent hacking attempts.

4. Your Content Management Software Has Security Holes

Content management systems (CMS) are used by websites to make it easier to manage content or maintain other functionality. But there is a big downside. Regardless of which CMS is used, there are always security holes that can be exploited by hackers.

To keep a CMS as secure as possible, there are certain basic recommendations that you or your developer should always follow:

• Hide your CMS version and make sure it is not displayed in HTML markup.
• Verify file permissions are correct and not too permissible.
• Hide your directory structure.
• Do not let two or more applications share the same database.

Additionally, the programmers behind your CMS may release updated versions or patches when vulnerabilities are discovered. And while it may be expensive or time-consuming to keep your CMS updated, it is worth the effort. After a new update is released, details about security flaws in the older version are often released. And what this means is that if you don't upgrade to the latest software version, hackers will literally have a roadmap to getting into your website.

5. Your Code is Poorly Written

Poorly coded website forms, dynamic pages, and CMS plugins/modules could result in easily exploitable security holes. To prevent this from happening, make sure that all custom code is fully tested and coded with security in mind. And before installing a 3rd-party plugin or module for your CMS, review the feedback and/or take a look under the hood to make sure that the plugin is well-coded.

No Website Is Hacker-Proof

Even after employing the best preventative measures, it is still possible for your website to be hacked. As a result, it is a good idea to regularly monitor your site and its log files so that you know if any changes have been made to its files or if hackers are trying to gain access. There are also a variety of 3rd-party monitoring tools which can be used to alert you if your website has been compromised.²

1. Some web hosts will be able to provide your with backed up files or restore your website, free of charge. [↩]
2. If you are looking for a free 3rd-party tool, Google Webmaster Tools will alert the contact person of a registered website if Malware has been found and reported. However, it is a good idea to use another reporting tool as it may take several weeks for Google Webmaster Tools to scan a website and identify it as compromised. [↩]