Introduction

For hackers, hacking your website security is done for reasons ranging from something as small as bragging rights to something as large as identity theft and theft of financial information. There are many types of hacking. Hacking a computer has similarities to hacking a web server; however, the focus of this document is the hacking of websites. While many online applications and websites have protection, they are still susceptible to website security problems and hostile attacks. This can occur with any website or online application, from an internet bank to a web store for a small neighborhood business.

Some websites and online applications become targets because of how well-known they are and some become targets because of their vulnerability. Smaller systems are easy targets for hackers, even if they do not hold private data. There are hacking websites that do nothing but share information about insecurities in various software and at various websites. There is no shortage of people who want to be hackers. There are hacking camps that teach others how to circumvent website security and hack websites.

Most people see website security as a defensive barrier encircling a single site and/or server, which can simply be reinforced or ignored. A better, more accurate viewpoint is that every computerized protection measure is one layer in a blanket of security. The more layers you add, the more likely it is that your data will remain safe and untouched. Adding layer after layer may appear unnecessary, but it is what makes the protection effective, because it is safer to assume that any single layer you add will eventually be breached.



Hacking: Brute Force Attack

A brute force attack consists of the hacker attempting several password guesses in a variety of combinations until one of them grants access. Basically, it is akin to someone trying to open a combination padlock by inputting numeric combinations one after another until one works.



How to Avoid a Brute Force Attack

Several applications and content management systems (CMS) include software that oversees website security and monitors excessive login failures. Some provide a plugin system that shows this data and allows you to block and unblock users and/or IP addresses. These plugins and software are effective defenses against brute force attacks, as they heavily restrict the number of guesses permitted.

The WebShoppingSystems.com Fully Managed WordPress Hosting prevents this type of hacking using the iThemes Security Pro premium plug-in. iThemes Security Pro prevents this type of attack and many others.
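As an added illustration of the failed-login monitoring described above (this is example code written for this page, not code from the iThemes plugin or any CMS), the throttle below counts failures per user-and-IP pair inside a sliding window and locks the pair once the limit is reached. The limits, the `verify` callback and the injectable clock are assumptions made for the example.

```python
import time
from collections import defaultdict, deque

MAX_FAILURES = 5        # guesses allowed inside the window (assumed value)
WINDOW_SECONDS = 300    # sliding window in which failures are counted
LOCKOUT_SECONDS = 900   # how long a locked user/IP pair stays blocked


class LoginThrottle:
    """Counts failed logins per (user, IP) and locks the pair after too many."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can fake time
        self.failures = defaultdict(deque)  # key -> timestamps of failures
        self.locked_until = {}              # key -> time the lock expires

    def is_locked(self, username, ip):
        key = (username.lower(), ip)
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() < until:
            return True
        del self.locked_until[key]          # lock expired: start counting afresh
        self.failures.pop(key, None)
        return False

    def record_failure(self, username, ip):
        """Book a failed guess; returns True if this one triggered a lock."""
        key = (username.lower(), ip)
        now = self.clock()
        stamps = self.failures[key]
        stamps.append(now)
        while stamps and now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()                # forget failures outside the window
        if len(stamps) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            return True
        return False

    def attempt(self, username, ip, password, verify):
        """Gate a login and return 'locked', 'ok' or 'denied'; `verify` checks the password."""
        if self.is_locked(username, ip):
            return "locked"                 # refuse without even checking the password
        if verify(username, password):
            self.failures.pop((username.lower(), ip), None)  # success clears the count
            return "ok"
        return "locked" if self.record_failure(username, ip) else "denied"
```

Note that a locked pair is refused even when the correct password is finally supplied, which is what stops the guessing from paying off; the per-pair key also keeps one noisy address from locking out every user at once.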




Hacking: Code Injection (Remote Code Execution)

To start a code injection, a hacker will test the areas of your website that collect user input, namely a search box, contact form, or data-entry field. After trial and error, the attacker learns which fields can be manipulated to give access to unintended data on the server.

Here is an example: a hacker enters a variety of database commands into a search field. If your website's search function passes unsanitized data into the database query, then the hacker can succeed in extracting unexpected data from your database.



How to Prevent a Code Injection Attack

Maintain frequent updates with security patches for development platforms, CMS, or any framework. It is highly advised that best practices for sanitization are followed when processing data. No matter how minimal it is, all user input should be checked to be sure that it is the anticipated data type.

Programmers who create the code that processes your data are responsible for sanitizing and validating all incoming data. Sanitizing data has to do with removing known characters used in hack attempts. Validation has to do with using the program to verify that you have received the expected data type. For example, if you expect to receive an email address, then the program should check that the data is in the format of an email address.
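To make the search-box example and the validation advice above concrete, here is an added example (written for this page, not code from any CMS or from the site's own software) showing a search query that pastes user input into SQL, the parameterized version that fixes it, and an email-format check of the kind the page recommends. The product table and its rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    # Constructed sample catalogue: the is_public = 0 row stands in for data
    # the public search must never return.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, is_public INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("red mug", 1), ("blue mug", 1), ("unreleased mug", 0)])
    return db


def search_unsafe(db, term):
    # VULNERABLE: the input is pasted into the SQL text, so quote characters
    # in `term` change the meaning of the query instead of being plain data.
    sql = f"SELECT name FROM products WHERE is_public = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    # FIXED: the value travels separately as a bound parameter, so the
    # database can only ever compare it as text, never parse it as SQL.
    sql = "SELECT name FROM products WHERE is_public = 1 AND name LIKE ?"
    return [row[0] for row in db.execute(sql, (f"%{term}%",))]


# Deliberately simple shape check; a real deployment would use a vetted
# library, but the point is that input is validated before any query runs.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def validate_email(value):
    # Validation as the page describes it: return the value only when it is
    # shaped like an e-mail address, otherwise None so the caller rejects it.
    if not isinstance(value, str) or len(value) > 254:
        return None
    return value if EMAIL_RE.fullmatch(value) else None
```

Running both search functions on the same quote-laden input shows the difference: the unsafe version returns the hidden row because the input rewrote the WHERE clause, while the parameterized one simply finds no product with that literal name.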



Hacking: Credential Stuffing Attack

Hackers will abuse the re-use of passwords across a number of accounts. This is called credential stuffing, the general term given to what hackers do with a stolen password. There is no doubt that, if hackers have one of your account passwords, they will use that password to attempt to log into countless other services.

How to Avoid Credential Stuffing

Never use the same password or username for different services. Web users should maintain a password book to track the credentials of each service they use. This is the most efficient way to prevent this security issue. Multi-factor authentication also helps; two-factor authentication is very common now. This type of security uses a password plus live authorization from the owner of the login information. This keeps the login secure even if the main password is weak.