Why do websites get hacked? Websites get hacked for a bunch of different reasons:
- To plant hidden links to other sites in an attempt to game search engines and raise those site's rankings
- To plant spyware on your site that will infect your visitors and take over their computers, to make a botnet
- To hijack the server itself and use it to attack other systems
- To send out spam
- To gain access to credit card info or personal identities
- For the pure thrill of vandalism
- Because someone has a grudge against you
- Because somebody is bored, and you made it easy
Many people don't think it will happen to them. Why would somebody hack your web site? Well, as you can see from the list above, lots of reasons that don't have anything to do with you. And it happens all the time.
We have seen sites hacked for all the reasons above, except for the credit card/personal identity theft. That's the one that could hurt our customers the most, and so far, small e-tailers have been lucky that there are so many much bigger targets with lax security that this kind of theft is not yet a problem. But it seems inevitable to me that this kind of attack will get much more pervasive as the big targets get harder to compromise.
How do they break in?
There's a whole bunch of different ways to break into your web site. Here are ones we've seen:
- FTP password is sniffed at an open wireless point, and the attacker gets full access to upload anything they want to your site.
- An attacker puts malicious code into a form on your site that attacks the application you're running (Word Press, Joomla), your visitors (a cross-site scripting attack that installs malware on Windows computers) or you (tricking your browser into doing some administrative task without you knowing about it), or another site (a "cross-site request forgery", used perhaps to attack a specific banking site and request a wire transfer to a mule).
- An attacker finds a known vulnerability in the software you're running, or even a library your custom site happens to have available, and uses it to break into the server (or any of the other attacks we listed).
- An attacker guesses your password, perhaps by finding it at another site they have already attacked, and logs in as you.
- Your desktop or laptop gets spyware on it, and sends everything you type back to the botnet owner, including your passwords.
- The attacker finds a vulnerable service running on the server, and uses that to exploit all the sites it hosts.
- Another site on the same server gets hacked, and the attacker uploads a script that runs on the server and infects every other site.
How does your web host protect you?
In most cases, out of the 7 attacks listed above, typical web hosts protect you from one of these: # 6. They do nothing to protect you from any other attack -- preventing the rest is entirely up to you.
That is where our service is different. We provide some level of protection for all of those attacks. Here's how:
- We don't run FTP on any of our servers. All server access is through encrypted connections.
- We have limited the applications we support to a single platform (Drupal), with constant widespread review of vulnerable forms, and actively apply updates that affect your site.
- Preventing attacks based on your password getting stolen is not possible. And if your site doesn't use SSL, your administrative password can be sniffed. But even with your password stolen, we protect your site in two ways:
- Limited access -- generally we start you out with less administrative access until you've become comfortable using your site. Not only does this make it easier for you to learn, but it limits the damage that can be done with your account.
- We've got you covered. We have over-the-top backup systems in multiple locations, with historical backups going for up to 16 months. We take nightly snapshots of your database as well as files, and can restore your site to the way it was 3 days ago, or 2 weeks ago, or a variety of other points. And we have experience extracting just certain bits of content from the backup, selectively restoring what you need.
- We lock down our servers, not even running control panel software or anything not directly needed to support the operation of our customer's sites.
- We maintain all of the sites on our servers, not just yours. You can rest assured that there's not an old Word Press site sharing the server with your site, leaving a wide-open door to infect your site even if you've done everything else right.
- Platform chosen and configured for security. One of the really great features of Drupal is that we can set it up so the web server cannot change the code running the server, because the operating system won't let it. And we can allow files like images, videos, and documents to specially-controlled section of the server where code cannot be run, where files used for an attack are rendered harmless. When set up like this, it's much harder for an attacker to upload a malicious file and gain access to the server. We cannot do this without breaking things with platforms like Joomla, Word Press, or ZenCart -- which is one of the reasons we no longer support that software.
- Versioning of the site code. By using version control with cryptographic hashing of all file contents, we can very easily detect if something gets changed, see what those changes are, and very easily undo them.
We are not your typical host.
Of course, providing this level of service comes at a cost, and we have been moving many of our very small customers to other hosts like Dreamweaver or Media Temple because it's more than they want to spend.
But one of our customers pointed me to this story: http://techcrunch.com/2012/01/20/dreamhost-hacked-password-changes-made… ... which pretty much demonstrates why the extra level of security is necessary... read some of the comments on that story for more!