How do Websites get Hacked – Username and Password Theft


Three types of WordPress hacks

I’ve said elsewhere on this site that cyber-crime is probably the only real growth industry around today. The scale of it is daunting.

So this and the next 2 articles will look at how websites get hacked and, in particular, the three broad types of hack that affect WordPress websites:

  1. Login details theft and misuse
  2. Software vulnerability
  3. Third party software integration

But first, some context:

Some Statistics on Website Hacking

Here are some statistics on websites and the scale of hacking today. Keep in mind that both the number of websites and the scale of hacking increase every year, so these figures will be higher next year.

Here are some key indicators, which come, with thanks, from Sucuri:

  1. The number of websites live on the web has exceeded 1.8 billion (yes, with a ‘B’)
  2. On average, Google blacklists 10,000 websites every day because they have been hacked and made malicious in some way
  3. Around 1 million new malware threats are released every day

If points 2 and 3 don’t make you stop and think, they should.

As I’ve said, cyber-crime is the only real growth industry around today!

What are the Moving Parts supporting your Website?

I’ve listed below the different components that need to operate correctly in order for a website to be viewed online.

A successful hack of any one of them will affect your website.

  1. The Domain Name System (DNS), which translates the human-readable website address into an IP address and so finds the server on which the website sits
  2. Your website hosting provider’s overall infrastructure
  3. The specific server at your web host, on which your website files reside
  4. The network of nodes (routers) globally that make up the Internet (typically a request to view a website will pass through anything up to 20 of them between the browser and the server, and the website files will come back through a similar number – usually, but not always, the same ones)
  5. Your website files
  6. The browser through which the request to view your website was made
  7. The computer on which that browser resides

The fact is that every single one of those components is continuously being attacked by hackers, and a successful attack on any of them will affect your website.

The last 3 (your website files, your browser and your computer) are the ones that you have to protect yourself. The rest are looked after by your DNS provider, your web host and the networks in between, although, as the next section shows, the account credentials that control those services are still yours to protect. This series looks at the threats for which you need to be prepared.

We’ll start with the theft of login details (usernames and passwords).

Username and password theft

The formal-sounding name you will see on other security sites for username and password theft and misuse is ‘access integrity corruption’ (or, more plainly, credential theft or credential compromise).

I mention that because when you’re browsing other security sites you will see that (or a similar) term being used. It caused my eyes to glaze over when I first heard it, but it’s really just a complicated name for username and password theft and misuse.

Here, then, are the different accounts that (in most cases) you need to log into in the course of working with, and managing, your website:

  1. Your hosting account (cPanel)
  2. Your FTP account
  3. Your domain registrar
  4. Your computer
  5. Your website itself

If the hackers get hold of your login details for any of those accounts your website is in trouble. Here’s how:

Your hosting account (cPanel)

With access to your cPanel the hacker can set up website redirects, intercept your email, access and edit or delete any of your website files, corrupt your database or delete and remove your website altogether.

Your FTP account

With access to your FTP account the hackers can edit or delete any of your website files (including planting a backdoor in a theme or plugin file), or delete and remove your website completely.

Depending on the quality of security protection applied to the web server and hosting infrastructure, the hacker could potentially access other websites on the same server and, possibly, at the same hosting provider, and do their damage there too. Note also that plain FTP sends your username and password across the network unencrypted, so anyone able to watch the traffic (see the Man in the Middle section below) can read them: use SFTP or FTPS if your host offers it.

Your domain registrar

If the hackers get access to your domain registrar account they can point your domain to a completely different website by changing the DNS records or nameservers and, since that account usually controls the transfer authorisation code, they may be able to move the domain to another registrar and out of your control altogether.

They could also potentially get hold of your credit card details.

Your computer

If the hackers get access to your computer they can harvest the usernames and passwords of every single account you log into (including, of course, your website) by installing key logging software, and lift any passwords or session cookies your browser has saved. They can also install ransomware that encrypts your files and locks you out of your computer until you pay their ransom (and sometimes not even then).

Your website itself

If they gain unauthorised access to your website through an Administrator level login they have complete control of it: in WordPress an administrator can install plugins and edit theme files, which amounts to running code of their choosing on your server, so they can do whatever they want.

How can hackers steal your username and password?

There are 4 main ways through which hackers can steal your username and password details:

1. Man in the middle attacks

Man in the middle attacks take place when you’re using an insecure network to access your website.

What happens is that the hackers are sitting in the same location as you (a coffee shop, an airport, a hotel or a restaurant) and they’re using a packet sniffer to capture the traffic of everyone that’s using that network, or they have set up a rogue access point with the same name as the venue’s WiFi so that your device connects to them instead.

Because WiFi networks in those locations are not secure (either there is no password, or the network name and password are handed out to everyone, so anyone can join) it’s a simple process for the hacker to get onto the same network as you. What they can read from it is anything sent in the clear: a login over plain HTTP or plain FTP hands over the username and password directly. A login over HTTPS is encrypted between your browser and the server, so the eavesdropper sees only which site you connected to, unless they can trick you into clicking through a certificate warning or into using a look-alike page of their own. That is why the login pages for your website, your hosting account and your registrar must always be HTTPS, and why you should never dismiss a certificate error on a public network.

Update – 8th October, 2018:

Here’s a real life example of Man in the Middle attacks being carried out globally and on a commercial scale: Russian spies infiltrated hotel WiFi networks.

2. Brute force attacks

Brute force attacks are carried out by computer programs (referred to as ‘bots’) that locate the login pages of the websites they’re attacking and attempt to guess the usernames and passwords.

How fast they can guess depends on where the guessing happens. Against a live login page the bot has to send each guess to your server and wait for the ‘login failed’ response before it can try the next one, so a single bot manages a few guesses a second, or a few tens if it opens many connections in parallel. Attackers get round this by spreading the work across thousands of bots, and by trying a handful of common passwords against many usernames (‘password spraying’) rather than many passwords against one username, so that no single account trips a lockout.

The ‘millions of guesses a second’ figure you will see quoted applies to offline cracking: if the attacker has already stolen a copy of your database (the subject of the next article), they can test guesses against the stored password hashes on their own hardware with no server in the loop, and there the rate is limited only by how slow the hashing algorithm is.

A variation of the Brute Force attack is the Dictionary Attack which, as its name suggests, tries every word in a word list as a password (real lists are built from previously leaked passwords, not just the dictionary) and, in addition, tries common variations of each word: numbers and symbols added at the beginning and end, a capitalised first letter, and letters swapped for look-alike digits.
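As an added illustration (this is not code from the article; a WordPress plugin would do the same job in PHP, and the word list, affixes, addresses and throttle settings are made up for the demonstration), here is a small Node.js script that generates dictionary-attack candidates of the kind described above and runs them against a simulated login endpoint that locks a source address out after five failures, which is also what the login-limiting security plugin recommended at the end of this article does:

```javascript
// Added example, not from the original article: dictionary-attack candidate
// generation run against a simulated, throttled login endpoint. The word list,
// affixes, client address and password are constructed for illustration.

// A tiny stand-in for the multi-million-entry lists real attackers use.
const WORDS = ["password", "wordpress", "admin", "letmein"];
// Affixes tried before and after each word ("" means none).
const AFFIXES = ["", "1", "123", "!", "2018", "!1"];

// Yield every prefix + word + suffix combination, skipping duplicates.
function* dictionaryCandidates(words = WORDS, affixes = AFFIXES) {
  const seen = new Set();
  for (const word of words) {
    for (const prefix of affixes) {
      for (const suffix of affixes) {
        const candidate = prefix + word + suffix;
        if (seen.has(candidate)) continue;
        seen.add(candidate);
        yield candidate;
      }
    }
  }
}

// How many guesses the small list above expands to (4 words x 6 x 6 = 144).
function countCandidates(words = WORDS, affixes = AFFIXES) {
  let n = 0;
  for (const c of dictionaryCandidates(words, affixes)) n += 1;
  return n;
}

// Simulated login endpoint with a per-source-address lockout. Keying on the
// client address (rather than the username) stops one attacker locking the
// real admin out, at the cost that a botnet spreads guesses across addresses;
// production plugins usually combine both keys and add a growing delay.
// Passwords are compared as plain strings only because hashing is beside the
// point here; never store real passwords that way.
function makeLogin(correctPassword, maxFailures = 5, lockoutSeconds = 900) {
  const state = new Map(); // source address -> { failures, lockedUntil }
  return function login(source, username, password, now = Date.now()) {
    const s = state.get(source) || { failures: 0, lockedUntil: 0 };
    if (now < s.lockedUntil) return "locked";
    if (password === correctPassword) {
      state.delete(source);
      return "ok";
    }
    s.failures += 1;
    if (s.failures >= maxFailures) {
      s.lockedUntil = now + lockoutSeconds * 1000;
      s.failures = 0;
    }
    state.set(source, s);
    return "failed";
  };
}

// Run the dictionary against the endpoint from one address, all within one
// lockout window, and report how far the bot got.
function runAttack(login, source, username, now = 0) {
  let attempts = 0;
  for (const candidate of dictionaryCandidates()) {
    attempts += 1;
    const result = login(source, username, candidate, now);
    if (result === "ok") return { found: true, attempts, password: candidate };
    if (result === "locked") return { found: false, attempts, locked: true };
  }
  return { found: false, attempts, locked: false };
}

// Upper bound on online guesses per day from one address under the lockout policy.
function guessesPerDay(maxFailures = 5, lockoutSeconds = 900) {
  return maxFailures * (86400 / lockoutSeconds);
}

// Days needed to work through `candidates` guesses at that rate.
function daysToExhaust(candidates, maxFailures = 5, lockoutSeconds = 900) {
  return candidates / guessesPerDay(maxFailures, lockoutSeconds);
}

// Stand-alone demonstration (addresses are from the documentation range 203.0.113.0/24).
console.log("throttled:", runAttack(makeLogin("letmein!"), "203.0.113.7", "admin"));
console.log("unthrottled:", runAttack(makeLogin("letmein!", Infinity), "203.0.113.7", "admin"));
console.log("guesses per day from one address:", guessesPerDay());
console.log("days to try 14,000,000 candidates:", daysToExhaust(14000000).toFixed(0));
```

With the throttle in place the bot gets six attempts (five failures and a ‘locked’ response) before it has to wait fifteen minutes, so one address gets at most 480 guesses a day; with the throttle removed the same 144-entry list finds the password on the 112th attempt. Scale the list up to the well-known fourteen-million-entry ‘rockyou’ leak list and the online attack needs decades from a single address, which is exactly why attackers either steal the password hashes and crack them offline, or spread the guesses across a botnet.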

3. Phishing attacks

A Phishing Attack is one where the hacker attempts to fool you into revealing your username and password.

Phishing attacks have been rampant in email for a long time – most of us are familiar with emails that tell us there’s a problem with one of our accounts and that we need to log in to confirm some information in order to fix it, through the ‘conveniently’ supplied link.

In these cases, that link doesn’t go anywhere near the real login page: it takes us to the hacker’s page, which looks like the real one, where they collect and store our login credentials for future use.

Increasingly, hacked websites are themselves being used to host the phishing pages – for example when someone receives an email telling them that they are owed a tax refund and should visit the ‘tax authority’ page (in reality a page planted on a compromised site) to confirm receipt of the notification, and their bank account details, so the refund can be processed.

Unfortunately for the victims of this type of attack, their bank account balance decreases to zero instead of growing.
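The link check behind the advice to go to the site directly rather than clicking can be automated. The JavaScript below is an added example, not part of the original article: the domains use the reserved .example TLD and are constructed, and `linkWarnings` and `textHidesTarget` are names chosen here. It reports the tricks phishing links rely on: a real host hidden after `user@`, a raw IP address, a look-alike internationalised domain, a plain-HTTP page, a host that is not the one you meant, and link text that shows a different URL from the one it points to.

```javascript
// Added example, not from the original article: flag the common tricks used
// in phishing links. Hosts ending in .example are reserved and constructed.

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Return the reasons a link is suspicious given the domain you intended to
// visit; an empty list means the link really points at that domain.
function linkWarnings(expectedHost, href) {
  const warnings = [];
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return ["not a parseable URL"];
  }
  const host = url.hostname.toLowerCase();
  expectedHost = expectedHost.toLowerCase();

  if (url.protocol !== "https:") warnings.push(`not HTTPS (${url.protocol})`);
  // "https://bank.example@evil.example/" shows the real host only after the @.
  if (url.username || url.password) warnings.push("user:password@ trick hides the real host");
  // Legitimate login pages live on named hosts, not bare addresses.
  if (IPV4.test(host) || host.startsWith("[")) warnings.push("raw IP address instead of a domain");
  // Unicode look-alike labels are encoded as punycode: "bаnk" with a Cyrillic а becomes xn--...
  if (host.split(".").some(label => label.startsWith("xn--"))) warnings.push("internationalised (possible homograph) domain");
  // Only the expected domain itself or a subdomain of it counts as a match;
  // "bank.example.login-verify.example" and "evil-bank.example" do not.
  if (host !== expectedHost && !host.endsWith("." + expectedHost)) {
    warnings.push(`host is ${host}, not ${expectedHost}`);
  }
  return warnings;
}

// Phishing mails often show one URL as the visible link text and point the
// link somewhere else. True when the text is a URL whose host differs from
// the real target; false when the text is not a URL at all ("Click here").
function textHidesTarget(linkText, href) {
  let shown, real;
  try {
    shown = new URL(linkText.trim());
    real = new URL(href);
  } catch (e) {
    return false;
  }
  return shown.hostname.toLowerCase() !== real.hostname.toLowerCase();
}

// Stand-alone demonstration over constructed links.
const SAMPLE_LINKS = [
  "https://www.bank.example/login",
  "https://bank.example@evil.example/login",
  "http://192.0.2.10/bank.example/login",
  "https://bank.example.login-verify.example/",
  "https://bаnk.example/login", // Cyrillic а in "bаnk"
];
for (const link of SAMPLE_LINKS) {
  console.log(link, "->", linkWarnings("bank.example", link));
}
console.log(textHidesTarget("https://www.bank.example/login", "https://login-verify.example/x"));
```

The host comparison is deliberately strict: the registered domain has to be the last two labels, which is why `bank.example.login-verify.example` is rejected even though it starts with the name you expect. A mail client or browser extension would run the same check on every link before you are allowed to follow it.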

4. Cross site scripting attacks

Cross site scripting (XSS) attacks start off as a software vulnerability problem (the subject of the next article in this series) but turn into one of stealing usernames and passwords, or the session cookies that stand in for them, which are then used to commit further crimes.

In a cross-site scripting attack an already-hacked (or simply vulnerable) website serves a page containing script that the attacker has injected, and the site visitor’s browser runs that script with the same trust it gives the site’s own code: it can read the site’s cookies, watch what is typed into the login form, or silently send the visitor’s details to the attacker. Sometimes the user is prompted to take some action that causes the code to run (clicking a crafted link, in the ‘reflected’ variety), but with ‘stored’ XSS just loading the page in the browser is enough.

How to defend against attempts to steal your usernames and passwords

I wrote a detailed article on how you can make WordPress usernames and passwords as strong as possible, and I do recommend you read it because the information it contains is an important part of defending yourself against password theft.

You can read it here.

Other steps you should take:

  • Use a different password for each account (this is important because a password stolen from one site will be tried against every other site you use – if you use the same password on more than one account you have a problem – see this article)
  • Only log in over HTTPS, never click through a certificate warning, and install and use a VPN when you’re on public WiFi – the VPN wraps all your traffic in an encrypted tunnel to a network you trust, so anyone sniffing the café network sees only that tunnel
  • Install and use a proper Internet Security application to protect your computer (not just a free anti-virus program)
  • Install the free Herdprotect malware scanner and remover and run scans at least once a week
  • If a link in an email asks you to log in to one of your accounts to fix a problem, navigate to your account directly in your browser and log in there, do not click the link in the email.
  • Don’t use your browser to store log in details for your accounts – a cross-site scripting attack on a site can plant a fake login form and read what the browser autofills into it, handing your saved credentials for that site to the hacker
  • Use Two Factor Authentication (2FA) wherever possible – this is what saves you when a password has been stolen, and an authenticator app or hardware key is stronger than a code sent by SMS
  • Do use a Password Manager. This is important because a Password Manager is the only way you can maintain and use different, strong passwords for each of your accounts. I have used RoboForm for many years and I do recommend it, but there are others.
  • Follow the principle of least privilege – give each user only the role they need (very few people need to be an Administrator). I discussed this in detail in the ‘User roles’ section of this article and I do recommend you read that
  • Install a WordPress security plugin that limits failed login attempts, so that brute force and dictionary guessing is slowed to a crawl and locked out. More details here.

An important point: I’ve said it before, no website can ever be 100% secure, and anyone who tells you they can make it so is not being truthful.

But following the steps I’ve outlined above will help to make it more resistant to hack attacks.

In the next article I’ll look at software vulnerabilities and how you can defend yourself against those.

If you have any questions on anything do please leave a comment below – I’ll get back to you as soon as I can.

Martin Malden

P.S. Is your WordPress website as secure as it could be? These are the products I use on my own sites, and sites I build for clients, to keep them safe and to recover from a hack: