4 Ways Hackers Can Use
Your Site for Evil
If you read our previous post on why hackers are targeting sites like yours, then you know that it’s not just about stealing customer information or maliciously breaking your site for the lulz. Once your site is compromised a hacker has access to the computer your site’s hosted on, which means they essentially have control over a free computer (a.k.a. server if you nasty) with which they can wreak havoc on the rest of the world.
What kind of havoc?
Glad you asked. They could:
How well a page ranks in Google, or other search engine, results is still affected by the number of links pointing to it from other sites. If a hacker can slip a sneaky little script onto your site’s server, valuable links can be forced into all the text of your site, from menus to blog posts. Whole sentences may even get injected into your site’s original copy with links directed to the sites they want to boost.
It sounds like something you’d catch pretty quick, right? The kicker is that you wouldn’t know until it was too late since the code will show these links only when your site is being crawled by the search engine. After that the links disappear leaving you none the wiser. By injecting fake links on your site, which has legitimate traffic, they can get an artificial boost to their site’s ranking. To make matters worse, your ranking will decline after a while as Google wises up to the scheme, eventually leading to your site getting flagged as malicious.
Having your site flagged as malicious means that while you’re still showing up in organic searches (until you get reranked into the ground) your site will trigger a big red malicious warning and advise users to steer clear.
Whether through contact forms or forgotten password reminders, sending emails is part of the day-to-day activity of a site. Hackers can tap into this feature to send out thousands of emails for free. They can send phishing scam emails all without incurring the typical costs of sending so many emails or hosting so many pages.
Eventually, people’s email clients or service providers wise up and your site’s IP address will be flagged for sending all that spam. This at first just stops your emails from getting through to your customers. It can also lead to your site/hosting being taken down, especially if you share that hosting server with other sites. Of course, by then, the hackers have moved on to another unsuspecting server.
Typically this involves putting their own scam site files on your server and using it to run their operation until they’re caught. We once found a single 500MB file on one of our client’s servers that would unpack all sorts of phishing scam pages if the browser accessed it from a particular URL.
This is pretty bad as, eventually, you’ll get reported (you’re hosting it after all), your site will be flagged as malicious and, because you’re in likely violation of your hosting providers Terms of Use, your site can be taken offline.
While you may not know exactly what this is, you’ve already been affected by it. In 2016 a Denial of Service attack (DDoS) took down major retailers (like Amazon, Comcast, PayPal, Spotify, etc) for most of a day by attacking Dyn (the company that routes their traffic). Astronomical amounts of money was lost and, because Twitter was down, no one could gripe about it. Sad!
DDoS attacks happen when a server is bombarded with traffic from too many sources, all at once. When this happens, the infrastructure meant to handle traffic gets overwhelmed and eventually breaks down. A non-malicious version of this happens every time a new Star Wars movie is released and millions of people log on to Fandango for tickets.
Hackers create this same effect by installing bits of code on your site that run by themselves. Then, whenever they flip the switch, your server becomes an unwilling member of a legion of other zombie servers all working together to send millions of requests per second to a poor unsuspecting site.
As with most hacks, eventually your host provider will discover you’re hosting account is involved in the attack and shut it down.
So whether it’s for selfish goals like boosting their search ranking, or malicious intent like unleashing a robot army on their enemy, your innocent little site can be used for a lot of evil stuff. That’s why it’s more important than ever that you have a security system in place to monitor and block anyone from getting in without your permission.
There are simple things that you can do, right now, to help prevent your WordPress website from becoming evil. The first would be to take a look back at our easy-to-use guide 6 Simple Ways to Protect Your WordPress Site from Hackers , if you haven’t already, and start implementing those security measures, like last week.
But if you need help implementing them or would like to talk about a more robust security setup,