
5 Most Common Vulnerabilities Your Website Faces

Gary Stevens


The average website comes under attack by some form of hacking 22 times per day, which adds up to almost 8,000 times per year. If all your security precautions are up to snuff, no problem: firewalls and other security measures can knock aside these penetration attempts without batting an eye. But vulnerabilities can derail the best of intentions to keep the bad guys out.

In a perfect world, website vulnerabilities wouldn’t exist but, unfortunately, they do. Any time a website or any software on it is misconfigured, a path opens that could allow a hacker to slip inside the network or server. The same holds true when code is buggy. It would be like finding a tunnel that goes under the moat and exits out of sight inside the castle walls.

Website vulnerabilities are the prime way data is stolen, malware distributed, or spam injected into individual computers or even business networks. Here are the five basic tactics to be aware of.

#1. SQL Injection

An SQL injection is a hacker tactic that targets a website’s database by finding a way past its security measures and feeding malicious SQL directly into a query, commonly in order to do any or all of the following:

  • Stealing customers’ personal information
  • Posting spam on the website
  • Taking control of the website

Open source content management systems (CMS) that rely heavily on a database, like Joomla, WordPress, and Drupal, are favorite targets for this kind of cyber attack. WordPress is not only the most popular CMS but runs on 27% of ALL websites on the internet, so its developers spend a lot of time fending off never-ending iterations of the SQL injection strategy.
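The form-field-to-query path described above, as an added example (not code from the original article): a constructed in-memory customer table, one lookup that pastes the submitted e-mail straight into the SQL text, and the parameterized version that fixes it. The payload constant is a constructed test value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for a CMS user table (sample data, not a real site).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, email TEXT, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice@example.com", "h1"), (2, "bob@example.com", "h2")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    # The form value is glued into the SQL string, so the visitor controls the
    # structure of the query, not just a value inside it.
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    # Parameterized query: the driver passes the value separately from the
    # statement, so quotes and keywords inside it are just characters.
    sql = "SELECT id, email FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Constructed hostile form value: closes the quoted string and adds an
# always-true condition, which is the textbook shape of this attack.
PAYLOAD = "nobody@example.com' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))  # every row comes back
    print("safe:      ", lookup_safe(db, PAYLOAD))        # [] : no such address
```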

#2. Cross-Site Scripting

Referred to in shorthand as XSS, this is when an attacker uses a website’s unprotected user input field, most commonly a form to submit questions or subscribe to emails, to go after a visitor’s browser rather than the website itself or server.

Using XSS, a hacker injects malicious JavaScript into the website. When a visitor arrives, the browser can’t tell that the script is malicious – it just assumes it’s part of the website – and executes the instructions, which often amount to:

  • Distributing spam to the visitor
  • Hijacking the visitor’s session, and with it access to sites the visitor is logged into, such as online banking
  • Stealing personal data

Once again, WordPress finds itself taking the brunt of a lot of these XSS attacks, largely because it is widely used open source software and many users don’t take the time to properly secure and update their system.

While XSS attacks are nothing new, they’ve been uncovered in WordPress versions as recent as 4.8.
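The unprotected-input-field problem above, as an added example that is not from the original article: a question form whose values are echoed back into the page, first unescaped and then escaped for the context each value lands in (text content versus an attribute value). The two hostile form values are constructed for the demonstration.

```python
from html import escape


def render_vulnerable(question: str, email: str) -> str:
    # Echoes the submitted values straight into the markup, so whatever the
    # visitor typed becomes part of the page's HTML and script.
    return (f'<p class="question">{question}</p>'
            f'<input name="email" value="{email}">')


def render_safe(question: str, email: str) -> str:
    # Escape for the context the value lands in. Text content needs < > &
    # neutralised; an attribute value additionally needs quotes neutralised,
    # otherwise the value can close the attribute and add a new one.
    return (f'<p class="question">{escape(question, quote=False)}</p>'
            f'<input name="email" value="{escape(email, quote=True)}">')


def looks_scripted(html: str) -> bool:
    # Crude check used only to show the difference between the two renderers:
    # is there a live <script> tag or an injected event-handler attribute?
    lowered = html.lower()
    return "<script" in lowered or '" onmouseover=' in lowered


# Constructed hostile form values (not real traffic): one aims at the text
# context, the other breaks out of the attribute context.
QUESTION = "<script>alert(document.cookie)</script>"
EMAIL = 'x" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_vulnerable(QUESTION, EMAIL))  # script and handler are live
    print(render_safe(QUESTION, EMAIL))        # both rendered as inert text
```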

#3. Command Injection

The command injection vulnerability targets servers by, once again, smuggling malicious code in along with user information submitted through forms on a website. The attack works because the header information accompanying the infected form is not properly validated on submission, which allows the bad code to sneak past to the server.

This server-level attack has been associated with takeovers not only of individual websites but of entire servers hosting dozens or even hundreds of websites, as well as the propagation of widespread botnet attacks.
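As an added example (not from the original article) of the validation the paragraph above says is missing: a hypothetical "is my host reachable?" form field that ends up in a ping command. The first builder produces a shell string, so separators in the field become extra commands; the hardened version allow-lists the value and builds an argument list that never passes through a shell.

```python
import re
import subprocess

# RFC-style hostname: labels of letters, digits and hyphens, joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_vulnerable(host: str) -> str:
    # This string is what os.system() or subprocess.run(shell=True) would
    # receive; ';', '&&', '|' or backticks in the field start new commands.
    return f"ping -c 1 {host}"


def is_valid_host(host: str) -> bool:
    # Allow-list, not block-list: only a syntactically valid hostname passes,
    # so every shell metacharacter is rejected without enumerating them.
    return len(host) <= 253 and HOSTNAME_RE.match(host) is not None


def build_command_safe(host: str) -> list:
    # argv list: each element is exactly one argument to ping, so even a
    # value that slipped past validation could not begin a second command.
    if not is_valid_host(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    # Hypothetical handler: never shell=True, and the argv comes from the
    # validated builder. Returns ping's exit status.
    return subprocess.run(build_command_safe(host), check=False).returncode


if __name__ == "__main__":
    hostile = "example.com; echo pwned"   # constructed hostile form value
    print(build_command_vulnerable(hostile))   # two commands for the shell
    print(build_command_safe("www.example.com"))
    print(is_valid_host(hostile))              # False: rejected before any exec
```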

#4. File Inclusion

The general method of corrupting a website’s form submission process is used again in a file inclusion attack but, rather than injecting the malicious code into the server’s files, it gets a server-side language like PHP to execute hacker files that are stored somewhere else. Though the tactic is slightly different from the others we’ve discussed, the end result can be the same, with the hacker able to complete any of the following nefarious actions:

  • Launch phishing attacks inside a website visitor’s browser
  • Take control of a website’s administrator’s control panel or, like with a command injection, the entire server
  • Many, MANY more…

There is another flavor of this vulnerability known as local file inclusion, which sneaks through site input forms again in order to read or write local files, often the configuration files that hold the credentials for accessing the database. Hackers have also been known to use local file inclusion to review and steal sensitive data. It was an inclusion attack that managed to penetrate Starbucks’ mobile app “defenses” and steal credit card information.
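The local file inclusion described above, as an added example (not code from the original article): a hypothetical `?page=` parameter resolved against a pages directory, once by string-gluing the way `include($_GET['page'] . '.php')` does, and once with an allow-listed name plus a check that the normalized path still sits under the base directory. The directory path and page names are constructed for the example.

```python
import posixpath

BASE = "/var/www/site/pages"   # hypothetical directory holding the site's page templates
NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def resolve_vulnerable(page: str) -> str:
    # Mirrors include($_GET['page'] . '.php'): the parameter is glued onto the
    # path, so '../' sequences walk out of BASE, and an absolute value replaces
    # BASE entirely. Either way the server reads a file it never meant to serve,
    # such as the config file holding database credentials.
    return posixpath.normpath(posixpath.join(BASE, page + ".php"))


def is_safe_page_name(page: str) -> bool:
    # Allow-list the characters: no '/', '\\', '.' or ':' means no traversal,
    # no absolute path and no remote or wrapper URL can be expressed at all.
    return 0 < len(page) <= 64 and set(page) <= NAME_CHARS


def resolve_safe(page: str):
    # Returns the path to include, or None when the request must be refused.
    if not is_safe_page_name(page):
        return None
    candidate = posixpath.normpath(posixpath.join(BASE, page + ".php"))
    # Belt and braces: even a validated name must still resolve under BASE.
    # (A real deployment would also apply os.path.realpath to defeat symlinks.)
    if not candidate.startswith(BASE + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for value in ["about", "../../../../etc/passwd", "/etc/passwd",
                  "http://attacker.invalid/shell"]:   # constructed inputs
        print(f"{value!r:40} vulnerable -> {resolve_vulnerable(value)}")
        print(f"{'':40} safe       -> {resolve_safe(value)}")
```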

These kinds of attacks aren’t something you really have to worry about when you’re using a centralized service like a website builder.

#5. Cross-Site Request Forgery

Not to be confused with XSS, Cross-Site Request Forgery (CSRF) is less often used by hackers but has proven to be quite vexing in some instances, related mainly to banking and ecommerce sites. Essentially, a CSRF attack tricks site users, administrators, or both into performing malicious actions on the hacker’s behalf, some of which might include:

  • Changing product prices and customer orders
  • Transferring funds between accounts
  • Messing with user passwords in order to hijack accounts

Probably the best known CSRF attack happened when hackers took over a Brazilian bank’s online operations for five hours, creating all kinds of chaos by intercepting ATM, investment, mobile, point-of-sale, and online banking transactions for that time period.
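The funds-transfer case above, as an added example that is not from the original article: a hypothetical server-side handler that issues a per-session CSRF token as a hidden form field and refuses a POST that arrives without a valid one. The browser attaches the session cookie to a forged cross-site request automatically, so the cookie alone proves nothing; the token, which the attacker's page cannot read, is what ties the request to a form the user actually loaded. Session ids and form contents are constructed.

```python
import hashlib
import hmac
import secrets

SERVER_SECRET = secrets.token_bytes(32)   # hypothetical per-deployment key, generated at startup


def issue_csrf_token(session_id: str) -> str:
    # Random nonce bound to the session with an HMAC, so a token obtained in
    # one session cannot be replayed in another. Embed it in the form as
    # <input type="hidden" name="csrf_token" value="...">.
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)   # constant-time comparison


def handle_transfer(request: dict, session_id: str) -> str:
    # request is a constructed stand-in for the parsed HTTP request:
    # {"method": "POST", "form": {...}}. State changes only via POST, and only
    # with a token that verifies against the session the cookie identifies.
    if request.get("method") != "POST":
        return "405 method not allowed"
    form = request.get("form", {})
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "403 forbidden: missing or invalid CSRF token"
    return f"200 ok: transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    victim = "sess-victim-123"                      # constructed session id
    token = issue_csrf_token(victim)
    legit = {"method": "POST", "form": {"csrf_token": token, "amount": "100", "to": "acct-42"}}
    forged = {"method": "POST", "form": {"amount": "100", "to": "acct-attacker"}}  # no token
    print(handle_transfer(legit, victim))
    print(handle_transfer(forged, victim))
```

Setting the session cookie with the `SameSite` attribute is a second, independent layer; the token check above is the one that does not depend on browser behaviour.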

Final Thoughts

Keeping bad guys out of your website can be accomplished to a large extent by taking three simple actions that way too many people don’t bother with. Do all these and your site will be considerably more secure than average.

#1. Update all your applications/software/CMS regularly.
#2. Use an internal firewall.
#3. Install a REPUTABLE automated malware scanner.

That’s all. Now go sleep better at night.

For more web hosting info, check out our complete guide on the best… and also safest… web hosting companies in Canada.

