Top ways sites get hacked by spammers

Understanding how your site was compromised is an important part of protecting your site from attacks. This page covers some security vulnerabilities that can result in your site being compromised.

The following video outlines the different types of hacks and ways hackers can take control of your site.

Compromised passwords

Attackers can use password guessing techniques by trying different passwords until they guess the right one. Password guessing attacks can be conducted through various methods such as trying common passwords or scanning through random combinations of letters and numbers until the password is discovered. To prevent this, create a strong password that is difficult to guess. You can find tips for creating a strong password in Google's help center article.

There are two important points to remember. First, it's important to avoid reusing passwords across services. Once attackers are able to identify a working username and password combination, they'll try to use the username and password combination on as many services as possible. Therefore, using different passwords on different services can prevent other accounts on other services from being compromised.

Second, take advantage of two-factor authentication (2FA) like Google 2-Step Verification if the option is available. 2FA allows a second layer of login credentials, usually through a text message code or other dynamically generated PIN, that diminishes an attacker's ability to access your account with just a stolen password. Some CMS providers have guidance on configuring 2FA: see documentation for Joomla!, WordPress, or Drupal.

Missed security updates

Earlier versions of software can be affected by high-risk security vulnerabilities that enable attackers to compromise an entire site. Attackers actively seek out old software with vulnerabilities. Ignoring a vulnerability on your site increases the chance of your site being attacked.

Some examples of software to you'll want to keep updated include:

  • Web server software, if you run your own servers.
  • Your Content Management System (CMS). Example: security releases from Wordpress, Drupal, and Joomla!.
  • All plugins and add-ons you use on your site.

Insecure themes and plugins

Plugins and themes on a CMS add valuable, enhanced features. However, outdated or unpatched themes and plugins are a major source of vulnerabilities on websites. If you use themes or plugins on your site, make sure to keep them up to date. Remove themes or plugins that are no longer maintained by their developers.

Be extremely cautious of free plugins or themes from untrusted sites. It's a common tactic for attackers to add malicious code to free versions of paid plugins or themes. When removing a plugin, make sure to remove all its files from your server rather than just disabling it.

Social engineering

Social engineering is about exploiting human nature to bypass sophisticated security infrastructure. These types of attacks trick authorized users into providing confidential information such as passwords. One common form of social engineering is phishing. During a phishing attempt, an attacker will send an email pretending to be a legitimate organization and request confidential information.

Remember to never give out any sensitive information (for example, passwords, credit card numbers, banking information, or even your date of birth) unless you're sure about the requestor's identity. If your site is managed by several people, consider providing training to raise security awareness against social engineering attacks. For basic phishing protection tips, refer to the Gmail Help Center.

Security policy holes

If you're a system administrator or run your own site, remember that poor security policies can allow attackers to compromise your site. Some examples include:

  • Allowing users to create weak passwords.
  • Giving administrative access to users who don't require it.
  • Not enabling HTTPS on your site and allowing users to sign in using HTTP.
  • Allowing file uploads from unauthenticated users, or with no type checking.

A few basic tips to protect your site:

  • Ensure your website is configured with high security controls by disabling unnecessary services.
  • Test access controls and user privileges.
  • Use encryption for pages that handle sensitive information, like login pages.
  • Check your logs regularly for any suspicious activities.

Data leaks

Data leaks can happen when confidential data is uploaded and a misconfiguration makes that confidential information publicly available. For example, error handling and messaging in a web application can potentially leak configuration information in an unhandled error message. Using a method known as "dorking", malicious actors can exploit search engine functionality to find this data.

Ensure that your site doesn't reveal sensitive information to unauthorized users by conducting periodic checks and restricting confidential data to trusted entities through security policies. If you do happen to discover any sensitive information displayed on your site that urgently needs to be removed from Google Search results, you can use the URL removal tool to remove individual URLs from Google Search.