If you think your site won't be hacked because it's too small to matter, think again. I'll show why that is a false and dangerous assumption.
Many site owners and webmasters think that hackers only care about popular, highly-ranked websites. They are wrong.
High traffic volume helps boost earnings on partner programs by redirecting visitors to other sites, gets more views of unauthorized advertisements and attracts more clicks on rogue links. But that is not the only way hackers make money.
Unprotected sites with low traffic volume are equally attractive to hackers. It is the way they are used that differs from how hackers monetize more popular websites. Any normal site, with an audience of as little as 30 visitors a day, can still be threatened by hacking and infection.
"It's the competitor's fault"—A Case Study
The first thing that enters the mind of the owner of a hacked site is: "My competitor did this!"
This is a common reaction. Site owners can think of no other reason their small, innocent site would be a target. Here's an illustration of what I mean.
I was once contacted by a customer with a family-run, brick-and-mortar business in a small town. Their WordPress-based website provided local advertising, contact details, and little else. It was poorly maintained with a very old and out-of-date WordPress installation.
This site had fallen victim to a well-known and critical WordPress vulnerability (
This small business owner noticed nothing until the site was blocked by their hosting provider for 'exceeding resources for tier'. The hosting provider also reminded the site operator (my client) that it was their responsibility to perform anti-virus and anti-malware scanning.
Once I had detected and cleaned out the site, the owner told me she intended to "begin legal proceedings". Not against me, but against a competitor, who just happened to be in the same street and same line of business.
I explained a little of how hackers work and that it was most likely not the work of her local 'nemesis'.
The reply: "But who else would want to hack such a small site like mine?"
How hackers use hacked sites
Hackers don't need high-profile, high-traffic sites to do damage. They may not be interested in the site itself, but in the hosting resource on which it resides. They want it for setting up spam
Another way hackers use a hacked site, of any size, is as their own hosting resource. Hackers need a place to store infected files, such as .apk archives, which can infect mobile devices running the Android operating system. Once on the device, the infection causes redirection of traffic. In the language of medical contagion, your hacked site was just used as a transmission vector, spreading a virus without showing any symptoms itself.
In other cases, attackers can use hacked sites as a base for launching attacks on other sites, such as brute force or DoS attacks. Or they may use them as an intermediate step, redirecting visitors to other infected sites. In shared hosting environments, a hacked site threatens all neighbors on that server.
The hacker's main motive is monetary gain. To orchestrate attacks, you need either a server (or group of servers
It is the owner of the site who has to deal with the consequences of intrusion. Whether spam, phishing, or infection, all unauthorized actions are restricted by hosting companies and search engines. A hoster blocks websites when their owners violate the hosting platform's terms of service. Search engines issue warning messages, indicating that the site may contain phishing content and a visit to the site runs the risk of revealing a user's personal information. As a result, visitors to the site lose confidence in it, while the owner of the site gets an unnecessary headache, or worse, goes out of business.
What should you do?
- Realize that security problems exist and that even small websites with low visitor numbers are at risk.
- It is always cheaper and less painful to protect the site proactively. Skilled experts should be engaged to install site protection software.
- If you are already faced with a problem and you urgently need help, get in contact with security professionals and do not engage in 'self-service treatment', especially if you are unskilled in these areas. Inadequate safety expertise leads to sites being reinfected or malicious code being removed incorrectly, which ultimately leads to the destruction of the site.
Imunify360 is a complete security solution for web hosters. To learn more, visit Imunify360.com.