The Different Types of Website Malware & How to Stop Them

No one wants malware on their site. It leads to lost traffic, sales, and visitor trust. If your website is your business, it could have huge financial implications.

Websites are hacked more often than you think — 30,000 times per day or more — and sites of all sizes are targets. The bots that carry out hacks aren’t looking for specific websites or people, just vulnerabilities they can exploit. 

Almost 39% of all websites use WordPress, which means hackers often target WordPress sites first, for the biggest impact possible. But thanks to its huge popularity and community of contributors, vulnerabilities are usually found early and fixed fast. 

Jetpack Scan monitors your website and alerts you if it finds something wrong. Let’s take a look at how hackers can access your site, the types of threats they cause, and why Jetpack Scan is the best method of protection.

How hackers access websites

There are a variety of ways hackers can access your site, including:

• WordPress core: Out-of-date software, like WordPress, sometimes contains vulnerabilities that make it easier for hackers to get into your website.
• Plugins and themes: “Nulled” themes and plugins — premium versions offered for free or for a low price — are often full of malicious code and are the source of a lot of malware infections. And also, just like with WordPress core, out-of-date plugins and themes are often taken advantage of by hackers.
• Servers: Old versions of software (like PHP) don’t have the newest security features that protect your site.
• Your login page: Insecure, simple usernames and passwords make it easy for hackers to guess your credentials and gain access.

Every plugin or theme you upload adds more potential vulnerabilities to your website. Limiting these to only the most important (and to the ones you actually use) is critical to staying safe. 

Types of threats

Most WordPress hacks fall into one of the following categories:

• Cross-site scripting (XSS) vulnerabilities within a theme or plugin. These happen when the data a user enters (e.g., filling out a form) isn’t sanitized to ensure that any code submitted is not executed in the visitor’s browser. The attacker will look for vulnerabilities so they can execute their own JavaScript code on your site visitor’s computer without having access. 
• Cross-site request forgery (CSRF) exploits occur when a user is tricked into doing something they didn’t intend to do. An example is a malicious link that resets a user’s password. 
• SQL injections allow an attacker to execute commands on your database to delete, modify, or steal data.
• Back doors give attackers access to your site or server without having credentials. The attacker places a script (line of code) on your server — often through an insecure plugin — that lets them modify your site at will. 
• Brute force attacks are the simplest attacks — but they’re effective. An attacker tries thousands of username and password combinations that are commonly used on websites until they find the right one. 
• Open redirects are when URL parameters (which show up after a question mark in a URL) redirect a user to another website without any validation. These often occur after someone logs in or updates account information, and can be used for very convincing phishing attacks. A user might be redirected to a clone of their bank’s website, for example, where hackers can steal vital banking information.

How do attackers exploit compromised websites?

Hackers use these vulnerabilities to: 

• Inject unwanted ads for things like shady pharmacies and adult content.
• Set up phishing scams, like fake anti-virus software.
• Create ‘drive-by’ downloads causing site visitors to unintentionally download malicious files containing viruses or malware.
• Steal data, like valuable customer information.
• Bring down a website by deleting your database or critical website files.
• Hijack your hosting resources for their own purposes. Since many hosting providers allocate set resources for each site, this can slow your site down or cause you to exceed bandwidth limits. 

The impact of a hack

A hacked website suffers a variety of consequences, including:

• A drop in search engine results. Many businesses rely on organic search results for most of their traffic. If Google notices you’ve been hacked, you may slip in the rankings.
• Placement on Google’s internal “black list.” When users visit your site, they may see a warning that your site is unsafe, costing you customers before you can even greet them. 
• Loss of customer trust. If potential customers arrive on a site full of spam, they’ll lose confidence in your business and look elsewhere.
• Financial loss. This can come in the form of fleeing customers or reduced traffic, but also fines. In 2019, British Airways was fined a record £183 million (approximately $240 million) for a data breach where hackers gained access to 500,000 customers’ data.
• Time and expense. Unless you know how to fix a hacked site, you’ll need to pay someone to do it for you.

The solution: Jetpack Scan

At the time of writing, WPScan Vulnerability Database (sponsored by Automattic, the people behind Jetpack) has 21,688 known vulnerabilities in its database — that’s a lot! These are continually evolving and difficult to spot, so it’s important to have a tool that constantly checks your website. While you can never have 100% website protection, regular scans significantly lower the amount of damage a hack can cause.

This is where Jetpack Scan comes in. You don’t want to find out from your customers that you’ve been hacked! Let Jetpack protect your business, for a low monthly cost. 

Jetpack Scan features:

• Decentralized scanning: Everything takes place on Jetpack servers so it doesn’t affect your site speed.
• Automatic scanning: Everything happens behind the scenes. You’ll get email notifications should something need your attention — new threats, bad actors, or suspicious behavior. This allows you to focus on your business.
• Easy-to-use interface: The Jetpack Scan interface was designed for website owners, not security experts. Learn about issues quickly and solve many of them with a click.
• Early access to information: Jetpack monitors millions of websites for vulnerabilities and is the first to know about the latest security threats. 
• WordPress-specific functionality: Jetpack Scan was built just for WordPress and is solely focused on the specific vulnerabilities most likely to affect your site.
• Jetpack Backup integration: Add even more power with Jetpack Backup — if Scan finds any issues, you can restore your website to right before the problem occurred. 

Protect your site today

Threats come in all shapes and sizes, don’t discriminate, and can cause lasting damage. Implementing a tool that keeps an eye on your site is a simple decision — the cost is nothing compared to the consequences of a hack.

Get Jetpack Scan

---