To protect your site from future attacks, it's important to understand how your site was compromised. This document covers some of the security vulnerabilities that can result in your site being compromised.
The following video outlines the types of hacks and how hackers take control of your site.
Compromised passwords
Attackers may get your password by guessing different passwords until they guess correctly. Password guessing attacks use methods such as trying common passwords or cycling through random combinations of letters and numbers. To prevent this, create a strong, difficult-to-guess password. You can find tips for creating a strong password in Google's help center article.
Remember two points.
- Avoid reusing passwords across services. Once attackers identify a working username and password combination, they try the credentials on as many services as possible. Use a unique password to prevent other accounts from being compromised.
- Use two-factor authentication (2FA), such as Google 2-Step Verification. 2FA adds a second layer of credentials, through a text message code or a dynamically generated PIN, to prevent attackers from accessing your account. Some CMS providers have guidance on configuring 2FA.
Missed security updates
Earlier software versions can have high-risk security vulnerabilities that enable attackers to compromise an entire site. Attackers actively seek out old software with vulnerabilities. Ignoring vulnerabilities increases the risk of attack.
For example:
- Web server software (if you host your own servers).
- Your content management system (CMS). For example, security releases from WordPress, Drupal, and Joomla!.
- All plugins and add-ons you use on your site.
Insecure themes and plugins
CMS plugins and themes add valuable features. However, outdated or unpatched themes and plugins are a major source of vulnerabilities. Keep themes and plugins up to date. Remove themes or plugins that are no longer maintained.
Be extremely cautious of free plugins or themes from untrusted sites. It's a common tactic for attackers to add malicious code to free versions of paid plugins or themes. When removing a plugin, make sure to remove all its files from your server rather than just disabling it.
Social engineering
Social engineering exploits human nature to bypass security. These attacks trick users into providing confidential information, such as passwords. One common form of social engineering is phishing. In a phishing attempt, an attacker sends an email pretending to be a legitimate organization to request confidential information.
Never share sensitive information (for example, passwords, credit card numbers, banking information, or even your date of birth) unless you're sure of the requestor's identity. If multiple people manage your site, provide training to raise awareness of social engineering. For basic phishing protection tips, refer to the Gmail Help Center.
Security policy holes
If you're a system administrator or host your own site, poor security policies can allow attackers to compromise your site. Examples include:
- Allowing users to create weak passwords.
- Granting administrative access to users who don't require it.
- Not enabling HTTPS and allowing users to sign in using HTTP.
- Allowing file uploads from unauthenticated users without type checking.
Here are some tips to protect your site:
- Configure your website with high security controls by disabling unnecessary services.
- Test access controls and user privileges.
- Use encryption for pages that handle sensitive information, such as login pages.
- Check your logs regularly for suspicious activity.
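As an added example (not part of this page, and not Google's own tooling), here is a check a site owner could run over web server access logs to spot the password-guessing attempts described under "Compromised passwords", in the spirit of the "check your logs" tip above. It assumes Apache combined log format and a WordPress-style login endpoint where a failed POST re-displays the form (HTTP 200) while a successful one redirects (HTTP 302); the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" format; not real traffic.
# Assumption for this example: a 200 on POST /wp-login.php means the login
# form was re-displayed (failed attempt); a 302 means the user was let in.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [10/Mar/2024:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "curl/8.0"' % s
    for s in range(1, 7)
] + [
    '203.0.113.7 - - [10/Mar/2024:12:00:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Mar/2024:12:00:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
])

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])

def find_password_guessing(log_text, login_path="/wp-login.php",
                           threshold=5, window=timedelta(minutes=5)):
    """Flag IPs with at least `threshold` failed logins inside a sliding window.
    Also record whether a flagged IP later logged in successfully: that is the
    case where the password is likely compromised and must be reset at once."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed attempts
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path:
            continue
        if status == 200:                       # failed attempt (see assumption)
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:     # drop attempts outside the window
                q.popleft()
            if len(q) >= threshold:
                entry = flagged.setdefault(ip, {"failed": 0, "success_after": False})
                entry["failed"] = max(entry["failed"], len(q))
        elif status == 302 and ip in flagged:   # success after a burst of failures
            flagged[ip]["success_after"] = True
    return flagged
```

A flagged IP with success_after set is the signal to reset that account's password and enable 2FA; an IP with failures only is a candidate for rate limiting or blocking.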
Data leaks
Data leaks occur when confidential data is uploaded and misconfigured to be publicly available. For example, web application error messages can leak configuration information. Using a method known as "dorking", malicious actors can exploit search engine functionality to find this data.
Ensure your site doesn't reveal sensitive information by conducting periodic checks and restricting confidential data. If you discover sensitive information on your site that needs urgent removal from Google Search, use the URL removal tool.
