How websites get hacked, and how to prevent it

Now that we’re several decades into the computer age, we all know what “being hacked” means – it’s the process by which malicious individuals break into something of yours, whether it’s your email account, Facebook profile, or a computer or website. I’ve had multiple incidents over the years where businesses have asked me to fix a website that had been hacked. In some cases the site was modified to redirect visitors to malicious third-party websites, which obviously doesn’t reflect very well on a business. Let’s dive into how it happens and how you can reduce the odds of it happening to you.

Most hacking is automated

One myth I want to dispel right away is the stock-footage idea of a guy in a balaclava sitting at his computer, trying to break into your stuff. That’s almost certainly not the kind of threat you’re facing, unless you’re a prominent public figure or your company is a ripe target for industrial espionage. The vast majority of hacks are done by bots – software – that crawl the internet, trying low-effort methods on whatever they find: guessing passwords against login pages, probing for versions of popular software with known holes, and moving on if nothing works. Nobody picked your site; it was simply reachable.

Login information must be secure and unique

A common automated attack is to run a list of known passwords, usually harvested from data breaches, against your login page. (People sometimes call such a list a “rainbow table”, but that term properly means a precomputed table for reversing password hashes; what hits a login form is plain password guessing, or “credential stuffing” when each leaked password is tried together with the email it leaked alongside.) Bots work through the list in the hope that you’re using one of the entries. That’s why it’s important to use passwords that are hard to guess, instead of something like “Password#2022”, which is in every one of those lists.

Password#2022? That’s the combination on my luggage!

This is also why using the same password for multiple sites is a big mistake – if any one of those sites is breached, the attackers will try the same email + password combination across the web and get into every other account where you reused it.
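What that automated guessing looks like in a web-server log, and one way to spot it, as an added example that is not part of the original post. The log lines are constructed for this example (the addresses come from the documentation IP ranges), and the detection relies on a WordPress-specific signal: a wrong password makes wp-login.php re-render the form with HTTP 200, while a successful login answers with a 302 redirect to the dashboard.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of "combined" format access log lines (not from any real site).
# 203.0.113.7 hammers the login form, 198.51.100.4 is a real user who mistypes once,
# 192.0.2.9 tries three passwords spread over a day.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:30:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1790 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:30:09 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2024:09:30:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:11:02:40 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
192.0.2.9 - - [12/Mar/2024:15:47:12 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
192.0.2.9 - - [12/Mar/2024:21:13:55 +0000] "POST /wp-login.php HTTP/1.1" 200 1843 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields we need from one access log line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec):
    """WordPress answers a wrong password by re-rendering the form (200) and a
    successful login with a redirect to the dashboard (302)."""
    return (rec["method"] == "POST"
            and rec["path"].split("?")[0] == "/wp-login.php"
            and rec["status"] == 200)

def find_credential_stuffing(lines, threshold=5, window_seconds=600):
    """Map each client IP that produced at least `threshold` failed logins inside any
    `window_seconds` span to its total number of failed logins in `lines`."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            failures[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0                       # sliding window over the sorted timestamps
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

if __name__ == "__main__":
    for ip, count in find_credential_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed logins, looks automated")
```

Two caveats: behind a proxy or CDN the first field is the proxy’s address, so take the client IP from the forwarded-for header your proxy adds instead; and a bot that rotates through many addresses, one attempt each, slips under any per-IP threshold, which is why the real defence is the unguessable password rather than the detection.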

To ensure this doesn’t happen, you should use a password manager (I like Bitwarden) which generates long, random passwords on demand and stores them in an encrypted vault. The vault is protected by a password of your choice – that password should be as long as possible (mine is about 25 characters) and you should never use it elsewhere. Make sure it’s something easy to remember – a good trick is to string several randomly chosen words together, like “PotatoElephantAccessibleUniverse”. The words must genuinely be picked at random (by the manager’s generator or a dice roll, not by you, since the words people “think of” are far more predictable), and now that that particular example is published, don’t use it.

Password managers protect you in two ways – the long random passwords are far beyond what guessing can reach, and if one website leaks its password database, the password that leaked only works on that one site, because you’re using a different password everywhere else.
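Why the “random words” advice works, as an added example that is not part of the original post: a passphrase is only as strong as the number of equally likely choices, so each word drawn uniformly from a list of N words adds log2(N) bits. The word list below is a constructed stand-in for a real one (the EFF long word list has 7776 entries), and `secrets` rather than `random` is used because the latter is predictable.

```python
import math
import secrets
import string

# Constructed stand-in word list so the example runs offline. A real list
# (for example the EFF long word list) has 7776 words, and that size is what matters.
SAMPLE_WORDS = [
    "potato", "elephant", "accessible", "universe", "lantern", "copper",
    "velvet", "glacier", "harbor", "ribbon", "meadow", "quartz",
    "saddle", "tundra", "walnut", "zephyr",
]

def passphrase(words, count=4, sep=""):
    """Join `count` words drawn uniformly and independently from `words`.
    secrets.choice uses the OS CSPRNG; random.choice would be predictable."""
    return sep.join(secrets.choice(words).capitalize() for _ in range(count))

def entropy_bits(list_size, count):
    """Bits of entropy of `count` uniformly chosen words from a list of `list_size`."""
    return count * math.log2(list_size)

def words_needed(list_size, target_bits):
    """Fewest words from a list of `list_size` that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def naive_charset_bits(password):
    """The 'length x character classes' estimate that strength meters use. It treats
    every character as independent and uniformly chosen, which is why it badly
    overrates patterned passwords such as Password#2022."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

if __name__ == "__main__":
    print(passphrase(SAMPLE_WORDS, 4))
    print(f"4 words from 7776: {entropy_bits(7776, 4):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(7776, 80)}")
    print(f"naive estimate for Password#2022: {naive_charset_bits('Password#2022'):.1f} bits "
          "(real guessing cost: a handful of attempts, it is in every leaked list)")
```

The takeaway is that strength comes from the size of the choice space and from genuinely random selection, not from symbols and capital letters; a password that appears in a breach list has effectively zero bits no matter what a strength meter says about it.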

A note about phishing

Hackers often use automated phishing emails that ask you to log in with your username and password so they can “verify” something (an account number, a suspicious payment, an expiring subscription). Never enter account details via a link in an email you weren’t expecting; type the site’s address yourself or use a bookmark instead. A password manager helps here too: it only offers to fill a saved login on the exact domain it was saved for, so it stays silent on a look-alike site, and that silence is your cue to stop.

Make sure your website has a valid SSL/TLS certificate

SSL certificates (the protocol itself is now called TLS, “Transport Layer Security”, but the old name stuck) are what let a browser set up an encrypted connection to your site. Strictly speaking the certificate doesn’t encrypt anything itself: it proves to the browser that it really is talking to your domain, and the TLS handshake then agrees on the keys used to encrypt everything sent in either direction. Together they protect against “man-in-the-middle attacks”, where someone on the network between your site and a visitor (a rogue Wi-Fi hotspot, a compromised router) reads or alters the traffic. The comparison to a VPN only goes so far: a VPN encrypts everything from your device to the VPN provider, whereas TLS encrypts the traffic to one particular website, and the certificate is also what stops an attacker from impersonating that website.

Furthermore, browsers now mark plain HTTP pages as “Not secure” in the address bar and show a full-page warning if a certificate is expired, self-signed or issued for a different domain name, so an invalid certificate drives visitors away just as surely as having none at all. Certificates also expire (Let’s Encrypt certificates last 90 days, commercial ones typically a year) and have to be renewed; most hosts automate this, but it’s worth checking that the renewal actually happens rather than finding out from a customer.
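A check for the “is my certificate still valid” part, as an added example that is not part of the original post. `fetch_peer_cert` connects with Python’s default verifying context, so a certificate the operating system does not trust raises an error before you even get it back; `cert_status` works on the dictionary that `getpeercert()` returns and is shown against a constructed certificate dictionary so that it runs offline. The `utc` helper and the sample certificate are assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake with a verifying default context and return the peer certificate dict.
    A certificate the OS trust store rejects raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _dns_match(pattern, host):
    """Match one subjectAltName DNS entry; a wildcard covers exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def utc(year, month, day):
    """Timezone-aware midnight UTC, used for the offline checks below."""
    return datetime(year, month, day, tzinfo=timezone.utc)

def cert_status(cert, host, now=None, warn_days=14):
    """Return (ok, reasons) for a getpeercert()-style dict: validity window, an
    expiry warning inside `warn_days`, and whether `host` is actually named in it."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        reasons.append(f"not valid until {not_before:%Y-%m-%d}")
    remaining = not_after - now
    if remaining <= timedelta(0):
        reasons.append(f"expired on {not_after:%Y-%m-%d}")
    elif remaining < timedelta(days=warn_days):
        reasons.append(f"expires in {remaining.days} days, renew now")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_dns_match(n, host) for n in names):
        reasons.append(f"{host} is not covered by {names or 'any name'}")
    return (not reasons, reasons)

# Constructed certificate dictionary in the shape getpeercert() returns, for offline use.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar 31 23:59:59 2024 GMT",
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else None
    cert = fetch_peer_cert(host) if host else SAMPLE_CERT
    ok, reasons = cert_status(cert, host or "www.example.com")
    print("OK" if ok else "PROBLEM: " + "; ".join(reasons))
```

Run it from a scheduled job against your own hostname and have it alert on anything but “OK”; the point of the warn window is to hear about a stuck renewal while there is still time to fix it, rather than from the browser warning your visitors see.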

Keep your website patched and up to date

Websites run on a stack of various pieces of software, and like any software, these must be regularly updated. To do this, you’ll need to make sure you’re running supported, current versions of all of it, including:

  • The server operating system (typically some flavour of Linux). On shared hosting this is handled by your hosting provider; if you rent a virtual server of your own, it’s yours to patch.
  • The web server and language runtime your site runs on (usually PHP behind Apache or Nginx). The provider installs these, but you often choose which PHP version your site uses in the control panel, and old versions stop receiving security fixes.
  • The application itself and everything bolted onto it (WordPress core, plus any themes and plugins). Most WordPress vulnerabilities are found in plugins, so delete the ones you don’t use rather than leaving them installed but inactive.

Older versions of these almost inevitably have known security vulnerabilities, and the bots mentioned earlier scan specifically for the version strings of software with a published exploit. If there are no new updates available for some reason or another – usually because that version has reached end of life and no longer receives them – you should upgrade to a supported version rather than staying put.

If your website is built on a fully-managed website builder platform (for example Wix or Squarespace), those updates are handled by the company itself and you don’t need to take any action. If your site is managed yourself (usually a WordPress install on cPanel hosting, or something similar), someone needs to stay on top of it. This is one of the main reasons why I offer updates and backups as part of my web design services.

Make it unhackable (almost)

If software and logins are how your website gets attacked, what better way to keep it safe than removing the software and the logins? This is where “static websites” come in. They are made up of simple HTML + CSS + JavaScript files, like in the old days of the web. There’s no application code running on the server – no PHP, no WordPress, no database, no admin page to guess passwords against – only plain files handed out by the web server. The actual webpages are generated one time only as part of a “build” whenever the contents of a page change, and that build runs on your own machine or a build service, not on the live site. That removes the layer where most attacks land, but not everything: the web server and its operating system still need patching (usually the host or CDN does that for you), the build tooling has dependencies that need updating like anything else, and any contact form or comments widget you bolt on brings a little server-side code back with it.

They do have disadvantages, however – the tools and technology involved in building them are more complex and have a steeper learning curve than the Word-like editing experience of something like WordPress. I generally don’t recommend these unless you have a solid knowledge of HTML, or have someone who can manage the website for you.

Back it up

Even with all of those security measures in place, you will still want to keep a backup. As Helmuth von Moltke said about 150 years ago, “No plan survives first contact with the enemy”. Make sure your website is backed up on a schedule that will capture any recent updates (i.e., if your website content changes weekly, make sure it’s backed up more often than once per week), and keep several generations rather than just the latest one: a compromise is often noticed weeks after it happened, by which time the most recent backup already contains the attacker’s changes.

An important note: make sure your backups are stored outside your website – on separate storage, with another provider, or downloaded to your own machine. If your site goes offline for whatever reason, a backup that you have to log into your site to access won’t be much help, and whoever compromises the site can delete any backups kept alongside it. Test a restore now and then, too; an untested backup is a hope, not a plan.
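A backup routine that follows the rules above, as an added example that is not part of the original post: timestamped archives with a checksum, a safety check on what the archive contains, a restore test, and retention of several generations. The two-file sample site and the `backups` directory are constructed for the example; in practice that directory stands in for whatever off-server location you actually use.

```python
import hashlib
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def make_backup(site_dir, dest_dir, now=None):
    """Archive site_dir into dest_dir as a timestamped .tar.gz plus a SHA-256 sidecar file."""
    site_dir, dest_dir = Path(site_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    now = now or datetime.now(timezone.utc)
    archive = dest_dir / f"site-{now:%Y%m%dT%H%M%SZ}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive

def verify_backup(archive):
    """Recompute the digest against the sidecar and refuse archives with unsafe member paths."""
    archive = Path(archive)
    expected = Path(f"{archive}.sha256").read_text().split()[0]
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected:
        return False, "checksum mismatch: archive is corrupt or was tampered with"
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.name.startswith("/") or ".." in Path(member.name).parts:
                return False, f"unsafe path in archive: {member.name}"
    return True, "ok"

def restore_test(archive, site_dir):
    """Extract into scratch space and confirm every file in site_dir came back byte-identical."""
    site_dir = Path(site_dir)
    checked = 0
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp)
        restored_root = Path(tmp) / site_dir.name
        for src in site_dir.rglob("*"):
            if src.is_file():
                dst = restored_root / src.relative_to(site_dir)
                if not dst.is_file() or dst.read_bytes() != src.read_bytes():
                    return False, checked
                checked += 1
    return True, checked

def prune(dest_dir, keep=7):
    """Delete all but the newest `keep` archives (names sort chronologically); return what remains."""
    archives = sorted(Path(dest_dir).glob("site-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
        Path(f"{old}.sha256").unlink(missing_ok=True)
    return archives[-keep:]

def demo():
    """Run the whole cycle on a constructed two-file site; returns the checks' outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-content").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-content" / "style.css").write_text("body { margin: 0 }\n")
        backups = Path(tmp) / "backups"          # stand-in for off-server storage

        first = make_backup(site, backups, now=datetime(2024, 3, 12, tzinfo=timezone.utc))
        verified, _ = verify_backup(first)
        restored, count = restore_test(first, site)

        data = bytearray(first.read_bytes())     # simulate a corrupted or tampered copy
        data[-1] ^= 0xFF
        first.write_bytes(data)
        after_tamper, _ = verify_backup(first)

        second = make_backup(site, backups, now=datetime(2024, 3, 13, tzinfo=timezone.utc))
        remaining = prune(backups, keep=1)
    return {"verified": verified, "restore_ok": restored, "restored_files": count,
            "after_tamper": after_tamper, "kept": [p.name for p in remaining],
            "newest": second.name}

if __name__ == "__main__":
    print(demo())
```

For a WordPress site the archive also needs a database dump alongside the files, and the copy step to the off-server location should use credentials that can write new archives but not delete old ones, so a compromised server cannot take the backups down with it.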

Following the steps above won’t make your website invulnerable, but they will tremendously reduce the odds of it getting compromised – and if something bad does happen, you know you can restore from your latest backup. The best strategy is to have multiple strategies working in layers. If you’d like an audit of your website security, let me know!