Most common website attacks

We rely on websites to read the news, purchase clothes, find out about the weather, teach our children, and communicate with each other via webmail. So when websites are attacked, it can be catastrophic for both site owners and users.

To help you identify cyber threats before they take down your website, we’ve made a list of the top 6 most common website attacks. Any one of them could target your website, so it really pays to be prepared.

1. DDoS

Also known as Distributed Denial of Service, DDoS attacks can take down websites for days at a time, which can ruin the experience of customers and cause lost revenue.

These attacks are generally orchestrated from a central hub that allows attackers to control huge armies of bots on what's known as a "botnet". These bots are kept on thousands of computers around the world, and most hosts have no idea that they’re facilitating a website attack.

As soon as they’re engaged, botnets start spamming the authentication procedures on target websites. Or they simply bombard sites with so many requests that the websites can't cope with the onslaught. Either way, websites tend to buckle under the pressure, and until the flood of attackers subsides, they are hard to get back online.

DDoS attacks tend to vary in style. Some involve hijacking protocols used by hosting services, while others rely on IP spoofing and creating identities that the target site can’t verify. In more complex attacks, cybercriminals trigger what is known as an "HTTP flood” that attacks the POST or GET commands in HTTP instructions.

The latter type is both the most effective and the hardest to pull off. However, if attackers have the patience to learn what they need to know about their target, they can usually work out a solution. This is a case where shielding your website communications with a VPN really helps, since the VPN encryption makes it much more difficult for hackers to carry out their investigations before a website attack.

2. Cross-site scripting

Also known as XSS, Cross Site Scripting is just as dangerous as a well-crafted DDoS website attack. And if anything, they’re easier to customize, with potentially devastating consequences.

During XSS attacks, attackers inject code (or scripts) directly into the code used to run the target site. This code can then allow them to create tools that harvest user information, often without the legitimate site owners having any clue about what’s going on.

In the past, XSS attacks were particularly associated with browser extensions like Macromedia Flash (hence the periodic panics about how safe Flash players are). But JavaScript is now seen as the primary security vulnerability.

How does code injection happen? Usually, hackers will target sites that allow a degree of user input – such as feedback or comment forms. They can then enter "browser side" code which triggers the injection, and lets them take control.

This is why it's so important to design websites that avoid the most common JavaScript vulnerabilities. Cybercriminals scour the web for weak sites, and when they infiltrate your website, it can ruin the trust you've built up with your customers.

3. Web-based malware

This kind of website attack is somewhat different. In this case, a company's own website is left untouched, but their reputation almost certainly won't be.

Web-based malware seeks to fool users into thinking that malicious sites are actually the real deal. So they go to great lengths to disguise their front ends with accurate content and logos – whatever it takes to spoof actual business websites.

However, these websites are very different from your own. They can carry all of your actual product descriptions, but when users click on links or proceed to payment, everything changes. Instead of processing payment, fake sites tend to deliver malware which can lock up computers or steal data.

While this isn't technically an attack on specific sites, it is still a potent way to take actual sites down via reputational damage. So look out for copycat websites. If too many appear, customers will start to feel that your cybersecurity defences aren't up to the task.

4. SQL injection

If you've ever set up a web shop, you'll have come into contact with SQL (Structured Query Language). The reason is pretty simple: SQL is the most popular programming language to code structured databases for websites. It's great for holding and manipulating vast amounts of product information and also works fine with payment portals.

All this sounds great, but SQL comes with a major catch: SQL injection (SQLi) attacks. In this kind of website attack, hackers attempt to target a company's SQL database.

To do so, they seek to fool the database into thinking their queries are actually legitimate. If they do so, they can often bypass the authentication stages that are required by normal users – opening up data about finances and payment details. That's how companies can lose millions of credit card numbers – and it's a real business killer.

Thankfully, filtering systems included in SQL packages can counteract most SQL injection attacks. But these filters need to be calibrated properly (and not turned off – as many companies tend to do).

5. PHP vulnerabilities

PHP is the programming language generally used to govern the way websites work. Also, just like SQL, it's a major source of website attack potential. In this case, the key vulnerability is known as "Local File Inclusion" (LFI).

If PHP objects are incorrectly coded, attackers can use them to make all kinds of requests, potentially providing access to confidential files. If the cybercriminals have carried out diligent research, they can easily learn what files to request. And inside jobs can't be ruled out here, either.

This method can also be used to inject malicious code onto a site's servers, in much the same fashion as XSS. Alternatively, hackers can use a PHP technique called "Remote File Inclusion". This uses poorly coded PHP to call up files anywhere in the web.

6. Brute force attacks

If your site is protected by standard password fields, attackers might simply choose to batter down the doors. In cybersecurity, this is known as brute forcing, and it's a common technique for unsophisticated attackers to work out login details.

In this website attack, attackers program tools to constantly enter all the possible login combinations. Obviously, this method is the least likely method – but given enough combinations and weak passwords, hackers can get through.

Brute forcing is more effective when combined with information about users or employees, allowing attackers to narrow down their password search. Again, this is a point where encryption is vital. Remember, website hackers would love to track browser activity, emails, and location details.

Guard your website against every type of attack

As we've seen, websites can be vulnerable to many sorts of attacks. And no website is immune, so all managers need to take appropriate steps to fine-tune their online security.

Strong passwords, watertight SQL and PHP coding, external security audits, and the use of enterprise-grade VPNs can all contribute. Also, it helps to plan for the worst. Even the most well-managed sites can fall victim to these types of attacks. So have a continuity plan for worst-case scenarios. You may not need it, but if you do, you'll be glad to have it there.