20 Website Vulnerabilities & Security Threats You Need to Know

When you run an enterprise-level organization, website security threats are always on your mind. An attack on your system can lead to a security breach, result in data loss, or cause your entire application to shut down.

The easiest way to avoid online threats is to remind or educate yourself about website vulnerabilities. Once you’re aware of common dangers like SQL injection attacks and brute force attacks, you can protect your customers and keep your site running smoothly at all times.

In this post, we’ll discuss 20 website vulnerabilities and security threats, and explore the real implications of even a single web security threat for an enterprise business.

Types of targeted attacks on websites

1. Brute force attacks

The brute force attack is not a very technical kind of website security threat. This means that essentially anyone can commit brute force attacks on your site. 

This type of threat occurs when hackers or bots use trial and error to continually attempt to access your site. It involves the attacker guessing hundreds of password and username combinations until they find the right one.

This allows them to gain admin privileges for your application, giving them complete control over your data and your client and customer information.

To find out if your site is vulnerable to brute force attacks, you can install WPScan. Then, head to WPScan → Reports and scroll down to Security Checks.

Security checks in the WordPress dashboard

Under Weak Passwords, you can see if WPScan was able to brute force the passwords for any privileged users on your site.

You can also reduce the risk of brute force attacks by strengthening your website’s login process. For instance, you can use a plugin like Jetpack, which can automatically block malicious IPs from trying to force their way in.

2. Distributed denial of service (DDoS)

A distributed denial of service (DDoS) attack attempts to overload your server by flooding it with fake requests. The purpose of a DDoS attack is to overwhelm your servers to the point where all resources and bandwidth are at full capacity. This way, you’re no longer able to respond to legitimate client requests.

Sometimes a DDoS attack can result in your online services being disrupted. Other times, the attack can completely take down your website, making it inaccessible to customers.

There are many ways an attacker can execute a DDoS attack. They might perform a volumetric attack, where huge amounts of traffic are generated to block genuine traffic.

What’s more, an attacker might execute a protocol DDoS attack, whereby the hacker is able to exploit infrastructure endpoints like load balancers. Meanwhile, an application DDoS attack targets weaknesses in your application. 

Fortunately, there are practices that help you avoid a DDoS attack. For example, you can install a web application firewall (WAF). This way, you can monitor all incoming traffic and block any suspicious IPs before they reach your site. It’s also important to note that many quality web hosts provide a free web application firewall with their managed hosting plans.

3. DNS poisoning or spoofing

The domain name system (DNS) is an unencrypted protocol that translates domain names (such as mywebsite.com) into IP addresses. Because DNS responses carry no proof of where they came from, it can be easy for hackers to interfere with this process through poisoning or spoofing.

By default, DNS resolvers don’t validate the answers they receive. Therefore, a hacker who can inject or alter DNS records can redirect visitors to a malicious site that resembles the intended destination.

Once someone arrives at this malicious site, they’re often prompted to log in. Usually, this ploy is successful because people believe they’re logging into a legitimate account. Then, the attacker can steal access credentials and other types of sensitive information that the user enters on the website. 

On top of that, the malicious site can be used to install viruses on the visitor’s computer. This way, the attacker can access that computer on a long-term basis. 

Typically, DNS spoofing is carried out in the form of a machine-in-the-middle (MITM) attack or a DNS server compromise. The latter is when the hacker hijacks the DNS server and configures it to return a malicious IP address.

As we mentioned, standard DNS is neither encrypted nor authenticated, so a resolver has no way to tell a forged response from one sent by the legitimate server. That’s why it’s best to opt for a premium DNS provider that supports DNSSEC. With DNSSEC, the DNS entries you set up are cryptographically signed, and validating resolvers reject any response whose signature doesn’t check out.

4. Subdomain takeovers

Subdomains can leave you at a greater risk of online attacks if they aren’t properly secured. Takeovers of this kind usually occur when the subdomain still has a canonical name (CNAME) record in DNS, but the host it points to no longer provides content for it.

This might be because the virtual host hasn’t been published yet or has been removed. An attacker can then gain control of the subdomain by registering their own virtual host at that target and hosting their own content under your name.

The most popular reason for subdomain takeovers is to access and read cookies. But these attacks also enable attackers to perform cross-site scripting, steal sensitive information, and send malicious content to other users.

5. Machine-in-the-middle (MITM) attacks

If you don’t encrypt data as it travels between the server and the browser, you create a major vulnerability on your site: anyone who intercepts the connection can read and steal that data, which might include login credentials, personal information, or payment details. This is known as a machine-in-the-middle attack.

Your website will be at greater risk of MITM attacks if you use HTTP instead of HTTPS. You’ll also be more susceptible if you haven’t installed a valid SSL/TLS certificate. With HTTPS, the information is encrypted in transit, so an attacker can’t make sense of it even if they manage to intercept the connection.

6. Watering hole attacks

Watering hole attacks are sometimes described as a form of ‘supply chain attack’. They occur when a malicious actor identifies a website that’s frequently visited by members of an organization. The attacker compromises that website, usually to distribute malware.

A watering hole attack only succeeds once the actor has both pieces: a vulnerability in your cyber security that can be exploited, and a watering hole site that has been manipulated to deliver malware. The malware is ultimately what exploits the vulnerability.

Since the targeted website is one that the visitor navigates to regularly, they continue to trust the website, even when it’s compromised. The malware itself might come from a file that the visitor downloads, or a button that they click. 

Typically, this action provides the attacker with remote access to your systems, which is why watering hole attacks are used so often for espionage against government organizations.

One of the worst things about watering hole attacks is that, if the compromised website can also exploit a browser or operating system security flaw, the malware is installed without the visitor realizing anything has happened. This is known as a drive-by attack.

While watering hole attacks can be complex, there are certain warning signs that can alert you as to whether you’re being targeted. For instance, you might receive an unsolicited email from a ‘trusted’ source. 

You might also be peppered with alerts to update your software, or be presented with lots of popups. The best way to prevent a watering hole attack is to monitor your internet traffic using an antivirus program.

7. Clickjacking

Clickjacking relies on vulnerabilities in your user interface (UI). When executed successfully, clickjacking tricks visitors into performing actions on another website.

It works by encouraging visitors to click on certain UI elements that actually take effect on the targeted website. For example, someone might click a button to claim a prize. But the click is used to purchase an item on a different website.

In this instance, the attacker hides the target website’s UI and rearranges the visible UI so the visitor remains unaware of what’s happening. Typically, this threat is used by hackers to get more social media likes, access cookies, steal files, and deceive password managers.

There are various methods for preventing clickjacking attacks. You can send a Content Security Policy (CSP) header whose frame-ancestors directive restricts which sites may embed your pages in a frame. Note that browsers only honor frame-ancestors in the HTTP header, not in a meta element, so it has to be set server-side.

Alternatively, you can enable frame busting with JavaScript, so that your pages refuse to load inside a frame on another site without permission.
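The header-based defense described above, as an added example that is not code from the original post or from WPScan: one function produces the anti-framing headers a site should send (CSP frame-ancestors, with the older X-Frame-Options header as a fallback for browsers that predate CSP level 2), and a second reads a response’s headers back and reports whether third-party framing is blocked. The sample responses are constructed; the header names and values are the real ones browsers enforce.

```python
# Added example (not from the original post): anti-framing response headers
# and a checker that classifies a response by the headers it carries.
# Header names/values are real (CSP frame-ancestors, X-Frame-Options);
# the SAMPLES dict below is constructed test data.

def anti_framing_headers(allowed_origins=()):
    """Headers to send on every HTML response. With no allowed origins the page
    refuses to be framed at all; otherwise only the listed origins may frame it."""
    if allowed_origins:
        sources = " ".join(("'self'",) + tuple(allowed_origins))
        return {"Content-Security-Policy": f"frame-ancestors {sources}"}
    return {
        "Content-Security-Policy": "frame-ancestors 'none'",
        "X-Frame-Options": "DENY",   # fallback for browsers without CSP level 2
    }


def _csp_directive(csp_value, name):
    """Return the source list of one directive from a CSP header, or None."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == name:
            return parts[1:]
    return None


def framing_protection(headers):
    """Classify a response by its headers (names compared case-insensitively):
    'blocked'     - no third-party site can frame the page
    'restricted'  - only the listed origins (or the same origin) may frame it
    'unprotected' - anyone can frame it, so clickjacking is possible
    When both headers are present, frame-ancestors wins over X-Frame-Options,
    which is how browsers resolve the two."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = _csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        if ancestors == ["'none'"]:
            return "blocked"
        if "*" in ancestors:
            return "unprotected"
        return "restricted"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "restricted"
    return "unprotected"


# Constructed sample responses: a fully protected page, one that allows a
# partner origin, a legacy header only, and one that sends nothing at all.
SAMPLES = {
    "protected": anti_framing_headers(),
    "partner": anti_framing_headers(["https://partner.example"]),
    "legacy": {"X-Frame-Options": "sameorigin"},
    "open": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:10s} {framing_protection(hdrs)}")
```

Running the checker over your own site’s responses (for example from a crawl of the WordPress front end and admin pages) is a quick way to find pages that are still frameable; the JavaScript frame-busting approach mentioned above can then be kept as a belt-and-braces measure, but the headers are what the browser enforces before any script runs.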

8. Compromised credentials

A weak login procedure is a major vulnerability on any website, since it can lead to exposed credentials. Credential-abuse attacks were recently ranked as the second most concerning security threat targeting organizations.

There are multiple types of password-based attacks, including brute force attacks (which we discussed earlier). Here are some of the other common varieties: 

  • Credential dumping: This involves attackers extracting credentials, such as password hashes, from the memory (RAM) of a machine they’ve compromised.
  • Credential stuffing: This occurs when hackers use known credentials to log into other accounts.
  • Pass the Hash techniques: This is when attackers steal a hashed credential and use it directly to create an authenticated session.

Once your credentials have been exposed, attackers can steal data, access other accounts on your site (including the admin account), and shut down the entire network. As a result, it’s important to take preventative measures.

One of the best ways to reduce the risk of compromised credentials is to strengthen the login procedure. To do this, it’s a good idea to use (and enforce) strong passwords on your site.

Additionally, you can limit login attempts and implement two-factor authentication (2FA). This way, visitors are required to provide two factors to access your site. One of these is usually a password; the second is generated in real time (for example, a one-time code), so bots and hackers aren’t able to furnish it.
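The “limit login attempts” advice above, and the brute force section earlier in this post, both come down to the same server-side control. Here is an added example of what that looks like in practice; it is not code from the original post or from any WPScan or Jetpack plugin. It counts failed logins per account and per source IP inside a sliding window, locks the account or blocks the IP once a threshold is crossed, and separately flags the “many different usernames from one IP” pattern that distinguishes credential stuffing from a plain brute force attempt. The thresholds, window length, IP addresses and login events are all constructed assumptions.

```python
# Added example (not from the original post): a failed-login throttle with
# per-account and per-IP limits inside a sliding window, plus a detector for
# the credential-stuffing pattern (one IP, many distinct usernames).
# Thresholds, window length and the sample events are illustrative assumptions.
from collections import defaultdict, deque

WINDOW_SECONDS = 600          # sliding window for counting failures
MAX_PER_ACCOUNT = 5           # lock the account after this many failures
MAX_PER_IP = 20               # block the source IP after this many failures
STUFFING_DISTINCT_USERS = 10  # distinct usernames from one IP -> stuffing


class LoginThrottle:
    def __init__(self):
        # timestamps of failures, keyed by account name and by source IP
        self.account_fail = defaultdict(deque)
        self.ip_fail = defaultdict(deque)
        # usernames attempted per IP, with the time of the last attempt
        self.ip_users = defaultdict(dict)

    @staticmethod
    def _prune(q, now):
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()

    def is_allowed(self, username, ip, now):
        """Return (allowed, reason). Call this BEFORE checking the password, so a
        locked account or blocked IP never reaches the password check at all."""
        self._prune(self.account_fail[username], now)
        self._prune(self.ip_fail[ip], now)
        if len(self.account_fail[username]) >= MAX_PER_ACCOUNT:
            return False, "account locked: too many failed logins"
        if len(self.ip_fail[ip]) >= MAX_PER_IP:
            return False, "ip blocked: too many failed logins"
        return True, "ok"

    def record_failure(self, username, ip, now):
        self.account_fail[username].append(now)
        self.ip_fail[ip].append(now)
        self.ip_users[ip][username] = now

    def record_success(self, username, ip, now):
        # A correct login resets the per-account counter but NOT the per-IP one:
        # one valid hit among many failures is exactly what stuffing looks like.
        self.account_fail[username].clear()
        self.ip_users[ip][username] = now

    def looks_like_stuffing(self, ip, now):
        """True when many distinct usernames were tried from one IP in the window."""
        recent = {u for u, t in self.ip_users[ip].items() if now - t <= WINDOW_SECONDS}
        return len(recent) >= STUFFING_DISTINCT_USERS


def replay(throttle, attempts):
    """Feed constructed (time, user, ip, password_ok) events through the throttle
    and return the decision made for each attempt."""
    decisions = []
    for now, user, ip, password_ok in attempts:
        allowed, reason = throttle.is_allowed(user, ip, now)
        if not allowed:
            decisions.append(reason)
            continue
        if password_ok:
            throttle.record_success(user, ip, now)
            decisions.append("login ok")
        else:
            throttle.record_failure(user, ip, now)
            decisions.append("wrong password")
    return decisions


# Constructed samples: one IP hammering the admin account (brute force), then a
# second IP trying one password against many different accounts (stuffing).
BRUTE_FORCE = [(t, "admin", "203.0.113.7", False) for t in range(0, 7)]
STUFFING = [(100 + t, f"user{t}", "198.51.100.9", t == 3) for t in range(0, 12)]

if __name__ == "__main__":
    th = LoginThrottle()
    print(replay(th, BRUTE_FORCE))
    print(replay(th, STUFFING), th.looks_like_stuffing("198.51.100.9", 200))
```

The stuffing detector is deliberately separate from the lockout: an attacker rotating through thousands of leaked username/password pairs never trips a per-account limit, and may stay under the per-IP failure limit too, so the signal worth alerting on is the number of distinct accounts touched from one source.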

What’s more, you can also operate on the principle of least privilege. This means that you only give users access to the parts of your site that they need to carry out their duties. 

For instance, an author should only be able to create their own posts. They shouldn’t have additional permissions that let them install software, manage content, or update your system settings.

9. Credential stuffing

Credential stuffing is a type of credential-based attack where hackers use known credentials to log into a series of other accounts. This type of attack takes advantage of people who reuse the same username and password combinations across multiple accounts. While it can be used to conduct identity theft, it’s more often associated with financial theft.

Credential stuffing only works when the attacker fraudulently gains valid combinations for one site. This might be achieved through a brute force attack. Then the hacker can use the stolen credentials on other sites to access legitimate accounts.

Obviously, the easiest way to reduce the risk of credential stuffing is to frequently change your passwords (and require other users on your site to do so as well). Plus, it’s important to use different passwords for each of your accounts.

In order to create strong passwords, you might use a password manager, like 1Password, and its built-in generator.

1Password strong password generator

Most password generators are built into a password manager, so you don’t need to worry about remembering your complex credentials.

Types of website security vulnerabilities

1. Vulnerability scanning

Vulnerability scanning — when hackers inspect your web application and networks for signs of weaknesses — is an important threat to watch out for. 

The good side of vulnerability scanning

Most successful enterprise businesses use a vulnerability scanner like WPScan for their own benefit.

WPScan homepage with information about the tool

Using the WPScan CLI, your organization can connect to a database of thousands of up-to-date vulnerabilities and identify issues before bad actors can take advantage. 

Better yet, with the Enterprise solution, you’ll also get instant email alerts, and you can view vulnerability information by ID.

The bad side of vulnerability scanning

Unfortunately, some vulnerability scanners can be used against you, enabling attackers to find weaknesses they can exploit. Those weaknesses might include problems with your network, operating systems, or software on your site. 

Vulnerability scanning is especially risky for enterprise-level businesses, since they hold a wealth of information. As a result, there’s a much bigger reward available for an attacker. That’s why it’s crucial to proactively scan your website and address vulnerabilities before they can be exploited.

2. Outdated and unpatched software

Failing to update software can leave it more susceptible to web security threats. This is because, once a particular version of the software has been available for a while, a lot of its vulnerabilities become well known among hackers. 

Those software vulnerabilities can be used for things like installing a backdoor to gain entry to your site. Additionally, most new releases and updates come with security patches and bug fixes to further increase web security. 

If your site is built with WordPress, you can address this problem by going to Dashboard → Updates.

WordPress updates available

It’s also a good idea to use a scanner for security risks like WPScan, since this enables you to keep an eye on vulnerabilities in all the software on your site. This includes WordPress core, along with WordPress plugins, themes, and other tools.

In fact, you can go to WPScan → Report to view the current vulnerability status for each of your plugins.

3. Zero-day exploits

Another common website security vulnerability is the zero-day exploit. This type of threat occurs when a hacker manages to exploit a vulnerability in software before the developer finds a fix for it. 

While this is more common with software from third-party developers, it’s not unheard of for WordPress core to suffer from this type of threat. For example, WPScan picked up on a blind SSRF vulnerability in WordPress 6.2.

WPScan vulnerability identified

The exploit itself can take many forms. It might manifest as an SQL injection, missing data encryption, URL redirects, bugs, or problems with password security. 

Since these vulnerabilities have not yet been caught by the developer, they can be difficult for you to identify. But that also makes them harder for attackers to find.

Zero-day exploits are notoriously difficult to avoid, since the solution is in the developer’s hands. 

Developers (and any application owner) can implement black box testing. This procedure is often used in software development and quality assurance processes. 

It’s a great way to pick up on any bugs, usability issues, and website security threats. Plus, it enables you to examine workflows and check the accuracy of data. As a result, you can test your system’s core functionality and security to ensure that your infrastructure can withstand a breach attempt.

4. Vulnerable third-party applications and integrations

Your website may also be more susceptible to security threats if you use vulnerable third-party applications and integrations. ‘Third-party’ generally refers to the fact that the program isn’t created by the same company that produced the core software.

Instead, the program or application might have been created out of house, or compiled using off-the-shelf or open-source code. The problem with third-party applications is that there’s no way to assure that the code has been properly secured.

As a result, your website can become more vulnerable to threats like clickjacking, injection attacks, and cross-site scripting (XSS). The malicious code may also expose you to data theft, unauthorized access to systems, and downtime. Fortunately, with a quality vulnerability scanner like WPScan, you’ll be notified of any software issues as soon as the first scan is performed.

5. SQL injections

SQL injections are some of the most successful online ploys of recent times. The aim of SQL injection is to extract or manipulate information in the database. To do this, attackers supply crafted input through cookies, web forms, or HTTP POST bodies.

Typically, attackers target input fields in online forms. This is where visitors are asked to supply their names and email addresses (among other personal details).

user registration form

The attacker injects SQL fragments into these fields, so the server runs a query it never intended to and returns (or alters) database information it shouldn’t.

Fortunately, SQL injections are preventable. The best way to avoid an attack of this kind is to use the prepared/parameterized SQL queries available through your development framework (e.g. $wpdb->prepare() in WordPress PHP code).
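The difference between splicing input into SQL text and binding it as a parameter, as an added example that is not code from the original post (WordPress’s $wpdb->prepare() does the same binding in PHP; this shows the idea in Python against an in-memory SQLite table). The table, rows and inputs are constructed. The third function covers the case prepared statements cannot handle, a user-chosen column name, where an allow list is the right tool.

```python
# Added example (not from the original post): the same lookup written the
# vulnerable way (string formatting) and the safe way (bound parameter),
# plus an allow-list check for identifiers, which cannot be bound.
# Table contents and the inputs below are constructed sample data.
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (email, role) VALUES (?, ?)", [
        ("alice@example.test", "administrator"),
        ("bob@example.test", "author"),
        ("carol@example.test", "subscriber"),
    ])
    return conn


def find_user_vulnerable(conn, email):
    # BAD: a quote inside `email` changes the meaning of the query text
    sql = f"SELECT email, role FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, email):
    # GOOD: the driver sends the value separately from the SQL text, so the
    # input is only ever compared as a string and never parsed as SQL
    sql = "SELECT email, role FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def find_users_ordered(conn, column):
    # Identifiers (table or column names) cannot be bound as parameters, so
    # validate them against an allow list instead of interpolating freely
    allowed = {"email", "role", "id"}
    if column not in allowed:
        raise ValueError(f"unexpected sort column: {column!r}")
    return conn.execute(f"SELECT email FROM users ORDER BY {column}").fetchall()


# Constructed inputs: a normal lookup and the classic tautology injection
NORMAL = "bob@example.test"
INJECTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print(find_user_vulnerable(db, INJECTED))   # every row comes back
    print(find_user_safe(db, INJECTED))         # nothing matches that literal string
```

The vulnerable version returns all three users for the injected input because the comparison has become `email = 'x' OR '1'='1'`; the parameterized version returns an empty list because it is looking for a user whose email is literally that string.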

6. Cross-site scripting (XSS)

Cross-site scripting (XSS) is one of the most common vulnerabilities found on WPScan. Therefore, it’s very important to make sure your website is protected against this type of attack.

XSS works by tricking the browser into running malicious script as if it were part of your site. Once the script arrives in the page, the browser executes it automatically. These scripts can read your users’ data, inject malware, or redirect users to spoofed websites. 

As a result, XSS can often lead to additional threats like session hijacking, form action hijacking, and server-side request forgery attacks. You can reduce the risk of XSS with a method known as escaping: encoding special characters so that the browser treats them as text rather than as markup or code.

Anything with dynamic output to the page should be escaped correctly for the context it’s in (HTML body, HTML attribute, JavaScript, or URL), since each context has different characters that need neutralizing.
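Context-aware escaping, as an added example that is not code from the original post: a comment is rendered into four different places in one HTML fragment (an attribute, a URL parameter, the element body and an inline script argument), each with the escaping that place needs, next to the unescaped version that lets the comment become a script. The template, the hostile author name and comment are constructed; the escaping functions are Python’s standard library.

```python
# Added example (not from the original post): one value rendered into several
# output contexts, each with the escaping that context needs, beside the
# vulnerable version. Template and hostile inputs are constructed samples.
import html
import json
from urllib.parse import quote


def escape_html(value):
    # HTML body and quoted-attribute context: <, >, &, " and ' become entities
    return html.escape(str(value), quote=True)


def escape_js(value):
    # Inline <script> data: JSON-encode, then also encode <, > and & so the
    # HTML parser can never see a "</script>" (or any tag) inside the literal
    return (json.dumps(str(value))
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def escape_url_param(value):
    # Query-string component: percent-encode everything outside unreserved chars
    return quote(str(value), safe="")


def render_comment(author, comment, profile_user):
    """Safe rendering: every dynamic value is escaped for exactly where it lands."""
    return (
        f'<div class="comment" data-author="{escape_html(author)}">\n'
        f'  <a href="/profile?user={escape_url_param(profile_user)}">{escape_html(author)}</a>\n'
        f'  <p>{escape_html(comment)}</p>\n'
        f'  <script>showPreview({escape_js(comment)});</script>\n'
        f'</div>'
    )


def render_comment_unescaped(author, comment, profile_user):
    """The vulnerable form: values are dropped into the markup verbatim."""
    return (
        f'<div class="comment" data-author="{author}">\n'
        f'  <a href="/profile?user={profile_user}">{author}</a>\n'
        f'  <p>{comment}</p>\n'
        f'  <script>showPreview("{comment}");</script>\n'
        f'</div>'
    )


# Constructed hostile input: a comment carrying a script tag, and an author
# name that tries to break out of the attribute and add an event handler
HOSTILE_COMMENT = '<script>alert(1)</script>'
HOSTILE_AUTHOR = 'mallory" onmouseover="alert(1)'

if __name__ == "__main__":
    print(render_comment_unescaped(HOSTILE_AUTHOR, HOSTILE_COMMENT, "mallory&x=1"))
    print(render_comment(HOSTILE_AUTHOR, HOSTILE_COMMENT, "mallory&x=1"))
```

In the safe output the only `<script>` tag is the template’s own, the author’s stray quote becomes `&quot;` so it never closes the attribute, and the `&` in the profile name is percent-encoded so it cannot start a second query parameter. Note that HTML escaping alone would not have been enough for the inline-script argument; that context needs JavaScript-string encoding.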

7. Cross-site request forgery (CSRF)

Cross-site request forgery (CSRF) is another top website vulnerability to watch out for. This occurs when attackers manage to perform an action within your application on behalf of a legitimate visitor.

It’s important to note that the attacker doesn’t directly steal the visitor’s identity. Instead, the attacker exploits the visitor to perform an operation without their consent and knowledge. For instance, a CSRF attack can result in someone changing their username or password or transferring money. 

Additionally, the attacker might lead the visitor to perform an action like visiting a web page or clicking on a link. That action sends an HTTP request to your website on the visitor’s behalf, and it is processed as a legitimate request as long as the visitor has an active authorized session on the website.

One way you can protect your site against CSRF attacks is to use nonces in your code. This way, you can verify that requests are legitimate and that they’re coming from the same visitor who initiated the session. You can add nonces to your URLs, forms, and AJAX requests.
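A nonce of the kind described above, as an added example that is not code from the original post or from WordPress: an HMAC over a time tick, the action name and the session identifier, in the same spirit as WordPress nonces (which are keyed hashes of a tick, an action and the user). A state-changing handler then refuses any request whose nonce doesn’t verify. The secret key, tick length, session id and request dictionaries are constructed assumptions.

```python
# Added example (not from the original post): an HMAC-based, time-windowed
# nonce tied to the session and the action, and a handler that requires it.
# SECRET_KEY, TICK_SECONDS, the session id and the requests are constructed.
import hashlib
import hmac

SECRET_KEY = b"constructed-server-secret-rotate-me"  # assumption: loaded from config
TICK_SECONDS = 12 * 3600  # a nonce is valid for the current and previous tick


def _tick(now):
    return int(now // TICK_SECONDS)


def _nonce_for(tick, action, session_id):
    msg = f"{tick}|{action}|{session_id}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:20]


def create_nonce(action, session_id, now):
    """Mint a nonce for one action by one session; embed it in the form or URL."""
    return _nonce_for(_tick(now), action, session_id)


def verify_nonce(nonce, action, session_id, now):
    """True if the nonce was minted for this action and session in the current
    or previous tick. compare_digest keeps the comparison constant-time."""
    if not isinstance(nonce, str) or not nonce.isascii():
        return False
    for tick in (_tick(now), _tick(now) - 1):
        if hmac.compare_digest(nonce, _nonce_for(tick, action, session_id)):
            return True
    return False


def handle_delete_post(request, session_id, now):
    """A state-changing handler. `request` is a constructed dict of form fields.
    The action string includes the post id, so a nonce for one post cannot be
    replayed against another."""
    post_id = request.get("post_id", "")
    if not verify_nonce(request.get("_nonce", ""), f"delete-post_{post_id}", session_id, now):
        return 403, "nonce check failed"
    return 200, f"post {post_id} deleted"


if __name__ == "__main__":
    sid = "sess-abc123"            # constructed session identifier
    t = 1_700_000_000              # constructed "current time"
    good = {"post_id": "42", "_nonce": create_nonce("delete-post_42", sid, t)}
    forged = {"post_id": "42"}     # a cross-site form cannot read the nonce, so it is absent
    print(handle_delete_post(good, sid, t))
    print(handle_delete_post(forged, sid, t))
```

The property that defeats CSRF is that the nonce depends on the victim’s session: the attacker’s page can cause the victim’s browser to send a request carrying the victim’s cookies, but it cannot read a value that was rendered into a page the attacker’s origin is not allowed to see.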

8. Directory traversal attacks

A directory traversal attack targets the web root folder in order to access files or directories outside it. The attacker attempts to move up the hierarchy of files and directories by injecting path sequences such as ../ into input that the server uses to build a filesystem path.

If successful, directory traversal attacks can compromise your site’s access credentials, configuration files, databases, and even other websites or files on the same server.

Thankfully, there are ways to prevent directory traversal attacks. Ensure that nothing in your codebase that deals with filesystem paths uses user-supplied data directly, and validate that any dynamically constructed filesystem path points where you expect before it is used.
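The validation step described above, as an added example that is not code from the original post: a helper resolves a user-supplied relative name under an intended base directory and refuses anything that ends up outside it. The directory tree is created in a temporary folder so the example runs anywhere, and the hostile names are constructed.

```python
# Added example (not from the original post): resolve a user-supplied name
# under a base directory and refuse anything that escapes it. The demo tree
# and the benign/hostile names are constructed.
import os
import tempfile


class PathOutsideBase(PermissionError):
    pass


def resolve_under(base_dir, user_path):
    """Return the absolute path of `user_path` inside `base_dir`, or raise.
    realpath() collapses '..' and follows symlinks, so the check is made on
    where the path really points, not on how it was written."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # commonpath is path-aware; a plain startswith() would wrongly accept
    # "/srv/uploads-secret" as lying under "/srv/uploads"
    try:
        inside = os.path.commonpath([base, target]) == base
    except ValueError:          # different drives on Windows: certainly outside
        inside = False
    if not inside:
        raise PathOutsideBase(f"{user_path!r} resolves outside {base}")
    return target


def read_upload(base_dir, user_path):
    with open(resolve_under(base_dir, user_path), "rb") as fh:
        return fh.read()


def make_demo_tree():
    """Constructed layout: uploads/report.txt and uploads/2024/q1.txt are
    servable; secret.txt one level above uploads/ must never be reachable."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "2024"))
    with open(os.path.join(uploads, "report.txt"), "w") as fh:
        fh.write("public report")
    with open(os.path.join(uploads, "2024", "q1.txt"), "w") as fh:
        fh.write("q1")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("do not serve")
    return uploads


def check_names(base_dir, names):
    """Run each name through resolve_under and report allowed/denied."""
    results = {}
    for name in names:
        try:
            resolve_under(base_dir, name)
            results[name] = "allowed"
        except PathOutsideBase:
            results[name] = "denied"
    return results


BENIGN_NAMES = ["report.txt", "2024/q1.txt", "./2024/../report.txt"]
HOSTILE_NAMES = ["../secret.txt", "2024/../../secret.txt", "/etc/hostname"]

if __name__ == "__main__":
    uploads = make_demo_tree()
    print(check_names(uploads, BENIGN_NAMES + HOSTILE_NAMES))
```

Two details matter here: the check runs on the resolved path rather than on the raw string (so it is not fooled by `./2024/../` or by an absolute path that os.path.join would otherwise accept wholesale), and the comparison uses commonpath rather than a string prefix test.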

9. API vulnerabilities

The use of APIs has grown in recent years, since they’ve become an important part of many single-page, JAMstack, and modular apps. But because they have a higher level of access to data and resources, they can also be appealing to attackers.

Common API vulnerabilities include poor coding, unsecured APIs, excessive data exposure, and broken user authentication. As a result, hackers can easily access your website by manipulating or breaching these web security protocols. 

While some vulnerabilities can be resolved with robust tools, others require a complete overhaul of the API. To secure your APIs, serve them over HTTPS (TLS) so that data is encrypted in transit, track your API consumption using activity logs, and restrict access to your resources.

10. XML external entity (XXE) attacks

XML external entity (XXE) attacks interfere with the processing of XML data. The XML format can be used to transmit data between the browser and server, and is usually processed by a standard library or platform API.

Typically, this attack is possible because the XML specification includes dangerous features, such as external entities and document type definitions, that standard parsers support by default. Often, this enables the attacker to view files on the server filesystem and interact with back-end systems.

But XXE attacks can even escalate further. For instance, the entire server or the back-end infrastructure can be compromised to perform server-side request forgery (SSRF).
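The parser-level hardening that removes this class of bug, as an added example that is not code from the original post: Python’s expat parser is configured to refuse any DOCTYPE, entity declaration or external entity reference before it can act, and a small tree builder turns the remaining document into plain tuples. Refusing the DOCTYPE entirely also covers internal-entity expansion attacks, not just file reads. The two XML documents are constructed samples; the file path in the hostile one is a placeholder.

```python
# Added example (not from the original post): parse untrusted XML with expat
# configured to reject DOCTYPE/entity machinery outright. The BENIGN and
# HOSTILE documents are constructed; the file path in HOSTILE is a placeholder.
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when the document uses a feature we refuse to process."""


def parse_untrusted_xml(data):
    """Parse `data` (str or bytes) into nested (tag, attrs, text, children)
    tuples. Any DTD or entity declaration aborts the parse before it can act."""
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def refuse(*_args):
        raise UnsafeXML("DOCTYPE and entity declarations are not accepted")

    # A DOCTYPE is the only place entities can be declared, so refusing it
    # covers internal (expansion bomb) and external (XXE) entities alike.
    p.StartDoctypeDeclHandler = refuse
    p.EntityDeclHandler = refuse
    # Belt and braces: returning 0 tells expat to abort on an external reference
    p.ExternalEntityRefHandler = lambda *_args: 0

    # stack of mutable nodes: (tag, attrs, text_parts, children)
    stack = [("document", {}, [], [])]

    def start(tag, attrs):
        node = (tag, attrs, [], [])
        stack[-1][3].append(node)
        stack.append(node)

    def end(_tag):
        stack.pop()

    def text(chunk):
        stack[-1][2].append(chunk)

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = text
    try:
        p.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed XML: {exc}") from exc
    return _simplify(stack[0][3][0])


def _simplify(node):
    tag, attrs, text_parts, children = node
    return (tag, attrs, "".join(text_parts).strip(), [_simplify(c) for c in children])


# Constructed inputs: an ordinary document and one declaring an external entity
BENIGN = b"<order id='7'><item sku='A1'>2</item><note>gift</note></order>"
HOSTILE = (b"<?xml version='1.0'?>"
           b"<!DOCTYPE d [<!ENTITY xxe SYSTEM 'file:///PLACEHOLDER/path'>]>"
           b"<order><note>&xxe;</note></order>")

if __name__ == "__main__":
    print(parse_untrusted_xml(BENIGN))
    try:
        parse_untrusted_xml(HOSTILE)
    except UnsafeXML as exc:
        print("rejected:", exc)
```

If the application genuinely needs a DTD, the same handlers can be narrowed (reject only SYSTEM/PUBLIC entities and cap expansion), but for data interchange between browser and server a flat “no DOCTYPE” rule is the simplest policy to audit.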

11. Broken access control

Most organizations have some kind of access control in place to restrict access to sensitive data and systems. But vulnerabilities can exist that allow unauthorized access to your website.

Here are some common vulnerabilities that make you more susceptible to broken access control:

  • Lack of proper authentication
  • Insufficient authorization
  • Weak passwords
  • Lack of auditing

Once the access control is breached, attackers can view and edit sensitive data like personal information and payment details. These types of attacks can be carried out via cross-site scripting, injection flaws, broken authentication, and weak session management. 

The main purpose of these attacks is to execute data breaches. Since the average cost of a security breach is around four million dollars, it’s very important to take steps to reduce the likelihood of this event. 

Broken access control can also lead to compliance violations that incur heavy penalties and fines. Meanwhile, the threat can result in operational disruptions that lead to downtime and financial loss.
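Three of the four items in the list above (authentication, authorization, auditing) and the principle of least privilege from the compromised-credentials section are all enforced in the same place in an application. Here is an added example of that check, not code from the original post or from WordPress: roles map to capabilities, “own” capabilities additionally require that the acting user owns the resource, unauthenticated users are refused before any role is consulted, and every decision is written to an audit log. The role and capability names mirror the post’s author-versus-administrator illustration but are constructed, not WordPress’s real capability tables.

```python
# Added example (not from the original post): role capabilities plus an
# ownership rule, with every decision audited. Roles, capabilities and users
# are constructed and only loosely modelled on WordPress roles.
from dataclasses import dataclass, field

ROLE_CAPS = {
    "administrator": {"create_post", "edit_any_post", "delete_any_post",
                      "install_plugin", "manage_settings"},
    "author": {"create_post", "edit_own_post", "delete_own_post"},
    "subscriber": set(),
}


@dataclass
class User:
    name: str
    role: str
    authenticated: bool = True


@dataclass
class Post:
    id: int
    owner: str


@dataclass
class AccessControl:
    audit: list = field(default_factory=list)

    def can(self, user, action, post=None):
        """Decide whether `user` may perform `action` (optionally on `post`)
        and record the decision. Order of checks: authentication first, then
        the role's capabilities, then ownership for *_own_post capabilities."""
        decision = self._decide(user, action, post)
        self.audit.append((user.name, action, getattr(post, "id", None), decision))
        return decision

    def _decide(self, user, action, post):
        if not user.authenticated:
            return False
        caps = ROLE_CAPS.get(user.role, set())
        if action in caps:
            return True
        # a generic action such as "edit_post" is satisfied by either the
        # role-wide "edit_any_post" or, for the owner only, "edit_own_post"
        verb = action.partition("_")[0]
        if f"{verb}_any_post" in caps:
            return True
        if f"{verb}_own_post" in caps and post is not None and post.owner == user.name:
            return True
        return False


def denied_events(ac):
    """The audit entries worth reviewing: every refused request."""
    return [e for e in ac.audit if not e[3]]


if __name__ == "__main__":
    ac = AccessControl()
    alice, bob, eve = User("alice", "administrator"), User("bob", "author"), User("eve", "subscriber")
    p1, p2 = Post(1, "bob"), Post(2, "alice")
    for u, act, p in [(bob, "edit_post", p1), (bob, "edit_post", p2),
                      (bob, "install_plugin", None), (alice, "edit_post", p1),
                      (eve, "create_post", None),
                      (User("guest", "author", authenticated=False), "create_post", None)]:
        print(u.name, act, getattr(p, "id", None), ac.can(u, act, p))
    print(denied_events(ac))
```

The author in this model can edit post 1 (their own) but not post 2, and cannot install plugins at all, which is exactly the least-privilege outcome the compromised-credentials section asks for; the audit list is what closes the “lack of auditing” gap, since a burst of denied events for one account is an early sign that its credentials are being misused.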

Secure your website against common vulnerabilities and threats

Website security threats on enterprise-level websites can result in long bouts of downtime, where your website is unavailable to visitors. Plus, attackers can commit data theft and crash the entire network. That’s why it’s vital to be aware of and minimize common website vulnerabilities and security risks. 

For example, if you’re using outdated or third-party software, you can be more susceptible to security threats. Without encryption protocols, you might be subject to machine-in-the-middle attacks. What’s more, XXE and DDoS attacks can completely damage your server.

One of the easiest ways to increase security on your site is to use a vulnerability scanner like WPScan. This WordPress plugin continually scans your core software, plugins, and themes, looking for vulnerabilities.

Plus, you can view vulnerability details by ID, and you’ll get instant email alerts whenever a new threat is detected.
