What is a website defacement attack and how to prevent it?

Every website administrator has a nightmare they'll tell you about. It's one where they log on to their company website one day and it doesn't look the way it normally does. Instead, there's a message about how this website has been hacked, and there's usually a message indicating who did the hacking. The company has fallen prey to a website defacement attack. If your website administrator hasn't told you about this nightmare yet, they will. Before you have that conversation the hard way, let's talk about what website defacement is and how you can shut it down.

What is website defacement?

Website defacement is a type of website vandalism. In short, an attacker finds a way to modify the files or contents of your website without your permission. Usually, they'll change the contents of your website to something intended to embarrass you. Sometimes, activists deface websites of companies or organizations with whom they disagree, to raise awareness of what they see as that company's misdeeds.

Website defacement attacks differ from other cybersecurity threats because the attacker rarely stands to gain from the action. Instead of trying to do things like steal user credentials or skim money from unsuspecting users, they're trying to make as much noise as they can. Most malicious users try to hide their activities, but not those who choose defacement as a weapon. They're doing it to show off.

Why do attackers deface websites?

As we mentioned, defacing a website is unlike other forms of computer crime. The goal of the attacker is to make as much noise as they can. Sometimes, they'll do this purely for the "fun" of it or to increase their online credibility. Occasionally, website admins, spurned by companies who haven't paid them, will deface the site they administrate.

Other times, attackers are there to speak out about causes they believe in. In 2020, former president Trump's personal website was defaced by hackers who disagreed with his politics.

The common thread between these types of attacks is that the attackers want people to know they did it. Their goal is to raise as much awareness as they can in as short a period as they can.

Website defacement attacks Fig 1. Website Defacement

What are the consequences of website defacement?

If you find yourself waking up to the nightmare of a defaced website one day, what are the realistic consequences for your business? The biggest issue you'll face is a loss of customer trust. Customers trust that you're dedicated and thorough when you do work for them.

They trust that you test your products to ensure they work correctly the first time and that they're safe to use. That's why they trust you with their business. When someone defaces your website, your customers discover that you might not have the thorough commitment to quality they'd first believed in. It doesn't matter whether the vulnerability exploited by these hackers was simple or very complicated. To customers, you dropped the ball, were exposed, and will now pay the price.

The same is true from your perspective. Before hackers deface your website, you likely assume that your current security posture is sufficient. You know it's not perfect, but you feel like it's good enough, and you find out that it's not in the most outrageous way possible. Aside from the work you'll need to do to clean up the vandalism, you also need to ensure this doesn't happen again. That means a thorough audit of your current digital security posture. That's going to take some time, and it's probably going to cost a lot of money.

How does website defacement happen?

Sure, it's easy to say that website defacement is the result of an unauthorized person changing something on your website. But how does that happen? What are the mechanisms that they use to make those changes? Unfortunately, that's a broader topic than we have space to cover here, so we'll do so in brief. There are so many different configurations of web server and content management systems that an exhaustive list just isn't possible. But the basic gist is this: your attacker will seek to gain permission to change things on your website, usually by exploiting one or more security vulnerabilities. The most common are vulnerabilities like broken authentication, SQL injection, or misconfigured server security.

How does website defacement happen? Fig 2. How does website defacement happen?

Once they've exploited one or more of those security flaws, the attackers gain access to your system. Usually, they're trying to gain administrative access to your website. This doesn't always come with the first account that they access, so they may need to exploit yet more vulnerabilities in order to gain administrative access. Once the attacker gains administrative access, they're free to do whatever they wish. That's when they start to deface your website.

How can I prevent website defacements?

Preventing website defacement attacks helps you avoid the reputational damage and cleanup work that comes with a breach. But how can you do that?

If you remember above, website defacement attacks often require exploiting multiple vulnerabilities in your systems. For this reason, it’s wise to adopt a defense-in-depth approach to securing your systems.

Avoid common web vulnerabilities

Perhaps the single most impactful step you can take to avoid website defacement attacks is to audit your application for the most commonly-exploited security vulnerabilities. Knowing that you have these vulnerabilities won’t prevent you from falling victim to a defacement attack, but fixing them will. By eliminating these vulnerabilities from your application, you eliminate avenues attackers take to deface your website.

Secure your database

One of the most common attack vectors for any malicious user is via your application’s database. To this end, securing your database is a critical security step. As a bonus, this won’t just help protect against website defacement attacks, but many other types of attack, some of which are much more harmful.

Secure your source code

Another common vector for defacing a website is by modifying the source code of that website. While people you’ve never met aren’t likely to use this avenue to deface your website, there is a class of attacker who is: former employees. It’s no secret that every business relationship doesn’t end as well as we’d like. Sometimes, people leave your employment with negative feelings about their time working for you. If a disgruntled former employee still has access to modify your source code, one way they might take advantage of that is to deface your website.

No matter how people leave, you don’t want people who don’t work for you any more to be able to modify your website. You should regularly audit who has access to modify your company’s source code, and remove people who don’t need access. You should also ensure former employees are removed on their last day of employment. Don’t wait for the audit.

How do I detect website defacement?

In the event that an attacker does deface your website, you want to fix things as quickly as possible. While the best cure is preventing the attack in the first place, there is no such thing as perfect security. So, when you adopt a defense-in-depth approach, that also means monitoring your systems to detect when an attacker succeeds and compromises your system. Luckily, website monitoring tools are up to the task. Tools can monitor your website both for major changes like a full-blown defacement or for minor changes like an attacker linking to previously unused domains. They’re always monitoring your site, and if something wrong is ever detected, you'll know before any of your customers do with an alerting system.

Wrapping up

Obviously, no one ever wants to fall prey to website defacement. Much like you never want someone to break into your home and you never want someone to steal your credit card, you want to know your website is safe from attackers. But part of securing your website is watching to make sure that none of your security measures failed. While you don't ever want to fall victim to website defacement, detecting defacement right after it happens is critical to minimizing the impact.

Author Bio

This post was written by Eric Boersma. Eric is a software developer and development manager who's done everything from IT security in pharmaceuticals to writing intelligence software for the US government to building international development teams for non-profits. He loves to talk about the things he's learned along the way, and he enjoys listening to and learning from others as well.