Ramshankar
on systems, software & life

Hackers at the door, but nobody’s home

“Knock! Knock!” — and that’s the whole joke. Sorry hackers, there’s nobody home to reply.

Sites are often the target of hackers who want to hijack it. Sometimes their intentions are apparent, like when they deface the site.⁠[1] Other times, they break in without leaving a trace and use the site for nefarious activities. Whichever be the case, administrators of websites need to stay vigilant.

A computer hacker knocking on a door
Hackers at your door, all day, every day.

I don’t mean to be an alarmist, but your site doesn’t need to be big and famous, like Amazon or Facebook, to be a target. Hackers are incredibly quick at getting their grubby hands on any site they can. Usually, long before search engines discover newly launched sites, malicious bots (programmed by hackers) discover them and work ceaselessly to gain illegal access.

So how do website administrators thwart the bots of hackers? The simplest and most effective way is to have as little software as possible that can be hacked in the first place. This is where static sites have a significant advantage. This is a static site.⁠[2] It runs only the bare minimum software necessary for serving plain HTML pages. On the contrary, a dynamic site has to run additional software for allowing users to interact with the pages. Such additional software has always been the target of malicious bots. Of course, these bots don’t really know what a site is running or whether it’s static or dynamic. They simply know a list of vulnerabilities in various software (typically used by dynamic sites) and try their luck at exploiting them for every site they can access.

Thus, one of the most appealing aspects of having a static site is not having to worry about low-effort hacks. Nonetheless, out of curiosity, I took note of the most frequent attempts by these bots to gain illegal access to my site. The following is a small sample of their valiant attempts.

Attempts to access an admin panel
/solr/admin/info/system?wt=json
/admin//config.php
/phpMyAdmin-2.6.2-rc1/
/phpMyAdmin-2.6.3/
/phpmyadmin/
/wp-login.php
/axis2/axis2-admin/login
Malicious URL accesses
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr
/?XDEBUG_SESSION_START=phpstorm
/?a=fetch&content=<php>die(@md5(HelloThinkCMF))</php>
/index.php?s=/Index/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=HelloThinkPHP21
/system_api.php
/c/version.js
/owa/auth/logon.aspx?url=https://1/ecp/
//level/15/exec/-/sh/run/CR
Other questionable accesses
/streaming/clients_live.php
/api/jsonws/invoke
/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php

I don’t have to bother protecting an admin panel. I don’t have to worry about what vulnerabilities have been discovered today in PHP or WordPress.⁠[3] I don’t lose sleep over newly found SQL injection attacks.⁠[4] I can rest assured knowing my cookies aren’t being misused, because there are no cookies.⁠[5] All this because my site is static.

It’s not all roses and sunshine though. Static sites have their limitations and not every site can be made static. But unless you need features that requires a dynamic site, I recommend trying the static approach first. It completely nullifies a whole class of attacks.

Counterbalance

Despite WordPress being the target of hackers for the last decade, the chances of your WordPress site being hacked today is miniscule. WordPress powers millions of sites and has substantially grown resiliant to hacking. More often than not, the vulnerabilities are not really in WordPress itself but in some software used by it. Unfortunately, the sensationalists in tech journalism have made quite a dent to WordPress’ reputation. As long as you keep your plugins to a minimum and install updates regularly, you should be fine.

Regardless, just the peace of mind that comes from of having a static site and its ease of maintenance is seriously worth considering.

While there’s considerable credence to the claim that static sites are inherently more secure, they’re not immune to everything (like web server vulnerabilities, erroneous HTTP configuration etc.) Website security is a vast and intricate sub-field of information technology. As always, reader discretion is advised.

1. Wikipedia - Article on website defacement.
2. My article on static vs. dynamic sites.
3. CVE Details - List of PHP and WordPress vulnerabilities.
4. CVE Details - List of SQL injection vulnerabilities.
5. CVE Details - List of cookie related exploits.