A common way to hack a site is to obtain the passwords to its administrative panel.
Passwords are usually obtained in one of the following ways:
- intercepting a password that is transmitted over the unprotected HTTP protocol;
- guessing the password by brute force;
- decrypting the password after gaining access to the site database.
The first method relies on the fact that data sent over the HTTP protocol is not encrypted. Anyone who has access to this data can read it: the owner of the WiFi access point you are connected to, or any network or server your data passes through on its way to the hosting where your site is located.
The best way to protect against this type of attack is to use the secure HTTPS protocol instead of HTTP. The entire site, or at least the administrative panel of your website, must be accessible only over HTTPS. To do this you will need an SSL certificate. Trusted certificates cost money and have a finite duration.
You can save money by issuing your own certificate, but such a certificate is suitable only for the administrative panel: if it is installed on the entire site, the browser will show visitors a warning about an unknown certificate, which will significantly reduce the number of users. Fortunately, it is now possible to get a signed certificate free of charge.
Recently it became possible to get a certificate from the Let’s Encrypt project. The project was created specifically to make installing certificates easier and cheaper, which will allow many websites to move to an encrypted connection. However, if your site does not run on your own server and you use a third-party hosting service, you need to ask your host whether it supports this project.
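One way to enforce the rule above that the administrative panel is reachable only over HTTPS, shown as an added example that is not part of the original article. It assumes a Python WSGI application, an admin panel under `/admin`, and the placeholder host name `example.test`; the class name `AdminHttpsOnly` is hypothetical.

```python
from urllib.parse import quote

class AdminHttpsOnly:
    """WSGI middleware: the administrative panel answers over HTTPS only."""

    def __init__(self, app, host, prefix="/admin"):
        self.app = app
        self.host = host        # canonical host name (assumed: example.test)
        self.prefix = prefix    # assumed location of the admin panel

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "")
        is_admin = path == self.prefix or path.startswith(self.prefix + "/")
        # wsgi.url_scheme is set by the WSGI server. Behind a TLS-terminating
        # proxy the server must derive it from a header only that proxy can set.
        if not is_admin or environ.get("wsgi.url_scheme") == "https":
            return self.app(environ, start_response)

        if environ.get("REQUEST_METHOD") in ("GET", "HEAD"):
            # Redirect to the configured host, not the client-supplied Host
            # header, so the redirect target cannot be steered by the request.
            target = "https://" + self.host + quote(path)
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            start_response("301 Moved Permanently",
                           [("Location", target), ("Content-Length", "0")])
            return [b""]

        # A form posted over HTTP has already crossed the network in clear
        # text; refuse it so the panel never accepts a login sent that way.
        body = b"The administrative panel requires HTTPS.\n"
        start_response("403 Forbidden",
                       [("Content-Type", "text/plain"),
                        ("Content-Length", str(len(body)))])
        return [body]
```

Wrap the site's WSGI application once, for example `application = AdminHttpsOnly(application, host="example.test")`; pages outside the admin prefix are passed through unchanged.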