Not so long ago, if you wanted an online presence, you’d either have to learn a programming language and build a website yourself or hire a professional to do it for you. Each site being a unique piece of software, it also had unique issues that you couldn’t just resolve with a generic solution. Once the site was built, you’d have to spend just as much, if not more, time and resources analyzing its security and hunting down vulnerabilities, lest it end up being swiftly defaced. The modern era brings major name-brand content management systems which are programmed by professionals and thoroughly checked for vulnerabilities before being released to the public. The idea is that you get a ready-made website which you can just install and then modify to your liking, without having to worry about security, coding, etc. You’d think that this solution is perfect and resolves all issues regarding website ownership. You’d be wrong.
A custom-coded website always carries security issues with it, and the more complex the site is, the more issues can arise, but those issues are specific to your case. Moreover, you can hire someone to repair them quickly. If you get any of the major-brand pre-made websites (or Content Management Systems, as they are called), a vulnerability will affect thousands, if not millions, of websites across the world. Why is this a significant difference? Because a malicious hacker is a lot more likely to “sniff out” and abuse an issue affecting millions of sites. A single site, on the other hand, is not as attractive or as easy to find unless you’re specifically targeted. If that’s the case, in all honesty, there’s not much you can do but hope that they are not holding a huge grudge against you or that they haven’t been well paid to take you down. Not much else you can do about it.
The nature of vulnerabilities is very volatile, and the fact that new ones appear so often is not a hacker’s fault; in fact, it is the developer’s fault.
Hackers merely expose a point where the developers cut corners, got lazy or were simply not competent enough for the job at hand. With that said, new software is released on a daily basis and, sadly, new vulnerabilities are found just as often, to the point where it can be hard to keep up. However, some of the most significant and most devastating vulnerabilities are quite old and well known. Cross-Site Scripting (XSS) and SQL injection are just two of the most dangerous, and they can enable a hacker to cause catastrophic damage to a site with no special tools, just a bit of know-how. These vulnerabilities have been known for years, and it is still shocking how widespread they are. Another vulnerability can enable the hacker to attack the server itself where the site is hosted and have it grind to a halt. Even worse, most servers nowadays are shared between multiple clients, so they host a lot of websites on a single machine. If one of them gets attacked by something like Slowloris, all sites go down and stay down until a system administrator restarts the server. Once the server boots up, the sites are online again. That is, unless the attacker decides to just strike again. For a hacker, it is a single click of a button. For a system administrator, it is a lot more work to reboot a server properly.
Both cases have known solutions. For XSS and SQL injection vulnerabilities, a programmer just needs to filter out unsafe characters from input boxes on the site. Clean up what the visitor types before it all goes to the database, so to say. There is even a list of known unsafe characters, so not utilizing this feature is pretty much a case of laziness. For server attacks such as Slowloris, there is even a ready-made patch for most server management systems out there. An administrator doesn’t even need to know how to program to fix this issue. Having a server with this issue is inexcusable nowadays. This is the case for most vulnerabilities: most of them have some solution, some being easier and others harder to implement.
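To make the point about handling visitor input concrete, here is an added example (not from the original article). Rather than stripping characters, it uses parameterized queries and output escaping, which keep input from being treated as SQL or HTML without mangling legitimate values. The table, function names and sample data are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "ob@example.com")],
    )
    return db


def find_user_concat(db, name):
    # "Before": visitor input is pasted into the SQL text, so a quote in the
    # input changes the structure of the query instead of being plain data.
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(query)]


def find_user_param(db, name):
    # "After": the ? placeholder passes the input to the database as a value
    # only; it can never become part of the SQL statement.
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in db.execute(query, (name,))]


def render_comment(text):
    # Escape when writing into the page, so markup characters in stored text
    # are displayed literally rather than interpreted by the browser.
    return "<p>" + html.escape(text) + "</p>"


if __name__ == "__main__":
    db = make_db()
    odd_input = "x' OR '1'='1"  # constructed input containing quote characters
    print("concatenated:", find_user_concat(db, odd_input))   # every row
    print("parameterized:", find_user_param(db, odd_input))   # no rows
    print("legit name:", find_user_param(db, "O'Brien"))      # still works
    print(render_comment("<script>alert(1)</script>"))
```

The name `O'Brien` shows why this holds up better than a character blocklist: the parameterized lookup finds it unchanged, while the concatenated query fails with a syntax error on the same input.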
Sadly, there is that one thing called a botnet which you can do nothing about. Even if your site has bulletproof security, if a hacker decides to whip out the heavy artillery as a last resort, your site goes down and stays down until they say so. The good news, though, is that not all hackers have access to such a powerful weapon, and even if they do, they are reluctant to use it, so botnet attacks do not happen very often, and when they do, the targets are high-profile sites from large enterprises or even governments.