We rely on websites to purchase clothes, find out about the weather, read the news, keep up with college courses, teach our kids, and communicate with each other via webmail applications. So when websites are attacked, it’s a big deal for site owners and users alike.

To help you identify threats before they take down your site, here’s our list of the top 6 current website attack threats. Any one of them could target your site, so it pays to be prepared.


Also known by the longer name Distributed Denial of Service, DDoS attacks can take down commercial websites for days at a time – ruining the experience of customers and losing revenues.

These attacks are usually orchestrated from a central hub, which allows attackers to control vast armies of bots (on what’s known as a “botnet”). These bots are stored on thousands of computers, anywhere in the world, and the majority of hosts have no idea that they are facilitating a website attack.

When they are engaged, botnets start spamming the authentication procedures of target sites. Or they simple bombard sites with so many requests that they can’t cope with the torrent. Either way, sites buckle under the pressure, and until the flood of attackers subsides, they are hard to get back online.

DDoS attacks vary in style. Some involve hijacking protocols used by hosting services, while others rely on IP spoofing, creating identities that the target website cannot verify. In more complex attacks, criminals trigger what is known as an “HTTP flood,” which attacks the GET or POST commands in HTTP instructions.

That last type is the most effective, and the hardest to pull off. However, if hackers have the patience to learn what they need to know about their target, they can usually work out a solution. This is a case where shielding your site via a VPN really helps, as the VPN encryption makes it much harder for hackers to carry out their investigations prior to a website attack.

Cross Site Scripting

Also known as XSS, Cross Site Scripting is just as damaging as a well-crafted DDoS website attack. And if anything, they are easier to customize, with potentially devastating consequences.

In XSS attacks, hackers inject code (or scripts) directly into the code used to run the target website. This code can then allow them to create tools which harvest user information, often without the legitimate website owners having a clue about what is going on.

In the past, XSS was particularly associated with browser extensions, such as Macromedia Flash (hence the periodic panics about how safe Flash players are). But JavaScript is now seen as the primary vulnerability.

How does code injection happen? Usually, hackers will target websites which allow a degree of user input – such as comment or feedback forms. They can then enter “browser side” code which triggers the injection, and lets them take control.

This is why it’s so important to design websites which avoid common JavaScript vulnerabilities. Criminals scour the web for weak sites, and when they infiltrate your site, it can ruin the trust you’ve built up with customers.

Web-based malware

This kind of website attack is a little different. In this case, a company’s own site is left untouched, but their reputation almost certainly won’t be.

Web-based malware seeks to fool users into thinking that malicious websites are actually the real deal. So they go to great lengths to clothe their front ends with accurate logos and content – whatever it takes to spoof actual business sites.

However, these sites are very different to your own. They may carry all of your actual product descriptions, but when users click on links or proceed to payment, everything changes. Instead of processing payment, fake websites tend to deliver malware which can lock up computers or steal data.

While this isn’t technically an attack on specific websites, it is still a potent way to take actual websites down via reputational damage. So look out for copycat sites. If too many appear, customers will start to feel that your cybersecurity game isn’t up to the task.

SQL injection

If you’ve ever set up an eCommerce website, you’ll have come into contact with SQL (Structured Query Language). The reason is simple: SQL is the number one programming language to code structured databases for online portals. It’s ideal for holding and manipulating vast amounts of product data and works fine with payment portals as well.

All of that sounds great, but SQL comes with a major catch: SQL injection attacks. In this kind of website attack, criminals seek to target a company’s SQL database.

To do so, they try to fool the database into thinking their queries are legitimate. If they do so, they can often bypass the authentication stages required by normal users – opening up data about finances and payment details. That’s how companies lose millions of credit card numbers – and it’s a real business killer.

Thankfully, filtering systems included in SQL packages can counteract most SQL injection attacks. But these filters need to be calibrated properly (and not turned off as many companies do).

PHP vulnerabilities

PHP is commonly used to govern the way websites work, and, like SQL, it’s a major source of website attack potential. In this case, the key weakness is known as “Local File Inclusion” (LFI).

If PHP objects are incorrectly coded, hackers can use them to make all kinds of requests, potentially providing access to confidential files. If the attackers have carried out diligent research, and VPNs haven’t prevented their work, they can easily find out what files to request. And inside jobs can’t be ruled out here, either.

This method can also be used to inject malicious code onto a website’s servers, in much the same way as XSS. Alternatively, hackers can use a PHP technique called “Remote File Inclusion”. This uses poorly coded PHP to call up files anywhere in the web.

Brute force

If your site is protected by standard password fields, hackers might simply choose to batter down the doors. In the cybersecurity field, this is known as brute forcing, and it’s a common way for unsophisticated attackers to work out login details.

In this website attack, hackers program tools to constantly enter possible login combinations. Obviously, this is the least likely method to work – but given enough combinations and weak passwords, hackers can get through.

Brute forcing is more effective when combined with intelligence about users or staff members, allowing hackers to narrow down their password search. Again, this is somewhere where encryption is vital. Remember, website attackers would love to track emails, browser activity, and location details. A VPN can make it tough to do so, making it a sensible tool to have in reserve.

Guard your site against every type of website attack

As we’ve seen, websites are vulnerable to all sorts of attack. And no website is immune, so all managers need to take appropriate steps to fine-tune their online security.

Strong passwords, watertight SQL and PHP coding, external security audits, and the use of VPNs can all contribute. And it helps to plan for the worst. Even well-managed sites can fall victim to attacks. So have a continuity plan for worst case scenarios. You may not need it, but if you do, you’ll be glad to have it there.