
What a Hacker Actually Sees When They Look at Your Business


Before anyone attacks a business online, they do research.

Not because they are specifically targeting you. Automated tools scan millions of domains continuously, looking for the same things a human attacker would look for manually. They take seconds. They require no special access. Everything they find is publicly available.

Here is what that scan finds, what it means, and why it matters even if you have never thought about any of it.


Your Domain Registration

The first thing anyone looks at is your domain. A WHOIS lookup returns your registrar, registration date, expiration date, and sometimes contact information if you have not enabled privacy protection.

From an attacker's perspective, the expiration date is interesting. A domain expiring in the next 30 days is a potential opportunity. Some attackers monitor for recently expired domains and register them immediately, then use them to intercept email or redirect traffic from anyone still trying to reach the old address.

More practically, WHOIS data reveals how long the domain has been registered. A business operating for 15 years on the same domain looks different to email filters and browsers than one registered three months ago. Your domain age contributes to the trust signals that determine whether your emails land in inboxes or spam folders.

What this means for you: Make sure privacy protection is enabled on your domain registration so personal contact details are not publicly listed. Confirm your domain is not approaching expiration.


Your DNS Records

DNS records are entirely public. Anyone can query them. They reveal quite a lot.

Your MX records show where your email is hosted. This tells an attacker which email platform you use and which known vulnerabilities or phishing techniques apply to it.

Your SPF record, if it exists, shows which servers are authorised to send email on your behalf. A missing or overly permissive SPF record is a signal that your domain may be spoofable. Someone could send email that appears to come from your address.

Your DMARC record, if it exists, tells the world how you handle emails that fail authentication. No DMARC record means no enforcement, which means a spoofed email from your domain has a reasonable chance of being delivered.

Your A records and CNAME records show where your website is hosted and sometimes reveal infrastructure details about your setup.

What this means for you: SPF, DKIM, and DMARC configuration is not just about deliverability. It is about whether your domain can be impersonated. Missing DMARC is the most common gap and the easiest to exploit.
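
To make the SPF and DMARC signals concrete, here is an added example (not part of the original article or of any ExplainMyIT tooling) that classifies the TXT records a domain publishes. The domains and records in `SAMPLES` are constructed, and the posture labels are this example's own naming.

```python
# SPF: TXT at the domain itself. DMARC: TXT at _dmarc.<domain>. Sample data is constructed.

def spf_posture(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"              # RFC 7208: multiple SPF records = permerror
    terms = spf[0].lower().split()[1:]
    for term in terms:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"+": "permissive", "?": "neutral",
                    "~": "softfail", "-": "strict"}[qualifier]
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"             # policy lives in another record; not followed here
    return "neutral"                  # no "all" term: unmatched senders get neutral

def dmarc_posture(txt_records):
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return "missing"
    tags = {}
    for part in recs[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") not in ("quarantine", "reject"):
        return "monitor-only"         # p=none: failures are reported, not blocked
    pct = tags.get("pct", "100")
    return "enforcing" if pct.isdigit() and int(pct) >= 100 else "partial"

def findings(spf_txt, dmarc_txt):
    out = []
    spf, dmarc = spf_posture(spf_txt), dmarc_posture(dmarc_txt)
    if spf in ("missing", "invalid", "permissive", "neutral"):
        out.append(f"SPF {spf}: does not restrict who may send as this domain")
    if dmarc != "enforcing":
        out.append(f"DMARC {dmarc}: failing mail is not consistently blocked")
    return out

SAMPLES = {  # constructed domains and records
    "no-dmarc.example": (["v=spf1 include:_spf.mailhost.example ~all"], []),
    "open-spf.example": (["v=spf1 +all"], ["v=DMARC1; p=none; rua=mailto:d@open-spf.example"]),
    "locked.example": (["v=spf1 ip4:192.0.2.10 -all"], ["v=DMARC1; p=reject; pct=100"]),
}

if __name__ == "__main__":
    for domain, (spf_txt, dmarc_txt) in SAMPLES.items():
        print(domain, findings(spf_txt, dmarc_txt) or "no gaps found")
```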


Your SSL Certificate

SSL certificates are public records. Certificate transparency logs mean that every certificate ever issued for your domain is publicly searchable at crt.sh.

This reveals every subdomain you have ever secured with a certificate. Subdomains you thought were obscure, staging environments, internal tools exposed to the internet, old microsites from campaigns years ago. All of it is visible.

Attackers use certificate transparency logs specifically to find forgotten subdomains that may be running outdated software. A staging environment running an old version of WordPress that nobody maintains is a much easier target than your main production site.

Your certificate expiration date is also visible. An expired certificate means your site is showing security warnings to visitors, which creates an opportunity for a convincing phishing page that mirrors your site without the security error.

What this means for you: Check what subdomains are listed in your certificate history. If there are old environments still accessible that nobody is maintaining, they are a liability. An expired certificate is visible to everyone before you are likely to notice it yourself.
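
The certificate-history check described above can be run against your own domain's transparency log entries. The following added example (not from the original article) compares names found in CT against a list of hosts you believe you operate; the sample data is constructed, the `name_value` and `not_after` field names are assumed to match crt.sh's JSON output, and `KNOWN_HOSTS` is a hypothetical inventory.

```python
import json
from datetime import datetime, timedelta

# Constructed sample shaped like crt.sh JSON output: one object per certificate,
# with newline-separated hostnames in "name_value" (field names are an assumption).
SAMPLE_CT = json.dumps([
    {"name_value": "example.com\nwww.example.com", "not_after": "2025-03-01T00:00:00"},
    {"name_value": "www.example.com", "not_after": "2024-06-01T00:00:00"},
    {"name_value": "staging.example.com", "not_after": "2023-09-10T12:00:00"},
    {"name_value": "shop.example.com", "not_after": "2025-02-01T00:00:00"},
])
# Hypothetical list of hosts the business believes it is running.
KNOWN_HOSTS = {"example.com", "www.example.com", "shop.example.com"}

def latest_expiry(ct_json):
    """Map every hostname seen in CT to the expiry of its newest certificate."""
    latest = {}
    for entry in json.loads(ct_json):
        expiry = datetime.fromisoformat(entry["not_after"])
        for name in entry["name_value"].splitlines():
            name = name.strip().lower()
            if name and expiry > latest.get(name, datetime.min):
                latest[name] = expiry
    return latest

def review(ct_json, known_hosts, now, warn_days=30):
    """Return {hostname: [flags]} for names that need a human decision."""
    report = {}
    for name, expiry in sorted(latest_expiry(ct_json).items()):
        flags = []
        if name not in known_hosts:
            flags.append("not in inventory")
        if expiry < now:
            flags.append("newest certificate expired")
        elif expiry - now <= timedelta(days=warn_days):
            flags.append(f"expires in {(expiry - now).days} days")
        if flags:
            report[name] = flags
    return report

if __name__ == "__main__":
    for host, flags in review(SAMPLE_CT, KNOWN_HOSTS, datetime(2025, 1, 15)).items():
        print(host, "->", ", ".join(flags))
```

A name flagged "not in inventory" only shows that a certificate was once issued for it; whether the host still answers is a separate check.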


Your Website Technology Stack

Tools like BuiltWith and Wappalyzer identify what technology your website runs on from publicly observable signals. WordPress version, which plugins are installed, which analytics tools you use, which CDN sits in front of your site, which email marketing platform you have integrated.

WordPress version matters because every WordPress version has a public list of known vulnerabilities. If your site is running WordPress 5.8 from 2021, that list is available to anyone who wants it. The same applies to plugins.

Most automated attacks are not targeted. They scan for specific vulnerabilities across every site they can find. If your site is running a plugin version with a known remote code execution vulnerability, it will be found and exploited whether or not anyone has specifically chosen to target your business.

What this means for you: Keeping WordPress and plugins current is not optional maintenance. It is the primary defence against automated scanning attacks. An outdated plugin on a site nobody visits regularly is still a visible attack surface.


Your Public Exposure

Beyond your main website, your business likely has other publicly visible infrastructure. Subdomains, login pages, admin interfaces, API endpoints.

Some of these are intentional. Your customer portal, your booking system, your support desk. Others are less intentional: a server management interface that should be restricted but is not, a development environment that was meant to be temporary, an old system that was never properly decommissioned.

Port scanning tools reveal which services are accepting connections on which ports. An RDP port open to the internet on a Windows server is a well-known attack vector. An exposed database port is worse. Neither of these is unusual to find, especially in businesses that have grown their infrastructure incrementally over years without a formal review.

What this means for you: You probably do not know everything that is publicly accessible from your infrastructure. This is not a criticism. It is a consequence of how IT environments grow. Knowing what is exposed is the starting point for deciding what should be closed.


Your Breach History

Databases of email addresses and passwords from historical breaches are searchable. Services like Have I Been Pwned index billions of credentials from thousands of breaches.

If any of your business email addresses appear in known breaches, that is visible. If the passwords associated with those addresses are being reused elsewhere in your organisation, that is a risk that compounds over time as more breaches occur and more credentials enter circulation.

What this means for you: Check your business email addresses at haveibeenpwned.com. If they appear in breaches, the associated passwords should be considered compromised everywhere they were used.


The Point of All This

None of what is described above requires any special skill or access. These are all public signals that any automated tool can collect in seconds.

The businesses that get targeted are not usually targeted because someone chose them specifically. They get targeted because their public signals indicated an easier path than the next domain in the scan queue.

Expired certificates, missing DMARC, outdated software versions, exposed subdomains. These are the signals that move you up the list.

You do not need to be impenetrable. You just need to not be the easiest option.


What ExplainMyIT Checks

The external snapshot ExplainMyIT generates every month covers the publicly observable signals described in this article: domain registration and expiration, DNS and email security configuration, SSL certificate status, technology stack, public exposure, and breach history.

It does not fix anything. It explains what is visible and flags what has changed since last month. A dated record of what your public IT setup looked like, before anything went wrong.

See what is publicly visible about your business right now — results in 60 seconds, free, no account required.

