Website DNS hijacking is a well known way hackers can maliciously substitute their own website content for legitimate content without having to defeat web server security. However, there are other ways most people haven’t thought much about.
By July of 2014 the average web page contained 112 objects. (See: Average Web Page Breaks 1600K) That number continued to increase, so that now the average web page has even more. A large percentage of those objects are typically supplied via live internet feeds from external third-party servers, such as Content Delivery Nework (CDN) servers.
So, if a website name server has been hardened sufficiently to make it difficult to hijack, a hacker can instead hijack the DNS address of any one of the many remote host servers supplying page content. If the internet addresses of all those domains happen to be difficult to hijack (which would be unusual), any remote content server with a security flaw can be directly hacked instead.
Consequently, where years ago it would have been necessary to either be able to hijack a particular website IP address or break access security at the web server to maliciously change website content, now web page content security is only as good as the security at the weakest remote name or content server of the many that typically supply page content. Not only that, whereas name and web server security used to be locally controlled, now the security of multiple name and content servers are nearly always controlled by unknown remote parties.
For information about a new experimental technology to reduce these risks, see Subresource Integrity (SRI).
Of Course, Hacking isn’t Necessary!
Millions of website owners throughout the world freely install WordPress plugin software written by unknown parties. Those plugins have permission to run PHP code on local web servers and can be designed to automatically install future updates.
The code is open-source, and therefore can be examined, but how many WordPress users are fluent in PHP? Even of those who are, how many spend the considerable amount of time required to read through and carefully analyze plugin code before plugin activation?
Even if plugin code is carefully studied and nothing seems nefarious, what about future updates? Will they each be examined with the same thoroughness before use? Even if they are, all that means nothing if an automatic update can change everything at any time.
All someone has to do to post a message of some kind on a million websites is write a simple plugin that displays cute-looking social media icons, a snazzy-looking weather widget, or some other such thing. Wait until there are a million users, and then auto-install an update. Some WordPress users will notice and deactivate the plugin right away, but many won’t, because they rarely look at their websites. Ten percent (100,000 websites) might still be displaying the message long into the future.
The point of all this is that while there has been lots of focus on DNS hijacking, that is only one of many ways to change the content on people’s websites.