Been Hacked Yet?

By · Filed in Websites

Has your website been hacked yet? Maybe to be replaced by a political statement or to host a virus or other malware that the hacker can spread from your site?

If not, then

a) you’re lucky and

b) there is a high likelihood that your turn will come! So, what can you do to keep the hackers out?


Let’s start with some facts and fiction…

1)      “Nobody would want to hack my site.”

Most hacking attempts are automated and are rarely personal. Your site is simply the next one on their list. Almost all the attacks we see have financial or political motives. Maybe you’re thinking “I don’t have any sensitive information. What could they possibly steal from me?” Emails, usernames, passwords, and, even worse, your reputation.

And, often they want to use your website as a way of stealing from others. We have occasionally seen sites that are apparently still functioning correctly where the hacker has added some extra code that sends malware to the site’s visitors that has not been spotted for months.

2)      “My website is 100% secure.”

No site that’s accessible on the internet will ever be 100% secure. Security vulnerabilities will always exist. If there is a way that an authorised person can get to some information then it is possible for an unauthorised person to get there too.

3)      “I only use recommended, off the shelf software, such as WordPress, Joomla, osCommerce, etc.  so my site must be secure”

These popular website platforms are checked carefully but that doesn’t prevent them from having vulnerabilities and bugs. Even the best programmers make mistakes. And, even if your website is built on one of these platforms, it almost certainly contains additional, unique, code developed specifically for your business.

4)      “I paid $35.00 for a premium theme from ThemeForest. Since it was “premium” it must be secure.”

If you purchase a theme from somewhere like ThemeForest, be wary. We’ve seen numerous themes from ThemeForest come with embedded malware in the code, infecting your site and your visitor’s computers. If you do purchase a theme from ThemeForest or a site like it, thoroughly examine it to ensure that there is not any code that does not belong. When in doubt, contact a trusted developer.

5)      “Updating my core osCommerce, WordPress, etc software isn’t urgent. It can wait.”

You need to keep your site’s core software updated at all times. Whenever a security update is released the entire internet can see what the problem is and how to exploit it. This obviously exposes any site that has not been updated.

We recommend that your site is updated to the latest core software at least annually and preferably is never more than one release behind the latest version.

How to protect your site

The first step in dealing with security is to minimise the likelihood of a hacker getting in to your site. While the news stories that we all hear from time to time confirm that no site can ever be 100% secure, if your site is more secure than average then the hackers may leave it alone and go after easier prey.

1)      Passwords

Did you know that the most common password is password? Hackers know this too. Using easy to guess passwords like your name or your business name will allow hackers in with ease. So, make sure you use strong passwords. The strongest passwords use:

  • A minimum of 8 characters (12 is even better)
  • Some lowercase characters
  • Some UPPERCASE characters
  • Some numbers
  • Some punctuation symbols/special characters (such as !”£$%^&*()_ etc) too
  • And ideally these are all combined together in a random sequence
  • And also, ideally, this password is unique. Every password you have is different so that even if one were to be found out, this would not allow a hacker in to everywhere.

It is also worth pointing out that the strongest password is of no protection if you write it down on a post-it note and stick it on your monitor!

2)      Protect your computer

Make sure you have good anti-malware software installed on your computer, no matter if it is Windows, Mac OS X, or Linux. ALL computers can get some type of malware, and that can lead to an infected website. Always keep your operating system and the software on it, especially your web browser and SFTP/SSH/FTP client, up to date in order to protect against security vulnerabilities.

3)      Connecting to your site

Logging on to the admin area of your website from an Internet Café or over a public WiFi network is usually safe. But just once in a while there will be some malicious software/hardware lurking there that will capture your login details as you type them in. Always use the most secure connections you can and do not connect if you are in any doubt.

4)      User restrictions

Everyone DOES NOT need to be a site administrator. Focus on the role that you are assigning to users and only assign a role that matches what they NEED at the current time. You can always change their permissions later.

5)      Quality hosting

Whilst it is not easy to spot better hosting companies offering more secure hosting, there are clues to look out for.

Look for reviews that genuine people have posted online about the companies you are considering (if all the reviews are glowing and give 5 stars, you might want to check out another review site!).

Speak to the support people at the hosting company and ask them what they do to minimise the risk of hackers getting in to your site and what they can do to help you if your site does get hacked. If you cannot get through to them on the phone before signing up, what chance will there be to get through to them after you have paid?

Price does not always indicate quality but cheap hosting often cuts a few corners (eg no backups or so many sites on a server that the risk of attack increases).

6)      Backup

You MUST backup your site! Disaster will strike sometime and you need to be in a position to recover from it when it happens.

Without a backup you could lose your website and all content on it plus any user/customer details stored there. Without a backup you may never be able to fully recover this information. And, even if you can recover most of this information it is always a time consuming and expensive process.

As a minimum, you should backup your site at least once a week and at least one backup per month should be stored “off-site” away from the server that the site is hosted on, maybe on your computer or on a cloud storage service. All sites on our servers have daily backups stored on-site and weekly backups stored offsite.

What to do when your site is hacked

When the inevitable happens, what should you do?

1)      Keep Calm

Stay calm! You are going to be upset, but panicking and being frantic about the situation just makes things worse.

If you are lost, or at any point and time feel uncomfortable with what you are doing STOP and contact a professional (like ourselves) to get your issues resolved. It might cost a few pennies, but it will be worth avoiding the headache, wasted time, and frustration in the end.

2)      What happened?

If possible, find out how the hackers got into your site and exactly what they did. This is not always possible. For instance we have seen scripts that hackers install on a website on a server that allows them to capture the site access details of the other sites on that same server. You would be completely unaware of this if your site was not the one that the hackers got in to first.

If you can find out what happened, get that vulnerability fixed. There is a high probability of a subsequent attack on a vulnerability once it has been found.

3)      Recover

The fastest way to recover is always from the latest good backup. Get your hosting company or your web developer to restore the site.

Rebuilding is slow, difficult and expensive and is often not fully possible.

4)      Secure

Change every password that can access any part of the site. Assume the hacker got access to all of these passwords. Make them completely different and even stronger than before.

Upgrade your core software. It may be that the hackers got in to the site through a vulnerability in your core software so update this to the latest version.

5)      Prepare to be attacked again

Just like with house break-ins, there is a high probability that a hacker will return to a site they have hacked into before. There are also websites that hackers use to share information about sites that are vulnerable. Therefore, expect another hacker to attack soon.

We know of one website that, after a hacker found their way in, the site was subsequently being hit with attacks over 300 times per day!

Consider adding extra intrusion detection and prevention software plus file and virus scanning software that can prevent the more common hacker attacks, can block hackers who repeatedly try to force their way in to your site (eg through brute-force password attacks) and can also alert you to suspicious activity such as files changing on your site. As you know, none of this guarantees to keep hackers out but it can do a great job of discouraging them.

Leave a Comment

Learn how to grow your business by 25% or more in the next 12 months - get the book free now