Like the flu only for websites
It was 4:45 pm on the Friday before Memorial Day weekend when we received an urgent phone call from a former client. We will call her Angie. Angie was distraught because the website for her small organization had a strange message on the homepage and the rest of the site was inaccessible. She was quite concerned and we agreed to take a look at what was going on. It turned out that her website had been hacked.
Unfortunately, the organization’s site was on a shared server that hosted multiple other websites, which resulted in cross-site malware infection. This was due to 2-3 years of missed WordPress updates and outdated plugins on the website, which had left her site vulnerable. This meant that not only did her website need to be cleaned and tested, but so did several other websites.
A few years ago, we encountered another situation. This time the client happened to notice an extreme spike in their web traffic. However, when they looked closer at the individual pages that had the high traffic, they realized they didn’t recognize the URLs. When they clicked the URLs, those pages were full of sexually explicit images and videos. Hackers had injected code that created new pages, buried and hidden in the WordPress database, to host and/or redirect to their adult materials. Even though all of their regular website pages were fine, the hacked pages had caused the website to get blacklisted by search engines, which resulted in a long-term penalty on their rankings. Not only did the site need to be cleaned and updated, but we also had to spend the time to get the website whitelisted, and the client had to spend additional money on search engine optimization.
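The check this client did by hand, spotting traffic on URLs they did not recognize, can be run routinely against the web server's access log. The script below is an added example, not code from the original post; the known-page list, the log lines and the `/xq-…` paths are constructed, and the log is assumed to be in the combined format that Apache and nginx write by default.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed: pages the site owner actually published (e.g. from the sitemap).
KNOWN_PATHS = {"/", "/about/", "/contact/", "/blog/"}

def sample_line(path, status):
    """Build one constructed access-log line in combined log format."""
    return (f'203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"')

# Constructed sample log: normal traffic, scanner 404s, and two injected pages.
SAMPLE_LOG = "\n".join(
    [sample_line("/", 200)] * 2
    + [sample_line("/about", 200)]
    + [sample_line("/wp-content/themes/site/style.css", 200)] * 4
    + [sample_line("/old-page/", 404)] * 5
    + [sample_line("/xq-7731/?ref=a", 200)] * 4
    + [sample_line("/xq-7732/", 200)] * 2
)

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3}) ')
STATIC_RE = re.compile(r"^/wp-(?:content|includes)/|\.(?:css|js|png|jpe?g|gif|ico|svg)$")

def normalize(target):
    """Drop the query string and treat /about and /about/ as the same page."""
    path = urlsplit(target).path or "/"
    is_file = "." in path.rsplit("/", 1)[-1]
    return path if path.endswith("/") or is_file else path + "/"

def unknown_pages(log_text, known_paths, min_hits=3):
    """Return (path, hits) for served pages that are not in known_paths."""
    hits = Counter()
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        # Only 200 responses matter: a 404 means the URL does not exist on the
        # site, while a 200 on an unknown URL means the site is serving it.
        if not match or match.group(2) != "200":
            continue
        path = normalize(match.group(1))
        if path not in known_paths and not STATIC_RE.search(path):
            hits[path] += 1
    return [(p, n) for p, n in hits.most_common() if n >= min_hits]

if __name__ == "__main__":
    for path, count in unknown_pages(SAMPLE_LOG, KNOWN_PATHS):
        print(f"{count:5d}  {path}")
```

Any path this reports is a page the server is delivering that nobody on the team published, which is worth investigating before a search engine flags it.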
A Mostly Happy Ending
While we were able to ultimately fix the issues in both cases, it took time, cost money, and potentially impacted (at least in the short term) the organizations’ reputations with their customers. Those with no backup of their website potentially ran the risk of having to start over. Anyone who has been hacked or defaced will tell you that they wish they knew how to prevent such malicious behavior.
Think it won’t happen to you? Think again!
According to a 2013 Forbes article by James Lyne, “On average 30,000 new websites are identified every day (source Sophos Labs) distributing malicious code to any users passing by.” That was 4 years ago. Imagine how many websites are being hacked today. Better yet, don’t imagine. You can watch it for yourself on this website that tracks it live daily.
Many people mistakenly think that because their organization is smaller or doesn’t store any customer data, they will be safe. However, it doesn’t work that way. Most hacking is automated, with programs that go out and look for vulnerabilities on a website. If the website hasn’t been updated, it can leave an opening for the program to get in and take over the website. Sucuri.net says, “In all instances, regardless of platform, the leading cause of infection could be traced to the exploitation of software vulnerabilities in the platform’s extensible components, not its core.”
Think of it like this. Your website is your house. Not updating your WordPress core, theme, or plugins is like leaving your doors unlocked. Then when a non-stop robot (kind of like the Energizer Bunny) comes along, tries the door and finds it’s unlocked, it comes on in and sets up. You come back from the grocery store to discover graffiti spray painted on your house, which is now full of empty beer cans, toxic sludge, and 3 tons of that leftover casserole-turned-science experiment that Grandma gave you back in Christmas of 2015. You don’t want that madness.
So what can you do?
- First, make sure you regularly back up your website. In the event it does get hacked or something else happens, you will have a copy to restore.
- Routinely update your WordPress core, theme, and plugins. Monthly, if you can.
- Use a strong password and unique admin username.
- If you don’t already have an SSL certificate, consider adding one.
- Set up Webmaster Tools to get notifications from Google when they suspect malicious activity.
- Ask your web developer to harden your WordPress installation from attacks.
- We strongly recommend that, in addition to securing your site, you also install a firewall to protect your website against brute-force attacks.
Or if you don’t want the hassle and worries of doing your own maintenance, you can turn it over to the team here at Authentic Web Solutions. We have 3 different packages, so you are sure to find one that fits you and your business. Whatever you do, don’t leave yourself vulnerable to the evil Energizer Bunny Bots.
Please note that even if you take every precaution possible, websites can still be hacked.