Your Website Has Been Hacked

These days there are multiple ways of interacting with our customers, and your website is a critical central tool interacting with multiple platforms and social media. But your website is also a huge target for script kiddies, hackers, fraudsters and scammers. Given how complex many website builds have become, the ever-advancing software powering web servers, and developments in code within content management systems such as WordPress, your website could, perhaps inevitably, end up getting hacked.

It’s a huge inconvenience, not to mention it’s costly in terms of business interruption and lost sales. Then there is the cost of cleaning up, removing the hack, restoring, or rebuilding your website. Perhaps the security breach is worse and confidential data and information is taken or compromised.

How do hackers access your website? Well, in a majority of cases, hackers use specialized software to scan the internet seeking websites using certain plug-ins with known vulnerabilities they can exploit. Once they discover a vulnerable website, they attack it.

Attacks can be as simple as a brute force attack, meaning they bombard your administrator login area with automated login attempts using a list of known administrator user names and passwords. Weak user name and password combinations such as ‘Admin’ and ‘Secret’ are quickly discovered, and the hacker has access. So, strong, difficult user name and password combinations are a good place to start hardening your website security.
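To spot this kind of automated login attack in your own server logs, here is an added example (not from the original article). It assumes a WordPress site whose login page is /wp-login.php, a web server writing the common "combined" access log format, and the default WordPress behaviour of answering a failed login with status 200 and a successful one with a 302 redirect. The threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

LOGIN_PATH = "/wp-login.php"  # assumption: WordPress login page
FAIL_THRESHOLD = 5            # assumption: tune to your own traffic

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def sample_line(ip, sec, method, path, status):
    """Build one constructed log line in combined format (not real traffic)."""
    return (f'{ip} - - [10/Mar/2024:02:14:{sec:02d} +0000] '
            f'"{method} {path} HTTP/1.1" {status} 4521 "-" "-"')

def make_sample_log():
    # Eight failed guesses from one address, then a guess that works.
    lines = [sample_line("203.0.113.7", s, "POST", LOGIN_PATH, 200) for s in range(8)]
    lines.append(sample_line("203.0.113.7", 8, "POST", LOGIN_PATH, 302))
    # The owner mistypes a password once, then logs in: not an attack.
    lines.append(sample_line("198.51.100.20", 20, "POST", LOGIN_PATH, 200))
    lines.append(sample_line("198.51.100.20", 25, "POST", LOGIN_PATH, 302))
    lines.append(sample_line("192.0.2.55", 30, "GET", "/", 200))
    return lines

def find_bruteforce(lines, threshold=FAIL_THRESHOLD):
    """Return {ip: {failures, succeeded}} for addresses with many failed logins."""
    fails = defaultdict(int)
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?")[0] != LOGIN_PATH:
            continue
        ip = m["ip"]
        if m["status"] == "200":      # login form shown again: failed attempt
            fails[ip] += 1
        elif m["status"] == "302" and fails[ip] >= threshold:
            # A redirect after a burst of failures: a guess probably worked.
            report[ip] = {"failures": fails[ip], "succeeded": True}
    for ip, count in fails.items():
        if count >= threshold and ip not in report:
            report[ip] = {"failures": count, "succeeded": False}
    return report

if __name__ == "__main__":
    print(find_bruteforce(make_sample_log()))
```

An address reported with "succeeded" set to True is the urgent case: change that account's password and review what was done while it was logged in.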

Keeping access limited to just a very few people is also a good idea. Restricting who has access to your website lowers the odds of user name and password cracks. It’s a very good idea to appoint just two people with the ability to administer your website. One to administer content, and the business owner who has total control of the keys to the car. Given that some owners do not do a good job of keeping records of vital information, this might be a task you outsource to a web administration specialist such as your web hosting company, or a specialist like myself.

One very effective strategy you can deploy to defend against brute force attacks and restrict access to just very few people is to deploy Two Factor Authentication (2FA) to log into your website. Two Factor Authentication is a process and system where you use a user name and a password to log in, but then you must receive a secondary passcode on a secondary device and enter it into your authentication system to gain entry to your website. A popular 2FA system is to send a 4 or 6 digit passcode via text message to your cellphone. Or, Google provides a free 2FA system that sends a 6 or 8 digit passcode via an authentication app on your cell phone. While this is highly secure, it can also slow down the access process. One of the major drawbacks to this security feature is just how restrictive it is, as it can limit access to your website to just one person. Putting all your eggs in one basket can slow down any work on your website dramatically. In larger operations where you might require 4 or 6 people to access web-based information, it can be a huge problem.

These days, one of the most common website hacks exploits vulnerabilities in the code of your content management system’s server-side script. Programming languages like PHP, CSS, JavaScript and MySQL have all had known vulnerabilities over the years, but they have been fixed and improved with each update and new release.

But vulnerabilities don’t end on the server; there can be a vulnerability in your content management system itself. Content management systems like Wix and Squarespace, open source systems such as WordPress and Joomla, or custom systems that some advertising agencies and web hosting companies provide can be vulnerable. Security costs a lot of money. That expense can be too much for some companies to invest in, so they cut corners and costs, leaving your website exposed. While there are thousands of developers working on improving open-source systems such as WordPress and Joomla, even with armies of coders, errors in code still occur that hackers discover and exploit.

I mentioned plug-ins. A plug-in is a package of code that ‘plugs into’ your content management system to extend its basic functions. As an example, your website might use a pop-up generator to create a ‘pop up’ box that pops up onscreen whenever a website visitor comes to a certain page. Currently, there is a known vulnerability in a WordPress pop-up plug-in that allows hackers to gain full administrator access to your website, install malicious scripts and install a backdoor that allows hackers to take over control of your webserver, even take over access to other websites on that server, websites that aren’t even related to your website or web account. Heck, you can get infected even though you are running all kinds of security protocols because someone else on the server had a vulnerability that was exploited. Yeah, some web servers are like an apartment building with multiple apartments in it. When a hacker gains access to one website, he can infiltrate the entire server and all accounts, just like a mouse getting into one apartment then infesting the entire building.

Another good security practice is to limit the number of plugins you use. The fewer plug-ins, the smaller the likelihood of bad code. But, of course, this also limits the extended functionality of your website.

Updates: Keeping your server software current with updates is always advisable. If you are on a shared server, your server admin is very likely updating PHP, MySQL, etc., as updates are released. But, for scripts like WordPress, unless you have auto updates turned on, updates and new releases will be your responsibility. The same applies to any plugins you may have installed. Security releases are made often, so subscribe to email newsletters for plugins and your CMS so you can keep abreast of updates.

I’m sorry to be the bearer of bad news, but it really is inevitable that your website is going to be compromised. You can do your best making it as difficult as possible for hackers to get in. You can run a plugin like Wordfence to prevent access, but I’ve seen websites armed to the teeth fall to determined hackers despite maximum security.

One thing you can do is get into the habit of making regular backups of your website. Every time you make a change to your website content, you should take a backup and download it to a location off your webserver, like your laptop or another PC. You should take a copy of all the files, databases and email accounts. If your webserver is running cPanel, you can set it up to automatically make a complete backup of your website daily. The trick is to remember to download the files. There are backup services you can pay to subscribe to that will automate the entire process for you, including downloading the backup files. It’s money well spent.

One cheap and easy way to make a backup of your website is to access every page on your website and print a copy on your desktop printer…and put it in a file folder in your filing cabinet. I know, it’s very rudimentary, lame and so 1990, but it’s a cheap, easy, low tech solution. And frankly, it works when SHTF.

If you do get hacked, it might be possible to recover your website. If you have a current, stable, and clean backup, you can simply restore the files, which will restore your website. But, if the hack was due to a vulnerability, you might simply be restoring a vulnerable website only to get hacked again. I say clean backup because I’ve experienced situations where a hacker exploited a script vulnerability, then waited a month or more before doing damage – yeah, crafty buggers! After restoring a relatively current backup, I ended up restoring a compromised site with a previously infected file, which only left the site compromised. Yuck!
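One way to judge whether a backup is clean before you restore it is to compare it, file by file, against a copy you know was good. The following is an added example, not part of the original article: the file names and contents are constructed, and the "known good" copy is assumed to be one you saved right after building or last legitimately editing the site.

```python
import hashlib
import os
import tempfile

def manifest(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests

def compare(known_good, candidate):
    """List files a candidate backup added, removed or changed."""
    shared = known_good.keys() & candidate.keys()
    return {
        "added": sorted(candidate.keys() - known_good.keys()),
        "removed": sorted(known_good.keys() - candidate.keys()),
        "changed": sorted(p for p in shared if known_good[p] != candidate[p]),
    }

def write_file(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed data: a known-good copy and a later, tampered backup."""
    with tempfile.TemporaryDirectory() as good, \
         tempfile.TemporaryDirectory() as later:
        for root in (good, later):
            write_file(root, "index.php", "<?php echo 'Welcome'; ?>\n")
            write_file(root, "contact.php", "<?php echo 'Call us'; ?>\n")
        # Hypothetical tampering: one edited file, one file nobody uploaded.
        write_file(later, "index.php", "<?php echo 'Welcome'; /* altered */ ?>\n")
        write_file(later, "uploads/cache.php", "<?php /* unexpected file */ ?>\n")
        return compare(manifest(good), manifest(later))

if __name__ == "__main__":
    print(demo())
```

Any file listed as added or changed that you did not add or change yourself is a reason to go back to an older backup rather than restore this one.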

There are specialized scanning services and specialists who can un-hack a site. This might be required when hackers have installed trojans, backdoors, malicious scripts, malware, or even done database injections. If you don’t have a decent backup, you may end up paying specialists to find how hackers gained access, scan for infected files and remove malicious files and malware. In severe hacks, I’ve had to go so far as to delete entire accounts and files off my webserver and start all over. If you don’t have a backup, even an old one, you might find yourself starting all over from scratch, and that can be expensive.

So, check your website often. Do regular backups. Be prepared in case you do get hacked. Have a plan B in place just in case. And be ready: if you are online, it’s only a matter of time.

Darcy Moen opened his first drycleaning shop at the age of nineteen. Over the next sixteen years, he built his first 600 square foot plant into a chain of 5 stores, creating and testing his own marketing programs along the way. Darcy is a multi-media marketer, working in digital signage, video, print, direct mail, web, e-mail and is a social media expert certified by Facebook for Pages, Insights and Ad Systems. Please visit www.drycleanersuniversity.com.
