Your website is your business’s lifeline to the outside world. The lights never go off for a website. It is open 24/7, giving instant access to customers. Your website is critical in today’s marketplace.
But what happens when the lights are turned off on your website? What happens when your business’s website is hacked?
It can cost your business greatly. The average cost of a cyber attack on small to medium-sized businesses was over $180,000.
Once it’s hacked, your website could be blacklisted by Google and other search engines. That means your website may not come up in search results and/or, when it does, there is a message alerting users that the site may be compromised. That’s not good news for your business.
One of the most common website platforms used today is the free, open source WordPress. In fact, one in six websites in the world is powered by the WordPress platform. Its popularity and ease of use, and the 64 million websites powered by it, make WordPress an easy target for hackers. In recent months, WordPress sites have come under attack by hackers, and it is unknown how many websites have been compromised. And most users are unaware that their websites have been hacked.
The motivation of hackers can vary. Some hack because they can, for the thrill of it or to test their skills. Others hack for darker reasons such as financial gain or disruption of business. The hacker may wish to gain data such as passwords or just spread malware.
So how are hackers able to hack your website? The most common routes are:
- Insecure passwords. Often this is what is called a brute force attack, where bots and/or hackers keep trying usernames and passwords until they find the correct combination. There are programs designed specifically to do this. In the most recent attacks against WordPress sites and major hosting providers, hackers were using the very common username of admin and then entering common passwords.
- Outdated code. Bots comb websites looking for outdated or shoddy code that would allow an easy way in to your site to insert malware or take information. They can often get in through outdated themes and/or plug-ins.
How do you know if your website has been hacked? Chris Wiegman, website security expert and creator of the Better WP Security plug-in, says that it is key to pay attention to what your site is doing. It may not be apparent, but there are some clues if you are attentive to activity on your website.
- Upticks in traffic from out-of-the-ordinary locations
- Your site is slower than normal
- Large amounts of spam
- Numerous 404 error pages (page not found)
- Google Malware warning
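One way to watch for two of these clues yourself is to scan the web server's access log for repeated login submissions and bursts of 404 errors from a single address. The script below is an added example, not part of the original column or of any plug-in it mentions; it assumes the Apache/Nginx "combined" log format and the standard WordPress login path `/wp-login.php`, and the thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# One request line in the Apache/Nginx "combined" log format (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def scan(log_text, login_threshold=5, notfound_threshold=5):
    """Return addresses with many login POSTs or many 404 responses."""
    logins, notfound = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # ignore any query string
        # Each password guess is a POST to the WordPress login form.
        if m["method"] == "POST" and path.endswith("/wp-login.php"):
            logins[m["ip"]] += 1
        # Bots probing for outdated themes or plug-ins generate many 404s.
        if m["status"] == "404":
            notfound[m["ip"]] += 1
    return {
        "login_flood": sorted(ip for ip, n in logins.items() if n >= login_threshold),
        "404_flood": sorted(ip for ip, n in notfound.items() if n >= notfound_threshold),
    }

def _line(ip, method, path, status):
    # Helper that builds a constructed sample log line (not real traffic).
    return (f'{ip} - - [29/Jul/2013:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "sample-agent"')

# Constructed sample: one address guessing passwords, one ordinary visitor,
# one address requesting plug-in files that do not exist.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.7", "POST", "/wp-login.php", 200)] * 6
    + [_line("198.51.100.20", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "GET", "/old-page", 404)]
    + [_line("192.0.2.55", "GET", f"/wp-content/plugins/missing-{i}/readme.txt", 404)
       for i in range(5)]
)

if __name__ == "__main__":
    for clue, addresses in scan(SAMPLE_LOG).items():
        print(clue, addresses)
```

Thresholds this low suit a small site; on a busier site, raise them or count per hour so ordinary visitors are not flagged.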
Once you are aware your site has been compromised, you will need to have your site fixed or “scrubbed.” The first thing you should do is contact your hosting provider to alert them. Then change all of the passwords to your site, including your FTP password. While you can scrub your website yourself by replacing every file and restoring the databases, it is a time-consuming process and requires some understanding of code and databases. The second option, the preferred option, is using a professional service such as WPSecurityLock.com or HackRepair.com. The service will scrub your website and bring your site back online. It can cost $200 and upwards, and services vary.
Being proactive is important in protecting your website. Wiegman says apathy is the biggest hurdle: thinking that hacking could never happen to your site because you aren’t a large multinational organization. He suggests these ways to secure your website:
- Update it regularly. Make sure you have the most up-to-date version of WordPress, plug-ins, and theme installed. If you aren’t using a plug-in or theme, delete it.
- Install a security plugin. It can help protect your site from a brute force attack by limiting the number of login attempts or tracking file changes.
- Use robust passwords. Create strong, varied passwords. And change them regularly.
I know firsthand about having a website hacked. It happened to my WordPress website in May and June. I used the free Better WP Security plug-in. The plug-in was able to identify I was hacked. With that security plug-in, I was alerted to questionable activity. I tried to fix my website myself, but I soon realized repairing the hack went beyond my expertise level and I got professional help. I paid WPSecurityLock.com to fix my compromised website.
While experts say a website hack isn’t 100 percent preventable, you can take steps to make it harder for your website to be compromised. I learned it the hard way through an experience.
This column was originally published in the Lexington Herald-Leader on Monday, July 29, 2013.