Nothing scares website visitors quite like a message from Google that states: “this site may harm your computer” or “this site may have been compromised.” Unfortunately we live in a world when it is just a matter of time before your website is hacked. In today’s world it’s not a question of “if”, but a question of “when”.
When companies like Verizon, Virgin Atlantic, Deloitte and Equifax fall victim to cyber attacks, you’d be crazy to think that your own website isn’t going to get hit sooner or later. Your website may not house much sensitive data, but due to the massive amounts of hacking information available on the Dark Web, it has become very easy for novice hackers to exploit vulnerabilities in many website platforms, especially WordPress. Remember, hackers hack for different reasons. Some hack to extract information to sell on the black market. This includes credit card data, social security numbers, etc. Other hackers simply hack “for the fun of it”. They just want to see if they can pull it off and then leave their mark on your website.
2017 has been especially bad with the WannaCry Ransomeware attack that was literally caused due to a leak at NSA operations. As well as the Cloudflare Compromise that divulged thousands of IP addresses of its customers. By the way, Cloudflare is partially owned by Google, meaning even Google security standards aren’t safe from attacks.
Unfortunately, several of our clients have experienced security breaches themselves. Some are very minor wherein an email password is changed or a website has a denial of service message. When you have countless websites on multiple servers it is inevitable that you aren’t going to stay safe all the time. Unfortunately, we have even dealt with a high-level client whose internal office security was compromised, causing their management system to be infiltrated, which caused the FBI and the Department of Homeland Security to get involved. It didn’t even have anything to do with us, but let me tell you it’s definitely a momentous occasion when your office is visited by the FBI because they are looking for help finding criminals. So, trust me when I tell you, we are fully qualified to write about hacks because an agency our size has pretty much seen it all.
A Word About WordPress Hacks
It’s not their fault. When you are the most widely used Content Management System in the world, you have a big bull’s eye painted on your torso. WordPress is the most hacked Content Management System today. It’s no wonder, WordPress sites get hacked constantly. As of last count, there are over 38 million WordPress sites on the internet. That’s a solid 18% of all websites out there. If we were hackers, we’d focus on them too. Thus, a word to the wise: WordPress is a wonderful website platform. Just make sure you keep that sucker up to date, otherwise the hacking bug will bite you quickly.
Plan for the Worst – Website Checklists to Help Keep You Safe
As a website owner you should have two plans in place on how to deal with cyber security. First, you want a checklist of all vulnerabilities to monitor. Second you want a plan in place when you are hacked. This will assure you are as protected as possible as well as back up and running as quickly as possible when the $#!% hits the fan.
This checklist needs to be run in repetitive intervals. Our security protocol is included in our managed hosting and SEO plans, which means the site is monitored on an on-going basis. Those who host or manage websites themselves should check for vulnerabilities at least once a month, preferably twice a month. Here is a list of items that should be checked:
- Content Management System Updates
If you are running any type of content management system to run your website, you will want to assure it is up to date. Especially if you are running WordPress or Joomla. Those CMS’s tend to get attacked quite a bit. If your CMS is no longer upgradable, it’s time for a new website.
- Plugin Updates
Your Content Management System will utilize certain plugins or extensions. These plugins will require their own updates. Make sure all of your plugins are up to date as well.
- Admin Lock-Down
Lock down your admin back end. Many hacks are due to brute force attacks on websites. These hacks target the admin control panel of your Content Management System. We recommend double-authentication, non-descript passwords and not using “Admin” for a username.
- SQL Security
Protect your database from SQL Injections. A SQL Injection uses vulnerabilities in a website’s input channels to target the database that sits in the backend where the most sensitive information is stored. Make sure your webmaster validates input strings on the server side and/or uses command parameters. Never use the root account to connect the web application to the database. You may want to consider to use separate connections for code segments that read from or write to your database, and further cull down permissions and roles for each segment.
- Cross Site Scripting
Cross Site Scripting (XSS) are one of the most common types of attacks. It accounts for almost 48% of all WordPress attacks. Thus, you need to assure you prevent against them. There are 2 types of XSS vulnerabilities, Reflected and Stored. A Reflected XSS attack is usually a link that contains malicious code. When someone clicks on that link, they are taken to a vulnerable website and that malicious code is ‘reflected’ back into their browser to perform some malicious action. A Stored XSS attack is much more dangerous because it can be automated. A script can be created that visits thousands of websites, and drops a stored XSS script. Assure you always validate your data properly. Consult with your webmaster for specific details.
- Error Messages
Be careful with how much information you give away in your error messages. Provide only minimal errors to your users, to ensure they don’t leak secrets present on your server (e.g. API keys or database passwords). Keep detailed errors in your server logs, and show users only the information they need.
- Form and Server Validation
Validation should always be done both on the browser and server side. The browser can catch simple failures like mandatory fields that are empty and when you enter text into a numbers only field. These can however be bypassed, and you should make sure you check for these validation and deeper validation server side. If you don’t do this, malicious code could be inserted into your website’s database.
Keep them safe, don’t use common ones and change them often. Also make sure you don’t use the same pw all over the place. If you use the same pw over and over again, all it takes is a simple keyboard logger script to completely destroy your website or personal information.
- File Uploads
Limit file uploads. If you want to allow uploads, consider loading them to a separate server, or drive and scan all files before allowing them onto the main drive.
HTTPS secures your information transfer between a website. We highly recommend running your website with https. Basically HTTPS encrypts the data that goes from a computer to the target website and back. This makes all interaction between the website much safer. If you haven’t done so, you should switch to https immediately.
- Web Application Firewall
Add it. It’s as simple as that. It’s essentially a firewall for your website. A great option is Cloudflare, customers on a paid Cloudflare plan can activate the Web Application Firewall that will challenge or block known problematic behavior online.
- Backups & Redundancy
Run backups as often as data changes on your site. If you have data changing daily, run daily backups. If data only changes weekly or monthly, then run backups accordingly. The most important factor in your backups is your redundancy. Redundancy is how many sequential backups you have to choose from in case something goes awry. You should use whatever redundancy you are comfortable with, but we recommend keeping at least 3 versions of your website handy at all times.
Hack Recovery Checklist
- Take Site Offline
Take the site offline if need be. You can always put up a maintenance page. It’s better to take the site down and avoid further damage, especially if you are worried that prolonged website access will worsen the hack.
- Contact Host
Contact your host immediately. Have them run a full analysis of your hosting control panel to see if the vulnerability can be tracked. Often times, a quality hosting company will also help track down the malicious code that was injected. If your hosting company is not helping you within minutes of you contacting them, switch. Response times of longer than a couple of hours is completely unacceptable.
- Reset all Passwords
Reset all website passwords. If you are worried the hack came from within your office or a known source, reset all passwords at the source as well.
- Recover Site and Scan for Vulnerability
Chances are your recovered website version will have a nasty vulnerability in it. You need to get to the bottom of it ASAP. A great start is to have your host run a scan of the site. Your webmaster should also do a complete review of your CMS security. Don’t stop looking until you have determined how the hack occurred.
- Remove ALL Malicious Code
It seems too obvious to state, but we have seen in the past that people often ignore this important fact. Just because you found some malicious code, doesn’t mean you found ALL of it. All too often hackers place multiple code sets into a site, leaving one set of code in a place that is easy to find. Inexperienced web masters will find the code, remove it, and go about their business. Unfortunately they never removed the truly bad code. Thus, ALWAYS check the entire site for bad code.
- Use Mouseflow
If all else fails and you have no idea how the hack occurred, add a program like Mouseflow to your website. Then wait to see if the culprit returns. We caught a hacker logging into a client’s website control panel after stealing the username and password straight off of her personal computer. Mouseflow helped us determine how the hack occurred by screen recording all website activity.
- Webmaster Tools
Go to Google Webmaster Tools (Search Console). Your website should already have an account. Check to see if your site is on any blacklists. A blacklist can temporarily impact your site’s SEO and SERPs, so you should login and see if you have any site warnings in Google Webmaster Tools that need to be addressed. You will have to resubmit your site for review once the hack has been resolved.
Website Security For Hire
Finally, we’d like to give a shout out to Sucuri and SiteLock. Both of these products do a great job protecting your website. For a few extra bucks a month, you can utilize their services to help keep your website safe. We hope this article has helped shed some light on the not so nice part of website ownership but also provided you with the tools to manage these challenges effectively.
When it comes to your website management, always remember an ounce of digital prevention is worth a pound of digital cure.