If you run a business that doesn’t collect sensitive information like credit cards or emails, you might think no one would bother to hack your site. Sure, Yahoo, Equifax, and Target get hacked, but they have credit cards, social security numbers, and email accounts. Unfortunately, if your site’s coding has vulnerabilities, hackers can and will hack your site, regardless of the information they might be able to steal. It’s not a matter of IF, but WHEN.
Why would they, and what do you do if your site gets hacked? Here’s everything you need to know about getting hacked.
Why would someone hack MY website?
The question I hear most often when a website’s been hacked is “Why Me?” If you don’t keep sensitive information on your site (like credit cards) or have thousands of visitors a day, you might be wondering why anyone would take the time to hack your site. But surprisingly, hackers can get something in return. Here are a few things they might be doing:
Boring, I know, but they might just be practicing how to hack. Beginners have to start somewhere, even hackers. Practicing on a site that’s too small to pursue them minimizes their risk. They hack because it’s fun.
2) Use your hosting account to send out spam
That’s right, your website could be sending out spam – even if they didn’t get into your email! If the hacker can gain access to your site’s coding, they can add their own code that sends those annoying spam emails out. This can easily lead to your website’s IP address being blacklisted, which can devastate your site’s rankings and visitor numbers even after the malware is removed.
Most good hosting companies take your site down if it starts sending out mass emails, which is helpful in the long term (your IP address has less chance of being blacklisted) but not good in the short term, since your website is taken offline.
3) Add invisible links to your site
If you know your site is hacked (a hosting company email, for example) but nothing looks different, the hackers might just be adding invisible links to your site. Adding links from your site, a legit business, to their site can cause their site to move up in Google’s rankings. Sure, Google will figure it out and penalize their site, but in the meantime, they get some serious SEO. And when they are severely penalized, they just change their domain name and start over, leaving your site to pick up the pieces. It’s “churn and burn” SEO.
4) Access to other sites
If your hosting account is on a shared server, as many are, they might be able to access other sites from your site. Those other sites can be used in the same way, or, if the hackers are really lucky, they might get access to a site with sensitive consumer information.
5) Use your site to infect computers
If hackers gain access to your files, they could add malicious code or Trojans to your site that automatically download when a user visits. These viruses, especially on unprotected computers, can do some pretty nasty things, including shutting down the visitor’s computer, stealing their files and locking them so they can’t gain access, or even adding a keylogger to capture all of their passwords to other sites.
What to do when your site is hacked
Don’t wait! You need to get your site cleaned as quickly as possible. If you read the section above, you can probably guess why that is, but the list below includes increasingly worse penalties the longer you wait:
- Your IP address can be blacklisted, tanking your Google site ranking.
- Your site’s SEO will be negatively impacted.
- Your site can spread malware to visitors.
- Google will start marking your site with this tagline in search results: “This site might be hacked”, which is not a great confidence booster for potential clients.
- Finally, the Red Screen of death: browsers will add a red (Chrome) or white (other browsers) screen warning visitors when they try to visit your site. This is a “gateway” screen, so it will completely block your site until you not only remove the malware, but also resubmit to Google that your site is clean.
How to protect your site
Now that you know the very real downsides of getting hacked, you’ll want to do everything you can to keep your site protected. The majority of the items below deal directly with having a WordPress site, but can be extrapolated to apply to other CMSs as well.
1) Keep your website’s plugins and core updated
Roughly 40% of hacked sites get hacked because of known and fixed vulnerabilities. That means these vulnerabilities already have a fix; your plugin or WordPress installation just needed to be updated. This is like having a lock on your door, but not locking it!
To Fix: When you log into your WordPress site, do you see a message at the top warning you to update your WordPress version? Does the plugin link on the left have a little red circle next to it? That means your website is out of date! If your site is seriously out of date (you haven’t updated anything in over a year) updating could break your site. Talk to a web developer first. If you choose to update the plugins or WordPress yourself, make sure you have a backup of your site and a developer you can call if something goes wrong.
2) Don’t use easy usernames
If any of your users have “admin” as a username, you’ll want to change it ASAP. If hackers can guess your username, they’re halfway done hacking into your site. Also, make sure the publicly visible name (set on the user page) is not the same as the login username. If you’re using Yoast SEO, make sure to remove the users from the sitemap, unless that’s a specific strategic SEO move.
3) Get a Security plugin and have someone install it correctly
I recommend Sucuri Security for websites, but Wordfence is also a popular choice. However, just installing a plugin doesn’t mean anything if you don’t apply the settings correctly.
4) Get a good website host
If you’re with a cheap hosting company, you can also get hacked through no fault of your own. Cheap hosting companies set up sites insecurely and can have many vulnerabilities. We recommend A2hosting for a balance between cost and quality.
5) Get a Security Upgrade to the whole site
White Fox Creative provides security overviews for websites to go beyond the simple solutions here to the technical aspects of security. If you’re getting hacked frequently, can’t get a hacker to stop, or want to preemptively secure your website, give us a call.
What about Squarespace or (insert your CMS system here)?
Squarespace, Wix, Weebly, and other CMSs that, unlike WordPress, are NOT open-source take care of security for you. This can be really nice if you’re a small company that needs a basic website with no bells and whistles and can’t afford to keep a website expert on retainer or doesn’t want to handle the security itself.
However, there is a downside. WordPress has thousands of developers who have helped develop it, with multiple reviews of code by experts before the code is added to the CMS. A proprietary CMS like Squarespace has a far more limited number of developers working on it; if vulnerabilities are found, their coders are the only ones who can fix them, and you have to wait until they do. But, since WordPress runs about 27% of the top 10 million websites online in 2017, there’s a much bigger target on WordPress than Squarespace.
The Most Important Thing
The bottom line for security is that while you will most likely get hacked, that doesn’t mean you can’t take precautions to make the hack less effective. And most importantly, when you do get hacked, get it taken care of as fast as possible.