How A Hacked Website Can Destroy Your Business?

In March 2016, Google reported that over 50 million websites were victims of hacking, a statistic that is evidently growing. If your website is hacked it could severely hurt your rankings, so acting fast is key. As a website owner, figuring out what to do next is your biggest headache. This guide will help you understand why hacking happens and the ways in which you can prevent it. It's more common than you think…

Many websites are built using four key content management systems: WordPress, Drupal, Joomla! and Magento. WordPress is the market leader, with 60% of the market share. For the purpose of this article we will therefore focus on WordPress, although much of the information will still apply to the other CMS platforms.

Why would anyone want to hack your website?

Quite often website owners underestimate the importance of securing their website, seeing themselves as an unlikely target. However, websites can be hacked simply because they are seen as vulnerable; some low-level hackers use software that hacks large numbers of sites automatically. When this does happen, many feel that it's a personal attack against their business and wonder what hackers gain from the malicious act.

Automated Black Bots

Websites can become visible targets to hackers through an automated script. Similar to how search engines crawl your website to index content, hackers use black bots to identify vulnerabilities.

Website data

If you run an ecommerce website, you will typically have a number of users making transactions online. Hackers see this as an opportunity to target financial information, e.g. credit card details.

Blackhat SEO

This form of hacking can become very lucrative. Hackers place redirects or links on your site to generate affiliate revenue. These are not always visible.

System resources

They look to access your server so they can send out thousands of spam emails, which can easily get your site and server blacklisted, increase your usage bills or even get your site shut down. They may also build a network off your server using botnets, which are interconnected systems across the net used to attack other websites with brute-force password attempts.

Malware

They may infect visitors' computers with malware such as viruses, keyloggers or other malicious software to capture information. Viruses can destroy or infect information on your device, including data on external storage. They can also take control of your device and use it to attack others. A keylogger is a piece of software that monitors user activity. It allows hackers to see every keystroke users have typed, allowing them to retrieve information such as email addresses, passwords and credit card details.

Repeat and shared hacking

Hackers often upload backdoors to your website so that they can upload information to your webspace. They sometimes make this public, meaning anyone can visit a URL and also upload information to your webspace. This creates a slave server similar to black bots.

Why do hackers target WordPress?

As mentioned above, WordPress dominates the market, making it the most popular CMS and website building software. This is generally down to its user-friendly interface, plethora of features and simple code, which makes it easier for search engines to index content.

In our experience, many hosting companies do not keep the version of WordPress on their clients' websites updated. This heightens the vulnerability of those sites and makes them an easier target for hacking. WordPress updates its core software regularly and these updates are becoming more frequent.

WordPress code is open source, meaning hackers have free rein to access the code base and identify any vulnerabilities. The same is true of most plugins and themes.

Hacking Example

We recently identified a hack that infected thousands of websites. Additional pages were built in every website that linked to a network of other sites. These pages had links to a Canadian pharmaceutical website.

The pages that were created by the hackers were not in the content management system, nor were the links visible on the site or in Google Search Console (i.e. Google Webmasters). The only way to identify whether a site had been hacked was to research the site's backlink profile in Majestic.com or to type the command “site:www.domain.com Viagra”. This would list all the pages in the site containing the word Viagra, revealing the hacked website pages.
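
A way to check saved copies of your pages for this kind of injection, as an added example that is not part of the original article: it lists links that leave your site, marks those sitting inside hidden elements, and reports spam terms found in the text. The term list, the inline-style checks and the example.com host names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

SPAM_TERMS = ("viagra", "cialis", "pharmacy")    # assumed list; extend as needed
HIDING = ("display:none", "visibility:hidden")   # assumed inline-style hiding tricks
VOID = {"br", "hr", "img", "input", "link", "meta"}  # tags that never get an end tag


class PageAuditor(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.stack = []      # (tag, hides_content) for every element still open
        self.offsite = []    # (href, is_hidden) for each link leaving the site
        self.terms = set()   # spam terms seen in page text or link targets

    def _scan(self, text):
        self.terms.update(t for t in SPAM_TERMS if t in text.lower())

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if tag not in VOID:
            self.stack.append((tag, any(h in style for h in HIDING)))
        href = attrs.get("href") or ""
        host = urlparse(href).hostname       # None for relative (same-site) links
        if tag == "a" and host and host != self.own_host:
            self._scan(href)
            self.offsite.append((href, any(h for _, h in self.stack)))

    def handle_endtag(self, tag):
        if any(t == tag for t, _ in self.stack):
            while self.stack.pop()[0] != tag:   # also drops unclosed children
                pass

    def handle_data(self, data):
        self._scan(data)


def audit_page(html, own_host):
    auditor = PageAuditor(own_host)
    auditor.feed(html)
    auditor.close()
    return {"offsite_links": auditor.offsite, "spam_terms": sorted(auditor.terms)}


# Constructed sample: one legitimate partner link and one injected, hidden link.
SAMPLE = """<p>Read our <a href="/blog">blog</a> or
<a href="https://partner.example.org/">partner site</a>.</p>
<div style="display: none"><a href="http://pills.example.net/buy">cheap viagra</a></div>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE, "www.example.com"))
```

Run it over every HTML file in a backup of the webspace, not only over pages the CMS knows about, since the injected pages in this hack lived outside the CMS.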

Does this sound familiar to you?
Give us a call on 0121 667 8785 and we can help/advise you.

What are the consequences of being hacked?

Being hacked can impact your business in the following ways:

Lose rankings

As soon as Google identifies that your site has been hacked it will stop ranking your website in search results, resulting in a huge loss of rankings and traffic to your site. Regaining those ranking positions can be highly dependent on how long your site is down.

Reputation

Although being hacked is out of your control, it can cause users to perceive you in a bad light. This can happen when the hack involves links or redirects to inappropriate websites being placed on your site.

Access to other systems

Many companies are now integrating their websites with internal accounting systems. In this situation a hacker who exploits your website may well have an open door to your internal accounting system.

Files and Databases

Some hacks have the ability to remove files and database entries, resulting in your site being destroyed. This may even be unrecoverable if you have no backups. This emphasises the importance of a reliable hosting company who will invest time in making updates and creating daily backups.


137 Golden Cross Lane,
Catshill, Bromsgrove,
B61 0LA

Contact Us

What can you do to prevent being hacked?

Different circumstances call for different solutions. Below are some basic actions to consider:

Quality Website Hosting

Invest in a quality hosting provider who will:

• Create daily backups of your website
• Scan for any unusual activity
• Avoid shared servers
• Ensure your CMS version is updated – being on a really old version can break your site when you come to update to the most current version, so it is important to maintain updates regularly

Maintain themes and plugins

Themes and plugins should be updated regularly to reduce the risk of being hacked. When adding new plugins it's especially important to check that they are trusted, as insecure code could leave you open to vulnerabilities.

Fortify your login

Limit login attempts – there are plugins available that will restrict an IP address after 3 failed login attempts

Two-step authentication – you can add an authentication stage after the user tries to log in, with a message or call

Whitelist IP addresses – these users are the only users that will be able to access the login page

Passwords

Web-based password generators – never use these unless the generator belongs to the server that is producing passwords.

Frequently change passwords – hackers can run scripts that input random passwords until one fits. Create a strong one using a range of upper and lower case letters with symbols, and be careful who you give those details to. Store passwords in a secure place, e.g. LastPass.

Additional security

Add SALTs to wp-config.php – create random lines of text to make it harder to crack

Set a unique table prefix rather than the default wp_ (as in wp_posts)

Remove version meta tag

Set correct file permissions

Disable your plugin and theme editor – this will mean code can only be changed by someone with FTP details

Turn off PHP error reporting – if a plugin or theme displays an error, the message that gets displayed can contain information about your directories and file system, so add code to disable it
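
The items in this list that live in wp-config.php (SALTs, table prefix, editor, error display) can be checked automatically. The audit script below is an added example, not code from the article or from WordPress; both sample configs are constructed, and the version meta tag and file permissions are outside its scope.

```python
import re

SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php

COMMENT_RE = re.compile(r"^[ \t]*(?://|#)[^\n]*", re.M)   # whole-line comments only
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def audit_wp_config(text):
    """Return a list of findings; an empty list means every check passed."""
    text = COMMENT_RE.sub("", text)   # a commented-out define() must not count
    defs = {name: val.strip("'\"") for name, val in DEFINE_RE.findall(text)}
    findings = []
    weak = [k for k in SALT_KEYS if defs.get(k, PLACEHOLDER) == PLACEHOLDER]
    if weak:
        findings.append("salts missing or placeholder: " + ", ".join(weak))
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix missing or default wp_")
    if defs.get("DISALLOW_FILE_EDIT", "false").lower() != "true":
        findings.append("plugin/theme editor enabled")
    # WP_DEBUG_DISPLAY defaults to true, so WP_DEBUG alone shows errors on pages.
    debug = defs.get("WP_DEBUG", "false").lower() == "true"
    display = defs.get("WP_DEBUG_DISPLAY", "true").lower() != "false"
    if debug and display:
        findings.append("errors displayed to visitors")
    return findings


# Constructed samples: a weak config and a hardened one.
WEAK = """define('AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
define( 'WP_DEBUG', true );
"""
HARDENED = "\n".join(
    f"define('{k}', 'constructed-value-{i}');" for i, k in enumerate(SALT_KEYS)
) + """
$table_prefix = 'k7x_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(WEAK):
        print("FAIL:", finding)
```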

Guide on how to fix WordPress hacks

• Identify the type of hack
• Check with your hosting company
• Use your backup and restore your site
• Update WordPress core and plugins
• Check folder permissions
• Update all of the passwords
• Beef up security

How to ‘Beef Up’ your security?

• Use a firewall, install a security plugin and a monitoring system
• Use a managed WordPress hosting solution
• Remove editors for plugins and themes
• Limit the number of login attempts
• Password protect your admin directory
• Hide directories such as wp-includes.
• Change the MySQL database table prefix.
• Never use the “admin” username.
• Make sure the .htaccess and wp-config.php files are protected.
• Do not allow directory browsing.
