Website Security Warning: Your Site is Getting Mugged!
When it comes to website security, Santa Rosa business owners probably don’t think they have much to worry about… After all, we’re just a small city with a lot of small local businesses. Why should anyone want to hack one of our websites?
That was a comforting belief, and I held on to it for as long as I could. Too bad it wasn’t true.
Here’s reality. If you have a modern website, chances are your website is getting mugged, and you don’t even know about it. If it hasn’t happened yet, give it time.
If you think I’m making this up, here are some sobering statistics:
- Google announced last year that website hacking was up by 32%.
- Over 40% of small business websites get hacked every year.
- More than 30,000 small business websites are hacked DAILY (this number is from a couple years ago, and my guess is that number is double that today…)
- The Globaldots Q3 2017 State of the Internet Security Report noted “a significant jump” in web attacks. The overall number rose by 30% in Q3 2017 while the number of attacks in the US jumped 48% over documented cases in the second quarter. And most alarming, the overall number jumped 69% year over year! Wow!
- Small business sites like yours are getting hacked right here locally.
Why am I giving attention to website security? Because it’s hitting close to home.
In the past 90 days, five of my clients’ sites have been hacked. (Note: in ALL cases, these sites were not being professionally maintained and updated… We’ll address this later.)
One respected security pro put it this way, and I’m paraphrasing, “There are two types of business owners: those who know their websites are under attack and those who don’t know their sites are under attack.”
Why and How Hackers Do it
Most hackers today ply their craft because it pays. Cyber criminals make money by compromising websites—even small ones like ours.
Hacking a website can earn them a substantial amount of money by distributing malware, injecting SEO spam and setting up phishing sites and e-mail spam servers.
But, contrary to popular belief, hackers today are not manually working to gain entry on most sites.
Rather, they use automated scanning programs (“bots”) that crawl the Internet seeking vulnerabilities at light speed. They crawl many thousands of websites in a very short amount of time.
Depending on their programming, they will use different methods to compromise websites. Some seek entry through a login process by trying hundreds of password combinations, while others attempt entry by exploiting vulnerabilities in site software. Examples of the latter are generally outdated themes, plugins or even core WordPress software.
10 Telltale Signs that Your Website has been Hacked
You may not even know your site has been hacked, but there are some telltale signs. Here’s a list:
- Your content is defaced or replaced. Most hackers today are more subtle, but hackers used to leave a “mark.” One of my clients once reported that she found porn displayed on her website. Not a good thing for a professional reputation.
- The “red screen of death.” If your browser bars you from displaying your own site, it is probably because malware has been detected.
- Spam user accounts. You may see this if you log in and examine the User Accounts section.
- Site traffic falls off noticeably. This can happen if site traffic is being intercepted and sent to other, probably spammy sites. Or, if Google blacklists your site for malware or phishing, it can be removed from search results. (Use Google’s Transparency Report tool to check this.)
- Site crashes or suddenly loads very slowly. Although there may be other causes, it can also mean your site is slowed by sending spam emails.
- Erroneous search results. Google on your site occasionally. If it ever shows the wrong site title and meta description, malware may be present in your site.
- Inability to log in to your site. Hackers may have jiggered the admin account you usually use to log in, and even a password re-set can’t fix this.
- Strange files and scripts in your host account. Unless you are a geek, you won’t know about this. However, there are plugins that can monitor your host files and report the presence of questionable files, usually found in the /wp-content/ folder.
- Email troubles. While most email issues are not related to malware on your website, some are. If you suddenly cannot send or receive emails, contact your host provider, since hackers may have taken control of your site and/or your email. The same may be true if your own emails start being marked as spam, which may be due to your site—and your email address—being used as a spam generator.
- Unknown plugins. Hackers can inject malware by disguising them as plugins. Make a list of the ones you or your web designer authorize, and research any new ones that crop up to make sure they are legitimate.
9 Ways to Protect Your Website from Getting Hacked
There is no guarantee that your site will never get hacked. Sorry. That’s like a doctor promising that you’ll never catch a cold. That said, there is a LOT you can do to minimize the chances that your site will get hacked. Here is a partial list, and most of these steps are within reach for less technical site owners.
- Update all site software regularly. This includes the theme, all plugins and core WordPress software. (You might want to seek qualified assistance, since untrained users often crash their site by simply clicking the red “update” buttons…)
- Create a unique login. The default “admin” login is the first one hackers will try. Use something else. Already use that login? Create a new one, then delete the admin account.
- Create a strong password. Use a combination of characters, including letters, numbers and symbols. The longer, the better, but 10-15 characters is probably a good range.
- Install a reCaptcha plugin. This forces a check that the user is human and helps prevent bots from gaining entry.
- Review your user accounts. Make sure that you or your web designer have approved all the users on your site. If you don’t recognize a user account and can’t verify it, delete it.
- Apply an SSL certificate. The “secure socket layer” protocol encrypts data sent between your site and users or visitors, which adds a layer of protection. It’s also STRONGLY RECOMMENDED for sites that accept user data of any kind, such as email names, passwords or credit card data. The HTTPS prefix before your domain name gives people a greater assurance of safety on your site.
- Delete unused themes and plugins.
- Use a security plugin. Plugins like Wordfence and Defender can detect and help identify suspicious activity and prevent unauthorized site access.
- Use malware scanning. A regular malware scan is an excellent investment in website security. Be sure to heed any warnings the system generates and respond to them immediately.
Concerned about Website Security?
Note: If you’re ready to do something about website security, consider subscribing to our WordPress website maintenance service. We take care of all software updates, implement regular malware scans, optimize for page speed and provide advice that helps keep your website safe and healthy. We also issue a monthly report of all service that was performed.