The Web For Business.com Blog

Internet marketing observations, perspectives, tips and tricks for your education and enlightenment.


What Hackers Want From Your Website

Mark Kawabe - Monday, January 30, 2017

Small business owners often downplay the risks of their websites being hacked. Yet, thousands of sites are hacked every day. Here are a few thoughts about what hackers might find valuable beyond your website itself.

Server Resources

There's a lot going on behind the scenes to put your website online. The computer that hosts your site (web server) has internet connectivity and resources beyond most personal computers. If hackers can place their software into your site, they can use the server's resources to launch more vulnerability scans, hacks and attacks against other sites. You've probably heard about Distributed Denial of Service (DDoS) attacks that take down large sites. Attackers do that by using thousands of computers (botnets) to flood another site with traffic, ultimately overwhelming it. Your website's server resources have value to a hacker, which gives them a reason to hack your site to access the server.

Compromising Your Visitors' Computers

If a hacker can put some software into your website's code, they can surreptitiously infect computers that visit your site. If your site receives 100 unique visitors a day and 10 of their computers get infected, that's 10 opportunities for hackers to retrieve sensitive data from your customers. You may think that because your site doesn't store sensitive data, it's not a target. Hackers think of your site as a means to an end.

Web Traffic

Some common hacks involve redirecting visitors from one site to another. One customer came to me to let me know their site (created by another developer) had been hacked and that it was intermittently redirecting visitors to a porn site. It's also possible for hackers to redirect visitors to a webpage that tries to install malware on the visitor's computer. Gaining access to your website gives hackers easy access to visitors they wouldn't otherwise get.

You're Not Paying Attention

Small businesses generally don't pay as much attention to their sites as do larger companies. As a result, small business websites are often easier targets for hackers, especially self-managed WordPress websites, which may not have core components, themes or plugins updated regularly. I did some checking on WordPress-based websites to see what version they were running. Out of 13 sites checked, 6 were running current versions of WordPress (4.7+). 3 were running version 4.6.3. The others were versions 4.5 and earlier, including one running version 3.5.1. If you think nothing's changed from a security perspective since WordPress 3.5.1, you're mistaken and your site is a sitting duck unless you've taken other steps to secure your site.

Your website by itself probably isn't that valuable. Hackers aren't going to deface your website and make it obvious they've been there. Instead, they'll rely on stealth and subterfuge to get access to the information and resources they're after.

How Do I Secure My Website?

If you have a static website, assuming your host has done a good job of securing the web server and all of its software components, you will have somewhat fewer vulnerabilities than a dynamic, CMS-based website. Access passwords for FTP and any scripts you run may provide opportunities for hackers to get into your site. With a CMS-based site, the usernames and passwords for the CMS are a common way for hackers to get in. Make sure your passwords are strong. An additional approach for all sites is to use a service like Sucuri to filter visits to your site so those trying to access it improperly are taken out of the mix. With WordPress specifically, ensure the WordPress core, themes and plugins are all updated regularly. You can add security plugins like iThemes Security Pro or Wordfence to help bolster your site's defenses.

Websites get hacked every day. You can help secure your site and protect your visitors by being aware of the risks and taking the appropriate steps before you get the call saying your site's been hacked. It's the best thing you can do for your business, and it could even protect you from being sued by a site visitor because you didn't take appropriate steps to secure your website. I'm not sure if that's possible, but it's a question I've posed to my LegalShield team. I'll have an answer in an upcoming post.

And So It Begins

Mark Kawabe - Monday, January 09, 2017

Today's the day most of us find ourselves back in the office after a well-deserved holiday break. Welcome back! For your new year's pleasure, I present a few thoughts on what will be important to think about when it comes to your business' online presence.

Security

I spent a lot of time over the break helping a former client deal with their hacked WordPress website. Resolving the hack required professional help beyond my level of expertise, and in the end, the site is now clean. While we weren't able to discover the root cause of the hack, I discovered many things that were troubling.

  • There was no license for the theme used for the site, so there had been no theme updates since 2015.
  • The theme came with a number of bundled plugins. These had also not been updated since 2015.
  • Many non-theme-related plugins hadn't been updated.
  • Backups had not been done on a regular basis.
  • Yada yada . . .

My Suggested Resolution For WordPress Site Owners: Make security a priority. Here's an action plan.

  1. Check to make sure everything's been updated. Themes. Plugins. Verify you have licenses. Many are good for a year. If they're only good for a year, make sure they get renewed.
  2. Back up your site regularly. I use BackupBuddy, but it doesn't really matter what you use, as long as you back up. By regularly, I mean a full weekly backup of your database and files at a minimum. If you have a site that changes daily, then do a full daily backup. Store your backups on a different server than your website is on if possible.
  3. Install security software. I use iThemes Security Pro. Wordfence is another one that seems to be good.
  4. Change your passwords. If you don't know what a strong password is, then you probably don't have one. Get one. WordPress will make one for you. I suggest you use it. Call me if you have questions.
  5. Stay on top of things. WordPress, themes and plugins are updated regularly. Hacks evolve regularly as well. Vigilance is important.
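
The update and backup checks from steps 1 and 2, as an added example that is not part of the original post. It assumes WP-CLI is installed on the host and reads the JSON printed by `wp core check-update`, `wp plugin list` and `wp theme list` with `--format=json`; the component names, versions and dates below are constructed sample data.

```python
import json
from datetime import datetime, timedelta

MAX_BACKUP_AGE = timedelta(days=7)  # step 2: a full weekly backup at a minimum

# Constructed sample data in the shape WP-CLI emits with --format=json.
# Names, versions and the URL are made up for illustration.
SAMPLE_CORE = '[{"version": "4.7.2", "update_type": "minor", "package_url": "https://example.invalid/wp.zip"}]'
SAMPLE_PLUGINS = '''[
  {"name": "example-slider", "status": "active", "update": "available", "version": "1.2.0"},
  {"name": "example-forms", "status": "inactive", "update": "available", "version": "3.0.1"},
  {"name": "example-seo", "status": "active", "update": "none", "version": "5.4.0"}
]'''
SAMPLE_THEMES = '[{"name": "example-theme", "status": "active", "update": "none", "version": "2.1.0"}]'


def pending_updates(listing_json, kind):
    """Return one finding per plugin or theme that has an update waiting.

    Inactive components are reported too: their files are still on the server.
    """
    findings = []
    for item in json.loads(listing_json):
        if item.get("update") == "available":
            findings.append(f"{kind} {item['name']} {item['version']} ({item['status']}) has an update available")
    return findings


def audit(core_json, plugins_json, themes_json, newest_backup, now):
    """Collect findings for steps 1 and 2 of the action plan."""
    findings = []
    for offer in json.loads(core_json):  # an empty list means core is current
        findings.append(f"core update to {offer['version']} available ({offer['update_type']})")
    findings += pending_updates(plugins_json, "plugin")
    findings += pending_updates(themes_json, "theme")
    if newest_backup is None:
        findings.append("no backup found")
    elif now - newest_backup > MAX_BACKUP_AGE:
        age = (now - newest_backup).days
        findings.append(f"newest backup is {age} days old (limit {MAX_BACKUP_AGE.days})")
    return findings


if __name__ == "__main__":
    now = datetime(2017, 1, 9, 9, 0)  # constructed "today"
    for line in audit(SAMPLE_CORE, SAMPLE_PLUGINS, SAMPLE_THEMES, datetime(2016, 12, 20, 3, 0), now):
        print("FINDING:", line)
```

A premium theme or plugin whose license has lapsed generally reports no update at all, so the license check in step 1 still has to be done by hand.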

If you have a WordPress website and you're not sure if it's secure, contact me and I'll be happy to help.

Here's wishing you a happy, healthy, prosperous and hack-free 2017!