It’s a beautiful day. The early morning sun is shining through your window as you sit down at your desk. You smile as you inhale the fragrant steam from the freshly brewed coffee in your cup, and open your email ready for anything. Except this! Your inbox is full of frantic messages from customers demanding to know if their information is safe. Your company website has been hacked, and in its place is a seething mess of advertisements for off-brand Viagra, pornography, and political messages in support of terrorist organizations.
This scenario happens to thousands of business owners a day. And though I don’t want to sound alarmist, it could happen to you if you don’t take proper precautions. In fact, if you have a dynamic website that lets you make updates whenever you need to and you haven’t thought about how to protect it, it likely will.
Many people falsely assume that because their site gets little traffic, or is small, or because it does not store personal information, it won’t be a target for hacking, and therefore they can afford to save a little money and time by not securing their website.
Although it’s true that larger sites see more hacking attempts, and sites that store personal information of any kind (including simply email addresses) experience more intense hacking attempts, that does not mean your hacking risk is zero if your website lacks these components; in fact, we find that the average 5-page informational website experiences a minimum of 10 hacking attempts per day.
There are three main places that a hacker can target your website:
- The server on which your website is hosted
- The website files themselves
- The connection between the person accessing the website and the site itself
Every day, an uncountable number of hack-bots crawl the web, visiting websites great and small simply by following every link they come across. These bots test every site for dozens of common vulnerabilities in one or more of these areas, and if they detect one, they either execute the attack immediately or add the site to a list for later hacking.
One of the most common questions I’m asked by someone who wants help cleaning up their website after a hack, and securing it so that it doesn’t happen again, is: Why would someone do this? What could the possible benefit be from defacing a site like mine? There are many answers to this question.
- Some hackers are seeking to make money by driving traffic to their websites or sales affiliates. Since bots do most of the work and operate continuously for pennies a day, even while the “hacker” is asleep, every website they take over costs them a fraction of a fraction of a cent to gain control of. If even one of those sites succeeds in redirecting someone to their sales page to buy their product (or have their information stolen when they think they’re buying a product!), they’ve made a profit on their efforts.
- Other hackers are seeking to spread political messages and/or scare people. Many terrorist organizations now employ their own groups of hackers whose job is to deface websites with upsetting or terrifying content in order to make people overseas feel unsafe.
- Because it’s easy for anyone with some computer programming knowledge to set up a hack bot that looks for at least one common vulnerability, some hackers are literally teenagers who think it’s fun to cause mayhem and get a rise out of people.
This is why we urge all of our clients to take security very seriously. It costs hackers that fraction of a fraction of a penny to take your site over, but it can cost you thousands to regain control, fix the hacked content, and most damaging of all, to regain your lost reputation with your clients.
For years, we were able to secure only two of the three potential hacking avenues for our clients: their website files and the connection between the person accessing the website and the site itself. But once we’d done that, whether the server hosting their website was properly secured came down to whichever hosting provider the client decided to use. Some would choose notoriously insecure hosts, and when we raised concerns, we’d hear that old chestnut: “My site is so small, who would want to spend the time to hack it?”
But bots don’t worry about wasting their time. They have nothing but time. And that reality often led to very hard lessons being learned.
That’s why this year, we’ve changed up our website security and maintenance packages. Because it’s so critical that all three attack vectors be secured at once, we now include hosting with every single one of our website security retainers. That way, we can finally have total confidence that our clients’ sites are as safe as possible, and no one needs to learn how important web security is the hard way.
If you have website security and hosting concerns, we’d love to chat with you. Lock it down, speed it up and give your site the attention it deserves with specialized WordPress security & maintenance retainers.
Once the three main avenues for hacking are covered, that leaves only password hygiene to worry about. Read on to the second post in this series to learn the basics of password hygiene and how you can bring those practices to your whole company.