There are three main places that a hacker can target your website:
- The server on which your website is hosted
- The website files themselves
- The connection between the person accessing the website and the site itself
Every day, an uncountable number of hack-bots crawl the web, visiting websites great and small simply by following every link they come across. These bots test every site for dozens of common vulnerabilities in one or more of these areas, and if they detect one, either execute the attack immediately or add the site to a list of sites for later hacking.
One of the most common questions I’m asked by people who want help cleaning up their website after a hack, and securing it so that it doesn’t happen again, is: why would someone do this? What could the possible benefit be from defacing a site like mine? There are many answers to this question.
- Some hackers are seeking to make money by driving traffic to their websites or sales affiliates. Since bots do most of the work and operate continuously for pennies a day, even while the “hacker” is asleep, every website they take over costs them a fraction of a fraction of a cent. If even one of those sites succeeds in redirecting someone to their sales page to buy their product (or have their information stolen when they think they’re buying a product!), they’ve made a profit on their efforts.
- Other hackers are seeking to spread political messages and/or scare people. Many terrorist organizations now employ their own groups of hackers whose job is to deface websites with upsetting or terrifying content in order to make people overseas feel unsafe.
- Because it’s easy for anyone with some computer programming knowledge to set up a hack-bot that looks for at least one common vulnerability, some hackers are literally teenagers who think it’s fun to cause mayhem and get a rise out of people.
This is why we urge all of our clients to take security very seriously. It costs hackers that fraction of a fraction of a penny to take your site over, but it can cost you thousands to regain control, fix the hacked content, and most damaging of all, to regain your lost reputation with your clients.
For years, we were able to secure only two of the three potential hacking avenues for our clients: their website files and the connection between the person accessing the website and the site itself. But once we’d done that, whether the server hosting their website was properly secured depended on whichever hosting provider the client decided to use. Some would choose notoriously insecure hosts, and when we raised concerns, we’d hear that old chestnut: My site is so small, who would want to spend the time to hack it?
But bots don’t worry about wasting their time. They have nothing but time. And that reality often led to very hard lessons being learned.
That’s why this year, we’ve changed up our website security and maintenance packages. Because it’s so critical that all three attack vectors be secured at once, we now include hosting with every single one of our website security retainers. That way, we can finally have total confidence that our clients’ sites are as safe as possible, and no one needs to learn how important web security is the hard way.
If you have website security and hosting concerns, we’d love to chat with you. Lock it down, speed it up and give your site the attention it deserves with specialized WordPress security & maintenance retainers.
Once the three main avenues for hacking are covered, that leaves only password hygiene to worry about. Read on to the second post in this series to learn the basics of password hygiene and how you can bring those practices to your whole company.