Has your website been hacked?

Every day, somewhere in the vicinity of 10,000 websites are hacked or compromised in some way.

What do we mean by hacked and compromised? We mean that someone has breached the security of your website and inserted some malicious content. That malicious content can take the form of viruses, trojans, worms, keyloggers, spyware and so on.

Typically, if your website has been hacked or compromised in some way and a visitor views it, either they will be redirected to another website that contains malware, or malware on your own website will attempt to exploit vulnerabilities in the visitor’s browser and/or operating system.

Once your computer has been infected, it can be used to send out Spam, or information can be stolen from you and used for fraudulent activities and Identity Theft.

This is why it is so important to keep things like Java, Flash, the browser itself and Windows up to date on your computer. To further complicate matters, if you are using Windows XP, it is inherently less secure than Windows 7 and 8, and worse still, Microsoft will cease to support Windows XP after April 2014. So at that time, expect to see a spike in infected PCs.

So back to whether your website has been hacked or compromised.

If your website has been hacked, the first you are likely to know about it is when a visitor tells you that their browser showed a message warning them that your website is a known attack site. Google, for example, scans millions of websites looking for malicious content, and will mark your site as an Attack Site and warn visitors.

Reported Attack Site

The other way you may become aware of it is through the Google Webmaster Tools website, if you have your website set up there of course.

Google have a series of videos explaining what it means to be hacked and how to remedy the hack and get your website off the Blacklist.

Here is the first video in the series:

CMS Websites at risk from Hackers

Content Management System (CMS) websites like WordPress have long been a target for hackers.

CMS platforms like WordPress are popular because they are free and Open Source, and flexible enough that just about anybody can create a website, blog or eCommerce website with relative ease.

The problem is that a lot of website owners fail to keep their CMS and plug-ins up to date.

New versions of the platform and plug-ins are regularly released, not just to improve functionality, but to plug security holes.

This is why hackers love to target CMS websites. They know there is a high chance of discovering an unpatched website.

Even if you do keep the platform and plug-ins up to date, you must also do a few other things.

Here is a checklist:

  • Use a strong Password – Do not use simple, easy-to-guess passwords. Never use “Password” as your password, for example. Also avoid using dictionary words, pets’ names, family members’ names etc. Use upper and lower case letters in combination with numbers and keyboard characters like @#$%^&* if possible. If you find it difficult, try substituting some letters with characters or numbers. For example MyPassword2013 could become MyP@55w0rd2013.
  • Use a good Security Plug-in – My favourite Security Plug-in is Better WordPress Security. Among the things it does:
    • Change the URLs for WordPress dashboard including login, admin, and more
    • Rename “admin” account
    • Change the ID on the user with ID 1
    • Change the WordPress database table prefix
    • Change wp-content path
    • Ban troublesome bots and other hosts
    • Ban troublesome user agents
    • Prevent brute force attacks by banning hosts and users with too many invalid login attempts
    • Enforce strong passwords for all accounts of a configurable minimum role
    • Detect and block numerous attacks to your filesystem and database
  • Add CAPTCHA to your User Log-in – I like to use another Plug-in called SI-CAPTCHA Anti-Spam.  Not only does it add CAPTCHA to your Log-in, but to WordPress forms for comments, registration, and lost passwords too.
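
To show what the brute-force item in the checklist is doing, here is an added example (not code from Better WordPress Security or from this post) that scans a web server access log for hosts with too many failed WordPress logins in a short time. The log lines are constructed, and the threshold, the window and the function names are assumptions; it relies on WordPress answering a failed login POST with status 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Helper for the constructed sample below (Apache/nginx combined format).
def sample_line(host, hhmmss, method, status):
    return (f'{host} - - [12/Mar/2013:{hhmmss} +0000] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 512 "-" "-"')

SAMPLE_LOG = "\n".join(
    # 8 failed logins in 14 seconds: a password-guessing run
    [sample_line("203.0.113.7", f"10:00:{s:02d}", "POST", 200) for s in range(0, 16, 2)]
    # 7 failed logins an hour apart: a forgetful user, not a burst
    + [sample_line("198.51.100.4", f"{h:02d}:15:00", "POST", 200) for h in range(8, 15)]
    # one typo, then a successful login (302) and a plain page view
    + [sample_line("192.0.2.10", "09:30:00", "POST", 200),
       sample_line("192.0.2.10", "09:30:20", "POST", 302),
       sample_line("192.0.2.10", "09:31:00", "GET", 200)]
)

def failed_logins(log_text):
    """Yield (host, time) for each POST to wp-login.php answered with 200."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)  # lines in another format are skipped
        if (m and m["method"] == "POST" and m["status"] == "200"
                and m["path"].split("?")[0].endswith("/wp-login.php")):
            yield m["host"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def hosts_to_ban(log_text, max_failures=5, window=timedelta(minutes=5)):
    """Return hosts with more than max_failures failed logins inside one window."""
    attempts = defaultdict(list)
    for host, when in failed_logins(log_text):
        attempts[host].append(when)
    banned = set()
    for host, times in attempts.items():
        times.sort()
        start = 0
        for end, when in enumerate(times):
            while when - times[start] > window:
                start += 1  # drop attempts older than the window
            if end - start + 1 > max_failures:
                banned.add(host)
                break
    return sorted(banned)
```

Only the host that fails repeatedly within the window is returned; the user who mistypes once, or fails a few times spread over a day, is left alone.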

It may sound daunting, but if you have your website hosted and maintained by Spotty Dog Computer Services, all the updates are included in our Monthly Maintenance Fee. And as an added bonus, if a hacker does manage to compromise your website, we make regular backups so we can restore your website if it all turns pear-shaped 🙂