Has my WordPress website been hacked?
WordPress is the single most popular website platform in the world, powering about 39% of all websites. So if you have a WordPress website, that is a good thing: it is Open Source and relatively easy to use, and there are loads of great, innovative plugins or extensions available if you want to add a booking engine, a contact form or eCommerce. WooCommerce is the most popular eCommerce plugin or extension in the world at about 30%. The innovation within WordPress is second to none, because so many third-party plugin developers have opted to develop for WordPress integration. So pat yourself on the back if you are using WordPress.
However, just like owning a Ford or an Opel, you now have some responsibilities, such as insurance, servicing, fuelling, tyres and so on, in order to avoid accidents.
Be aware that the popularity of WordPress makes it a target for hackers, who are very familiar with the platform and know how to find any vulnerabilities, flaws or open doors. They target WordPress because it is so commonly used, so it is very important to ensure that you are not exposed to such hacks. Generally, these hackers find a vulnerability in a plugin that has not been updated, or in a version of the WordPress platform that has not been updated. These ‘updates’ should be applied regularly. Most responsible plugin developers will release an update if a vulnerability or flaw is found in their code, and that update should be applied as soon as possible. Hackers who find a flaw will post or ‘share’ details of it on forums or in groups, so that they can all have ‘fun’ with their hacker friends. They generally target any or every site, not yours in particular.
Why would anyone hack your website? 8 reasons
There are a few reasons including:
1. Using your resources – you are paying for hosting, and hackers can use or piggyback on your hosting resources rather than pay for their own.
2. Anonymity – Hackers like to use other people’s websites to send out spam whilst they remain ‘hidden’. Once they hack your site they can spam people in your name, which damages your website’s credibility or reputation with Google. Obviously it will also damage your standing in the community if you are seen to be sending out spam. The search engines will punish any site that is seen to be spamming, so you can be dropped in the rankings or dropped totally from their search results. The hacker does not care; they just move on to another victim. They usually spam from multiple sites at the same time, so you become collateral damage. By inserting their code into your website they can spam, but they can also promote products that are not yours. This becomes obvious when you go to the site of a legal firm and notice they are also selling or promoting ladies’ clothing or adult toys. But usually it does not present itself in such an obvious way. Skilled hackers will stay hidden whilst they use up your resources and damage your reputation with Google.
3. Self promotion – some hackers want to promote a cause, a political aim or a viewpoint, so they use your site to make their statement seen, with impunity. Sometimes that cause is themselves, just to say ‘look at me, I hacked this site’. It is just like spray-painted graffiti, but in a digital format.
4. Reputation damage – This is usually reserved for the bigger websites, but hackers can do damage to websites of any size, for example by adding a bit of code to a site to negatively affect its rankings. Sometimes the hacker gains access, takes control of the website and then publishes a negative message, simply to damage your reputation.
5. Backlinks – Many spammers will add a bit of code to your website simply to generate a backlink from it, to add credibility to some other site that could be selling Viagra or worse. Again, your reputation will be damaged in Google’s eyes. You might think this is not your fault, but Google works on the basis that it is up to you to keep your website secure from hackers. These people generally make money from doing this, otherwise they probably would not bother.
6. Malware – Hackers can also hack your website and demand a ransom. Worse again, your website can be used to infect your visitors with ransomware: the hackers attack your customers or visitors and, after infecting their machine, demand around €250 to have it unlocked. It is not a lot of money, but paying it once usually leads to a second and third demand at a later date.
7. Kudos – Some hackers will hack your site just to show their mates what they did. It could be a group of hackers around the world playing games with your website to display their skills to their friends. They will try to outdo each other by hacking tougher sites, some of which have seemingly been protected; in that case they would be looking for a site with a lot of traffic. But on a local scale you will find hackers in every small town, so you are exposed to the local kids playing with your reputation.
8. Revenge – Hopefully you will never be hacked by a disgruntled past employee, but it does happen. In fact, a disgruntled past web developer is more likely. Either way, always change your website access passwords when someone who had access to your website and hosting leaves your employ, and make the password hard to crack.
How do they decide who to hack?
It could be a site with a lot of traffic, just to show off, but usually it is to hijack your good name in Google or to use your resources. Much like having a car, it just goes where you want it, until that fateful day when someone crashes into it. Then it becomes a major upset. If you have insurance in place, that will make a massive difference; without insurance, much like with the car, you expose yourself to serious stress and loss of earnings. Plus, if you are not insured or are not taking adequate precautions, you could be liable for any damage and be punished by Google.
If your website is used to do any damage to someone else’s business you could also be sued for those damages.
With over 50,000 WordPress plugins or extensions available, your web developer will have used a number of them in your website, such as a contact form plugin or a gallery plugin. Every single one has to be scrutinised, monitored and kept up to date. Many are created by people who can string a bit of code together and make their plugins or shortcuts available at no charge. They may mean well, but they are unknowingly creating a door for hackers, who find these vulnerable add-ons in websites.
The WordPress platform is much like a large plugin, in so much as it is a large piece of code that is continually being added to, and therefore the WordPress developers publish updates and security patches when needed, which is quite frequently. These free patches or updates need to be applied to your website and then tested to see that the update does not affect any of the legitimate plugins, such as your contact form or booking engine. Every one of them is an access point to your website. The developer of each plugin should be continually updating their core code to avoid hacks, but many plugins are given away free and never maintained.
Steps to avoid being hacked – a simple checklist
1. Avoid ‘free’ plugins and simply pay for the annual subscription or lifetime support.
2. You will probably need or want some plugins, but do keep your plugins to a minimum.
3. Many hackers get in at the subscription form or in the comments section of your site, so add a little reCAPTCHA to check that you are not the subject of a brute force hack attempt.
4. Likewise, invest a small amount in a security plugin such as Sucuri or Wordfence.
5. SSL is pretty much a minimum standard now, so check that your website has an SSL cert, which means your website will be https://meanit.ie rather than just http://. Avoid any free SSL cert if it does not automatically broadcast that your domain has been checked and is secure.
6. Keep your plugins up to date. Appoint someone to be responsible for applying any updates when they become available; at a minimum it can be done during your monthly maintenance. And ensure there are no conflicts between plugins.
7. Always keep a clean backup of your entire website, and create a new one before applying updates or adding new plugins. That way, when something goes wrong or you get hacked, you will be able to restore it from the backup.