Know when your WordPress Website has been hacked.
WordPress is the single most popular website platform in the world, at about 39% of all websites. So you may have a WordPress website and that is a good thing, as it is Open Source and relatively easy to use. And there are loads of great innovative plugins or extensions available if you want to add a booking engine, a contact form, or eCommerce.
WooCommerce is the most popular eCommerce plugin or extension in the world at about 30%. The innovation within WordPress is second to none because so many third-party developers of plugins have opted to develop for WordPress integration. So pat yourself on the back if you are using WordPress.
However, just like having a Ford or an Opel, you now have some responsibilities, such as insurance, servicing, fueling, tires, and so on, in order to avoid accidents.
Be aware that the popularity of WordPress makes it a target for hackers, who are very familiar with the platform and know how to find vulnerabilities, flaws, or open doors. They target WordPress because it is so commonly used, so it is very important to ensure that you are not exposed to such hacks.
Generally, these hackers will find a vulnerability in a plugin.
Typically it is a plugin that has not been updated, or a version of the WordPress platform itself that has not been updated. These ‘updates’ should be applied regularly. Most responsible plugin developers will send out an update if a vulnerability or flaw is found in their code, so that update should be applied as soon as possible. Hackers who find a flaw will post or ‘share’ details of it on forums or in groups so that they can all have ‘fun’ with their hacker friends. They generally target any or every site, not yours in particular.
Why would anyone hack your website? 8 reasons
There are a few reasons including:
1. Using your resources
You are paying for hosting and hackers can use or piggyback on your hosting resources rather than pay for their own.
2. Anonymity
Hackers like to use other people’s websites to send out spam, whilst they remain ‘hidden’. Once they hack your site they can spam people in your name, which damages the credibility and reputation of your website with Google. Obviously, it will also damage your standing in the community if you are seen to be sending out spam. The search engines will punish any site that is seen to be spamming, so you can be dropped in the rankings or dropped totally from their search. The hacker does not care; they just move on to another victim. They usually spam from multiple sites at the same time, so you become collateral damage. By inserting their code into your website, they can spam, but they can also promote products that are not yours. This becomes obvious when you go to the site of a legal firm and notice they are also selling or promoting ladies’ clothing or adult toys. But usually, it does not present itself in such an obvious way. Good hackers will stay hidden, whilst they suck up your resources and do reputation damage with Google.
3. Self-promotion
Some hackers want to promote a cause, a political aim, or a viewpoint. So they use your site to make their statement seen, with impunity. Sometimes that cause is themselves, just to say look at me, I hacked this site. It is just like spray-painted graffiti but in a digital format.
4. Reputation damage
This is usually reserved for the bigger websites, but hackers can do damage to websites of any size. They may add a bit of code to a site to negatively affect its rankings. Sometimes, the hacker gains access and takes control of the website, then publishes a negative message, simply to damage your reputation.
5. Backlinks
Many spammers will add a bit of code to your website simply to generate a backlink from it to add credibility to some other site that could be selling Viagra or worse. Again, your reputation will be damaged in Google’s eyes. You might think this is not your fault, but Google works on the basis that it is up to you to keep your website secure from hackers. These people generally make money from doing this, otherwise, they probably would not bother.
6. Malware
Hackers can also hack your website and demand a ransom. Worse again, your website can be used to infect your visitors with ransomware. The hackers attack your customers/visitors and, after infecting their machine, demand around €250 to have it unlocked. It is not a lot of money, but paying it once usually leads to a second and third demand at a later date.
7. Kudos
Some hackers will hack your site, just to show their mates what they did. It could be a group of hackers around the world, playing games with your website, to display their skills to their friends. They will try to outdo each other, by hacking tougher sites, some of which have seemingly been protected. In that case, they would be looking for a site with a lot of traffic. But on a local scale, you will find hackers in every small town, so you are exposed to the local kids playing with your reputation.
8. Revenge
Hopefully, you will never be hacked by a disgruntled past employee, but it does happen. In fact, a disgruntled past web developer is more likely. Either way, always change your website access passwords when someone who had access to your website and hosting leaves your employ. And make the password hard to crack.
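Reasons 2 and 5 describe code inserted into your pages that promotes someone else's products or adds hidden backlinks. The following is an added example, not part of the original article: a small Python audit that lists every link on a page pointing to a host you have not approved, and marks the ones hidden by inline styles. The allowlist, the hiding heuristics and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this (constructed) law-firm site is expected to link to.
ALLOWED_HOSTS = {"example-lawfirm.test", "wordpress.org"}
# Heuristic: inline-style fragments often used to hide links from visitors.
HIDING_HINTS = ("display:none", "visibility:hidden", "left:-")
VOID_TAGS = {"br", "img", "input", "hr", "meta", "link"}

class LinkAuditor(HTMLParser):
    """Collect links to unlisted hosts and note whether each one is hidden."""
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, hides_content) for every open element
        self.findings = []   # (host, href, hidden)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hides = any(hint in style for hint in HIDING_HINTS)
        if tag == "a" and attrs.get("href"):
            host = (urlparse(attrs["href"]).hostname or "").lower()
            if host and host not in ALLOWED_HOSTS:
                hidden = hides or any(h for _, h in self.stack)
                self.findings.append((host, attrs["href"], hidden))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag so unclosed <p>/<li> do not skew state.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = LinkAuditor()
    parser.feed(html)
    return parser.findings

# Constructed sample page, not taken from a real site.
SAMPLE = """<p>Contact our <a href="/contact">solicitors</a> or read about
<a href="https://wordpress.org/">WordPress</a>.</p>
<div style="position:absolute; left:-9999px">
<a href="http://cheap-pills.test/buy">cheap pills</a></div>
<footer><a href="https://partner-directory.test/listing">Directory</a></footer>"""

if __name__ == "__main__":
    for host, href, hidden in audit(SAMPLE):
        print(("HIDDEN " if hidden else "REVIEW ") + host, href)
```

A hidden link to an unlisted host is a strong sign of injected code; a visible one may simply be a link you forgot to add to the allowlist.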
How do they decide who to hack?
It could be a site with a lot of traffic, just to show off. But usually, it is to hijack your good name in Google or to use your resources. Much like having a car, it just goes where you want it, until that fateful day when someone crashes into it. Then it becomes a major upset. If you have insurance in place, that will make a massive difference. Without insurance, much like the car, you expose yourself to serious stress and loss of earnings. Plus if you are not insured or are not taking adequate precautions, you could be liable for any damage and be punished by Google.
If your website is used to do any damage to someone else’s business you could also be sued for those damages.
With over 50,000 WordPress plugins or extensions available, your web developer will have used a number of them in your website, such as a Contact Form plugin or a Gallery plugin. Every single one has to be scrutinised, monitored, and kept up to date. Many are created by people who can string a bit of code together and make their plugins or shortcuts available at no charge. They may mean well, but they are unknowingly creating a door for hackers, who look for these vulnerable add-ons in websites.
The WordPress platform is much like a large plugin.
The WordPress platform is much like a large plugin, inasmuch as it is a large piece of code that is continually being added to. The WordPress developers therefore publish updates and security patches when needed, which is quite frequent. These free patches or updates need to be applied to your website and then tested to see that the update does not affect any of the legitimate plugins, such as your contact form or booking engine.
Every one of them is an access point to your website. The developer of the plugin should be continually updating their core code to avoid hacks, but many plugins are given away free and never maintained.
Steps to avoid being hacked – a simple checklist
1. Avoid ‘free’ plugins
Instead, simply pay for the annual subscription or lifetime support.
2. Keep your plugins to a minimum.
You will probably need or want some plugins but do keep your plugins to a minimum.
3. Add a little reCAPTCHA
Many hackers get in at the subscription form or in the comments section of your site, so add a little reCAPTCHA to check that you are not the subject of a brute-force hack attempt.
4. Invest in a security plugin.
Likewise, invest a small amount into a security plugin such as Sucuri or Wordfence.
5. SSL is pretty much a minimum standard now.
SSL is pretty much a minimum standard now, so check that your website has an SSL cert, which means your website address will be https://meanit.ie rather than just http://. Avoid any free SSL cert if it does not automatically broadcast that your domain has been checked and is secure.
6. Keep your plugins up to date.
Keep your plugins up to date. Appoint someone to be responsible for applying any updates when the updates become available. It can be done during your monthly maintenance at a minimum. And ensure there are no conflicts between plugins.
7. Always keep a clean backup of your entire website.
Always keep a clean backup of your entire website and create a new one before applying updates or adding new plugins. That way, when something goes wrong or you get hacked, you will be able to restore it from the backup.
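Steps 6 and 7 together, as an added example that is not part of the original article: a Python sketch that archives the site files before an update, records a SHA-256 digest of every file, and afterwards reports what changed, so an expected plugin update can be told apart from a file nobody put there. The directory layout and file names are constructed; the sketch covers files only, and the database needs its own export.

```python
import hashlib
import os
import tarfile
import tempfile

def build_manifest(root):
    """Map every file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def make_backup(root, archive_path):
    """Archive the site files and return the manifest taken at the same moment."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname="site")
    return build_manifest(root)

def compare(baseline, root):
    """List files added, removed or modified since the baseline manifest."""
    current = build_manifest(root)
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }

def write(path, text):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed site tree: back up, apply a plugin update, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        site = os.path.join(tmp, "public_html")
        form = os.path.join(site, "wp-content/plugins/contact-form/form.php")
        write(os.path.join(site, "index.php"), "<?php // front page")
        write(form, "<?php // contact form 1.0")
        baseline = make_backup(site, os.path.join(tmp, "site-backup.tar.gz"))
        write(form, "<?php // contact form 1.1")   # the expected update
        write(os.path.join(site, "wp-content/uploads/extra.php"), "<?php // unknown")
        return compare(baseline, site)

if __name__ == "__main__":
    print(demo())
```

Keep the archive and the manifest somewhere other than the web server, so that anyone who gets into the site cannot alter the copy you would restore from.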
Find out more about WordPress maintenance to protect your website or see our full Security Checklist.