Why do websites get hacked? (and 5 ways to help protect yours)

If you are a small business, you might think nobody will want to hack your website. Think again. But why do websites get hacked?

Yesterday we investigated and cleaned a hacked website for a catering company in London. Nothing unusual in that – but it did remind me of a question another customer asked me the other week when we were discussing the need to update their site to be compatible with PHP 8. They asked, “Why would anyone want to hack our site?”

Why do websites get hacked? It is a great question, so I thought I’d share my thoughts on why your small business website might be targeted and why we focus on website security as a core pillar of our Website Care Plans.

Why and how does a website get hacked?

Websites are attacked in a number of ways and for a number of reasons.

Automated tools are the most common way websites get hacked. This approach is popular among hackers as it offers the best results for the least effort.

Exploiting software vulnerabilities is a common way in for a hacker. This is what happens with WordPress sites: hackers search for websites running specific themes and plugins that have vulnerabilities, then try to exploit them.

How often do websites get hacked? Are you ready? Around 30,000 websites are hacked every single day.

Targeted hacks are rarer: the lone hacker, staying up all night, guzzling energy drinks while he pores over code, creating the perfect attack tool.

You are more likely to see these on TV than in real life.

We’ve listed some of the most common reasons for websites to get hacked below, ranked in the order we think a small business website is most likely to be exposed to it.

For SEO Spam

If you own a site, you probably understand the importance of search engine optimisation. One of the common SEO benefits is having other sites link to yours – Google sees this as a sign of trust and ranks your site favourably.

Unfortunately, sites are hacked for just this purpose, allowing the attacker to install software or run code to generate hundreds or thousands of backlinks to other websites.

If your site is the source of spammy backlinks, Google will penalise it.

To add pages for Phishing

A phishing web page is designed to capture secret information. Phishing web pages are designed to look like legitimate pages. For instance, you may discover one that looks identical to a financial internet site. Should a visitor inadvertently try and log in, their details are stolen and can be used on the legitimate site to log in as that user.

Google actively monitors and counters phishing, and the first you might know of it is when your site is blacklisted and displays a red warning in browsers, eroding customer trust.

For Spam Email Delivery

Nuisance emails still have a big role to play online, making sites that can deliver them worthy prizes.

Your website can become a source of spam email, typically until the site is taken down by the hosting provider. Your domain could also become blacklisted, negatively impacting your own ability to send emails and causing reputational damage to your brand, as the recipients of the spam emails believe you are the source of them.

Why do websites get hacked? Sometimes just to deliver spam

To spread malware

Malware is simple to build and widespread. It’s freely traded among cybercriminals. The hardest part of a malware strategy is convincing people to download it.

This is where your Google-approved and reputable website comes in. Who wouldn’t trust you? Would you notice when your PDF brochure download is replaced with malware?

To access payment details

If you use your website to take online payments, then it can become an obvious target for attackers. Even though sites nowadays should not be storing card details on the site, supporting customer information can be taken and either used directly by the hacker or sold on to someone else.

There are also hacking methods to log user details as they are being entered into a web page.

To steal information

Sites usually accumulate individual details from visitors. For example, if you have an e-mail list, you might gather details through your site. Users may access restricted content or other membership benefits. Even marketing plans waiting for release may have commercial value. The way hackers steal data from websites is often no different from other types of attack, but weak passwords are an old and proven means of entry.

Any one of these may have value to a hacker and be shared or even sold on the internet or dark web, which is another reason hackers attack websites.

As a website owner, if you are processing personally identifiable information, you are responsible for managing this in line with UK data protection laws.

As a source of free Ads

If your site attracts enough website visitors, it might be a worthwhile target for ad hacks.

Advertisers pay based on ad views, so criminals like to install those ads on hacked websites to pump their numbers up. These are easy to spot, so not a great long-term strategy.

A more subtle hack involves diverting your traffic to another site. Many years ago we came across a website that hackers had targeted for this type of attack. 50% of all visitors from Google were sent to a Chinese website selling fake Ray-Ban sunglasses.

The website owner was unaware as his visits were always direct. Most worryingly, he was paying for Google ads too, so his money was benefitting the counterfeit sunglasses website, not his.

Despite having his own SEO expert, this wasn’t picked up until the customer signed up for one of our Care Plans and we found the site had been hacked 18 months previously.
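A check for the referrer-based redirect described above, as an added example that is not part of the original post: it requests a page as a direct visitor and as a click-through from Google, several times each because the case above redirected only half of Google visitors, and reports off-site redirects that only the Google profile receives. The function names and the Referer value are assumptions chosen for the example.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Visitor profiles to compare: a direct visit and a click-through from Google.
PROFILES = {"direct": {}, "google": {"Referer": "https://www.google.com/"}}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow; the 3xx is raised as HTTPError instead


def fetch(url, headers):
    """Return (status, Location header) for one GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=10) as r:
            return r.status, r.headers.get("Location")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")


def _host(url):
    # Treat www.example.com and example.com as the same site.
    return (urlsplit(url).hostname or "").removeprefix("www.")


def off_site_redirects(url, attempts=6, fetch=fetch):
    """Hosts each visitor profile was redirected to, other than the site's own."""
    seen = {name: set() for name in PROFILES}
    for name, headers in PROFILES.items():
        for _ in range(attempts):  # the case above redirected only half of visits
            status, location = fetch(url, headers)
            if 300 <= status < 400 and location:
                target = _host(urljoin(url, location))
                if target and target != _host(url):
                    seen[name].add(target)
    return seen


def is_cloaked(url, attempts=6, fetch=fetch):
    """True when search visitors are sent somewhere that direct visitors never are."""
    seen = off_site_redirects(url, attempts, fetch)
    return bool(seen["google"] - seen["direct"])
```

Run `is_cloaked("https://your-site.example/")` against your own site. It only sees HTTP-level redirects, so redirects performed by injected JavaScript or keyed on the User-Agent need a browser-based check as well.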

For practice or just for fun

Hacking is a skill that takes practice so your site might be a good training aid used by a hacker on their journey to bigger and more lucrative targets. After all, practice makes perfect and hackers are always looking to perfect new ways to hack websites.

Why do websites get hacked by hackers?

Some hackers do it for fun, to boast they can. Others carry out malicious attacks, not for profit, they just like destroying websites.

To Take You Down

Sometimes websites get hacked to take them offline. Maybe you made an enemy, or your business has become a target for those who disagree with your practices. Maybe it’s just for revenge or paid for by a competitor. If it’s a revenue stream, you might be targeted for a blackmail payment to restore it.

Whatever the reason, these are very obvious and destructive attacks.

How might I know if my website has been hacked?

If you don’t actively look at your website security (or have someone do this for you), you might be forced to rely on the following indicators that your small business website has been hacked.

  • You see a warning in Google that your site is hacked or contains malware
  • Your customers contact you
  • Your hosting provider gets in touch or simply takes down your site
  • Your traffic plummets and Google blacklists your site
  • Your site is suddenly very slow
  • You see links directing to ‘fishy’ sites from your website

What can you do to prevent your website getting hacked?

We always say there is little defence against a determined and skilled hacker. These types of individuals attack the biggest targets for the richest rewards or peer recognition. The good news is it is highly unlikely your small business website will be on their radar.

You are more likely to be attacked for the more common reasons above, and some common defences for those types of attack are:

1. Keep your website software up to date

It’s crucial to keep WordPress, themes and plugins updated to the latest recommended versions. Security exploits are reported and routinely fixed with software updates. Our Site Basics Care Plan will take care of this for you for pennies a day.

2. Use reputable plugins

With over 54000 plugins in the WordPress plugin directory, it’s important to choose the right ones for your business website. Software should be selected from a trusted developer who updates security vulnerabilities regularly.

If a WordPress theme or plugin hasn’t been updated in over a year, there is a good chance it is littered with security exploits and a replacement should be identified.

3. Use a security plugin

Security plugins make improving WordPress website security simpler, so we recommend using them on your small business website. iThemes Security and Wordfence are 2 of the most popular.

4. Keep an eye on admin users

Make sure you set a strong password that is unique to your website for your admin account. Delete the built-in administrator account, too. Regularly review your Admin users and make sure you recognise them and that they still require WordPress admin access to your website.

5. Get assistance if you suspect hacking

Whilst your hosting provider might be able to help with restoring from backups – they are just as likely to take your site down if it’s sending spam or is malware-infected. Get assistance if you suspect hacking – often sites are hacked and sit waiting for signals to become active, so a quick response can save lots of pain.

Our Developers can help recover your site for you, just send us a message.