How Websites Get Hacked
Suffering a hack to your website is an extremely frustrating setback that any business owner can experience. Some hacks are more difficult to recover from than others. While they can be scary to deal with, understanding how hacks happen is a great first step to ensuring that your business website is secure from hackers. As a digital marketing agency that specializes in creating high-quality websites for small businesses, we’ve worked with businesses in multiple industries to help them clean up their site after a hack. While it’s usually possible to recover what is ruined, it can take a lot of time and money to recover from a hack.
More often than not, websites are hacked due to one of four reasons.
- Weak Login Credentials. You should never leave your username as “admin” and your password must be secure. This means that using your dog’s name or spouse’s birthday is not a good way to secure your website. Make a strong and complex password that no one would be able to figure out.
- Out Of Date Plugins and Themes. If you’re using a site such as WordPress, be sure to stay up-to-date on all updates that they recommend. Having an outdated site is one of the quickest ways to allow hackers into your site.
- Comments Turned On. Most of the comments that we see on sites are from spammers who are looking to redirect your customers, or you, to sites that are there to capture your information and expose you to malware.
- Not Paying Attention To Vulnerabilities. Most inexperienced and lower cost hosting services are not watching for vulnerabilities, which, in turn, puts your site at risk.
What To Look For When Checking Your Site Security
While each hack has its own individual fingerprint, there are ways to check your own site security to ensure that everything is working properly.
First and foremost, check your site often. Not only should you go directly to your website and click all of the links, but search your business online and click the links that show up on search results, and check all of the links that you’re driving to from your paid ads or marketing ventures.
It’s easy to assume that everything is fine if a link from one site to another is working, but many times hackers will attack the places that the owner is least likely to check. That could mean that it is months before you notice a hack, and by then it could be so bad that it takes months and a large amount of money to correct everything that was ruined.
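An added example (not from the original article) of automating the link check described above: it follows each link's redirects once as a direct visit and once as a visit arriving from a search result, and reports every visit that ends up off your own domain. The host names, the sample responses and `sample_fetch` are constructed for illustration; a real check would replace `sample_fetch` with live HTTP requests.

```python
from urllib.parse import urljoin, urlsplit

SITE_HOST = "example-bakery.test"   # hypothetical site being checked
SEARCH = "https://search.test/"     # hypothetical search-engine referrer

# Constructed sample data standing in for live HTTP responses:
# (url, referer) -> (status code, Location header). referer None = direct visit.
SAMPLE_RESPONSES = {
    ("https://example-bakery.test/", None): (200, None),
    ("https://example-bakery.test/", SEARCH): (200, None),
    ("https://example-bakery.test/menu", None): (301, "/menu/"),
    ("https://example-bakery.test/menu", SEARCH): (301, "/menu/"),
    ("https://example-bakery.test/menu/", None): (200, None),
    ("https://example-bakery.test/menu/", SEARCH): (200, None),
    ("https://example-bakery.test/specials", None): (200, None),
    # Only visitors coming from a search result get sent somewhere else.
    ("https://example-bakery.test/specials", SEARCH): (302, "https://unrelated-shop.test/win"),
    ("https://unrelated-shop.test/win", SEARCH): (200, None),
}

def sample_fetch(url, referer):
    """Offline stand-in for an HTTP request that does not follow redirects."""
    return SAMPLE_RESPONSES.get((url, referer), (404, None))

def final_destination(url, referer, fetch, max_hops=5):
    """Follow redirects hop by hop and return the URL the visitor lands on."""
    for _ in range(max_hops):
        status, location = fetch(url, referer)
        if status not in (301, 302, 303, 307, 308) or not location:
            return url
        url = urljoin(url, location)  # Location may be relative
    return url  # stopped after max_hops; report where we got to

def audit_links(urls, referers, fetch, site_host=SITE_HOST):
    """Return (url, referer, final_url) for each visit that leaves site_host."""
    findings = []
    for url in urls:
        for referer in referers:
            final = final_destination(url, referer, fetch)
            if urlsplit(final).hostname != site_host:
                findings.append((url, referer, final))
    return findings

PAGES = ["https://example-bakery.test/", "https://example-bakery.test/menu",
         "https://example-bakery.test/specials"]

if __name__ == "__main__":
    for url, referer, final in audit_links(PAGES, [None, SEARCH], sample_fetch):
        print(f"{url} (referer={referer}) ends at {final}")
```

In the sample data the `/specials` page looks normal when opened directly and only leaves the site when reached from a search result, which is why the article's advice to click through from search results and ads matters.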
A Few Website Hacking Stories
In order to truly understand the effects that a hack can have on your small business website, and what to do if your website gets hacked, here are a few stories of clients that we’ve had who had their website hacked and reached out to our team for help.
1. WordPress Site Inappropriate Content Hack
Years ago, a WordPress client of ours discovered that her website had been hacked and reached out to us asking for help. It turned out her site was compromised due to a weak password. Once the hackers gained access, they replaced her site content with inappropriate content not suitable for her audience (or any audience, for that matter). She was shocked and embarrassed after one of her customers brought it to her attention.
Not only can a hack like this negatively affect her reputation but it can also have other less than ideal impacts on her business. She reached out to us pleading for our help and we came to the rescue. We immediately helped change her password, remove the source of the hack, and lock down the site moving forward so it couldn’t happen again. Later in this article we’ll share other steps we took that anyone with a WordPress website can take to protect their site from hacks. Let’s move on to another scary website hacking story.
2. WordPress Site Redirect Hack
3. Shopify Website Hacked – How One Hacker Stole Over $3,000
We recently had a new client reach out and they let us know their Shopify website had been hacked. This particular client had an E-commerce business and woke up to discover some startling news one day. The hacker got access to their Shopify back office login due to a very weak and easy to guess password (hint: don’t make your Shopify login or any login easy to guess).
Once the hacker cracked their password he was in the back office and had free rein to do what he wanted.
The Shopify hacker then proceeded to update the payment gateway information to an Amazon Pay account the hacker owned, shut off the other payment options for the site owner, and updated the admin email to one they owned as well.
This essentially diverted any funds generated from sales on the website to THEIR bank account.
By the time the site owner had noticed what had happened they were out $3,000 in sales (that money was deposited into the hacker’s Amazon Pay account and not theirs). Not to mention, the business owner was out for the cost of the products sold and the cost to ship those products as well.
We helped the client lock down their site by updating their username and password to a much more secure login, fixed the payment gateway settings to how they were before, and most importantly enabled two-factor authentication. If you are a Shopify site owner that has been hacked we recommend checking out these steps to securing a hacked account.
Tips For Protecting Against Hackers and How to Protect From Hacking
Preventing website hacking is not a topic many small business owners think about but they should. The costs, hassle, and issues associated with website hacking can be extensive so avoiding getting hacked is well worth thinking about up front when you get your website designed or redesigned. Here are some tips that can help to lock down your site and protect it against hackers.
Change Your WordPress Login Username From “Admin” To Something More Secure
Many people who build their website leave the username as admin, and if you do this you are just making it easier for the hackers. Take a few seconds to change this username to something harder for the hackers to guess.
Have A Strong WordPress Password
Update The Core WordPress Theme On A Regular Basis
This is a big mistake we see small businesses make with their WordPress sites. Once they have their site built they never update the Theme and this eventually leads to issues. As mentioned earlier, this can lead to vulnerabilities that can leave an open door for potential hacking attempts. For our website maintenance clients we take care of updating the Core WordPress theme on a regular basis.
Update Plugins Regularly
Plugins, just like your WordPress theme, need to be updated on a regular basis to ensure your site stays secure. Not updating plugins on a regular basis can lead to your site getting hacked. Out of date WordPress plugins open up vulnerabilities in the defenses of your website.
Shut Off Comments On Your WordPress Website
Comments are not helpful on most WordPress websites these days and even if you have a blog on your site the majority of the comments are Spam. This can be another way hackers can break into your site so don’t take the risk and shut off comments.
Have Daily Back Ups On Your Site Done
When our agency hosts websites for clients, we do daily back ups on our clients’ sites so that if something breaks (or the client breaks something) we can revert back to a recent back up that was working and fix the site. Not every web host does this and you get what you pay for. Cheap shared hosting accounts through GoDaddy or HostGator do NOT do daily back ups. Most cheap hosting providers do not do daily back ups and this can leave you in a very vulnerable position with your business website. If something goes wrong and you lose your website, without a back up you could be forced to start over completely.
Have A Good Website Host That Monitors For Vulnerabilities And Hacking Attempts
Cheap website hosts will not tell you when something goes wrong on your site and this is a prime reason why hackers can get away with hacking a site. It may take multiple months for a small business owner to discover that their website has been hacked. By then, the damage is done and they may have some challenges ahead fixing the hack and solving their problems. When our agency hosts a website we monitor all our client sites for vulnerabilities and hacking attempts.
Use Two-Factor Authentication Whenever Possible
Two-factor authentication is an additional layer of security for your website. WordPress currently doesn’t offer this by default; however, there are some plugins that can enable this functionality on your site. Some site platforms like Shopify do offer this and you should absolutely turn this feature on to protect your website. I would also recommend turning on two-factor authentication on your email account and even your Facebook business account as well. I heard a recent story of a small business who had their Facebook Ads account hacked, and hackers had racked up a $10,000 ad spend on their associated credit card before they caught it.
What To Do If Your Website Is Hacked
If your site has been hacked, or if you want to ensure that your site doesn’t get hacked in the future, book a time to chat with a member of our team. Our team of digital marketing experts is here to help you have a high-quality, secure website for your small business.
Time To Meet With Kyle Battis
Kyle Battis has been involved in advertising and marketing since 1999. He has a background in Website Design, Direct Marketing, Online Media Buying commanding $150,000 per Month Ad budgets, Live Presentations, and he has extensive experience designing Marketing Campaigns that make money for small businesses.