What is website ‘hacking’? And am I at risk?

Most people approach us not knowing what has happened, or why it’s happened, and asking how they can make sure it doesn’t happen again. It’s not usually something people want to let happen twice!

This blog will take you through a brief overview of hacking to hopefully answer some of these questions for you. And, as always, we will try to keep jargon to the minimum.

In 2012, it was reported that 30,000 websites were being hacked EVERY day (Sophos Security Threat Report). Given that was 12 years ago, we don’t want to even imagine what that statistic might look like today!

More recently, in December 2017, Google deemed over 1.2 Million sites as being ‘dangerous’ (containing Malware or Phishing…this is due to hacking!) with over 50,000 often being added to these blacklists weekly. (Source: Google Transparency Report)

The word ‘hacking’ sounds scary, right? And it is. But what does it actually mean to have your website hacked?

Take a deep breath and let us explain.

What does ‘hacking’ mean?

Being hacked means that someone (or something) has gained access to your website files without your permission. There are many things a hacker might do once they are inside your website:

• Steal personal information like client data and credit card details
• Remove your content and your access and hold you to ransom to return it
• Add links to their own site to increase traffic to the website or to help SEO
• (this could be by inserting links into your existing copy or by adding popups)
• Add Malware that could attack computers that view your website
• Communicate a political message
• Just vandalise your website for fun
• Use the site to generate mass spam emails

Why are they doing this?

If you don’t know why or how hackers operate, you might be incorrectly assuming that you are not at risk from hacking – “Why would they target me? I’m small fry. There’s nothing of value in targeting my website.” – is the type of reasoning we hear from people whose websites have been compromised. You are not too small. Being small, does not mean you’re safe. Most hacking is actually carried out by a series of automated bots developed by hackers to crawl through the internet looking for vulnerabilities in code or infrastructure. All successful attempts can be added to the hackers ever increasing portfolio and used for any of the reasons listed above. Hackers don’t care how big or small your website is. 10,000 hacked websites, just like yours, is like winning lottery for them.

How do they do it?

There are several main ways in which websites get hacked…and they are all preventable:

• Your password has been compromised – probably due to it being too weak or from a leak from another source.
• Holes are found in code because security updates haven’t been installed leaving the site vulnerable – these could be web server software, CMS (Content Management Systems, e.g. WordPress, Joomla, Drupal etc.) updates, plugin updates, theme updates.
• Vulnerabilities are identified and exploited in plugins or themes that are no longer supported or updated by the creators.
• Phishing – not the type with a rod, but where you have given your login details to the hacker yourself by clicking links in malicious emails.
• Poor security policies (too many administrators, no HTTPS, allowing weak passwords etc.).

What can happen if your website is hacked?

Having your website hacked can be a terrible and distressing experience. However, the damage can go much further than the distress and inconvenience it causes. And with GDPR coming in May 2018 it’s more important than ever to keep your website and data secure

• A Data breach could, in theory, land you with a hefty fine form the ICO (Information Commissioner’s Office) – although it’s not yet clear how likely it is that these sanctions will be issued.
• Your website could be blacklisted by Google and other search engines if malicious code is found on there – and you’ll have to request to be removed from each blacklist once you can prove your site is clean again.
• You can lose trust from your current clients and customers.
• Your brand’s reputation could be in tatters.
• Your website will obviously have downtime which will lose you sales/leads.
• It can cost a considerable amount of money to get your website cleaned and restored.
• It can be emotionally and mentally traumatic.

It’s not always immediately obvious that your website has been hacked, so how do you know if your website has been compromised?

• If registered on Google Search Console, you will receive a notification that your site is deemed dangerous.
• Malicious links have been placed on your website.
• Your website has been defaced.
• Your website is being redirected to another site.
• You could also find out by scanning your website using one of the tools available on the internet (e.g. https://sitecheck.sucuri.net).

What can you do to protect your website?

We take great pride and pleasure in protecting the websites of business owners whose websites, and reputation, are critical to the running of their business. Our Website Care Plans include everything that is required to keep your WordPress website safe, secure, and always available to the next potential client who is ready to view, contact, sign up, or buy from you

My website is my most valuable asset

and their support has made such a difference to my business.

Rosie Letts

If you’re the sort to roll up your sleeves and get stuck in, we have have also prepared a short list of simple things that you can do yourself to lower the chances of you getting hacked. These can be viewed in our previous blog 6 ways to reduce your chance of getting hacked.