Your website is one of your most important business assets. With today’s interest-driven culture, a majority of your current and future customers use your website to learn more about your company and the solutions you provide. While many business owners have come to realize the importance of having a web presence, many have neglected website security.
The attacks a website may encounter on any given day vary. In fact, a 2019 Clark Study states that hackers attacked computers at the University of Maryland 2,224 times a day, which averaged to one attack every 39 seconds. The report states, “Some 43 percent of all password-guessing attempts simply reentered the username. The username followed by ‘123’ was the second most-tried choice.”
The 2019 Sophos Security Threat Report explores the shift from automated to manual spam attacks. The report explains, “For nearly three years, a small but dedicated group of criminals attacked a wide variety of organizations using manual techniques to deliver a ransomware called SamSam.”
What’s worse is many site owners have no idea that malware or spam was added to their site. Having a compromised website impacts your users, your business, and your marketing efforts.
In 2016 “hacking” took center stage. From the DNC getting hacked to the internet outage that affected the East Coast, the public saw firsthand the power and the negative implications of hacking. Since then the reports have escalated, with the most recent information as of July 2019 reporting that election systems in all 50 states were targeted. This highlights the fact that the impact of hacking is not always immediately known.
For business owners, big or small, having your website hacked can pose huge issues. For e-commerce sites, not having the right security can compromise your customers’ precious personal data. For other sites, malware can be added that will place hidden links on your site or even cause redirects of your domain to “less than desirable” places. If you are investing in marketing your business online, making sure your site is protected is essential to getting the best results.
The Open Source Problem
WordPress is the world’s #1 CMS (Content Management System) on the web. According to the newest data from W3Techs, WordPress now powers 25 percent of the world’s websites, including sites like TechCrunch, Sony Music, Best Buy, Time Inc. and a number of other notable sites. What makes WordPress so appealing to many developers is that it is an open source platform. This allows for the continual growth and innovation of WordPress by others in the community. While open source platforms are amazing, there is one flaw. If you don’t stay up to date with the latest software and plugins, you leave yourself vulnerable to an attack.
There are a number of ways your site can get hacked. Here are a few of the most common points of entry into WordPress websites, according to an infographic by WP Template:
- 41% get hacked through vulnerabilities in their hosting platform
- 29% by means of an insecure theme
- 22% via a vulnerable plugin
- 8% because of weak passwords
3 Common Hacks
There are a number of ways your website can be hacked. Most of the time you’re not being attacked by a real person, but rather by a bot. Here are three of the most common types of WordPress hacks.
Brute Force Attack
A brute force attack is the most common attack on any site. During this attack, the hacker is “guessing” your password over and over until he figures out your password. Hackers no longer limit themselves to doing this manually. Instead, they use several scripts running at the same time that are trying to figure out passwords to many sites.
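Scripted guessing of this kind shows up in the web server's access log as a burst of failed logins from one address. The following is an added example (not part of the original post) that scans constructed log lines for that pattern; the log format, the threshold of 5 failures in 60 seconds, and the reading of HTTP 200 on `/wp-login.php` as a failed login are assumptions to adjust for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access log (combined log format, documentation IP ranges).
def _line(ip, hhmmss, method, path, status):
    return f'{ip} - - [12/Jul/2019:{hhmmss} +0000] "{method} {path} HTTP/1.1" {status} 3120'

SAMPLE_LOG = "\n".join(
    # A script: eight failed logins, two seconds apart.
    [_line("203.0.113.7", f"10:00:{s:02d}", "POST", "/wp-login.php", 200) for s in range(0, 16, 2)]
    # A person: one typo, then a successful login (302 redirect), then browsing.
    + [_line("198.51.100.20", "10:01:05", "POST", "/wp-login.php", 200),
       _line("198.51.100.20", "10:01:20", "POST", "/wp-login.php", 302),
       _line("198.51.100.20", "10:01:21", "GET", "/wp-admin/", 200)]
    # Three failures spread over ten minutes: below the rate threshold.
    + [_line("192.0.2.50", f"10:{m:02d}:00", "POST", "/wp-login.php", 200) for m in (10, 15, 20)]
)

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_bruteforce_ips(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak failed-login count inside any one window} for noisy IPs."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that are not in the expected format
        ip, stamp, method, path, status = m.groups()
        # Assumption: a failed WordPress login re-renders the form (HTTP 200);
        # a successful one redirects (HTTP 302).
        if method != "POST" or path.split("?")[0] != "/wp-login.php" or status != "200":
            continue
        when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        attempts = recent[ip]
        attempts.append(when)
        while when - attempts[0] > window:
            attempts.popleft()    # drop attempts that fell out of the window
        if len(attempts) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(attempts))
    return flagged

if __name__ == "__main__":
    print(find_bruteforce_ips(SAMPLE_LOG))
```

Addresses it reports are candidates for rate limiting or blocking at the firewall or in a security plugin; the function assumes the log lines are in chronological order.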
SQL Injection Hacks
SQL Injection is when a hacker enters malicious words and characters into a form that is unsecured to exploit the database. Depending on the site, a hacker could use SQL injection to retrieve usernames and passwords, retrieve credit card numbers, alter data, or even delete data.
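What makes a form "unsecured" in this sense is that its input is pasted into the text of the database query. The following added example (not code from this post or from WordPress) puts that pattern beside the parameterized form that fixes it, using Python with an in-memory SQLite table as a stand-in for the site database; the table, the function names and the sample input are constructed for illustration, and in WordPress's own PHP the equivalent of the safe form is `$wpdb->prepare()`.

```python
import sqlite3

def make_db():
    """Build a throwaway in-memory database with two constructed user rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (login, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db

def lookup_vulnerable(db, login):
    # Unsecured: the form value becomes part of the SQL text, so a quote
    # character in it ends the string literal and the rest is read as SQL.
    sql = "SELECT login, email FROM users WHERE login = '%s'" % login
    return db.execute(sql).fetchall()

def lookup_safe(db, login):
    # Secured: the query text is fixed and the value is bound to the "?"
    # placeholder, so it is only ever compared as data.
    sql = "SELECT login, email FROM users WHERE login = ?"
    return db.execute(sql, (login,)).fetchall()

# Constructed form input containing a quote and an always-true condition.
CRAFTED_INPUT = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED_INPUT))  # every row leaks
    print("safe:      ", lookup_safe(db, CRAFTED_INPUT))        # no match
    print("safe:      ", lookup_safe(db, "alice"))              # normal lookup
```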
Cross Site Scripting
Cross Site Scripting, or XSS for short, is when a hacker adds his malicious script to your site. The hacker enters some malicious code into a form which then adds their script to every page on the site. This can cause unwanted redirects from your site to a site that the hacker wants to send your traffic to.
The Impact on Your Business
Having your site hacked compromises not just your information, but the information of your users as well. As a business owner, this can result in a number of negative consequences. Now, some of you may be thinking, “Well I am a small business, no one would want to hack me.” Unfortunately, you’re dead wrong. Forty-three percent of all data breaches in 2019 involved small and mid-size businesses, according to The Verizon 2019 Data Breach Investigations Report. The main reason is that smaller businesses are just easier to hack but still return a ton of value to the hacker. It’s also important to note that Inc.com reports 60% of small businesses that are hacked go bankrupt within 6 months.
Another area in which having your site hacked can hurt your business is in your marketing. Having malicious code on your site will directly impact your search rankings. Google and other search engines crawl your site for more than content and links. They also look to see if the sites are safe for their users. If your site has been compromised, this will lead to a devaluation of your domain until you clean it up.
Cross Site Scripting can hurt your reputation badly. With this type of attack, the hacker can redirect your site to anything they want. So when someone goes to visit your site but instead gets pushed to another unrelated site, your visitors will lose trust in you and may never come back.
How Can You Protect Yourself
There are a number of things every website owner should do in order to protect their site from exposure. Protecting your online assets begins with being proactive. Many business owners know they need to beef up security but just can’t find the time. This is why we add maintenance and security to every site we work on. We know that good online marketing begins and ends with a good and secure web presence.
Here are 7 things you must do to keep your site protected:
1. Stay Informed: Make sure you know what the threats are and what they are targeting. Follow updates at a tech site such as The Hacker News.
2. Strengthen Access Control: Make sure all usernames and passwords cannot be guessed. Also, change the default database prefix from “wp_” to something random and harder to guess.
3. Update Everything: Make sure you have the current version of your CMS and plugins.
4. Tighten Network Security: Office computers may be inadvertently providing an easy access route to your website servers. Ensure that:
- Logins expire after a short period of inactivity.
- Passwords are changed frequently.
- Passwords are strong and NEVER written down.
- All devices plugged into the network are scanned for malware each time they are attached.
5. Install Security Applications: WordPress has a number of great security plugins. Here are a few of the top rated ones.
6. Hide Admin Pages: You should never have your admin pages indexed. Use the robots.txt file to discourage search engines from listing them.
7. Use SSL: Use an encrypted SSL protocol to transfer users’ personal information between the website and your database.
For more tips, check out this post.
I have seen firsthand the impact this can have by getting hacked myself and also from helping others clean up their websites. No site is too small and no niche is safe from being attacked. If you want to protect your investment and reputation online as well as get the most out of your marketing efforts, you need to take security seriously.
Editor’s Note: This post was originally published in January, 2017 and has been updated for freshness, accuracy, and comprehensiveness.
