Today we discuss not only what to do if your website has been hacked, but also briefly explain why anyone would want to hack your site and how your website (most likely) got hacked in the first place.
1. Why Would Anyone Hack My Site?
Before we discuss how to fix the issue of a WordPress site being hacked, let’s discuss why anyone would want to hack your website in the first place — especially if you are a small business or church.
- It is not just you. (More than likely) no one is targeting you and they don’t have it out for you. Sites are usually hacked in bulk by freelancers who get paid out of some marketing budget for exposure, or who want to steal as much information as possible.
- Compensation. For example, say a hacker uses a bot to find 100,000 websites that use a certain plugin. They will use an algorithm that sends millions of attacks per second. If he/she gets into 5 sites and installs an ad for a performance-enhancing drug, he/she will be paid accordingly. The hacker may not ever even see your site or know the name of your business. Hackers also hack for the reward of identity theft.
- Practice. Many hackers (usually younger ones) hack for practice. WordPress, Joomla, SquareSpace, and Wix websites (just to name a few) are typically the sites with the least amount of security. Starting small and moving to more challenging activities is how anyone becomes great at anything.
- Read more about “Why Websites Get Hacked” here.
2. How Did My Website Get Hacked?
There are many ways your website could have been hacked. The following are the most common ways that small businesses, and the vast majority of the web, are hacked.
- Brute force. As mentioned above, hackers primarily target sites in bulk using automation. This automation mostly relies on the “brute-force” technique: the hacker has written a program that guesses as many username/password combinations as it possibly can each second.
- Weak Password/Username. Since these programs work off of probability, the more common your username or password, the more likely your website will be compromised. For example, “admin” or your business name is a weak username.
- Outdated Software. Think of it this way: You build a house but never make repairs to the doors, walls, or roof. Or, you buy a car but never change the oil. Eventually holes appear and no matter how strong your locks are, intruders (humans, rust, bugs, etc.) can slip in. Software is the same way. Updates are the modern-day “repairs” or “oil-changes”.
Check out our post “Your Website is Like a Car” for more information.
- Read more about “How Websites Get Hacked” here.
3. What Do I Do If My Website Has Been Hacked?
- Move quickly. This is no time to dilly-dally. Google doesn’t care if you are the most selfless and giving non-profit in the world; if your website is hacked, you’re going to lose a whole lot more than just money. Google flags sites that have been hacked (this is what that looks like) and that destroys all of your hard-earned SEO. Not only this, but if you saw a store that had broken windows and bugs flowing out of the cracks, would you go in? Would you EVER return? We didn’t think so.
- Contact your host. First of all, this is not your host’s fault. Your contractor may be able to tell you you have termites, but that wasn’t his fault. Get in touch and ask their opinion — quite frequently they have very efficient ways of fixing this issue.
- Were you blacklisted? Check Google Webmaster Tools and make sure you weren’t blacklisted. If you were, get in touch with their support team to try to remove it ASAP.
4. How Do I Prevent My Website From Being Hacked?
Now that you understand what has happened and have figured out how to clean up the mess, let’s discuss how to prevent this nightmare from ever happening again.
- Use strong usernames & passwords. Check out the app 1Password — it’s a few bucks but it remembers each username and password on every site you visit. It unlocks using a “master password” and works on all of your devices. NEVER use “admin”, “wp-admin”, “wordpress” or other similar usernames. NEVER use “password” or anything that may be found on your site as your password, including your company name — no matter how clever you think you’re being.
- Update. Software is updated often, sometimes daily. Log in and update. Think of it as a weekly website oil change.
- Backup. Hosts make mistakes, passwords may be broken, hackers could find another way in… Back up your site so that if anything does happen, you have a (recent) full backup that can be restored on a moment’s notice.
- Block malicious IPs. You may notice that your admin page is visited hundreds (if not thousands) of times a day by an IP overseas. Block it!
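Here is one way to spot that pattern in your web server’s access log, as an added example that is not part of the original post: it counts failed login POSTs to wp-login.php per IP address over constructed sample log lines and lists the addresses that cross a threshold. It assumes the Apache “combined” log format and that a successful WordPress login answers with a 302 redirect while a failed one re-renders the form with 200.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:30:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2024:09:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:31:00 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Pulls the client IP, HTTP method, request path and status code out of one line.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

LOGIN_PATH = "/wp-login.php"


def failed_logins_by_ip(log_text):
    """Count POSTs to wp-login.php that did not succeed, per client IP.

    Assumption: WordPress answers a successful login with a 302 redirect into
    wp-admin, so any other status on a POST is treated as a failed attempt.
    GET requests only load the form and are ignored.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path == LOGIN_PATH and m["status"] != "302":
            counts[m["ip"]] += 1
    return counts


def ips_to_block(log_text, threshold=3):
    """Return the IPs whose failed-login count reaches the threshold, busiest first."""
    counts = failed_logins_by_ip(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    for ip, n in failed_logins_by_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed login attempts")
    print("candidates to block:", ips_to_block(SAMPLE_LOG))
```

Run it against your real access log (a day’s worth is plenty) and the addresses it lists are the ones worth blocking at the host or firewall; a legitimate visitor who mistypes a password once will stay well below the threshold.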
5. In Conclusion…
Now that you know why you were hacked, how that occurred, and a few recommendations to make sure that never happens again, don’t delay!
Does this seem a little too hard to understand? Maybe you don’t have the time or skill to prevent hacks in the future?