At WopeDigital, we’ve seen a recent increase in people contacting us with a major problem – their website has been hacked. We believe that most of these hacks can be avoided with just a few website security tips and maintenance practices.
A hacked website can be a major source of frustration, financial loss and also severe embarrassment for the victims of the hack.
If your site has been hacked, you’re probably going to notice something funny or very odd when you visit your domain.
It could manifest as a redirect to a different website, or an actual message informing you that you’ve been hacked, or a new tab opening up when you click on certain links, showing unrelated ads, Google warning people not to visit your website, etc.
A few years back (in 2015 to be precise), the government of Ghana had their website hacked and completely defaced.
After having to take down the entire server and all the other sites on it, with a lot of hard work, the government regained control of their sites.
The then deputy Minister of Communication, Mr. Edward Ato Sarpong, said that work was being done to help “…put in place the right and secured softwares and infrastructure to prevent this from happening going into the future”.
As they say, prevention is better than cure. A hacker infiltrating your website can cause a tremendous amount of havoc on so many levels that it’s something you’d best avoid as much as possible, rather than trying to remedy it after the damage has been done.
So before you ever (hopefully never) find your website hacked, we’ve got a list of actions you can take to reduce that possibility.
(This article is part of our series on the 25 Most Common Website Problems And Their Solutions.)
Why Hackers Hack Websites
Many people wonder, “Why would anyone want to hack my website? I’m not a bank.”
Well, there are actually many reasons:
- To use your website to send thousands of spam emails around the world
- To harvest usernames, email addresses and passwords to spam other users or hack into other accounts where they use the same passwords
- To hold your website hostage and request a payment or ransom in order to release your website.
- For security purposes, in order to identify vulnerabilities in your system and report them to you (that’s a rare good hacker)
- To install malware on your website so that all visitors to your website can end up also getting hacked
- To prevent you from spreading a particular message that they find offensive (usually done by state-sponsored hackers)
- To steal trade secrets and information that can help the competition get an edge over you.
- Just for fun or to prove a point that it’s possible. Some hackers hack a site just because it can be hacked. (Just like the guy who installed Microsoft Windows on a watch just to prove it could be done.)
If you really want to learn more about why hackers hack and their incentives, you can read Why Do Hackers Hack? – 3 Reasons Explained.
9 website security tips to keep hackers out
Now that you know there doesn’t even need to be an incentive to be targeted by a hacker, let’s dive into methods of prevention.
Some of these touch on technical stuff. You’re going to need to be a technical person yourself, or call on the team/person that handles your website to implement them for you.
But a lot of them are actually simple rules and things you can do right now to make it far more difficult for your website to be compromised.
Protect your login details
The easiest way for a hacker to take down a website is to have administrative access to that site, usually via the site’s login details.
Anyone who has that level of access can do as they please with your website. To avoid this situation, you have to ensure that people who don’t need to access your website aren’t able to, that they don’t have more permission than they require, and that any usernames and passwords you provide them are promptly changed once their job is done.
Someone you gave your login details to so they could make a quick change on your website or solve a problem for you might still have those details later, and that’s a security risk.
One of the easiest ways to get hacked is to log into your website in an Internet cafe or on public WiFi.
Both Internet cafes and public WiFi are used by hundreds and even thousands of people. And by using various techniques including packet sniffing, man-in-the-middle attacks and keyloggers, a hacker can obtain the username and password to your website.
A minimal precaution is to ensure that you have Two-Factor Authentication (2FA) enabled for any account you log into in public.
Two-Factor Authentication is where after entering your username and password (first factor), you are also required to enter a one-time password sent to your phone via SMS (second factor) or some other method.
With Two-Factor Authentication, even if someone succeeds at stealing your password, they won’t be able to log into your account because they won’t have your phone to complete the second step in the process.
You can learn more on Two-Factor Authentication here: Cybersecurity 101: Two-factor authentication can save you from hackers.
Don’t use stolen or nulled themes or plugins
Whilst it’s true that the best things in life are free, almost everything else comes with a price tag.
And this applies to your website also. The nicer or more complex your website is, the more expensive it likely is. The problem arises when an unscrupulous website designer decides to make an outsized profit by stealing a theme or plugin, or buys it from a shady source at a ridiculous bargain.
The Bible says that the workman is worth his wages. What that basically means is that someone who works is entitled to be paid for the work he does.
Let’s consider the life of a typical developer. He has an idea for an amazing new and impressive plugin or theme that will make websites around the world more beautiful and functional.
He invests weeks and even months into learning some of the latest technologies that have been launched and starts working on his new idea. He encounters issues that have him scratching his head.
But he perseveres.
Finally, after ironing out all the bugs in his brand new creation, he opens it up to the world and sells it for $99. It’s his product, he sets the price and decides that that’s what his time and energy and skills are worth for his product.
Sadly, some people including website designers and freelancers may say to themselves,
“Why should I pay $99 to this guy when I can get it for free?”
And off they go to scour the web to find some shady corner where they can download someone’s precious product free of charge.
But that’s only half the story. Just as they say that not all that glitters is gold, the same way not everyone who is generous to you is genuinely being generous.
People who distribute free (or nulled) themes and plugins have usually compromised the product they are distributing for free. They will add their own malicious code in a corner and obfuscate it.
And whilst it will operate beautifully and normally, it holds a serious kicker. Every single person visiting your website could now be compromised by malware. Or your site would now be vulnerable to the hacker who gave away someone else’s product for free and that can end up giving you problems upon problems.
The way to avoid being hacked through stolen plugins or themes is to take an active role in making sure that every theme and plugin on your website was purchased from the original developer or another reputable source and carries the necessary licence.
In the event you have no idea where your designer got the themes and plugins for your site from, a security audit of your website would certainly help.
Keep all plugins and themes updated to the latest version
The world of technology moves really, really fast. Did you know that your smartphone is more powerful than the computer that sent astronauts to the moon?
Whenever something is changed and improved, you need to update it at your end to get the latest and greatest. This happens with your website as well.
If you have a WordPress site, you probably have new updates to install every single week. One week, it’s a WordPress security update, the next is a theme update, and almost every other day, some plugin has an update.
As much as these updates can be a bit annoying and even disruptive, they are usually very important.
Just as technology is advancing, hackers are advancing also. What they couldn’t break a little while back, give them a few weeks and they’ll have found a way to break it.
And so updates are released to close those holes and fix other security and website issues, and the cycle starts all over again.
The risk of your website being hacked increases every time you don’t update a plugin, theme or WordPress itself.
If your website designer provides some technical maintenance including updates, that’s great and you won’t have to worry your head over that.
If not, you can sign up for a maintenance package or run the updates yourself. You can even automate some of these updates, or sign up with a service that handles them for you.
We won’t lie to you though, the quickest way to break something on your website is also to update it. 😀 You update a plugin here only to find out it’s not compatible with some other plugin elsewhere and the two conspire to take down your site.
We strongly recommend that you take a backup of your website before you make updates, and make sure you know enough about what you’re doing to resolve any conflicts that arise, or at least to revert your site to its working state until you can update it successfully.
Upgrade from shared hosting
It just so happens that probably the saddest way to be hacked is when you’ve done absolutely everything right, yet you still get hacked.
“How can this be?” you say.
Well, one of the flaws of shared hosting in particular is that your website is situated on a server with hundreds, and even thousands of other sites.
A hacker who is at the top of his game won’t need to get through your strong security at all. All he has to do is find the weakest link.
By hacking a single website on the server (probably even just a test site that someone abandoned months ago) and, depending on the level of security at the server level, he can move laterally and continue to take down all the sites on that server.
Avoiding this comes down to going with a hosting company which has the highest security available for shared hosting, or simply moving up to more secure hosting like VPS, Dedicated or Cloud hosting.
At WopeDigital for example, we provide all our clients with our secure managed hosting services. What this means is that their sites are constantly protected from hackers and malware, updated to the latest versions of plugins, and continually backed up.
Implement website security tips and best practices
Driving is, generally speaking, risky. To reduce the risks involved in driving, there are a lot of best practices.
- Wearing a seat-belt
- Passing the licencing exam
- Driving below the speed limit
- Understanding and obeying road signs and signals
- Regular car maintenance
- Having a driver’s licence
- Having insurance
- Not driving when you’re tired or sleepy, and so on.
All these things and more contribute to ensuring that as many passengers and drivers as possible reach their destinations safely.
It’s quite similar with websites. A hacker may want to attack your website just because it’s out there, but that doesn’t mean you should make it easy for them.
There are so many best practices and website security tips you or your developer should consider to give hackers a really tough time if they choose you as a target. You should make it so hard for them that the next time they see your site, they’ll just leave you alone and go some place else.
- Make sure you use strong passwords. p@ssw0rd is not a strong password. That can be broken in a matter of minutes. Use a password generator instead to generate complex passwords (which you should remember to store securely).
- Make sure you keep all your themes, plugins and platform updated to the latest available version.
- Make sure you limit login attempts. Don’t give a hacker the chance to try a billion different passwords until they’re successful. Lock them out after a few wrong attempts.
- Make sure you are regularly backing up your website. Always prepare for the worst, just in case it happens.
- Make sure you’ve installed and are using a firewall or security plugin. This helps scan, detect, block and also neutralize a host of malicious attempts on your site.
- Make sure your site has an SSL certificate and always shows https in the URL.
- Make sure you disable and never use the username ‘admin’. It’s the default username and usually the first guess when hacking a website.
- Make sure you’ve hardened your server and locked down its website security settings. You can learn a lot more about hardening your WordPress site to secure your website.
- Make sure you’ve disabled file editing. Leaving file editing enabled makes it that much easier for someone to do damage to your website if they succeed in getting in.
- Make sure you regularly check your website and server logs to uncover any patterns that might point to malicious activity.
If you want more information on the in-depth security practices for your website, you should read: The Ultimate WordPress Security Guide – Step by Step.
Password-protect your laptop or phone
It is fully understandable that some people choose not to put a password on their laptop or on their phones.
“I have nothing to hide!”
is usually the answer, or
“It’s just more convenient than having to type a password all the time.”
And whilst that is true, the problem isn’t the people around you whom you trust, it’s that rare possibility that you leave your phone in a taxi by accident, or someone makes off with your laptop.
Thieves and hackers certainly know the value of data, and so when they get hold of a device with no password or PIN code, they’re going to look through anything and everything of value they can find, be it images to blackmail you with, email accounts, card details and much more.
If your browser stores your passwords so you can automatically log in to various sites easily, then it’s important you have a password on the device itself, just in case it falls into the hands of the wrong person.
Use a good anti-virus program on your devices
A thief having physical access to your computer is bad, but his having remote access is almost as bad.
Viruses, malware, Trojans, spyware, keyloggers and a host of malicious programs have become easier than ever to transmit online nowadays.
Just by visiting an infected or compromised site, malware can be downloaded to your device, allowing someone halfway across the world to do literally anything they want with your computer or phone.
On the other hand, having a good and up-to-date anti-virus program dramatically reduces the risk of that happening. Many will even block the connection to a website if they detect a problem with it.
We do recommend having good anti-virus/malware software that regularly scans and blocks malicious programs from ever getting to be installed on your computer or phone. You’ll find a few to consider below.
Delete unused onsite backups, files, themes and plugins
An important task in website maintenance of any sort is getting rid of the old and making way for the new.
Not done properly, this immediately creates a security risk that can lead to your website being compromised.
Consider this scenario. A company decides that it’s time to redesign their website. The old one was great when it was launched, but it’s now outdated and needs to be refreshed.
A new and absolutely beautiful website is created and uploaded to the hosting platform, a few tweaks are made and the new website is live. But what happens to the old site? Well, someone decides to put it in a folder on the server, called /oldsite/
Whilst this may be convenient, it’s a huge security risk! This is because the old site is not going to be maintained, it’s not going to be upgraded, it’s not going to be protected and many times, it’s not even hidden.
Want proof? Here’s a quick search we ran in Google for the keyword “oldsite” and it pulled up OVER 7 MILLION RESULTS!!!
Certainly not all of these are old versions of new websites, but we weren’t surprised to follow some of the links to see actual working versions of their old websites.
And as mentioned, because it’s been decommissioned, it becomes an easy target for a hacker to infiltrate and start moving laterally to compromise everything else they can get their hands on.
But this doesn’t happen just with entire sites, it happens with plugins, themes, backups, files and more.
The security rule is that if you are not using that theme or plugin or module you installed, deactivate it and delete it. Don’t keep it around on your server. You can either download it or move it to an inaccessible location.
Unscrupulous website designers
One of the saddest cases we heard of a site being hacked was a situation where it was the website designer himself who was ‘hacking’ his client’s website.
Whilst (hopefully) rare, an unscrupulous website designer can tweak something on the website and make the site go down.
When asked, his response is, “You’ve been hacked ooh! Send some money so that I can repair it for you.”
And that’s a true story we know about. The unscrupulous website designer, whenever he needed a little extra income, would take down the client’s site under the guise that it had been hacked, only to “work on it” after being paid.
You can certainly avoid such heartbreak and headache by going, as much as possible, with a reputable website designer or firm for your website.
(Disclaimer: there is a difference between an unscrupulous website designer and one who just doesn’t know better. Whilst the latter may have your website hacked by accident, the former is making sure that happens on purpose for his own personal gain.)
A note on backups
Just as an extra caution though, we want to remind you that there is no substitute for an excellent backup program. You can end up doing every single thing right, but still have your website down or hacked.
And that’s why you need to take your own backups and save them somewhere else, far from your hosting account, because if the very worst happens, you can always just take your backups and move to a different hosting provider and get your website back online.
Many people believe it is the responsibility of the hosting company they are with to take backups, but it actually isn’t. If you read their terms and conditions, all of them will tell you they do this only as a courtesy and cannot be held liable if they can’t retrieve a backup for you.
Here’s an example from Hostgator’s Terms of Service:
A2 Hosting, a terrific hosting company, experienced a hack not too long ago. It was one of the most catastrophic hacks of a reputable hosting company that we’ve witnessed in recent times.
It started looking like just a little down time for a few sites. That little down time eventually translated into servers being down for months! Even their backups were compromised and they couldn’t get their clients back online.
Many clients who were paying big bucks had years worth of information literally wiped out.
That’s why you should consider having backups both offline and online. Offline backups may be stored on your computer or an external hard drive, and online backups in a cloud storage service like Google Drive, Dropbox, etc.
Your web hosting control panel will usually have an option for you to take a backup of your website, files and databases.
But besides that, we also recommend using a plugin for taking backups as well.
Make sure you are taking regular backups of your website and keeping them in multiple safe locations. If you need help with that, there are many different services you can sign up for that will back up your website monthly, weekly, daily and even hourly if you require.
With the Internet continually playing a more and more important role in our lives, we want you and your business to stay safe and functional all year round.
Wishing you the very best with your website.