Photo by Wesson Wang.

If you’ve ever found yourself in a hacking situation, you are not having a good day. Not only do you have to deal with an unfamiliar and urgent technology problem but, as a result of your predicament, your business may take a hit too. In addition, kind folks will email and text you repeatedly to inform you about the issue, keeping it in the front of your mind for days.

A long-time client of mine, Michele Cushatt, recently sent me this text:

“I’m soooooo sorry to bother you on a Saturday. My website/mailchimp was hacked and someone sent out an email to my entire list promoting Viagra. Ugh! People are unsubscribing and marking me as spam. Can you help?”

If this is your day today—I’m sorry, I feel for you. Michele is a blogger and speaker who has worked for years to gain over 7,000 subscribers. A drop in subscribers as a result of a hack can be confusing and disheartening, but on the bright side, I also have some tips for you to make this process as painless as possible and prevent it in the future.

First, let’s talk a little bit about WordPress. WordPress is an excellent platform for a website because it is an easy-to-use content management system and it’s free. That said, it has been around for a long time and has some issues. If you’re using WordPress—as Michele does—it’s really important that you keep it updated. WordPress and plugin updates are not just about adding new features; they also carry vital security patches that can prevent you from getting attacked in the first place. The same principles apply to other website platforms like Joomla.

In Michele’s case, she had three installations of WordPress on her server for two different sites. The first was for her main website, the second was on a site backup and the third was for a book launch site for her last book, Undone: Making Peace with an Imperfect Life. (The irony of this book title in this post is not lost on me.) Since the book launch, the site had been largely neglected and was still running an old version of WordPress. Though we don’t know for sure if this is how the site was accessed, it was definitely a weak point on her site.

After looking through the site, we found malware files that not only created that lovely, little-blue-pill-promoting blog post, but also hid it from her in the content management system. So even though the Viagra post was sitting there, ready to be mailed out to all her subscribers, there was no way for her to know it was there. The first time she saw it was the same time as all 7,000 of her subscribers.

While Michele did a great job at patching up any confusion with her readers, we removed the malware and scanned the site for issues, using a security service called Sucuri,* which scans customers’ websites every day and emails them with alerts about any suspicious files or activity on their sites. In my experience, once the initial clean-up is done and Sucuri is installed, clients rarely have recurring issues. The basic package on Sucuri is $199 a year, and in my opinion is absolutely worth it. Another great plugin to install is one that limits the number of login attempts. This will protect your site against Brute Force Attacks, where login attempts are repeatedly made until access to the site is gained.

An additional area that frequently affects site security is password sharing. Everyone has to share passwords these days, but you do not have to share your passwords over email or social media. By that I mean, DO NOT SHARE YOUR PASSWORDS OVER EMAIL OR SOCIAL MEDIA. Everyone knows they aren’t supposed to do this, but everybody still does because it’s easy. It is absolutely not secure. Also, don’t use the same password for everything. If someone dodgy gets one of your passwords, they’ll test it out on a few common platforms and soon enough take over your online presence and hold it for ransom!

Unfortunately, I’m not joking. Online ransom is serious business with high stakes. A while back, a fellow who works with a friend of mine and runs a sizable online company had his email hacked. After the dubious party accessed his email, they simply searched for the word “password,” and were thus able to access his Facebook and PayPal accounts. They cleared out his PayPal balance and then sent him a message on his own Skype account offering to return the money and tell him how they did it, if he paid them $500. Folks, this new internet economy is not always pretty.

To prevent password faux pas and have a great place to store them, I’ve been using LastPass* for years. With LastPass, you only have to remember your login credentials for LastPass and the program securely remembers the rest. On a free account, you get random password generation, password storage and secure sharing. You won’t even have to think about what to make your password at WhatsThisRash?.com, because LastPass will make it up for you and store it securely. Hopefully, you won’t need to continue visiting that particular site, but if you do, you can do it with LastPass. And LastPass isn’t the only option—1Password also gets great reviews.

One other feature that is so useful in password sharing programs is the unsharing feature. During all the drama with Michele’s hack, her hosting provider told me that the number one reason for sites being hacked is a disgruntled former employee looking for a little payback. While I hope that no one reading this has a string of unhappy discarded co-workers, I do hope you’ll stop and think before throwing your login credentials around to anyone and everyone.

One last area to keep your eye on is input forms. Any input boxes you use on your site in contact forms, email collection or commenting can be used for ugly things if they don’t have validation built into them. Validation strips dodgy content out of any entered data and encrypts it before it is transferred to your site. This can prevent forms from being used to add snippets of bad code to your site. Ninja Forms is a great option for adding forms to sites and includes that crucial validation step.
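To show what that validation step actually does, here is an added plain-PHP illustration (not code from this post, from Ninja Forms or from WordPress) with an unvalidated contact-form handler next to one that validates each field and escapes it on output; the field names and the sample submission are constructed for the example.

```php
<?php
// Constructed sample of what a contact-form POST might carry (added example).
$submission = [
    'name'    => 'Jane <script>alert(1)</script>',
    'email'   => 'not-an-email',
    'message' => 'Hello <img src=x onerror="alert(1)"> world',
];

// UNSAFE: echoes whatever the visitor typed. Any markup in a field lands in
// the page as-is, which is how a form becomes a way to plant code on a site.
function render_unsafe(array $form): string
{
    return "<p>From: {$form['name']} ({$form['email']})</p><p>{$form['message']}</p>";
}

// SAFER: check each field against what it is supposed to contain and reject
// anything that does not fit. (WordPress offers sanitize_text_field(),
// is_email() and esc_html() for the same jobs.)
function validate_form(array $form): array
{
    $errors = [];
    $clean  = ['name' => '', 'email' => '', 'message' => ''];

    $clean['name'] = trim(strip_tags($form['name'] ?? ''));
    if ($clean['name'] === '' || mb_strlen($clean['name']) > 100) {
        $errors[] = 'Name is required and must be under 100 characters.';
    }

    $email = filter_var(trim($form['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'A valid email address is required.';
    } else {
        $clean['email'] = $email;
    }

    $clean['message'] = trim(strip_tags($form['message'] ?? ''));
    if ($clean['message'] === '' || mb_strlen($clean['message']) > 2000) {
        $errors[] = 'Message is required and must be under 2000 characters.';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Escape on output no matter what the input filters did; strip_tags alone
// is not a complete defence, but escaping makes leftover text inert.
function render_safe(array $clean): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>From: ' . $e($clean['name']) . ' (' . $e($clean['email']) . ')</p>'
         . '<p>' . $e($clean['message']) . '</p>';
}

$result = validate_form($submission);
echo $result['ok'] ? render_safe($result['data']) : implode("\n", $result['errors']), "\n";
```

With the sample submission, the unsafe renderer would emit the script tag into the page, while the validated path rejects the bad email address and returns the error list instead of rendering anything.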

Site security is so important. It’s like having a door with a lock on your house. You wouldn’t just go out of town and leave the door wide open, would you? Don’t do that with your website either. Your website is your business, it is your investment, and it is your responsibility to protect it.

To recap:

  1. Keep your site software–WordPress, Joomla, themes and plugins–updated.
  2. Add a security feature to your site, like Sucuri* and a plugin that can protect against Brute Force Attacks.
  3. Do not share passwords over email or social media. Use a reputable password storage program instead, like LastPass* or 1Password.
  4. Do not add any forms or input fields to your site that don’t include validation.

Need Help with Site Security?

* In the spirit of full disclosure, this is an affiliate link, which means that I may get a commission if you decide to purchase anything from this particular vendor. That said, I only recommend products & systems that I use and love myself, so I know you’ll be in good hands.