I do website security for about 150 clients. It’s a lot of work for one person.
Each year, roughly 30 of those sites go down because of hackers. They’re not really serious hacks because there’s no obvious prize. I make a point of not storing sensitive personal or financial data on client websites. So most of the time the attacks are for fun.
Depending on the severity of the breach, resurrecting a website can take hours, days or even weeks.
What do hackers want?
Free money. Ultimately. Once they’re trained up to get it.
In most cases hackers are youngster geeks out to impress Mafia bosses. The best hackers are promoted to credit card fraud, identity theft and finally, the cream of the crop attack international banks and institutions. Oh. And extortion. In other cases, your hacker just wants to use your website and server as a spam farm – sending out thousands of ads for porn, Viagra, sex or cigarettes.
If this has happened on your web server (usually it only happens to sites which have been neglected for many months) your domain name – and all associated domain names sitting on the same server – may have been blacklisted by Google. This means that Google will no longer index your site. If this is the case, you might find it much easier to move your site to a new domain (and server) rather than jump through the many hoops required for a successful Google health check.
But don’t take my word for it. Here’s what Matt Cutts from Google has to say about bad domains.
Bad domains get de-listed by Google regularly.
The Big End of Town
Ever had an email from your bank saying “We’re excited to inform you about a new way of doing business with us . . .”?
I groan when I read this sort of rubbish because I know that it invariably means they’ve been hacked. Some online security muppet is out there chasing lost millions while other suited muppets argue with insurance companies. Insurance fees go up and muppets cost money. Your bank’s exciting new system will invariably hit your back pocket.
As far as hackers are concerned, Geoffrey Multimedia sites; websites for doctors, builders, events industry people, tradies, artists, small businesses and lawyers (if you want one) are a training ground for hackers.
What does a hacker do?
One hacker posted a picture of himself dressed as Michael Jackson while Billie Jean played in the background. Where the album title (Thriller) should have been, the words “You haz bin hacked by the Bangladesh Kiddie hakrz” (or words to that effect) were displayed. And could I get into my own site? No chance.
I had to put days aside (unpaid) to resurrect several similarly affected websites.
To be fair, the Bangladesh Kiddie Hackers are training us webmasters in the art of security. I try to think of it as free education. If you can beat the kiddies, you can probably beat Credit Card and Identity fraudsters. You might not be able to lock Big Mafia out of international banks, but you are well on the way to learning the basics about
10 Steps to Hacker-free Living
This is my generic approach to successful hacks. If you are a web developer who knows of other fail-safe ways to eradicate hacking, please leave a note in the comments.
Let’s assume you’ve been hacked (and it’s why you’re here). Let’s also assume you run a CMS such as WordPress, Joomla or Drupal. If you don’t, this approach should still make sense. Okay. You’ve been hacked…
1. Change usernames and passwords
Change all Admin passwords, especially the FTP or Master (Cpanel) password to your site.
Make them strong passwords.
Here is a great password creation walk-through by Microsoft.
Along with the master password, change the Admin username and password for the CMS of your website. Invariably, your password is how the hacker got into your site – by using a password-cracking script. But to get to that part, the hacker also needed your username. So be sure not to reveal CMS usernames publicly on your website if that’s possible.
If you have more than one Admin user in your CMS, consider demoting everyone else so that there is just the one. You. Hackers want Admin access to your site and won’t settle for anything less.
If you can’t get into your site because the hacker has locked you out, create a new Admin user in the database directly, or try to log in using the lost password feature.
There are other options such as
- hiding your administration login
- using a captcha to stop bots trying to log in or register
- using 2-factor authentication
2. FTP clean-up
Once you have changed the main account username and password, plus other associated CMS Admin passwords, FTP into your site and look for hacker footprints. Mostly they are pretty easy to spot. Compare a fresh CMS install on one of your healthy sites and remove all unnecessary folders.
In one site I found a file called “x” and a folder called “index”. Delete!
In another (WordPress) site, I found an entire WordPress theme that had no business being there at all. Delete such nonsense. In another site backend, I found thousands of tiny PHP files uploaded to the clients’ content directory. Delete, delete, delete! (Deleting a large number of files is probably best done on the server using File Explorer rather than FTP as most servers will restrict FTP speeds).
An alternative approach would be to re-install the CMS entirely. In most cases that means over-writing the core files.
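The comparison described in this step, as an added example (not the author's code): it hashes a fresh install and the live site, then lists unexpected files, modified core files, and scripts sitting in the content directory. The `wp-content/uploads` path, the extension list and the sample trees are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Extensions a typical PHP host will execute (assumption; adjust to your server).
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".phar"}


def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}


def audit(clean_root, live_root, content_dir="wp-content/uploads"):
    """Compare a live site against a fresh install of the same CMS version."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    prefix = content_dir.rstrip("/") + "/"
    report = {"unexpected": [], "modified": [], "scripts_in_content": []}
    for rel in sorted(live):
        in_content = rel.startswith(prefix)
        if in_content and Path(rel).suffix.lower() in SCRIPT_EXTS:
            report["scripts_in_content"].append(rel)  # uploads should hold media only
        elif rel not in clean and not in_content:
            report["unexpected"].append(rel)          # e.g. a stray file called "x"
        elif rel in clean and clean[rel] != live[rel]:
            report["modified"].append(rel)            # core file no longer matches
    return report


def build_demo():
    """Constructed sample trees (not real site data) so the example runs offline."""
    base = Path(tempfile.mkdtemp())
    files = {
        "clean/index.php": "<?php // core", "clean/wp-login.php": "<?php // login",
        "live/index.php": "<?php // core", "live/wp-login.php": "<?php // login + extra",
        "live/x": "dropped", "live/wp-content/uploads/logo.png": "img",
        "live/wp-content/uploads/a1.php": "<?php // dropped",
    }
    for rel, body in files.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return base / "clean", base / "live"


if __name__ == "__main__":
    print(audit(*build_demo()))
```

Themes, plugins and the site's own config file that you installed yourself will also appear under `unexpected`, so treat the report as a review list rather than a delete list.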
3. Keep all software up to date
Many sites these days use open-source software (e.g. WordPress, Drupal or Joomla) or news modules / 3rd party plug-ins. Make sure each of these plugins has been approved in an official way. Or if not, read online reviews to see if the plugin is really worth having. If you don’t need the plugin, lose it. It’s another way a hacker can gain entry to your site. Stay slim!
Try to keep every bit of software up to date to within about 2 weeks of the latest version. Sometimes you have to wait – say for a plugin to catch up with a new theme release, but in most cases, CMS and good plugin updates are security patches designed to seal cracks to prevent hackers getting in.
4. Can’t log in to your site?
Sometimes hackers make it difficult to log back into your site. The longer they keep you out, the longer that bot can keep sending out spam messages. Create a new username and Admin password in the database, but use the password recovery tool to get in. Why? It’s just another way to circumvent the lockout. Sometimes a hacker will prevent new user passwords from working, but the password recovery tool on most sites seems to circumvent that niggle. If you still can’t log in, you probably have suspicious files working on your server.
You’ll need to virus check your site (or subscribe to a virus checking service).
Or get your server people to roll the server back.
5. Back everything up
Once successfully in – back things up. Rather than a database backup, I usually export and save an XML of all site data (this is for later – when you get a serious hack – you can then re-install the CMS and resurrect the files). You can save and export the database, too, but in my experience, different operating systems, programming languages, servers and database iterations prevent re-importation and I’m usually left with the XML file anyway.
An XML file might feel like a clunky way to back things up, but in my experience, database resurrections are fraught with compatibility issues.
Your CMS software should have a simple way to export an XML file of your content. Look for this option under Settings or Tools.
6. Install Security Software
Install free or premium (i.e. paid-for / subscription) security software on your site. There are many options out there and I’m loath to list them as each hack attack is different and requires a different kind of dissuasion.
You could talk with your server people about adding a little extra for software which will allow you to roll back your site to say, a week ago. I have a fellow Webby who uses www.Site5.com servers. They provide an option to backup any website on a daily basis. It might be worth the extra annual cost.
7. Unique usernames / passwords
Never use the same username or password twice. If you find one username easy to remember, chances are it will be just as easy to hack.
Make sure, if you run or access a lot of sites, that you use different usernames for each one and as mentioned earlier, make sure that username does not display publicly on any site. By using the same username over and over, you save hackers 50% of the battle.
8. Obfuscate the log-in
I don’t know anyone who uses this technique, but you can delete all the access pages / login forms on your site and then FTP them to the server as you need them. This is a drastic measure to be sure, but just short of that, hiding the access or login page is second best. Of course, if your client accesses the site regularly, you can’t do this so it may not be an option.
9. Timetable site updates
This is a bit annoying, but try setting yourself a reminder or at least date the last time you updated the website. With numerous sites to manage, I’d find myself updating sites week after week. If a site’s last update is approaching 3 months, that’s probably too long. Not updating the CMS and software on your websites is very easy, but these days you will get hacked.
Third party plugins are often targeted in the second stage of an attack, so popping in to a site to see what needs updating on a regular basis is your best line of defense.
10. Sleeping viruses
Be mindful that if your site has been hacked, it may have been hacked months (or years) ago and could still be lugging a virus around. One fellow web developer (who shall remain nameless) moved a site several times between servers over a 6 month period and during that whole time, she didn’t know the core site files were infected with a serious virus.
No coder knows everything about hacking.
If you haven’t been hacked – and hopefully that’s most of you – it might be an idea to go through preventative steps 5-10 as soon as you have a moment. My bet is that you use the same username across a series of sites. Changing that alone will double the difficulty for hackers.
If your site is very old, uses a framework like WordPress, Drupal or Joomla, and the core files haven’t been updated for say, 3 months or more, chances are you have already been hacked and don’t know anything about it yet. Most CMS software updates are security patches, so get on top of those at least.
I had a client once ask me to take over the running of their site as it was “a bit old and needed new content.” The site hadn’t been updated in 2 years. Just visiting the home page had my PC’s AVG security software pinging away with Trojan alerts. Unfortunately, the server had been ruthlessly hacked many months ago and was probably now happily serving out spam.
The only way to fix a site like this is to salvage the site text (into a text editor) and images (Yup, right-click save, right-click save etc.) and rebuild the entire site on another server under a different domain name.
What about traffic stats?
If you’ve been hacked some time back, most of your traffic information (if Google hasn’t got around to banning your site yet) is no good now. The traffic will be bot-traffic and not representative of normal human surfing. For such seriously breached sites, the quickest way to fix things for your web developer is to start over. I guarantee you’ll spend less time building a brand new client website than it will take to fix a badly hacked one.
And just think of the benefits to your client.
“[Such and such enterprise] is excited to inform you that we have a brand new way of conducting business. Just visit our new website to experience the difference!”
Author: Edwin James Lynch
Edwin wrote his first (Harrier Jump-jet) computer program in 1982. Today he builds websites and guides companies through best practice, future-proof web development. He lectured 15yrs+ at Curtin University where (in 2007) he was voted 5th best tutor out of 2,500+ Open University Australia tutor / lecturers.