It seems that every day now we wake up reading news about a new company having their website / service / database hacked. Macy’s, Desjardins, Planet Hollywood, Marriott, Adidas, to name a few, were all hacked recently. Unfortunately, hackers are not restricting themselves to large multinational organizations. Small businesses can also be victims of hacks. Recently, we had 3 hosted websites attacked  here at 14 Oranges. You may say to yourself “my business is so small, there is no way we will be on their radar” and unfortunately you will be wrong. The reason is that hackers use automated scripts or bots to scan the internet for sites that have known flaws or deficiencies much like Google scans the internet for keywords for its search algorithm. Once a site is flagged with a specific deficiency, the site moves to the second step which is likely automated for another round of tests or automatic hacking of your site. It is possible that that step or further steps require manual intervention from the hacker but in general, a lot can happen while they sleep. So what can one do to prevent such attacks and also mitigate the effects of the attack? In this article, we will cover simple tricks you can do to help and save you money in the long run. Note that the focus of this article will be on WordPress; however, the statements will also be valid for other CMS such as Joomla, Drupal. 

14 Oranges Man with Hand out and Mask on

Prevention:

Here are some simple things you can do to help protect your website:

1. Update Early – Update Often

Make sure WordPress and its plugins are up to date. That’s simple enough. Log in once a month and check that your WordPress installation is up to date. In many cases, WordPress will update itself which is great. Lately the biggest issue seems to be with plugins. One of the benefits of WordPress is how extendable it is. Unfortunately, that flexibility comes at a price. Plugins are written by a variety of developers large and small and for some of them, security isn’t always their first priority. Make sure your plugins are up to date. 

2. Remove Unused Plugins

Again with the ease that WordPress makes it to install plugins, it can be easy to have a lot of plugins installed but only a few that are actually in use. It is best to keep this list to a minimum and only install plugins that are actively required and in use. In fact, there are chances that reducing the number of plugins installed on your website will also help your site speed and SEO. If you can’t remember if a plugin is required or not, maintain a list. You can also install a plugin (Plugin Notes Plus) to help you keep your notes right inside the list of plugins in WordPress which is useful. And yes we get the irony here. 

3. Replace Admin Username

It is a well known fact that the default username for WordPress is “admin”. Hackers are making use of that fact in their brute force attacks of your site. By simply replacing that username with something different, you make it just that much harder to have your site hacked. 

4. Change Passwords Early – Change Often

It is important to change your passwords often specially if you are the type of person that reuses the same passwords everywhere. The reason is that if a password is obtained via a hack at one site, hackers will then try to use the same username and password combinations on other sites. I know that keeping track of passwords can be a pain but there are many apps and tools you can use to help on that front. Keeping a notepad at your home is also a simple secure way to do so. Make sure to use strong passwords as well as brute force attacks by large botnets are constantly occurring. Usually a combination of words, numbers, special characters. 

2024 UPDATE: In recent years, most agencies are no longer recommending changing passwords often. You can read more here or if you suffer from insomnia, you can read the full NIST guidelines here. You are best to use a strong password and use a password manager to handle it.

5. Install a Firewall

There are many firewalls that can be installed on WordPress that can help reduce the attacks. WordFence, Succuri, and Fail2Ban are all good ones. One of their important features is that they can notify you when your site is being attacked allowing you to act right away instead of 4 weeks down the road when you realize you haven’t received an order from your website. 

Mitigation:

So you took all the steps required but your site still got hacked. 

14 Oranges Signs with Don’t Give Up and You Are Not Alone

Don’t feel bad. If Facebook can get hacked, so can your site. Recovering your site to all its glory can be simple if you have taken the following steps:

1. Backup Early – Backup Often

It is CRUCIAL to maintain backups of your website. If you are using WordPress, that means to backup your files AND your database. One without the other is not that useful. You should back up at least once a year if you have a site that is fairly static. If you are making changes often (which is good for SEO purposes), then you should back up more often. Basically think of this “what would be the effort if you lost all the changes you have done in the last day, week, month, year?”. Based on that, you can get a feel for how often you should back up. In some cases, it may be daily and it may require automation. You can read more about WordPress backups here.

2. Offsite Backups

Make sure your backups are not stored on the same server that your site is running on. Yes, it may be very convenient to have them there but if your site is hacked, there is no telling if your backup file(s) will still be there or not affected. Store it in 2 locations. A local drive on your computer and a thumb drive / removal hard disk. Drives are notoriously bad at getting corrupted over time so that’s why we recommend 2 locations. Dropbox or Google Drive could be another good option if your site is not too big. 

3. Keep Your Passwords Handy

You should know who is hosting your site, and what the credentials are so that at the 11th hour if your site is hacked, you can respond quickly. We’ve had many customers attacked on weekends (likely on purpose) and they didn’t know their hosting details and couldn’t act until they spoke with us. Even if we offered 24/7 support, it would still take time to have them contact us, us retrieve the information, and get back to them so that they can go and perform their disaster recovery procedures. That time can be pretty crucial. Best that you have all the information handy with you. 

4. Prepare a Disaster Recovery Plan

It kind of goes hand in hand with #3 above. If you find your site got hacked, you should have a plan in your head of what you are going to do. Who will take care of it, have their phone numbers handy. They will likely ask you what is wrong as well. Any details you can provide will help. “The site doesn’t work” is not enough. Try to remember the last time it worked properly (that can help knowing which backup to use), what exactly is wrong, if you received any weird emails, so on. 

We hope that with those steps taken, you will be well prepared should the unexpected happen. If you are not sure on how to perform these steps, we would be happy to help. Note that we prepared this article with a view of educating you with what can be done to reduce and mitigate the effects of hackers and not to sell new services. If you are interested, we do offer additional services on that front (think of it as insurance); however, what we are trying to achieve here is to reduce the number of phone calls we receive where we tell them “sorry there is nothing we can do”.

Protecting Your Website: Simple Tricks to Reduce and Mitigate the Risks of Hacking on Your Website