Hackers vs. Your Website
Be Afraid, Be Very Afraid
I’ve already written about the importance of updating your website software because hackers take advantage of sites running older, out of date software often containing well known bugs and vulnerabilities.
If you’re a website owner running WordPress, Joomla or other popular CMS, this is a serious issue that shouldn’t be ignored. We’re not just talking about Joe Schmo, amateur hacker here. We’re talking about large-scale, sophisticated attacks using sophisticated software on sophisticated networks. Did I mention they’re a sophisticated lot? And don’t be fooled into thinking hackers wouldn’t be interested in your small or obscure site. Hackers will attack any website regardless of size or purpose.
In fact, they’ve probably attempted attacks on your site already – I get several attacks per week. You would only know it if you looked at your website access logs or if you have some sort of security plugin installed that reports attacks. It’s extremely typical for WordPress and Joomla sites to receive multiple attacks. Most are unsuccessful. Of course, you’ll know when they succeed, but trust me, you don’t want to let it get that far.
What motivates them?
In a word… $$ MONEY $$. These clever hackers do this because it’s worth it for them. They profit off of websites like yours because they can place affiliate links or pharmaceutical links (Viagra anyone?) or comment spam or paid links to improve SEO, and various other nefarious and lucrative techniques. Their goal is to maximize the number of attacks to increase their chances for profit.
How do they do it?
It’s fairly easy to determine what kind of software your site runs be it Joomla, WordPress, or other CMS, and then attack the known vulnerabilities of said software. These vulnerabilities are well publicized. For example, here are a couple of simple searches for – WordPress vulnerabilities and Joomla vulnerabilities. Many of these issues get fixed in a timely fashion, BUT the problem is that website owners are primarily responsible for updating their own sites. When is the last time you applied updates to your site? It’s certainly an inconvenience, and in some cases, software updates can break your site. Still, it’s imperative that website software is updated regularly to keep it secure. Put another way, would you rather be inconvenienced with software updates or have your website hacked with almost certainly unpleasant consequences and recovery costs? Ok, that’s what I thought!
Sure, there’s automated software updates in WordPress (since version 3.7), certain plugins, or managed hosting and software update services provided by vendors, but due to the fact that every website is a unique combination of core software, plugins and themes/templates, the task and complexity of updating the software will vary for each site. There’s no “one size fits all” solution.
Brute Force Attacks
Another common attack is called the “brute force attack”. There’s no software vulnerability involved. This attack usually attempts to login to your website with the username “admin”. Many websites have a username of “admin” because it used to be the default user and was very commonly used. Because of the rise of the “brute force attack”, “admin” is no longer recommended as the default username when you set up a website. Unfortunately, the user “admin” remains on many websites and so all a hacker has to do is guess the password.
They write programs that can automatically try thousands upon thousands of passwords, often times right out of a dictionary. If the “admin” user has a weak password, then there is a reasonably good chance the hacker will eventually get in. Once in the site with administrator access, there is practically no limit to what could be done to your site including installing malware, implementing other profit making links or ads, adding or removing pages or posts, or complete destruction or defacement of your site.
Large-scale attacks are carried out using illegal botnets to attack websites. They can be programmed to search for software vulnerabilities or perform a “brute force” attack. These botnets are made up of hundreds or thousands of computers from around the world that will perform whatever the hacker asks them to.
Hackers can easily grow their botnet armies by using various tactics including email spam, phishing, Drive-by download, and other techniques to deliver malware to unsuspecting victims’ computers. These computers then become part of their growing botnet, usually without the knowledge of the owner.
So these illegal botnets that provide large profits to hackers and regularly attack our websites are made up of computers like yours and mine. Hmmm… Have you run a malware scan lately?
What can I do to secure my website from hackers?
Ensure that your website software is up to date. This includes the core software (WordPress, Joomla, etc.) AND all the plugins and themes (WordPress) or templates (Joomla). In fact, it’s usually the plugins, themes/templates that have the most vulnerabilities.
Delete any unused plugins or themes/templates. If you don’t need them on your website, delete them. Even deactivated plugins or themes/templates could pose a danger to your website if they have any type of vulnerability. It’s best to delete all unused software.
Don’t keep a user named “admin” or “Admin” or “administrator” or “Administrator” on your website. This makes it easier for a hacker to access your site via “brute force attack”. So, create a new user with a different name and with administrator access. Then log in with this new user and delete the old user named “admin”.
Use strong passwords for all users on your website (especially administrators). Ideally, passwords should not be a word and should be made up of numbers, letters (lowercase & uppercase) and special characters. The longer the better (15+). A password manager is highly recommended so you don’t have to remember every password. Examples: LastPass, RoboForm, 1Password, KeePassX, and more…
Only use the administrator account when you need it. Use it only to install or remove plugins, themes/templates and to update software. You shouldn’t use an administrator account for posting articles. Instead set up authors or editors for this purpose. Ideally, there is only one administrator account and the others assigned a role (e.g. contributor, author, editor, etc.) depending on their needs, having only the level of access needed and no higher.
Don’t login to any unencrypted sites (including your WordPress/Joomla site) while on public wifi. You know you’re on an encrypted site if you see a lock icon in your browser or the address starts with https://. When you login on an unencrypted site, your username and password pass through the network in easy to read, clear text. Hackers often steal login credentials this way.
Don’t email passwords or sensitive data. Is your email encrypted fully from sender to recipient? If not, sensitive data can be stolen. If your email is hacked or compromised, any sensitive data in any messages can be easily copied.
Perform regular virus and malware scans on your computer. This will help you avoid being part of the problem (i.e. your computer is part of an illegal botnet without your knowledge).
What should I do if my website has been hacked?
Scan your computer for malware. As a first step, ensure you are working through this cleanup process on a clean machine.
Change your passwords. Change your administrator password on your website AND your web hosting account password.
Backup your current site. Even though it’s hacked, you can save everything possible and some of it, like raw data files for instance, may still be usable after investigation. So you should backup your files and folders and the database. Be sure to label it as “HACKED” so you know not to use it for anything else.
Do you have a good, malware-free backup? This is not an easy question since you may not be able to pinpoint when the site became infected. You don’t want to restore with a backup that contains infected files. Carefully weigh the options of restoring from backup vs. a fresh install.
Start from scratch – fresh install. Chances are good that there are malicious software files floating around somewhere in your website root folder or sub-folder(s). The safest option may be to start from scratch, deleting all current files and folders and installing fresh, malware-free software. You may be able to salvage some data files from backups, but it would be on a case by case basis.
Joomla and WordPress specific instructions
There are many articles on the web regarding post-hack cleanup for these platforms. I suggest starting with the official documentation sites: codex.wordpress.org and docs.joomla.org.
Trackback from your site.