“My website has been hacked!”
No one wants to imagine that this could ever happen to their website(s). We comfort ourselves thinking it only happens to the big sites that gather a lot of sensitive, personal information like credit card or banking information. Right?
Dead wrong! As you will soon see.
It happened to me a number of years ago. I’ve been there. Done that. And it WAS NOT fun. It took HOURS of time and effort to fix the mess that the hacker created. As a result, I’m on a crusade to help all of my clients keep their websites safe and secure. It really bothers me that they are blissfully unaware of what’s involved in keeping their websites secure.
They think that because they have a strong password, they’re good to go. Actually, it’s more likely that they’re so busy with growing their business and creating content, website security isn’t even on their radar of things to do.
Well…let me tell you my story of when my website was hacked.
Early one glorious spring morning, I made the long commute to my office (just joking; I’m referring to the distance from the living room to the office, since I work at home). As I do every morning, I logged into my email inbox, checking to see what my clients need me to do this day. I wanted to get it done and get out and enjoy the sunshine. But that was not to be…
Nestled in among the emails like a rattlesnake in my hens’ nest box was this notification from Google – “Security Alert – Site Compromised”.
Those words exploded in my brain sending shock waves through my body. “What Do I Do Now?!!!” echoed over and over again in my head. Tension gripped me in its tight claws.
You see, I’d created my own websites using WordPress themes. (Yes, I have multiple websites and FOUR of them had been hacked.) Over the years of experimenting with them, I’ve learned the ins and outs of using WordPress themes.
But life had gotten busy. My mom’s health was deteriorating and I was helping dad care for her. My SEO copywriting business was taking off and my days were filled with just keeping up. I had no time for maintaining my own websites. Or so I thought.
I should have made the time.
Because now I HAD to find time to fix them.
In the meantime, I forwarded the email notification to my tech savvy brother. He’s helped me through the many questions in setting up my websites. If he didn’t know how to do something, he always found out how to do it. So I knew he could help me now.
He told me to look in my Google Webmaster Tools (an invaluable resource) and see exactly what was going on. From there we could plan out what needed to be done next.
If you’ve never verified your website through Google Webmaster Tools, also known as Google Console, it’s vital that you do so right now.
Numerous pages had been hijacked (the technical term was they were suffering from URL injection). Now my pages were diverted to a Japanese site. Since I couldn’t read Japanese, I can’t tell you what it was about. But it was certainly disturbing.
I had to immediately take my websites offline until I got them fixed. Here’s a sobering question: What would happen to your business if your website suddenly disappeared? I’m blessed that my business is generated by word of mouth, so I wasn’t dependent on these websites. But it certainly damaged my online visibility because my ranking in Google plummeted.
Every spare moment I had on the weekends and evenings was spent figuring out how to get back online. I searched through Google Webmaster instructional videos and gleaned a lot of great information. I read until my eyes felt like they were falling out.
Long story short, I had to go into my cPanel files, search for the compromised ones, and delete them. Let me tell you, that was a job and a half.
I was stressed and panicky, and I’ll be honest, I deleted more than I should have. And I lost one website altogether. Why? Because I didn’t have any clean backup files for it. How crazy is that? I thought for sure I’d done it. Maybe I had. But I’d lost them somewhere along the line.
If I had had a clean backup of my websites, I could have removed the hacked files and replaced them with the clean ones. But, nooooo. I had neglected a regular backup. I didn’t think I had the time and that I’d get to it later.
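The clean-backup approach described above can be done by comparing file hashes instead of hunting by eye. The following is an added example, not part of the original story: the file names, contents and the `compare_to_backup` helper are constructed for illustration, and it assumes you have an unpacked backup taken before the compromise.

```python
import hashlib
import tempfile
from pathlib import Path


def tree_hashes(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and not p.is_symlink()
    }


def compare_to_backup(backup: Path, live: Path) -> dict:
    """Classify live files against the clean backup: added, modified, missing."""
    clean, current = tree_hashes(backup), tree_hashes(live)
    return {
        "added": sorted(set(current) - set(clean)),      # not in the backup at all
        "modified": sorted(f for f in clean.keys() & current.keys()
                           if clean[f] != current[f]),   # same path, new contents
        "missing": sorted(set(clean) - set(current)),    # deleted from the live site
    }


def write_tree(root: Path, files: dict) -> None:
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def demo() -> dict:
    # Constructed sample trees standing in for a backup and a live site.
    clean = {
        "index.php": "<?php // front controller",
        "wp-config.php": "<?php // settings",
        "wp-content/themes/mytheme/functions.php": "<?php // theme code",
    }
    live = dict(clean)
    live["index.php"] = "<?php // front controller, plus a line nobody wrote"
    live["wp-content/themes/mytheme/zx81.php"] = "<?php // not in the backup"
    del live["wp-config.php"]
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp) / "backup", clean)
        write_tree(Path(tmp) / "live", live)
        return compare_to_backup(Path(tmp) / "backup", Path(tmp) / "live")


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Files changed by legitimate updates since the backup also show up as modified, so review each entry before deleting or restoring anything.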
If ever I learned the truth of the saying “an ounce of prevention is worth a pound of cure,” it was then. The difference between doing security maintenance versus cleaning up after a hack attack has been likened to the difference between having an annual routine checkup and having heart surgery. Which would you prefer?
It took me weeks to get everything back online.
Then I had to petition Google to search my websites again and verify that they were clean.
All in all, it took a lot of hard work to get my websites back. And I lost that one altogether.
It was a horrible experience.
I thought no one would bother with my small websites. I was a nobody. But that obscurity didn’t protect me from the hacker’s attack. Please, don’t think it can’t happen to you.
Why did my website get hacked?
- I only have myself to blame.
- I didn’t keep my plugins updated.
- I didn’t keep core WordPress software updated.
- I didn’t keep the WordPress theme updated.
- I didn’t delete inactive plugins.
- I didn’t delete unused WordPress themes.
- I kept my multiple websites within one server on my web hosting account.
What did I learn about Website Security from my experience with being hacked?
Here are my baker’s dozen tips on website security.
- Don’t use “admin” as your user name for your WordPress website.
- Use a secure password.
- Do a full backup of your website regularly. (If you add content weekly, do a backup weekly. If you add content monthly, do a backup monthly.)
- Store your backup in a secure place other than on your server. (If the server is hacked, it’s all gone. Amazon S3 or Dropbox are good alternatives.)
- Keep only one website per server.
- Keep only one theme on your site.
- Delete the rest of the unused themes that come with the original setup.
- Keep your theme updated.
- Keep your WordPress Core software updated.
- Keep your plugins updated.
- Delete inactive plugins.
- Use the Wordfence plugin for website security.
- Have a brother who’s a Website Security Consultant.
Okay, maybe not everyone can have a brother who’s so valuable. But I’ll share. You first need to know your vulnerabilities, before you can lock down your website. It doesn’t do any good to lock the front door if you leave the back door wide open. Contact us to take advantage of our Website Security Audit. We joined forces to create a comprehensive Website Security Checklist. While you can’t protect yourself from everything, you can plug the vulnerable spots of your website.