The simplest way to understand a cyberattack is to relate it to thieves breaking into your house. They get access to your personal items and can steal your belongings. Similarly, hackers who orchestrate a cyberattack on your site get access to its files and admin privileges. They can wreak havoc: they can redirect your traffic, sell your data and even launch attacks on others by posing as you.
But have you noticed that it is always the site owner who gets blamed when their site gets breached? While it’s your responsibility to “not leave the keys under the doormat”, how far should you go to secure your site and why?
In this article, we will understand why and how cyberattacks happen. It’s helpful to know what their consequences are and what measures you can take against them.
The first step is to understand the WHY – why do hackers even hack? What do they get out of it?
Top Reasons Hackers Attack Websites
Hackers attack websites of all sizes, shapes, and colors! Contrary to popular belief, they aren’t biased to only popular sites and big brands. You may be wondering why anyone would target a small site. What could they possibly gain? Here are the top reasons why hackers hack:
1) Your site is their testing ground
Hackers may be playing around with your site security in order to understand how to breach a bigger site built on the same software. If they find a vulnerability or a loophole that can be exploited, they can replicate the same attack on a bigger site.
2) They want to make money
If you own a site that collects data from visitors, you can be sure that there is someone willing to pay for that data. This is one of the simplest and biggest motives for a hacker to hack, to sell the information and make dollars! In many cases, hackers use the infected site as a medium to sell illegal drugs and fake products.
3) They want to bring attention to some Company Practices that they don’t like
Let’s understand this through a real-life instance. In 2018, the restaurant-delivery giant Zomato suffered a serious data breach. Data from 17 million accounts was stolen and later put up for sale on the Dark Web. The hacker asked the company to improve its bug bounty program and give ethical hackers more recognition and monetary benefits. After Zomato agreed, the hacker destroyed all copies of the stolen data and took it down from the Dark Web.
4) “Just cuz” and “I wanna be famous”
Some hackers hack just because they can. Internet vandalism is common, with some hackers leaving behind random files on the sites they’ve hacked without any apparent motive. Hackers also hack to “get famous” and elevate their status in the hacking culture. This is why many hackers tend to leave behind a signature – to show off their handiwork.
These intentions point towards one fact – irrespective of size or nature, ALL websites are vulnerable to cyberattacks.
The next thing to understand is the HOW – what are the common ways that a hacker hacks? Listed below are the most common hacks explained through simple analogies.
Common Methods used to Hack WordPress Sites:
1) SQL Injections
Imagine your website database is a salesperson at a store. When a new customer comes to the counter, the salesperson is instructed to ask “What can I get you?” Now imagine the customer says “A box of cereal, and give me $100”. Unlike a salesperson, the database can’t tell the difference between data and instructions. It would understand that it needs to hand you a box of cereal and give you $100.
Without proper security protocols in place, your database can be easily tricked by a hacker. Your website may show English on the front-end, but in the backend, i.e. your database, everything is MySQL queries. Since your database can’t differentiate between data and commands, a hacker can simply add MySQL instructions to the data they submit.
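The salesperson analogy, as an added Python example (not code from the original article or from MalCare): the same lookup written the wrong way and the right way against a constructed in-memory SQLite table. The table, its rows and the “customer” inputs are all constructed for the demo; the point is the same for MySQL.

```python
"""Added example (not from the original article): the "data vs. instructions"
problem from the SQL injection section, shown with Python's built-in sqlite3.
The table, rows and the 'customer' inputs are constructed for this demo."""
import sqlite3


def make_db():
    """Create an in-memory database with a small constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "administrator"), (2, "bob", "editor"), (3, "carol", "subscriber")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The mistake: pasting user input straight into the query text.
    The database cannot tell where the data ends and the instructions begin."""
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    """The fix: a parameterised query. The '?' placeholder tells the driver
    that whatever follows is data, never instructions, so the same input is
    compared literally against the username column and matches nothing."""
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # A normal customer: both versions behave the same.
    print(lookup_vulnerable(conn, "bob"))   # [('bob', 'editor')]
    print(lookup_safe(conn, "bob"))         # [('bob', 'editor')]
    # The "and give me $100" customer from the analogy: the input carries an instruction.
    tricky = "' OR '1'='1"
    print(lookup_vulnerable(conn, tricky))  # every row: the instruction was obeyed
    print(lookup_safe(conn, tricky))        # []: treated as a literal username
```

In WordPress plugin and theme code the equivalent of the placeholder query is `$wpdb->prepare()`; the rule is the same in any language: user input travels as a bound parameter, never as part of the query string.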
2) DDoS Attacks
Imagine your web server is a local train which can accommodate 100 people at a time. What if I hired 200 people to get on the train all at once? This would overload the train and bring it to a halt. It would also not leave any space for genuine commuters to get on.
In a DDoS attack, hackers break into hundreds or thousands of smaller websites. They could sit idle for a long time unnoticed. These small sites are only pawns to take out a bigger target.
When they are ready, they use these smaller sites to send millions of traffic requests to the target’s server. This overloads it and denies service to actual users. The target site could crash and could be suspended by the web host for exceeding its resource limits.
These attacks usually target big brands in a bid to ruin their reputation or cause massive financial losses to them.
3) Phishing
Phishing attacks are the age-old method of tricking a user into sharing personal credentials by posing as someone else. The most successful phishing emails are where the sender poses as someone the user trusts or as someone from the user’s bank. They may ask the user to fill out a form or reply with specific information.
How many Princes of Nigeria have emailed you asking for help? Or have you ever received an email from Apple iTunes which requires you to make automatic payments? This is one of the most common phishing scams and is extremely deceitful, as you can see in the images below.


As you can see, the email seems to be a routine email from the Apple Team asking you to make payments for iTunes. However, a few things are amiss. For instance, they address the user by the user’s email ID instead of the user’s name. The sender’s email address is all sorts of wrong, and the link to their “Review Center” does not lead to the official Apple website.
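The three checks just made by eye (sender domain, link destination, generic greeting), as an added Python example that is not part of the original article: it parses a constructed email with the standard library and reports each mismatch against the domain a genuine message would come from. The message, all of its addresses and its link use the reserved `.example` TLD; `apple.com` appears only as the expected domain of a real Apple email.

```python
"""Added example (not from the original article): the checks the article
applies by eye to the fake "Apple iTunes" email, done in code with Python's
standard library. The email below is constructed for the demo and all of its
domains use the reserved .example TLD; 'apple.com' is only the expected domain
for a genuine Apple message."""
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

CONSTRUCTED_EMAIL = """\
From: "Apple Team" <billing@apple-itunes-verify.example>
To: john.doe@mailbox.example
Subject: Your automatic payment has been set up

Dear john.doe@mailbox.example,

Your iTunes account has been enrolled in automatic payments.
To cancel, visit the Review Center: http://review-center.example/apple/login
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def registered_domain(host):
    """Keep only the last two labels ('secure.apple.com' -> 'apple.com').
    A simplification: real tooling uses the Public Suffix List."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_indicators(raw_message, claimed_brand_domain):
    """Return a list of reasons this message looks like it is not from the brand."""
    msg = email.message_from_string(raw_message)
    body = msg.get_payload()
    findings = []

    # 1. The display name says 'Apple', but the sending domain is not the brand's.
    _display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2]
    if registered_domain(sender_domain) != claimed_brand_domain:
        findings.append(f"sender domain '{sender_domain}' is not {claimed_brand_domain}")

    # 2. Links point somewhere other than the brand's site.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registered_domain(host) != claimed_brand_domain:
            findings.append(f"link '{url}' leads to '{host}', not {claimed_brand_domain}")

    # 3. Generic greeting: addressed by email address rather than by name.
    recipient = parseaddr(msg.get("To", ""))[1]
    lines = body.strip().splitlines()
    first_line = lines[0] if lines else ""
    if recipient and recipient in first_line:
        findings.append("greeting uses the recipient's email address instead of a name")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(CONSTRUCTED_EMAIL, "apple.com"):
        print("-", finding)
```

A message with no findings is not proven genuine (attackers also register look-alike domains and abuse compromised mailboxes), but any finding is a reason to go to the company’s site by typing its address yourself rather than following the link.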
4) Man-In-The-Middle attack
A MITM attack occurs in places with an unsecured wifi router. Say you’re using the free, unsecured wifi of a restaurant. If a hacker finds a vulnerability in the router, they can easily intercept all data being transmitted over that network. The hacker can place tools between the wifi users and the websites they are visiting; these tools let them see and record any personal information the user shares. Websites without an SSL certificate (i.e. not served over HTTPS) are the most vulnerable to this attack, because their data travels in plain text, so any credit card info or contact details can be intercepted and stored by the hacker. An SSL certificate encrypts the data transmitted between the visitor’s browser and the site.
5) Exploiting password reuse and weak passwords
Let’s address the biggest blunder people make! Everyone knows you shouldn’t use ‘password’ as your password. But, it’s still the most commonly used password, along with ‘123456’.
Using a weak password and getting hacked is the equivalent of leaving the main door open and complaining when you get robbed. To avoid such a situation, it is always best to use passwords that are a mix of letters, numbers, and symbols.
Example of a commonly used password

You may ask – what’s the worst that can happen if you get hacked? Is it as bad as it seems?
What happens when you get hacked
I’m going to recount an incident that happened years ago to one of the folks at BlogVault.
Alex started blogging at the age of 14. He wrote about the latest phones and computer gadgets. A year later, life seemed good. The hosting was cheap and his articles were ranking high on Google. He was also making a decent income from affiliate commissions. And then he got hacked.
Overnight, his website was blown off the face of the earth. A random hacker had hacked his website database using an SQL injection and all his traffic was redirected to an adult site. Soon, his web host suspended his account as it was a security threat to other sites on their network. As Google’s primary intention is to give users the best experience in the shortest time, his site was also blacklisted.

With the costs of recovery being too high at that time, Alex decided to scrap his website. If he had MalCare’s protection back then, he could’ve recovered his website in minutes – at a fraction of the cost!
It’s quite clear that a hacked site can be devastating. Thankfully, Alex wasn’t depending on his site for his livelihood. But what if he was?
The Consequences of a Hacked Site:
- The site goes down and is inaccessible to the visitors resulting in lost orders or engagement.
- Visitors may be redirected to unsolicited sites causing a loss in reputation and trust.
- Your web host might suspend you if it thinks your site could affect the other sites on its network.
- You can be blacklisted by Google or at the very least face a significant drop in your SEO ranking.
- The hacker can gain access to your sensitive information and importantly, your customer data – which can be sold or misused.
- Not to mention, the costs of recovery are high. Depending on the severity of the hack, it could cost anywhere from $100 to over $1 billion.
In 2019 alone, over 4 billion successful hacks were carried out. If a site gets hacked, it can take anywhere between 3 months and a year for the website to recover its losses. This prompts us to ask the question: what can you do to stay vigilant and keep your site secure?
How to keep your WordPress Site from being Hacked
1) Keep your site updated
Ensure your WordPress Core, Plugins and Themes are updated to their latest versions. Staying on an outdated version could risk exposure to bugs and vulnerabilities that can be exploited. You can see which plugins and themes have available updates from the WordPress Admin Dashboard.

Besides keeping your plugins, themes, and core updated, we strongly suggest that you keep your WordPress salts and security keys updated.
2) Prioritize quality over price when it comes to hosting
Though shared hosting is cheaper, it comes at a cost – your site could be affected by other sites on the network. If another site on your network is hacked or is using too many server resources, it could impact your site’s security and performance. Also, use a host that is smart enough to identify a DDoS attack and distribute or block the requests.
3) Use unique and strong usernames and passwords
Use longer passwords that are not based on any publicly available information. We recommend using a password manager if you’re not able to remember the passwords. It’s best to change your passwords every few months.
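The password advice above (and the warning earlier in the article about ‘password’ and ‘123456’), as an added Python example that is not from the original article: a checker for a single password (common-password list, length, character mix, nothing derived from public facts about the site or owner) plus a reuse check across a set of accounts. The common-password list, the sample passwords and the account names are constructed for the demo.

```python
"""Added example (not from the original article): a checker for the article's
password advice: no common passwords, a mix of character classes, enough
length, nothing derived from public information about the owner, and no
reuse across accounts. The common-password list and the sample accounts are
constructed for the demo."""
import string

# Constructed list; a real check uses a much larger breach-derived list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "admin"}


def password_issues(password, public_facts=(), min_length=12):
    """Return the reasons a password falls short, or an empty list if none."""
    issues = []
    low = password.lower()
    if low in COMMON_PASSWORDS:
        issues.append("is one of the most commonly used passwords")
    if len(password) < min_length:
        issues.append(f"shorter than {min_length} characters")
    classes = [
        any(c in string.ascii_lowercase for c in password),
        any(c in string.ascii_uppercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        issues.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    for fact in public_facts:  # site name, owner's name, birth year, ...
        if len(fact) >= 4 and fact.lower() in low:
            issues.append(f"contains public information '{fact}'")
    return issues


def reused_passwords(accounts):
    """accounts: mapping of account name -> password. Returns the groups of
    accounts (sorted) that share a password; one guessed password would open
    every account in its group."""
    seen = {}
    for account, password in accounts.items():
        seen.setdefault(password, []).append(account)
    return [sorted(group) for group in seen.values() if len(group) > 1]


if __name__ == "__main__":
    print(password_issues("password"))
    print(password_issues("AlexBlog2015!", public_facts=["AlexBlog", "2015"]))
    print(password_issues("tr0ub4dor&3-Correct-Horse"))  # []
    sample_accounts = {  # constructed
        "wp-admin": "Winter2019!", "sftp": "Winter2019!", "hosting": "Winter2019!",
        "database": "k9#Lm2$pQx7!vR",
    }
    print(reused_passwords(sample_accounts))  # [['hosting', 'sftp', 'wp-admin']]
```

The reuse check is the reason the article’s later advice to reset the SFTP, hosting, wp-admin and database passwords together matters: if any of them were shared, one guessed password was enough for all of them.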
4) Evaluate and remove any unused plugins or themes
As a website owner, you tend to install many themes and plugins and forget about the ones no longer in use. You probably forgot to update them too. Unused, outdated plugins take up space and also pose a security risk.
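An audit of a plugin and theme inventory covering both points above (update what is behind its latest release; remove what is installed but no longer active), as an added Python example that is not from the original article or MalCare. The inventory, including its component names and version numbers, is constructed for the demo; the one detail worth noticing is that versions must be compared numerically, because as strings “1.9.2” sorts above “1.10.0”.

```python
"""Added example (not from the original article): an audit of a plugin/theme
inventory that flags what the article says to act on: components behind their
latest release, and installed-but-inactive ones that should be removed. The
inventory below is constructed; the names and versions are not real data."""


def parse_version(text):
    """Turn '5.4.2' into (5, 4, 2) so versions compare numerically, not as
    strings ('1.10.0' must rank above '1.9.2'). Non-numeric parts are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_outdated(installed, latest):
    return parse_version(installed) < parse_version(latest)


def audit_components(inventory):
    """inventory: list of dicts with name, type, installed, latest, active.
    Returns the actions to take: components to update and components to remove."""
    update, remove = [], []
    for item in inventory:
        if not item["active"]:
            # Inactive code is still on disk and still reachable over the web;
            # remove it rather than leave it to go stale.
            remove.append(item["name"])
        elif is_outdated(item["installed"], item["latest"]):
            update.append(item["name"])
    return {"update": update, "remove": remove}


CONSTRUCTED_INVENTORY = [
    {"name": "wordpress-core", "type": "core", "installed": "5.2.4", "latest": "5.3", "active": True},
    {"name": "gallery-widget", "type": "plugin", "installed": "1.9.2", "latest": "1.10.0", "active": True},
    {"name": "contact-form", "type": "plugin", "installed": "2.0.0", "latest": "2.0.0", "active": True},
    {"name": "old-slider", "type": "plugin", "installed": "0.8", "latest": "1.4", "active": False},
    {"name": "unused-theme", "type": "theme", "installed": "1.0", "latest": "1.0", "active": False},
]

if __name__ == "__main__":
    print(audit_components(CONSTRUCTED_INVENTORY))
    # {'update': ['wordpress-core', 'gallery-widget'], 'remove': ['old-slider', 'unused-theme']}
```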
5) Use Login Protection to prevent Brute Force attacks
A brute force attack is when bots try to log in to your admin dashboard by guessing your credentials. The hundreds of requests can easily overload your server and make your site slow or even crash. CAPTCHA-based login protection or 2-factor authentication can identify and block these bots (recommended read – WordPress login page protection guide).
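What login protection does underneath the CAPTCHA or 2-factor layer, as an added Python example that is not from the original article or any plugin: a sliding-window limiter that refuses further attempts from a source address once it has failed too many times within the window, before the password is even checked. The thresholds and the attempt stream are constructed for the demo, and the addresses are from the documentation ranges.

```python
"""Added example (not from the original article): the login protection the
article recommends, as a sliding-window limiter on failed logins per source
address. After `max_failures` failures inside `window_seconds`, further
attempts from that address are refused until the window empties. Thresholds
and the sample attempt stream are constructed for the demo."""
from collections import deque


class LoginLimiter:
    def __init__(self, max_failures=5, window_seconds=300):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = {}  # source address -> deque of failure timestamps

    def _prune(self, source, now):
        """Drop failures older than the window and return the live deque."""
        q = self.failures.setdefault(source, deque())
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, source, now):
        return len(self._prune(source, now)) >= self.max_failures

    def attempt(self, source, now, password_ok):
        """Process one login attempt. Returns 'blocked', 'ok' or 'failed'.
        Blocked attempts are rejected before the password is checked, so a
        bot gains nothing from continuing to guess."""
        if self.is_blocked(source, now):
            return "blocked"
        if password_ok:
            self.failures.pop(source, None)  # success clears the counter
            return "ok"
        self._prune(source, now).append(now)
        return "failed"


def replay(limiter, attempts):
    """Feed (timestamp, source, password_ok) tuples through the limiter and
    return one outcome per attempt."""
    return [limiter.attempt(src, t, ok) for t, src, ok in attempts]


# Constructed stream: a bot hammering the login page from 203.0.113.7 while a
# real admin logs in from 198.51.100.20 and typos once (timestamps in seconds).
CONSTRUCTED_ATTEMPTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False), (5, "203.0.113.7", False),
    (6, "203.0.113.7", True),   # even the right password is refused while blocked
    (10, "198.51.100.20", False), (12, "198.51.100.20", True),
    (400, "203.0.113.7", False),  # window has passed: counting starts again
]

if __name__ == "__main__":
    print(replay(LoginLimiter(), CONSTRUCTED_ATTEMPTS))
```

Per-address limiting is the basic building block; a bot spread across many addresses also needs per-account limits and the CAPTCHA or 2-factor step the article mentions, which stops guessing regardless of where it comes from.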
6) Regularly scan your site for malware and remove them
Make sure to run daily scans to check for any malicious code or suspicious activity on your site. You can nip the malware in the bud and prevent any potential hacks.
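Two things a daily scan of this kind looks at, as an added Python example that is not from the original article or MalCare’s scanner: code patterns typical of injected PHP (a payload decoded and handed to `eval`, or the old `/e` modifier of `preg_replace`), and files that have changed since a known-good baseline of hashes. The file contents, the injected line (it decodes to a harmless `echo`) and the baseline are constructed for the demo; the pattern list is a starting point, not a complete signature set.

```python
"""Added example (not from the original article): a minimal scanner of the
kind the article's daily scan describes, looking for code patterns common in
injected PHP and for files that changed since a known-good snapshot. File
contents and baseline hashes are constructed for the demo; the pattern list
is a starting point, not a complete signature set."""
import hashlib
import re

# Patterns frequently seen in injected WordPress files. Legitimate code rarely
# evals a decoded string, so each hit deserves a human look.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"eval\s*\(\s*base64_decode\s*\("), "eval of base64-decoded string"),
    (re.compile(r"eval\s*\(\s*gzinflate\s*\("), "eval of gzip-inflated string"),
    (re.compile(r"eval\s*\(\s*str_rot13\s*\("), "eval of rot13-decoded string"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
     "preg_replace with the /e modifier (executes the replacement as code)"),
]


def scan_content(path, content):
    """Return (path, line_number, description) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), start=1):
        for pattern, description in SUSPICIOUS_PATTERNS:
            if pattern.search(line):
                findings.append((path, lineno, description))
    return findings


def changed_files(files, baseline_hashes):
    """Compare current file hashes against a known-good baseline (taken right
    after a clean install or a verified backup). Returns paths that are new or
    modified; core and theme files should not change between updates."""
    changed = []
    for path, content in sorted(files.items()):
        digest = hashlib.sha256(content.encode()).hexdigest()
        if baseline_hashes.get(path) != digest:
            changed.append(path)
    return changed


def scan_site(files, baseline_hashes):
    """files: mapping of path -> content (read from disk in a real scan)."""
    findings = []
    for path, content in sorted(files.items()):
        findings.extend(scan_content(path, content))
    return {"pattern_hits": findings, "changed_files": changed_files(files, baseline_hashes)}


# Constructed site snapshot: three files, one of them carrying an injected line.
CONSTRUCTED_FILES = {
    "wp-content/themes/demo/functions.php": (
        "<?php\n"
        "add_action('init', 'demo_setup');\n"
        "function demo_setup() { /* theme setup */ }\n"
    ),
    "wp-content/themes/demo/footer.php": (
        "<?php\n"
        "echo '</body></html>';\n"
        "eval(base64_decode('ZWNobyAnaGVsbG8nOw=='));\n"  # decodes to: echo 'hello';
    ),
    "wp-content/uploads/2019/note.txt": "Just a text file.\n",
}

# Baseline taken before the injection: footer.php is recorded with the hash of
# its clean content, so it shows up as modified; note.txt was never in the baseline.
CLEAN_FOOTER = "<?php\necho '</body></html>';\n"
CONSTRUCTED_BASELINE = {
    "wp-content/themes/demo/functions.php": hashlib.sha256(
        CONSTRUCTED_FILES["wp-content/themes/demo/functions.php"].encode()).hexdigest(),
    "wp-content/themes/demo/footer.php": hashlib.sha256(CLEAN_FOOTER.encode()).hexdigest(),
}

if __name__ == "__main__":
    print(scan_site(CONSTRUCTED_FILES, CONSTRUCTED_BASELINE))
```

The baseline comparison is the more reliable of the two checks, since it needs no knowledge of what the malware looks like; it is also why keeping a clean backup (the next point in the article) doubles as a scanning aid.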
7) Keep your site backed up
In case your site goes down for any reason, a backup allows you to immediately restore your site and at least get it back up. This minimizes your downtime and lets the site visitors explore your site without any noticeable interruption. However, it definitely doesn’t fix the hack, it only lessens the severity of its consequences.
Important: In case your site was affected by malware, there’s no saying when it occurred. There is always the chance that your backup might also be corrupted. Always remember to test your backups before restoring!
8) Always use secure internet connections
Try to avoid free wifi spots that you are not sure of. On your end, install an SSL certificate on your own site so that any data transmitted between your visitors and your site is encrypted.
9) Do not click on any suspicious links
Be wary of any links in emails you receive, especially those that ask you to fill out any personal details. Do not enter any transaction details unless you’re sure it is a verified company website.
10) Use a Powerful Security Plugin like MalCare
MalCare acts as your all-in-one line of defense and rids your site of malware. Here are some of its features that give your site the Ultimate Protection.
- MalCare’s Deep-Clean Scanner was built after examining 200,000 websites. It is programmed to check the pattern and behavior of code to identify if it’s malicious.
- Its advanced firewall checks all traffic requests to identify and block any bots or hackers.
- In case you have a hacked site, you can use MalCare’s One-Click Malware Removal function to clean your site immediately. No more waiting around for your site to be cleaned, you can do it yourself – instantly!

Taking these steps is sure to increase the security of your site significantly. If you’d like to go one step forward, here’s a more in-depth Guide to Secure your Site.
You can have some of these measures in place and still run the risk of getting hacked. What are the tell-all signs that you may have some malware or someone has unauthorized access to your site?
How to know if you’ve been hacked
- Your homepage has been defaced or is showing an error
- Your site speed has slowed down and some of your pages are unresponsive
- Your website is redirecting to another site
- There are pop-ups on your site that you haven’t configured
- Your site gets blocked by your web host
- You’re unable to login to your WordPress Dashboard
- Google will alert you in the Search Console under the “Security Alerts” section
- There is a sudden drop in website traffic
- Search results for your site yield Chinese links or links to illegal medicines
- If you’re using any security plugin that runs regular scans on your site, it may notify you that it has found malware
- Antivirus solutions of your visitors are flagging your site as insecure
- Search Engines blacklist your site
- There are new admin users in your WordPress dashboard that you do not recognize
Merely identifying the hack is not enough. Once you have concluded that your site has most probably been hacked, how can you deal with the aftermath?
What to do if your WordPress Site is Hacked
1) Get your site back up
If your site has been down, find your last backup and use it to restore your site. Getting your site back up and running should be your #1 priority so as to not lose any visitors or cause alarm for them.
2) Inform your host
Most hosting companies have procedures in place to deal with a hacked site. You should get in touch with your host and let them know that your site has been compromised. Together, you can get some clarity on how the hack may have happened. This would also help your case if the web host were to consider suspending your account.
3) Scan your site and clean the malware
Use a security plugin like MalCare to scan and identify the malware and then remove it. You just need to install the plugin and run a scan – MalCare will then show you the files that have been hacked. You can then click on “Auto-Clean” to remove this malware in seconds! MalCare also offers an Emergency Malware Removal option in case you do not have access to your dashboard to install the plugin.
If you are tech-savvy, you can also find and remove malware manually. Here is a Guide to Clean your site manually. However, the manual process is tedious and risky as it involves modifying important WordPress files.
4) Remove unsolicited users
Check your admin accounts and see if any new ones have been added without your knowledge. From “Users” in your WP-Admin, click on “Administrator”. If you don’t recognize any users as your own, select them and click on “Delete” from the Bulk Actions list.
5) Change all your passwords
If you are anything like me when I started out, you probably use the same password for all web accounts. If the hacker has guessed even one of your passwords right, they could soon access all your other accounts as well. In case of a hack, you should reset your SFTP password, web hosting account password, wp-admin login password and your database password.
These are just some of the measures you can take. If you really want to tighten up security on your website, we recommend referring to our Complete Guide on what to do if your site has been hacked.
A cyberattack is nothing less than a nightmare. Yet, many website owners do not have cybersecurity measures in place. Less than 25% of WordPress users are running on the latest version of WordPress. This goes to show there is a lack of understanding of how important security really is.
Why would one not take cybersecurity seriously?
1) Your site hasn’t been hacked, yet.
2) You assume that by complying with certain policies like PCI, your site is secure enough.
3) You think your site is not big enough to be a target.
As we have discussed before, hackers do not discriminate. And neither should you when it comes to your web security. If you are running an organization, here are a few things you can do to keep your organization data intact and your website protected.
Preventive Measures to protect your Organizational Data
1) Make sure every employee is aware of the online risks and follows good cybersecurity practices. Educate them about phishing emails and push them to use secure passwords. They have to be mindful of who they’re sharing company information with.
2) Have a proper website backup plan in place. Use a plugin like BlogVault that offers automated, encrypted and easy-to-restore backups.
Pro-Tip: Be sure to maintain one copy of your site on a secure local computer too!
3) Secure your site using a tool like MalCare.
4) Apply basic security measures discussed above and Harden your Site.
In conclusion
It’s like someone famous once said, “It’s not about if you’ll ever be hacked, it’s about when”. While fighting against the evils of the online world is a continuous struggle, it is up to you to have good armor and weapons.
With more and more cyberattacks taking place every day, it is now more important than ever for website owners to take protective measures and secure their sites. I hope this article has highlighted the serious need for better cybersecurity and pushes you towards getting protective cover for your site.
If you want a simple solution that takes care of all your security needs, I would suggest you try out MalCare. It is a comprehensive tool that was built by us after analyzing 240,000+ websites. It’s equipped to scan your site and detect any form of malware – hidden or disguised (for instance, WP-VCD malware). If you have a hacked site, MalCare has an instant malware removal feature. It will also prevent known hackers from visiting your site altogether.
You can rest assured your site will be safe as long as MalCare is on it. Find out more here.