And if this isn\u2019t worrisome enough, consider these stats from Symantec\u2019s 2016 Internet Security Threat report:<\/p>\n
- \n
- More than 75% of legitimate sites have unpatched vulnerabilities<\/li>\n
- 15% of legitimate sites have vulnerabilities deemed \u201ccritical\u201d, which means a cybercriminal can attack those sites with minimum effort<\/li>\n
- 1 in 3,172 websites were found with malware in 2015, almost triple to 2014.<\/li>\n<\/ul>\n
So any webmaster who fails to secure their website should be aware that hackers will take any vulnerability as an open invitation to gain access and manipulate a site.<\/p>\n
Now, would it surprise you to know that the number one reason why websites get hacked is not to steal customer data?<\/p>\n
Believe it or not, SEO spam is one of the main reasons why hackers target vulnerable websites. Why? Because they can just hijack a vulnerable site and redirect visitors to malicious sites, causing you to lose customers.<\/p>\n
While losing customers at the time of the hacking is painful, the long-term impact is even worse.<\/p>\n
Imagine a potential customer runs a search for your site on Google and what they see is this:<\/p>\n
![\"\"](\"https:\/\/www.heartinternet.uk\/blog\/wp-content\/uploads\/SEO-snippet.png\")
<\/p>\nIf that happens, this can not only affect your reputation but also your SEO efforts because:<\/p>\n
- \n
- Google can penalise your website as an \u201cattacked\u201d site or site hosting malware. When that happens, that costs you money because your rankings will drop, which means your site traffic and sales will drop as well. Also, Google will continue to show the above message in search for 30 days for repeat offenders.<\/li>\n
- Customers will lose trust in your site. If your website security is compromised, people will no longer feel safe on your site, knowing that all activity and confidential data they share with you may no longer be as secure as they thought. Regaining that trust is not easy.<\/li>\n<\/ul>\n
So, no matter how much work you put into optimising your site for users and search engines, if security is not a priority all that hard work will be gone in an instant the moment a hacker gets into your site and compromises everything.<\/p>\n
How hackers get in<\/h3>\n
To protect your site and prevent cybercriminals from attacking it, you must first understand how they act.<\/p>\n
So, how do hackers get into a site?<\/p>\n
The three most commons ways are through:
\n1. Access control
\n2. Software vulnerabilities
\n3. Third-party services<\/p>\n1. Access Control<\/strong><\/p>\n
Access control doesn\u2019t just refer to how you log into your website but into other areas as well such as:
\n\u2022 Hosting panel
\n\u2022 Server (i.e., FTP, SFTP, SSH)
\n\u2022 Your computer
\n\u2022 Your social media networks<\/p>\nIt\u2019s like that host that holds a guest list at the door, taking responsibility for checking who is allowed entry, but leaves their post to enjoy the party. Why even bother if anyone can stroll straight through?<\/p>\n
With this type of attack, hackers usually attempt to guess the possible username and password combinations in an effort to log in as the users.<\/p>\n
There are also more complex social engineering attempts phishing pages designed to capture a users\u2019 log in information, or some form of Cross-Site Scripting (XSS) or Cross Site Request Forgery (CSRF) attack where the hackers tries to intercept the user credentials via their own browser.<\/p>\n
And, of course, there\u2019s also the well-known Man in the Middle (MITM) attack where the hackers intercepts your username and password while working via insecure networks and your credentials are transferred between one point to another via plain text.<\/p>\n
2. Software vulnerabilities<\/strong><\/p>\n
Most site owners, no matter how skilled, are unable to address today\u2019s software vulnerabilities. That\u2019s because most of us use things as they are designed. That includes web servers, infrastructure, even your browser. So, anywhere there\u2019s a system, there\u2019s a potential software vulnerability that attackers can exploit.<\/p>\n
The two most common ways for hackers to exploit software vulnerability is through:<\/p>\n
- \n
- Uniform Resource Locator (URL) or<\/li>\n
- POST Headers<\/li>\n<\/ul>\n
With these two methods, a hacker can run a number of attacks, such as: Remote Code Execution (RCE), Remote \/ Local File Inclusion (R\/LFI), and SQL Injection (SQLi) attacks. Of course, there are many other, but these are the most common ones that are affecting today\u2019s websites.<\/p>\n
So, if a hacker can get into your software they can probe your SQL database for vulnerabilities, install malicious HTML code, and make changes to your website.<\/p>\n
3. Third-party services<\/strong><\/p>\n
Third-party integrations and services are extremely popular and widely-used, especially in CMSs like WordPress, Joomla! And Drupal.<\/p>\n
Now, the problem with third-party services is that they\u2019re beyond a site owner\u2019s control. When you integrate third-party providers you usually assume that they\u2019re safe, but that may not always be the case.<\/p>\n
![\"Someone](\"https:\/\/www.heartinternet.uk\/blog\/wp-content\/uploads\/worldbackupday-laptop.jpg\")
<\/p>\nWays to prevent an attack<\/h3>\n
But enough of this scare fest. There are things you can do to protect your website against these attacks.<\/p>\n
Here\u2019s a roundup of the easiest steps to take:<\/p>\n
1. Make sure your passwords are secure<\/strong><\/p>\n
This one seems obvious, but it\u2019s extremely important.<\/p>\n
It may be tempting to use a password you know will always be easy for you to remember, and to use it for almost everything \u2013 from gaining access to your website to logging into your social media accounts. You can and have to do better than that if you want to keep your site secure.<\/p>\n
So come up with a strong, secure password. Make it long and use a combination of special characters, numbers, and letters. And definitely steer clear of easy-to-guess keywords like your birthday or your dog\u2019s name. If a hacker is trying to gain access to your site, you can be sure they\u2019ll have no trouble finding this information about you so don\u2019t make their job easier.
\nIf you\u2019re working with a team, have them do the same. It only takes one weak password to make your entire website vulnerable.<\/p>\n2. Toughen up access control<\/strong><\/p>\n
Apart from enforcing passwords, you should also limit the number of login attempts within a certain name, even with password resets. Also, avoid sending login information via email, in case a hacker gains access to the email account.<\/p>\n
3. Keep everything up-to-date<\/strong><\/p>\n
Delaying an update can expose you to an attack so if there\u2019s one simple thing you can do to protect your website that\u2019s to make sure that every piece of software you run is up-to-date.<\/p>\n
Why is this important? Because many of the tools and plugins we use are open-source, which means the code is easily available to everyone. This includes malicious hackers who can scan the code looking for security loopholes and weaknesses that allow them to take control of your site.<\/p>\n
So make sure you always have the latest versions of your platform and scripts to minimise the risk of an attack.<\/p>\n
At the same time, you should clean out your website of any old, unused plugins because these are like sitting ducks for hackers. They\u2019ll not hesitate to use them as a gateway to gain access to your site and wreak havoc on it.<\/p>\n
4. Use SSL<\/strong><\/p>\n
For both SEO reasons and user security reasons, set your site up over HTTPS with an SSL certificate. An encrypted SSL protocol will prevent any transfer of users\u2019 personal information between your site and database from being read in transit and accessed without the proper authority.<\/p>\n
The cost to you is minimal, but the extra level of encryption it offers to your customers goes a long way to making your website more trustworthy and secure.<\/p>\n
5. Use parameterized queries<\/strong><\/p>\n
One of the most common ways for hackers to attack a site is through SQL injections. SQL injections can occur when you have a web form or URL parameter that allows outside users to supply information. So if you leave the parameter of the field open, a hacker can insert code into them to gain access into your database.<\/p>\n
There are steps you can take to protect your website from SQL injection hacks, and one of the most important and easiest to implement is the use of parameterized queries. These types of queries ensure that your code has parameters that are specific enough so hackers can\u2019t get in. This guide explains how and why to use parameterized queries to avoid SQL injection attacks.<\/p>\n
6. Install security plugins, whenever possible<\/strong><\/p>\n
There are plugins you can use to enhance your website security and protect it against hacking attempts. If you\u2019re working with WordPress, you can use free plugins like BulletProof Security or iThemes Security. If you\u2019re using a different CMS, it might be worth investing in a website security monitoring tool that can scan your site on a daily basis for malware, viruses and vulnerabilities.<\/p>\n
7. Hide your admin pages<\/strong><\/p>\n
You really don\u2019t need your admin pages to show up in search engines. One thing you can do is to add the URLs to your robots.txt file, which will prevent them from showing in the search results but only if there are no other links pointing to those URLs.<\/p>\n
If you want to reliably block a page from showing in the search results, you\u2019ll need to use a robots meta tag set on \u201cnoindex\u201d. This way when the search engine finds the page and sees the noindex tag, it will know not to show that page in the search results.<\/p>\n
8. Limit file uploads<\/strong><\/p>\n
File uploads are a major concern because it\u2019s one of the ways hackers can gain access to your site\u2019s data. So the easiest solution is to prevent direct access to any uploaded files. Store them outside the root directory and use a script to access them whenever necessary.<\/p>\n
![\"\"](\"https:\/\/www.heartinternet.uk\/blog\/wp-content\/uploads\/sysadminrecruitment-laptop.jpg\")
<\/p>\nWhat to do if your site has been compromised<\/h3>\n
In the event your site gets hacked, there are things you can do to fix it. Just make sure you act fast.<\/p>\n
Google\u2019s in-depth guide explains the steps to follow to assess the damage, identify the vulnerability and clean up your site.<\/p>\n
Here\u2019s an overview:<\/p>\n
Step 1: Verify ownership of your site<\/strong><\/p>\n
The road to recovery starts with verifying ownership of your website in Search Console. So sign into Search Console using your Google account (or create a new one). Click add a site, enter in your site\u2019s URL, and click continue. Then choose the verification method that works for you. Once you\u2019ve clicked Verify, you\u2019ll see a screen mentioning you\u2019re the verified owner.
\nThis step is very important because with a verified website you can get notified of any security issues.<\/p>\nNext, go to your Search Console account, click Manage Site, then Add or Remove Users. This allows you to check and see whether the hacker already claimed ownership of your site. If there is a user you are unaware of, delete them immediately.<\/p>\n
Step 2: Inform your host<\/strong><\/p>\n
The second thing you should do is to let your host know that your site has been attacked. This allows them to take measures to ensure their other customers on the same server won\u2019t be compromised. They may also help you find out how your site was compromised and how to recover.<\/p>\n
Step 3: Take your site offline<\/strong><\/p>\n
You should do this for two reasons:<\/p>\n
- \n
- Prevent the hacker from causing further damage to your site<\/li>\n
- Prevent visitors from landing on your site only to see a scary malware alert<\/li>\n<\/ul>\n
So stop your webserver or point your site\u2019s DNS entries to a static page on an entirely different server that uses a 503 HTTP response code. This code is a useful signal that the site is temporarily unavailable. According to Google, taking your site offline briefly is unlikely to affect your site\u2019s future rankings in the search results.<\/p>\n
At the same time, you should review your user accounts, especially the newest ones as one of them could be the hacker\u2019s. Look into these accounts and delete the ones that look suspicious. Also change the passwords for all site users and accounts, including logins for FTP, database access, system administrators, and content management system (CMS) accounts.<\/p>\n
Step 4: Determine how you were hacked<\/strong><\/p>\n
Once verified, check the messages in your Search Console to see whether you received any information from Google regarding whether your site was used for 1) serving spammy pages, text or links, 2) phishing, 3) distributing malware. You can also go to the Security Issues tab to get more information on the type of attack on your site.<\/p>\n
Was your site hacked with spam? This Google video highlights spam techniques, how to investigate your site for spam, and how to find all the affected files.<\/p>\n