Update:
Since writing this blog, it has become even more apparent that website hacks have increased still further - there's a particularly nasty ongoing attack on Wordpress based websites right now. For specific information regarding this 'botnet' attack and what you can do to safeguard your site, this is a good blog post that covers most of the info you need. We will continue to update and monitor all sites that we maintain to ensure that none of them are compromised.
How safe is your site?
Ok, so that sounds like some marketing scare headline to get you to buy something, but it's important to raise awareness of an issue that seems to be becoming more and more prevalent at the moment.
Here's the story...
We created a website for a client last year, who recently contacted us to find out why the site was suddenly being flagged as potentially 'compromised' on Google - although confusingly, the site itself still looked absolutely fine.
However, after some investigation we discovered that the site had in fact been 'hacked'. This was a particularly sneaky attack as it showed itself only to search engines – and as the site itself looked fine, the owner assumed all was still ok.
Fortunately, our hosting provider (see below) was able to discover when the site was compromised and was able to restore a backup of the clean version of the site - within 24hrs its Google listing was back to normal and everything was fine. We reset all admin passwords, updated the CMS software and checked any files for security issues. That should plug any possible security holes, but of course there are never any 100% guarantees. It looks like this was a rather advanced, automated attack that was designed to detect and exploit any newly discovered vulnerabilities.
After doing some more research into the matter - primarily to ensure this doesn't happen to any of our other clients' sites, we quickly came across plenty of similar stories, and it's not just limited to the smaller / lower cost sites. Let's face it, if the US Federal Reserve can get hacked, there's not much a small business can do to stop a genuinely determined cyber attacker.
Worryingly, whilst these hacking attempts are nothing particularly new, there does seem to be a significant increase in attacks to smaller websites over the last few months (especially those based on common, open source CMS such as Wordpress or Joomla – which power around a third of the world's websites between them).
So, how do you know if your site's ok or if it's actually been compromised – whose responsibility is it and what can be done?
How can I tell if my site's ok?
Well, the simplest thing will be to make sure you check your own site regularly - if there's anything that looks odd, out of place or broken, it's always worth investigating. Search engines will sometimes pick up on site hacks before you or your visitors so it's a good idea to do a search for your own site every now and again and make sure it still appears and its listing is correct. Also, take notice and take action if anyone contacts you to let you know your site is behaving 'strangely'.
If your suspicions have been raised, we recommend using this free site checker (it's a bit like anti-virus for your website). Type your website in and wait for it to tell you if everything is ok. This is a manual, one off process - but you can subscribe to their service for around £60 per year for constant site monitoring (they also claim to be able to fix site hacks too).
As an alternative, you can also sign up to Google's Webmaster Tools. Simply sign up, add your website URL and you then need to add a verification code to your site. Once added, Google will notify you if there are any issues with your site - ie. if it detects any viruses or malware.
What can I do if my site's been compromised?
This will largely depend on the type of attack and how badly it's been affected. For most of the time the hack itself is easy to remove - often there's simply been some additional code 'injected' into the homepage - removing this *should* fix your site, but if the hack is more severe, you'll need to get your developers on the case. Once the site is back up and running, you'll need to make sure you get them to check any possible security risks, upgrade your software /plugins/extensions etc. and change your access passwords.
Whose responsibility is it to fix?
Once your site has been designed and launched, it's usually down to you to manage and maintain it. If you have a maintenance contract with your development company, then you'll usually need to check what this covers, as most of the time this simply covers simple bug fixes and content updates. In general, it can be quite tricky to determine exactly how hackers gained access to your website files, as there are new security 'holes' being discovered and patched all the time. So, unfortunately, unless you're paying someone to manage your site AND site security - then keeping it running, up-to-date and virus free is down to you!
So what can I do?
One option is to sign up with a company such as Sucuri.net, who claim to be able to fix malware attacks, but this is no guarantee and will depend on the type of attack your site was subject to.
Similarly, you'll also need to check to make sure that your site is being regularly backed-up to ensure you can restore an older version should something go wrong - sometimes, if a site has been extremely compromised, a backup restore is the only way to make sure it's fixed properly.
In general and certainly with regard to the open source Content Management Systems, it's a good idea to keep the software that runs your site updated to the latest version as that can often contain security fixes. Sometimes (especially in the case of Wordpress) that's as simple as logging in and clicking 'update' - but be warned, with each update can come changes that might not sit so well with some of the custom features you may have on your own website - so it's usually best to check with your developers before upgrading.
Keep a tight control over access to your site:
- be very careful with your admin passwords and the number of users who have admin access.
- remove access for anyone who leaves the company, or who should no longer have direct access to your site. This also includes third parties who are no longer contributing or maintaining the site.
- use secure passwords that can't be guessed easily. Do not use the name of your company, service or website.
- passwords should ideally be 8+ characters long and include upper case characters and numbers.
- try to change your passwords on a regular basis - but at least once a year.
What else you need to do:
Consider taking up a maintenance package for your site which includes regular security checks and daily backups. The exact services will depend on the package you choose, but extended contracts can include 24/7 monitoring for any file changes and suspicious activity, verifying new CMS or plugin updates, and archiving monthly backups for two years so that any attack can be fully investigated. Our hosting partner, Didgeroo, also offers maintenance packages, including high-speed dedicated web servers with daily backups, monthly archives, website security updates and 24/7 monitoring.
And of course, we're also here to help, so if you're looking for an audit of your current website, to refresh it or redevelop it completely, get in touch.
We're certainly a little wiser now and will be adding additional security systems into every website we create (large or small). Unfortunately, that also means admin passwords will now be both long, complicated and difficult to remember - there's always a down-side!
