What if my website gets hacked?

Not everyone out there on the world wide web has the best intentions for you … or your website. Publishing your website to a worldwide audience means that you expose yourself and your business to hackers, phishers, identity thieves and just about anyone with a harmful ideology, criminal intention or too much time on their hands. Whatever the case, your website is vulnerable. Fact.

I would understand – as I have in the past – that when an attack on your website occurs, your first reaction would be “It’s the hosting company,” or “I’ve never liked that web designer’s shoes anyway”. But alas, the biggest vulnerability in your website is … you. In an internet that is largely run by amateurs (“I can run my own website, right?”), most hack attacks happen due to the sloppiness and ignorance of the end-user – that’s you, if you run your own website. While hosting companies, content management systems and most web designers have security at the top of their minds, end-users often don’t. They don’t secure their computers. They don’t update their website’s content management system. They install suspicious plugins on their computers or internet browsers.

Well then, now that we’ve set the record straight, let’s look at the way forward. It’s one thing to be aware of vulnerabilities, and another to take measures to prevent the most obvious attacks on your website. But I also recommend accepting the fact that your website is vulnerable and, having done so, setting up a back-up plan in case an attack occurs. Prepare for the worst.

Vulnerabilities & Measures

Your website can be attacked via the server that hosts it, via the content management system that runs it (admin login or FTP), or via the computer that accesses the content management system.

HOST : First, choosing a reputable hosting company is imperative. Making sure no one can access your website from the server’s side is essential. Additionally, I recommend working with a local hosting company that has a solid online or telephone support desk – you want them to be there when you need them. Check with your hosting company whether they keep back-ups of your website – a good hosting company will be able to go back in time and restore the website’s files from before the hack attack, assuming you detect the attack early.


SYSTEM : Choose a reputable web designer and a reputable content management system for your website, like WordPress, Joomla or Drupal. Always update to the latest versions – outdated programming, sloppy administration management and changing website developers (whereby the last doesn’t know what the first has done) are very often the cause of vulnerabilities. Store clean content management system files on your computer, so that you can replace infected files, should they occur.


YOU : “End-users are sloppy, everyone is anxiously jumping at the opportunity to use an application like WordPress for their blogging and website needs, with little regard to the dangers of the interwebs. When a hack occurs, as is human nature, the first thing is to look at everything but yourself …” {blog.sucuri.net} Run anti-virus software on the computer that will be managing your website. Be careful with add-ons (or extensions) you install on your browser – not all add-ons are trustworthy, and not all extensions do exactly as they say they do.

Find out if your website has been hacked

So, what to do if your website does get hacked? Somebody – or something – has gained access to your website’s root files, to its content management administration or to your computer. Here are a couple of checks you can run:

Run a security check at one of these scanners:

sitecheck.sucuri.net/scanner/
avgthreatlabs.com/sitereports
mobilefish.com
www.unmaskparasites.com
virusscan.jotti.org/en-gb


Type your website into Google search, and look for any malware notifications from Google.

Now what?

If you can locate the files (or parts of files) that have been infected, remove the files (or parts of the file). Don’t forget to replace them with the clean files from your computer.


Change all passwords: FTP, MySQL database, content management system login.


Check your browser’s add-ons or extensions. Anything in there you don’t know or don’t fully trust? Delete it.


Upgrade your content management system and any modules, plugins or extensions to their latest versions.


If Google has detected malware, it will display a warning in its search results – which will scare potential visitors away. To get rid of the warning, you will have to request a malware review via Google’s Webmaster Tools.

