Hello Stellas, thanks for coming along tonight (May 2016). Here’s notes from my presentation which you are free to share.
Since posting, I realise I may have inadvertently mailed this out to my list (posts are set to go automatically), so even though there’s nothing secret about this information it was intended for a specific group! I hope you find it useful.
Contact me if you have any more questions, or if you’d like some assistance with gathering some of the information I’ve outlined. Happy to do a follow up over a coffee (and I love my coffee), individually or a group.
So, tonight I wanted to cover a few topics that were flagged as of interest …
- What do you do if … your website has been hacked?
- What do you do if … someone buys “your” domain name?
- What do you do if … the guy who did your website disappears and you don’t have any passwords?
- What do you do if … you just don’t know what to do with your website?
Big topics I know, but you don’t need to panic or break out in a cold sweat. You do need to know how you can fix it though!
What do you do if … your website has been hacked?
This is about websites created using WordPress, but the same principles apply regardless of how you’ve set up your site. Here’s a real example:
A local business association’s website was recently hacked, and as a result, was unavailable for a significant period of time.
The site was set up using WordPress, and a premium theme (template) plus a variety of plugins to extend functionality.
In theory all good … but … that premium theme had an image gallery embedded within it that had a serious vulnerability identified some months before the site was hacked.
The advice to the WP community at the time was to update the plugin, but because it was embedded in the theme it wasn’t that easy as there was no access to theme updates.
The hack was probably not done by a bored person randomly targeting websites … it was much more likely that it was a ‘robot’ that was searching for any site that had that particular plugin installed.
The result for this association was 500+ pages of porn being injected into the site and several anonymous user accounts being created.
The hosting company was alerted to this by their scans and blocked access to the site. Whilst this may have been incredibly disruptive, it prevented the site being blacklisted by Google (which is another whole world of pain!), amongst other things, and of course having all those pages of porn live would have been embarrassing to say the least.
Even though you might think that your site is invisible to hackers or not a target, that’s not necessarily true. I’ve worked with local businesses who have had their site blacklisted, hacked, or they’ve lost control of their site because they don’t pay attention. Some have been repairable, and others have had to be abandoned and done again. Think about the impact of having to change your website address.
Whatever the reason though, for most businesses having your website out of action for any reason for even a few minutes can be disastrous. In this particular case, it took 8-10 hours over a couple of days to get access back, clean and restore (rebuild) the site.
There are some simple, and commonsense things you can do to secure your website and keep it clean! Think of it like securing your house – you wouldn’t leave a broken front door, smashed windows, or more subtle signs your home is an easy target, nor would you go on holidays for an extended period of time without taking some security precautions.
Your website is integral to your business, so you should take the same care as you would with your bricks and mortar store or office, your home, or your online banking.
WordPress (hosted not free) powers about 25% of all websites (that may be around 35 million sites). Considering that WP is a free open-source CMS, it’s hardly surprising that it’s a target for hackers.
So what can you do? This is by no means a definitive list but you should:
- Use good user names and passwords (and keep a register of who has access) … admin and admin1234 just won’t cut it any more! Make sure you remove accounts when no longer needed.
- Don’t share your passwords. Would you share your PIN? Too many business owners are prepared to hand over access to their website with a shared account. Create an account for everyone who needs access.
- Don’t stay logged in, especially if your computer is in an open office or if you’re using public wifi.
- Keep WordPress up to date. No excuses. This can be set to happen automatically, and notices about updates are emailed to the site’s admin contact. If you have more than one site, you can use a plugin like Infinite WP to monitor things remotely. There are a scary number of sites that still run versions of WP from years ago (eg v2.xx, and we’re now up to v4.xx).
- Keep your plugins and themes up to date and know why you’re using them. As with WordPress, some of these can be set to update automatically. There may be better options now.
- Delete any plugins you’re not using. Even though they may be inactive, the files are still there, and still present a window of opportunity for hackers.
- Sign up for alerts from a trusted source. Wordfence is one of several plugins that scan your site for attacks (you can see these in real time too!). There are options to automatically block, for example, invalid user names, and lock them out for specific periods of time. McAfee (security) also has a plugin that provides a badge that’s visible on your site to show it’s being monitored, scanned and maintained.
- Only use plugins and themes from well known sources. Make sure they’re in the WP repository which means they’ve been vetted by WP. If they’re not, think about why you’re using them. Some premium themes aren’t in the repository, for example, my favourite Divi from Elegant Themes isn’t, but it is subject to security audits and passes with flying colours.
- Think about using two-step authentication (password plus login code usually sent by SMS) if you have a high traffic site with many admins.
- Use your .htaccess file to block access to specific files or folders, and robots.txt to keep search engine crawlers out of them (you may need some help with this if it’s necessary).
- Do regular site maintenance, with a backup schedule. This could be a regular export of data (pages and posts) from within your dashboard, plus full server backups of files and database from your cPanel.
- eCommerce or any site that stores any part of customers’ information should have a security certificate (SSL). This is imperative if you process payments within your site, but should still be done even if you’re using Paypal and other plugins like Stripe and leveraging off their security systems. You’ll know if a site has a security certificate by the ‘https’ in the address.
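For the .htaccess suggestion in the list above, here is an added example (not from the original post) of the kind of rules a developer would put in the WordPress root folder. It assumes Apache 2.4 with .htaccess overrides allowed by your host, and the office address range 203.0.113.0/24 is a placeholder to replace with your own.

```apacheconf
# Added example, not from the original post: .htaccess for the WordPress root.
# Assumes Apache 2.4 ("Require" syntax) and that the host allows .htaccess
# overrides (AllowOverride includes AuthConfig, Limit and Options).

# wp-config.php holds the database username and password: never serve it.
<Files wp-config.php>
    Require all denied
</Files>

# Hide .htaccess itself and any backup, log or database dump files that
# a developer may have left on the server.
<FilesMatch "^(\.htaccess|.*\.(bak|old|log|sql))$">
    Require all denied
</FilesMatch>

# No directory listings, so an out-of-date plugin folder is not advertised.
Options -Indexes

# Only let the office network reach the login page, which blunts the
# automated password guessing described above. 203.0.113.0/24 is a
# PLACEHOLDER: put your real office/home range here, or remove this block
# if your admins need to log in from anywhere.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>
```

Test the site after adding rules like these, because a typo in .htaccess makes Apache return a 500 error for every page.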
Whilst these will all go a long way to securing your site, and even though some can be set to automatically happen, nothing is as good as having active involvement (or making sure you have a maintenance plan in place). You may find that is a lot cheaper than having your site out of action, your customers not being able to contact you, losing confidence in you, or not being able to conduct your business at all.
So what happens if your site is hacked? What do you do?
- Don’t panic!
- If you’re doing your site yourself, know who is available to help if you’re not comfortable tackling this yourself.
- Know your logins!
- Know why your site has been hacked – get the error logs from your hosting company if you don’t have access. Is it something to do with a theme, plugin, or currency of your installation of WP?
- Has your site been blacklisted by Google?
- Has it “just” been hacked? Or has it been brought down by an excessive number of login attempts?
- Be prepared to rebuild your site; or at the very least, update everything, remove plugins and add back in one at a time; do your research to see what the problem may be.
- If it’s not a hack, but a brute force attack (where automated software is used to generate a large number of consecutive guesses about, for example, login details) you may have to weather it out, but if you have access to your site, and use Wordfence (or similar) you may be able to block the IP addresses of the attacker. It can be worth paying for the premium versions of some of these plugins.
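Where the list above says to get the logs from your host and work out whether you are facing a brute force attack, here is an added example (not from the original post) that counts failed login attempts per visitor in a web server access log. It assumes the common Apache/nginx “combined” log format, and the log lines inside it are constructed sample data, not a real server’s log.

```python
"""Added example, not from the original post: find the IP addresses behind a
brute force attack on wp-login.php from a web server access log.
Assumes the Apache/nginx "combined" log format."""
import re
from collections import Counter

# Constructed sample log (not real traffic): 198.51.100.7 keeps guessing
# passwords, 192.0.2.44 is an ordinary visitor who logs in once.
SAMPLE_LOG = """\
198.51.100.7 - - [12/May/2016:22:01:03 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2016:22:01:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2016:22:01:04 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2016:22:01:05 +1000] "GET /about/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2016:22:01:05 +1000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2016:22:01:09 +1000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# client IP, request method, path and HTTP status from a "combined" log line
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def failed_logins_by_ip(log_text):
    """Count failed password submissions per IP.

    A POST to wp-login.php is one password guess. WordPress answers a wrong
    password by re-showing the form (status 200); a correct one redirects
    to the dashboard (status 302), so only 200s are counted as failures."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unexpected line, skip it
        if (m.group("method") == "POST"
                and m.group("path").startswith("/wp-login.php")
                and m.group("status") == "200"):
            counts[m.group("ip")] += 1
    return counts


def suspicious_ips(log_text, threshold=3):
    """IPs with more failed logins than the threshold, busiest first.
    These are the candidates to block in Wordfence or at the host's firewall."""
    return [ip for ip, n in failed_logins_by_ip(log_text).most_common()
            if n > threshold]


if __name__ == "__main__":
    counts = failed_logins_by_ip(SAMPLE_LOG)
    for ip in suspicious_ips(SAMPLE_LOG):
        print(f"{ip}: {counts[ip]} failed login attempts")
```

On a real server, read the file your host gives you (often access.log or access_log in cPanel) and raise the threshold to suit your normal traffic.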
Download this Password Saver to help you keep track!
What do you do if … someone buys “your” domain name?
Unfortunately, there isn’t a lot that can be done. Sad but true.
Registering a business name doesn’t automatically give you ‘permission’ to register that same domain name – in a nutshell, if you can show a connection to the domain you’re registering (eg industry sector) and you have a valid ABN or business number you can register it on a first come first served basis. Anyone can register a .com domain.
If you are starting a new business, do your research, and register multiple versions of your domain. You should check any trademarks or possible IP infringement issues first too. Here’s a recent case about this very scenario.
If you do find yourself in this situation, there are a couple of options:
- You could negotiate a buy-back which could be expensive,
- Lodge a complaint with auDA (the governing body for the Australian domain space), but that is expensive ($2,000 to lodge) and not guaranteed,
- Register an alternative domain.
You can register multiple domains and provided you stay within the rules for an Australian domain, there is no restriction (except for your budget!).
As an example, I’ve registered multiple domains some of which weren’t available for .com but I can live with that so I’ve gone with the .com.au versions! I can register those domains because I can demonstrate a close connection to my business. I’ve also registered quite a few other domains, but don’t use all of them. Here’s a sample:
- leumesindesign.com (redirects)
- websitewhisperer.com.au (redirects)
- thewebsiteschool.com.au (redirects)
- thewebsiteschool.com (redirects)
- diy-websiteguide.com (redirects)
- plan-create-publish.com (redirects)
In short, do your research and be prepared to register multiple domains that will benefit your business! And make sure you do this asap!
What do you do if … the guy who did your website disappears and you don’t have any passwords?
This one is awful, but so avoidable.
Hopefully you’re in contact with your website person, but in this case, I’m talking here about a scenario where you’ve had no success in contacting them, and it appears that they’ve gone out of business or moved or sold the business without telling you and leaving you high and dry. Earlier this year a Gold Coast agency closed its doors leaving around 400 clients not knowing what was happening. Extreme and devastating for those businesses.
So what do you do?
Firstly, don’t panic! I know that’s easy to say, and much harder to do. But here’s the thing – when you panic, you do crazy things. You know, like leaving 42 messages on their phone or in their inbox. You might regret that when you discover they’re on a plane, stuck in another country, or you’d forgotten they’d told you they were going somewhere without wifi. Stay calm and give them the benefit of the doubt.
But this really is about good business practices, and you have to take responsibility here, so, ideally, the things you need to know are:
- Details for your domain registration – this is probably the most important item;
- Details of where your website is hosted;
- Login details for your website;
- Is there a backup of your site?
- Details of how you pay for your hosting/domain, e.g. if you pay monthly by credit card, you may need to put a stop on payments at the bank end of the process.
Do these sound familiar?
- Do try all avenues for contact one last time.
- You should try to log in to your website and reset the password. WordPress has a “Forgot your password” link which is connected to the email address that was used to create your account. If you can do this and then log in, check that the user accounts are ones you want to keep.
- If you can log in, create an account for a trusted colleague or friend. For example, my brother is a backup for me for websites and social media accounts.
- Search your emails to see if you can find critical pieces of information.
- Look up public details about your site – your domain, expiry, registrar, and some clues about where it’s hosted. Once you’ve got this, you’ll need to contact the domain registrar, and the hosting company to get control back. You’ll need to prove who you are and that the website is indeed yours – it can sometimes take a little while to do that.
- If you’re not comfortable doing this yourself, find a new web developer who can assist. Local is good 🙂
An extreme scenario could be registering a new domain name and an interim site while you get things sorted. Not ideal, but may be worth considering.
Remember though, your web developer may have a perfectly valid reason for not responding – they may be away (and you’ve forgotten), sick, or dealing with unexpected family matters. They may just be busy, and yes, I know this isn’t an excuse for no response, but it does happen. There may be issues with email or phone – technology bites sometimes!
Last but not least, it’s your business, your website, your responsibility! These and a good (local) web developer will take you far!!
Download this Password Saver to help you keep track!
What do you do if … you just don’t know what to do with your website?
Probably over-reaching how much we can get through in an hour but a good place to start could be revising some planning aka knowing your ideal customer. You can download this handy planning guide or call me!
Resources and more reading
- https://lastpass.com/ – one of many password managers that will also generate secure passwords for you
- https://www.wordfence.com/ (the real-time map is worth looking at!)
- https://sitecheck.sucuri.net/ – check how secure your site is
- https://wordpress.org/plugins/jetpack/ (monitor)
- https://wordpress.org/plugins/antispam-bee/ (if you allow comments on your blog)
And a few articles … if you have a bit of time for some reading!
- https://wpvulndb.com/ (you might be getting a bit obsessive if you spend a lot of time going through the WPScan Vulnerability Database, but useful nonetheless!)
- http://wpengine.com/unmasked/ – Unmasked: What 10 million passwords reveal about the people who choose them