December 1, 2020

Why your website may get hacked – and what you can do to protect it

Paul Lyons, owner of North Wales Web Design company, DesignWeb, discusses the small steps website owners can take to reduce their risk of falling victim to the growing threat of hacking

We’ve been established for more than 20 years in North Wales, have an excellent reputation and have worked with businesses of all sizes to build their online presence with web design.

Unfortunately, these days we are used to receiving calls from concerned website owners who have had their website hacked. I’m relieved to say, most of these calls are not from our clients but from people with older sites who are in urgent need of assistance – and we normally can and do help even if it wasn’t a website we built.

These days, hacking is a huge risk for businesses. To put it in perspective, by lunchtime today more than 66,000 websites worldwide will have fallen victim to a hacker. Many of these hackers attack from miles away, often overseas, and are usually unconnected in any way to your business; they attack your website purely because they can.

How do businesses react when their website gets hacked?

The first response from most website owners when their site gets hacked is disbelief. Common reactions include ‘But why would they target me? I’m just a local church/football club/small e-commerce website/local business website. I’m not NASA!’

It causes upset and disruption to your business and many people take it personally – but targeted website attacks are thankfully extremely rare. It’s likely your website was chosen purely because a remote hacker has done a worldwide scan using a specialist hacking tool and found they could get into yours. Here are just some of the reasons your local website may be seen as a target:

  • Every website is hosted on a server; by hacking the website, they may be able to take advantage of the server’s resources;
  • Your website may have an excellent reputation online, so they can hijack it to use it for their own sales projects;
  • Your website may contain business or customer data they can use;
  • In some cases, hackers just want to impress each other – they have automated tools that scan and highlight vulnerable websites and yours was chosen by such a tool.

Why it is probably not your web designer’s fault

The second reaction from website owners is to blame the company that designed their website, but that’s like buying a car and blaming the manufacturer if it gets stolen. As with car criminals, there are communities of hackers out there just looking for websites to hack. Like car criminals, web criminals are clever and continually explore new ways to commit their crime. Like car manufacturers, website designers will build your website to the latest available standards; however, technology is changing at a rapid pace and, unfortunately, hackers are upping their game at a similar pace. The honest truth is that no website protection is foolproof, and the most determined hackers have even secured access to huge financial institutions that have spent billions on protection. However, there are simple steps you can take which will prevent your website from being an easy target.

What happens during a hacking attack?

Unfortunately, this depends entirely on the hacker – once they have control of your website it is up to them what they choose to do.

Sometimes, a hacker will just change a picture or content on your landing page and do little else.

However, some hacks can be incredibly damaging: stealing your client data, hijacking browser search results for your website and diverting your clients to a nefarious site, utilizing your web server for cryptomining, destroying your data and more. Some hackers will lock your data and hold it to ransom (don’t ever pay; in most cases they won’t restore your site anyway).

The good news is that most websites can be recovered to some degree, but it is not always possible to fully recover a hacked site.

In many cases, however, hackers will leave some kind of back door for easy future access – which is why we always recommend choosing a professional to recover your site.

However, even seasoned professionals may not spot these back doors – hackers are experts at hiding their code and making it look innocuous. Our advice is to take sensible precautions to avoid being hacked in the first place and to regularly scan the website after any hack has taken place.

How can I protect my website from being hacked?

Nobody can 100% protect their website from hackers – it boils down to how much time, assets and acumen the hacker chooses to invest to hack your site. Huge corporates, Government associations and financial institutions are continually investing in cyber security and many of them have still been hacked. Cybersecurity experts talk about creating layers of security – staff awareness, best practice and strong passwords will each offer an additional layer of protection.

Taking just a few small steps will reduce your risk substantially. We recommend all website owners:

Have an SSL certificate

SSL adds additional encryption to your site, making it harder to hack. It also has a useful side benefit of helping your web ranking, as Google prefers sites with SSL certification.

Choose secure website hosting

You can find cheap website hosting for £1 a month, or pay thousands per month. They don’t all offer the same service and you get what you pay for. Web design specialists like DesignWeb will have spent time choosing a reliable, secure web host for their site owners, and security will be one of their key considerations. Regular site backups are important too, so check whether your website host includes them.

Do website software updates

While your website will have been built in line with up-to-date recommendations, both website hackers and technology are continually evolving.

WordPress is the most popular content management system in the world – powering more than 75 million websites worldwide. Keeping the platform up to date to offer protection from hackers is literally a daily challenge and, for this reason, WordPress issues updates to plug-ins, themes and settings almost daily. Most people ignore the warnings on the WordPress dashboard, but keeping WordPress up to date is essential in the fight against hackers. Other popular platforms like Joomla and Drupal are the same.

Once a vulnerability is uncovered, hackers usually spread the word very quickly, so it is an ongoing battle to issue updates in a timely fashion.

Most web designers will offer a premium service where they take care of things like Joomla and WordPress updates for you. It can seem like a cost saving to say no, but it’s worth it for the time you will save and to keep your website secure. It’s certainly a service we’ve found popular among our clients.

Very old custom-built websites are particularly vulnerable, as they will not have received regular patches and updates. Many website designers will offer a free website review – take advantage of that and then listen to their advice.

WordPress has some good plug-ins that will reduce your vulnerability. Talk to your website designer about whether one would benefit your website.

Choose secure passwords and educate your staff to do the same

You’d be amazed how quickly a techie can guess your passwords from a quick glance at your Facebook page. Pet names, kids’ names and friends’ names all make for terrible passwords. Common names and passwords also get added to hacker databases used by tools which automatically scan your site for vulnerabilities – so avoid them, too. Most hackers use a ‘brute force’ technique which keeps trying common words from a database… so ‘motoracing’ or ‘rugbyfan’ is not as clever as you hoped!

A secure password is harder to crack.

A good password should not include names, should have a mix of capital and lower case letters, numbers and special characters, and should ideally be at least 12 characters long.
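The rule above and the dictionary guessing it defends against can be combined in one check. This is an added example, not DesignWeb's code: the function names, the tiny constructed word list and the character-swap table are assumptions chosen for illustration.

```python
import string

# Constructed sample; a real check would load a large list of known-bad passwords.
COMMON_WORDS = {"password", "motoracing", "rugbyfan", "letmein", "qwerty", "welcome"}
# Undo common swaps (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, 8->b, @->a, $->s, !->i).
LEET = str.maketrans("0134578@$!", "oleastbasi")


def normalise(password):
    """Lower-case, undo common character swaps and keep letters only."""
    swapped = password.lower().translate(LEET)
    return "".join(ch for ch in swapped if ch.isalpha())


def password_problems(password, personal_names=()):
    """Return a list of reasons the password breaks the rule; empty means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lower case letter": any(c.islower() for c in password),
        "capital letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    problems += [f"no {name}" for name, present in classes.items() if not present]
    # Names (pets, children, friends) and dictionary words are still guessable
    # when padded with digits or written with swapped characters.
    core = normalise(password)
    for word in sorted(COMMON_WORDS | {n.lower() for n in personal_names}):
        if len(word) >= 3 and word in core:
            problems.append(f"contains guessable word or name: {word}")
    return problems


if __name__ == "__main__":
    for candidate in ("rugbyfan", "P@ssw0rd!2020", "Bella2015!Bella", "tV9#qLm2!xWz"):
        print(candidate, password_problems(candidate, personal_names=["Bella"]))
```

Note that "P@ssw0rd!2020" meets the length and character-mix rule yet is still rejected, because the swapped characters hide a dictionary word.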

Educate staff on real-life cyber security awareness

You don’t just need to protect yourself online, but in the real world too. Sometimes hackers will get into your website by telephoning your business and questioning your staff. An example of this type of hack is someone calling and saying they want to check your system is working now, so can they just take your password and login? (We’ve heard of this being used to get bank details too.) It’s highly unusual for any bank, IT company or web designer to call a client for this type of information, so instruct your staff to challenge this and not to give this information to anyone on an incoming call. Instruct staff to tell the caller politely that they will take their number and call them back – then call the company they are purporting to be from, on the number you normally reach them on. Your genuine web design or IT company will not mind you doing this – in fact, they will be relieved you have the presence of mind to do so.

Change passwords when staff leave

Remember I said targeted attacks were rare? They are, but ex-employees, particularly someone who may have a grudge, represent a potential risk. Good practice can eliminate that risk altogether – simply change all passwords when people leave, no matter how much you ‘trust’ them. Trust is great, but secure practices are a firmer guarantee to avoid disruption or a data leak from your business.

Monitor your website

Often, businesses will check their email but only glance at their own website occasionally. It’s worth making sure someone in your organisation has the responsibility to check the front-end of your website at least once per day – largely because there is nothing worse than a customer calling you to let you know your website now announces your proud support of Al Qaida…. and yes, that really did happen to a local businessman in South Wales who had built his own website. Doing a quick visual check once per day means that, should you fall victim to a hack, you can report it to your website support team and get it resolved before it damages your business reputation.

Website security is a huge topic and, of course, we can’t cover every detail in a short article. However, taking these basic steps will avoid your site being an easy target and give you the ability to respond to any threats quickly. For more information and advice, please call us on 01745 508588 or visit our website: https://www.designweb.co.uk.
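The daily front-end check described under "Monitor your website" can be backed by an automated comparison against a saved known-good copy of the page. This is an added example, not DesignWeb's code: the names, the 0.8 threshold and both HTML samples are constructed, and it assumes the page HTML is fetched by a scheduled job.

```python
import difflib
from html.parser import HTMLParser
from urllib.parse import urlparse

class PageFacts(HTMLParser):
    """Collect visible text and the external hosts that scripts/iframes load from."""
    def __init__(self):
        super().__init__()
        self.text, self.hosts, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # code and CSS are not visible text
        if tag in ("script", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").netloc.lower()
            if host:
                self.hosts.add(host)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()))

def page_facts(html):
    parser = PageFacts()
    parser.feed(html)
    parser.close()
    return parser.text, parser.hosts

def check_page(baseline_html, current_html, min_similarity=0.8):
    """Return alerts for changed visible text or newly loaded external hosts."""
    base_text, base_hosts = page_facts(baseline_html)
    cur_text, cur_hosts = page_facts(current_html)
    similarity = difflib.SequenceMatcher(None, base_text, cur_text).ratio()
    alerts = []
    if similarity < min_similarity:
        alerts.append(f"visible text changed (similarity {similarity:.2f})")
    alerts += [f"new script/iframe host: {h}" for h in sorted(cur_hosts - base_hosts)]
    return alerts

# Constructed samples: a known-good page and a defaced copy with an injected script.
BASELINE = ('<html><head><title>Acme Plumbing</title><script src="/js/site.js"></script>'
            '</head><body><h1>Acme Plumbing</h1><p>Boiler repairs.</p></body></html>')
DEFACED = ('<html><head><title>Hacked</title></head><body><h1>Hacked by someone</h1>'
           '<script src="https://cdn.constructed.example/m.js"></script></body></html>')

if __name__ == "__main__":
    print(check_page(BASELINE, DEFACED))
```

The second alert type matters because an injected script can redirect visitors without changing anything a daily visual check would notice.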