The advice provided in this article is based on real world experience of having an income producing website hacked – namely my website.
In this post, I will reveal how the baddies got in, what actions I took to restore my website, the assumptions I had around responsibilities – that were wrong, how much the attack cost my business and finally something for you – a checklist that you can use to review your own websites security right now.
If you don’t care about my wonderful tale of website hackery and just want the checklist then scroll down to the bottom and read the “Website Security Checklist” section.
But! You will be missing out on a great story 🙂
How My Website Was Hacked
About 7 years ago my website was tracking quite nicely with 30,000 unique visits per month in a niche market, revenue from advertising was good and growing. It was about this time I decided to offer a new service to the website visitors to encourage them to stay longer on the website.
I asked the web developer, who was a contractor living in another country and did odd jobs when work was needed, to locate a suitable plugin for the website. So off he went and located a plugin that seemed to offer all that I needed and even better – it was free!
So, the web developer downloaded the plugin, installed it on the production website and off I went promoting the new features to my website visitors.
Now, some of you will already be shaking your head at what I did, and believe me I am too as I write this. It’s important to note that I was not in the IT security sector at that time and did not have any idea (nor care because hackers only target big websites, right?) of IT security in general – like most small to medium business owners.
The plugin was fantastic and kept a high proportion of visitors on the website for much longer, until of course, the website got hacked – and hacked good.
There is nothing worse for a business owner to have your “shop” broken in to and “products” stolen or damaged, and that’s what happened to me.
How did it happen?
In summary and without going technical on you, the plugin was riddled with security vulnerabilities big enough to drive a virtual bus through it. The plugin developer had no clue how to write secure code and every hacker knew it. I found out later my web developer didn’t have a clue either.
The worst part is that most plugins inject meta-data into the website HTML when a web page is visited so all the hackers need to do is search Google for that meta-data “signature” and instantly a list of websites running that plugin will be shown.
Once a vulnerability is discovered in the plugin that meta-data “signature” helps them locate all the websites running it, as mentioned above. You can try this out yourself with a simple search such as “vulnerabilities” or “exploits“.
Out of those results you will end up navigating to a website that will provide a step-by-step guide on how to exploit whatever vulnerability the software contains. This is how 11-year-old kids with no training in hacking can successful hack a website – they are provided with a “dummies guide” how-to for free!
In the case of the plugin installed on my website, it was one URL with some extra text at the end of it – which was a “SQL injection attack” that resulted in resetting the admin password of the software running the plugin.
That’s right, the admin account that manages the entire website could be reset to whatever the hacker wanted with one URL call to my website!
Thanks to the plugin a hacker had admin access to my entire website with one URL call.
The hacker, was not a simple 11-year old script kiddie that just wanted to deface the website.
No, this hacker was smarter.
The hacker wanted to remain on the website as long as possible, attempting to infect as many visitors as possible. To achieve this the hacker did the following:
- Uploaded hacker tools to allow for additional backdoors to be added to the site just in-case the original vulnerability used to gain control of the website was discovered and fixed.
- Downloaded the accounts of all the users to: 1) attempt to brute force the encrypted passwords (that failed since the encryption was strong) and, 2) grab all the email addresses to sell to spammers.
In fact, he was so good that it took a couple of website visitors to complain to us that every time they went to our site their web browser would crash.
When I investigated, I knew something wasn’t right so I rang the hosting provider who had a look and confirmed that the website had been hacked.
I rang the web developer only to find out that he was off on a 4-week holiday and did not bother to tell me.
Thanks for that.
I then went back to the hosting provider and asked them for help, but they only could provide assistance in a few days not right at this moment.
What to do?
The first thing I did was shut down the website, then emailed all the users informing them of the attack. I rang the advertisers and told them each personally about the attack and how I was going to refund existing payments.
Next, I was lucky enough to know another web developer who was based locally that I trusted. I contacted him and after having a look over the website concluded that it’s a better to roll back to the last backup then risk missing one of the hacker’s back-doors.
Excellent – that’s great news!
Except, when attempting to roll back we found the last 6 months of backups were corrupted! Finally, we located a backup that was not corrupted and rolled back the website to what it was 7-months ago.
This meant that my website was now missing 7 months of content!
Of course, this caused me a world of pain with issues such as: dead links back to my website, loss of 6-months’ worth of banner statistics for my advertisers, loss of trust with my visitors and advertisers, loss of revenue through refunds and the cost of the web developer helping me to roll back and secure the site.
Finally, when the dust settled and I was back online taking stock of the whole event the web developer who installed the plugin contacted me to touch base. After telling him what he missed and listening to blank silence on his end I asked him for his thoughts.
So, do you want me to install the latest version of the plugin?
Website Security Checklist
Below is a website checklist that I hope you will find value in using.
The checklist is based on the lessons-learned from when my website was hacked. The checklist is aimed at the business owner who is not technical and relies on third parties to help manage their business website.
- Patch, Patch and Patch – ensure that someone is responsible for keeping your website software up-to-date with patching. Make sure you have written confirmation from that person (people’s memory on who is responsible for what when an attack occurs seems to magically change). Also ensure that your hosting provider has a patching policy and that the web server your website is hosted on is patched frequently. Ask for the patching schedule and patching policy. If they don’t have a schedule or policy then it’s time to look for a new hosting provider.
- Review existing plugins – If you have installed plugins on your website then review each one and have a good hard think if you need the features offered. Every plugin you install increases the chances of a vulnerability entering your website. The plugin might be secure now but that can change with each plugin update. You can also apply this review to any other software you have installed that provides a service to your website.
- Review new plugins or functionality – if you have identified a new piece of functionality you would like to add to your website such as a plugin, perform some basic research first on the software before installing it. Key search terms I use are: ” vulnerabilities”, ” exploits”. If the search results look alarming such as discussion about how easy it is to hack then don’t install the plugin.
- Review Website Admin Accounts – who has access to the admin portal(s) of your website? Which admin accounts can be disabled and only active when needed? For example, the contractor you used 3 years ago for one job probably does not still need access to your website. Are all the admin accounts known to you and are they still needed? What about FTP accounts? What about SSH accounts? Reset the password on all admin accounts if they have not been changed in years, and make sure it’s a strong password. You don’t need to force a password reset every month – maybe once a year.
- Check your website backups – create a dummy website and restore a backup to test that it works. I know this will be very hard for most of you but I know from personal experience that if you need to roll back and the backup is corrupted or not complete, the other options you have will be far more expensive then loading up a test site and testing your backup.
- Have an Incident Response Plan – basically a document that records the contact details of all the people you need to engage when the website is hacked and what steps you are going to take, such as asking the hosting provider to block all incoming traffic. Record the hosting provider’s support contact details, including their after-hours support numbers (Tip! Perform a test run by ringing the after-hours line late at night and see how good they are at responding – you may be very surprised at the result!), contact details for the web developers or anyone else who helps manage your website, your clients and any other interested parties. If your website accepts credit cards for payment then you will also need to contact your acquiring bank and inform them of the breach (read Do I Need To Be PCI Compliant? for an introduction into PCI DSS). In my next post I will provide a basic incident response plan you can use.
- Webserver Hardening – check with your hosting provider that the webserver hosting your website is “hardened”. This means that the hosting provider has tightened up the security of the webserver such as turning off any services that are not needed, changing configurations so the security is better and a host of other technical things that are important. If the website hosting provider does not know what hardening is or doesn’t do it then it’s time to find another provider.
- Software Hardening – if your website software was installed by a third-party check with them that the software has been “hardened”. Just about every piece of software can be “hardened” as most have default configurations that do not have a focus on security. Like the hosting provider, if they do not know what “hardening” is, it’s time to start searching.
Since we are on the subject of securing your website, I would like to suggest a couple of recommendations that require thought, cost and planning to implement but are well worth the effort.
- I recommend that your website only supports HTTPS not HTTP. HTTPS allows the traffic between your website and your visitors to be encrypted. This is very important especially if you access the admin functions of your website using public networks such as free or hotel wifi. To provide a bit of encouragement in looking at HTTPS, Google has recommended using HTTPS and talk in the SEO world is that Google will prioritize websites that only support HTTPS in their search results – enough said.
- Consider using a service such as Cloud Flare that will sit in-front of your website and help protect it from attacks. Cloud Flare provides a “Web Application Firewall” or “WAF” which protects your website from attack via the Internet. Another WAF option to consider, if your website is using Word Press , is Word Fence which provides a security plugin for your website. I have not used this plugin myself as I use Cloud Flare but it looks interesting. NOTE: I receive no benefit from Cloud Flare or Word Fence in mentioning them. I use Cloud Flare and a person I highly respect in the IT security sector recommended looking at Word Fence.
- Look at a monitoring service to alert you if your website is under attack – the little bit of warning you get will allow you to alert your hosting provider who may be able to stop the attack.
If my post has sparked your interest in improving your businesses IT security then have a look at this post-> Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses