Hacked and Redfaced
There is an old adage about a builder’s house is never finished. Despite being a fantastic builder he (or she) is busy building houses for everyone else and neglects their own. We recently found ourselves in a similar situation and our site got hacked; let me tell you it was pretty embarrassing with more than a couple of expletives being shot around the office when we did a routine check and discovered the issue. We took some solace in not being alone in such a silly oversight – you may remember last year, Marketo were left chasing their tail after their domain expired without being renewed.
So how did it happen?
When we develop a website for a customer we generally provide that client with the option of purchasing a service package that schedules regular security updates. But ironically (in this case) when it came to our own we let slip.
Undertaking the security update had sat on our backlog for sometime but, being busy servicing clients, it kept getting pushed further down the list – we kept saying we will get to it eventually and then suddenly it was too late. In this case, we had neglected to update our plugins – a simple little thing to do. It wasn’t attended to and someone pounced.
Like many of our clients, our website is built on the WordPress platform. We build on many platforms but many, many clients are familiar with WordPress, with a wide array of plugins and general familiarity for most people savvy with any CMS make it very popular… PLUS its free!
But, it comes at a cost – that cost is security and with millions of websites designed in the WordPress platform, it can make it an easy mark for hackers because if you can break into one plugin, theme or the platform itself, you will have a multitude of targets. As opposed to a singular bespoke solution. This is not to scare you – WordPress is generally a safe CMS, with simple processes in place to ensure your website is secure, but the simple reality is they must be done, and they must be done regularly or, like us, you will end up with egg on your face.
In our case, the hack was relatively harmless, they exchanged some metatdata which altered our google search results (we’ll canvas the impact of that in another article in the near future), but we have seen some more malicious results in the past to websites of clients who didn’t want us to maintain their site. As such, we really do recommend making the small additional investment in a service plan. After all, you wouldn’t buy a car and never service it.
A service plan is an insurance policy. We create regular back ups of your site meaning we can restore it quickly in the event of an issue and we ensure plug-ins are up to date…
But if your site suffers a hack here are some things you can do:
Step 1 – The world isn’t over
We understand that websites are critical to practically every business nowadays, especially e-commerce sites. But it’s important to keep a level head – remember that no one has been hurt and you can recover from this.
Step 2 – IT
Luckily for us, our in-house tech team could handle this particular problem so we didn’t have to make a phone call, but for most businesses this will mean rallying your troops. Depending on the severity of the breach, your host might be able to talk you through the requirements over the phone or contact whoever developed the site for you. We would always recommend that someone in your office know how to place your site in maintenance mode, which will replace your site with a simple maintenance screen and form.
One critical issue at this point is for websites with integrated clients databases is to get your team to ensure the integrity of your secure data.
Step 3 – What are the broader implications, enquiries, marketing or sales?
Once the site is in maintenance mode, it would be worth pausing any digital advertising you may have running – it’s pointless sending potential clients to a website that is not delivering the optimal experience for its users. If you use your site for client interactions like sales or services, it may be worth preparing 2 edms (we wold recommend having these pre-built and ready to deploy): one, alerting existing customers that the issue exists and assure them (if applicable) that their user data is safe. Also provide them with some information on when your site is likely be back up and running; and secondly, an edm goes out when you are back up and running.
Step 4 – The mole?
Figuring out where the breach occurred is important so you can plug the gap as effectively as possible. Your tech should be able to point you in the right direction after reviewing the affected pages, custom code, plugins, log files etc.
Step 5 – Spring cleaning
While your tech team takes care of the website, it’s also a good time to clean your computers with an anti-virus program. Change all your passwords – website; hosting; cPanel etc.
Step 6 – Future proof
Make sure it doesn’t happen again. Talk to your tech team and get in place processes to make sure this, hopefully, small blip in the radar doesn’t happen again. The outcome could be a small retainer for ongoing support or invest in some training and make time to keep your site secure.
Remember, an ounce of prevention is worth a pound of cure.