Apologies to those who feel that we are being alarmist; however, this topic is highly relevant to most of the companies that we deal with, and it really is worth a minute of your time.
We talk to many creative agencies that are responsible for their clients’ websites, and I feel that there is a degree of complacency regarding website security. This is based on the notion that most of the websites they deal with are too small to appear on hackers’ radar; they can’t imagine why a hacker would bother to target their sites.
The sad reality is that hackers are not targeting many websites specifically; they are targeting ALL websites continually, by means of fully automated attacks carried out by “bots” that they have written to trawl the web looking for certain web servers, CMSs and other entry points with specific weaknesses.
They are not doing this to deface your homepage or for kudos; instead they will hijack your site for commercial gain, for example to turn it into a spam relay, steal sensitive details or link to some dubious website in order to steal your Google page rank. There is huge money available on the black market for hackers selling credit card details, links and spam for Viagra and other products.
Often it will not be obvious for several months that a site has been hacked. But once it does become obvious, the reputational damage will be devastating and can ultimately spell the end for a business.
These hacks are possible because of weak points that are accidentally built into CMSs and other platforms such as Drupal, WordPress and Joomla, and the plugins that go with them. It’s just the nature of Open Source software and the haphazard testing that such systems receive.
A typical vulnerability will allow a hacker to inject their own code into your website, and once this has been done they can use it for whatever they like. Exploiting such a vulnerability can be as simple as typing a specially formed piece of text into the site’s login box.
When these vulnerabilities come to light, patches are usually made available quickly; however, you need to be aware of these and to act on them within a few hours. After this period you can expect that the vulnerabilities will have been “weaponised”, i.e. the hackers will have built programs to trawl the web looking for any servers that still display the weakness and to exploit it.
The only way to deal with these vulnerabilities is to monitor the security feeds that announce the latest patches for your CMS and plugins, and to make sure these get applied to your sites ASAP. This process can be automated but needs to be monitored nonetheless.
Once a site has been hacked it can be impossible or at least expensive to clean up. Sometimes the only recourse is to rewrite the site from scratch.
When hosting your website we recommend choosing a fully managed hosting service with a reputable provider that will monitor the marketplace and apply any patches for you. Sure, it costs a little more than a basic hosting package, but for the extra you get peace of mind, 24/7. So what price your reputation?
In summary, please don’t assume that you are safe from hackers. If you feel that you need some more information to better understand this important topic please feel free to call us anytime.
You can get notifications of WordPress releases at https://wordpress.org/news/category/security/
https://wpvulndb.com/ also shows plugin vulnerabilities and will notify you by email when a new vulnerability is found.
Drupal offers a similar service here: https://www.drupal.org/security
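
The feed monitoring described above can be sketched as follows. This is an added example, not code from the original article or from Performance Web: it reads a security-news feed, finds the newest security release and lists the sites still running something older. The feed snippet, version numbers and site names are constructed for illustration, and fetching the live feed is left out so that it runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed feed: titles and version numbers are invented for illustration.
SAMPLE_FEED = """<rss version="2.0"><channel>
<item><title>WordPress 99.1 Release Candidate</title></item>
<item><title>WordPress 99.0.3 Security Release</title></item>
<item><title>WordPress 99.0.2 Maintenance and Security Release</title></item>
<item><title>Community meetup roundup</title></item>
</channel></rss>"""

# Constructed inventory: site name -> installed CMS version.
SAMPLE_SITES = {
    "client-a.example": "99.0.3",
    "client-b.example": "99.0.2",
    "client-c.example": "98.7",
}

VERSION_RE = re.compile(r"\b(\d+(?:\.\d+){1,2})\b")

def parse_version(text):
    """Return the first x.y or x.y.z in text as a 3-tuple of ints, else None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad so 98.7 compares as 98.7.0

def latest_security_release(feed_xml, product):
    """Highest version among items whose title names product and 'security'."""
    # For a feed fetched over the network, use a hardened parser (e.g. defusedxml).
    versions = []
    for item in ET.fromstring(feed_xml).iter("item"):
        title = item.findtext("title", default="")
        v = parse_version(title)
        if v and product.lower() in title.lower() and "security" in title.lower():
            versions.append(v)
    if not versions:
        # Usually means the feed changed or the fetch failed: fail loudly so
        # the automation is never silently blind to new patches.
        raise ValueError("no security release found in feed")
    return max(versions)

def sites_needing_patch(sites, feed_xml, product="WordPress"):
    """Sorted site names whose installed version is older than the latest fix."""
    latest = latest_security_release(feed_xml, product)
    unknown = (0, 0, 0)  # unparseable versions are flagged for manual review
    return sorted(s for s, v in sites.items() if (parse_version(v) or unknown) < latest)

if __name__ == "__main__":
    print(sites_needing_patch(SAMPLE_SITES, SAMPLE_FEED))
```

The `ValueError` on an empty result is the "needs to be monitored" part: a job that quietly finds nothing looks identical to a job with nothing to report.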
Written by Jim Parsons, Owner and Managing Director of Performance Web