Me: “Dude, what’s up with this weird error message when I try to pull up my site?”
Him: “Can you Skype, like NOW?”
Two Hours Earlier . . .
It was a wonderful day. I was wrapping updates to my personal site, making some much needed improvements. I was about to close shop for the day and enjoy the evening. This day was special, because it was my husband’s birthday, so this night was all about him.
Then the white screen of death comes up.
The Short Story:
I called my hosting company in a cold sweat. They helped me sort some things out. I thought it was fixed.
Then I get an email from a member of my site, which gives me pause. I shoot off an email to my web developer asking a little question. He tells me to Skype him. NOW.
I was hacked. Big, bad, hairy malware . . . basically jacking up my websites and putting my visitors at risk. #ohnoyoudidn’t
“Not my fault,” he says.
I want to blow chunks, and throw a screaming fit on the floor. Instead, I call my hosting company again, they restore all my websites, and I go to work to plug the holes. I spend the majority of the evening being furious, frustrated, and generally stressed. And majorly ticked off.
Being hacked is no fun. However, since then I’ve learned a few things that I’d like to pass along to keep others from experiencing a hacking nightmare of their own.
Hacking Doesn’t Just Happen to Successful Sites.
I remember a time when you could google for a certain phrase that hackers would put up when they broke into a site, and you’d see thousands of results. Many times, they were on sites that had long been abandoned, or were owned by people who were clearly not involved with great support teams or anyone who knew how to tell them to fix it.
I remember one person once said they’d rather rip it all down and start over than try to fix it, which is just so sad.
You lose more than just your site when you’re hacked. You lose some of your trust and credibility with your clients, and you lose out on hours, days, and sometimes even weeks of business. This is especially damning if you’re a strictly online business.
So not only do you have to fix your site after it’s hacked, but then you often have to take extra steps to reassure your clients and build back trust.
Advice for Those Worried About Getting Hacked
1. Make sure you’re with a well-established, reputable hosting company.
Ensure that they either know how to, or have someone who knows how to, monitor and support your site. They should be keeping up to date with the latest news and updates, and be able to alert you at the first signs of trouble. They should also have their own system in place for backing up sites. A good hosting company will often have 24/7 support in case something does happen.
2. Make Regular Site Backups.
A backup of your site will allow you or your developers to reload a slightly older version of your site in the case of a hack. This can be super valuable because it can help you get your site back up and running quickly. However, you’ll then need to be quick about finding and patching the hole that allowed hackers to get in, to ensure that the site doesn’t immediately get hacked again. You’ll also need to redo any work that you’d done on your site since the latest backup.
You can have your site set to back up daily, weekly, or monthly depending on how active you are on your site.
3. Be Active on Your Site
Be active on your site. Make sure that you’re touching your site often so that people know it’s not dead in the water. The more active you are, the more likely hackers are to be deterred, and the sooner you’ll notice if something does happen and be able to fix it.
Lots of hackers like to target sites that do not seem very active and that don’t appear to have developers working on them regularly. Inactivity not only means that there are unpatched holes that haven’t been fixed, but it also means that you probably won’t be able to fix what they break very quickly.
4. Regularly Patch Your Site.
Regular patching, especially of blog software, is critical. Blog platforms like WordPress are a magnet for hackers looking to try out their mad hacker skilz, most times using automated software. WP has had some holes large enough to drive semi trucks through in the past. While they keep patching the holes, there are always more. Every time a new and improved version comes out – it comes with new and improved holes.
Sometimes people let patches go because patches will often break things on the site in question. So people think that it’s easier to just let a patch go because, if you use it, now “x” won’t work on the site. Very frustrating and definitely not the best practice.
It’s better to have something broken and use the patch than to leave a site unpatched. However, if it breaks something super critical to your site, this can be a hard decision to make. Try to have workarounds for any automated process on a website – that’s difficult, but it’s the only thing I can think of that might work in this case.
5. Regularly Update Your Modules, Widgets, and Plugins.
This goes hand-in-hand with patching your site, but you also want to make sure you’re installing updates for all of your modules, widgets, and plugins when they become available. A lot of times, these updates from the product’s developers will have built-in patches and new security measures added into them.
6. Pick Themes and Pre-Coded Extras Carefully.
There are also the “ready to go” themes and widgets, which can be insecure and let unwanted malware in through the back door because it comes fully loaded in the code. Lovely. One must be very, very careful about any pre-coded extras added to a site. Research them carefully to see if people have had problems.
You think “what a cool thing to put on my site.” What you get is a nice backdoor for a hacker to get on the system.
7. Don’t Underestimate the Power of a Good Password
As mentioned previously, a lot of the time it’s not an individual person hacking your site, but a program that looks for holes in software or user configurations and exploits these vulnerabilities. These types of programs also look for weak passwords to take advantage of.
Ensure that your password is difficult to hack by frequently rotating your password and creating very complex passwords. There are password manager apps that will allow you to keep a list of encoded passwords so that you can use very secure passwords without having to worry about forgetting them.
8. Conceal PPI (Personal Private Information) and Passwords from Others.
Make sure you are taking all of the appropriate steps to conceal your PPI and passwords from others. This step is more crucial than having a super secure password in the first place. It won’t matter how complex your password is if you’re giving it out or if it can be easily found by others.
9. Run a Security Audit on Your Platform Using an Auditing Tool.
These tools can help you identify problems in your site so that you can get them fixed before a hacker finds the same problem and takes advantage of it. Make sure to find a thorough and reliable auditing tool.
10. Ensure Your Server is Secure, Too.
Sometimes hackers hack servers, not sites: the hacker gets onto the server itself and doesn’t hit your site in particular. That would definitely not be something you would have any control over; that’s in the court of the hosting company. They need to be on top of their server security. All of the above items apply to them in regard to their backend software.
However, what you can do is make sure that you are working with a good, reliable server provider who is on top of their work. Don’t purchase a cheap one to save a few bucks; this will usually not do your site any favors. Check on their reputation before you decide to work with them.
11. Stay in the know.
Your web developer should be staying on top of things themselves, but you should try to as well. Ultimately, it’s your site and your responsibility. Set up an RSS feed that specifically pulls in info from sites that talk about the latest security issues with your web platform. Even better and faster is to follow some of the people who are into this platform on Twitter, as that’s generally the first heads-up.
You don’t need to fully understand what they’re saying or how to fix it. You just need to be able to hear when something is wrong so that you can forward the information on to your developers, who can fix it so that your site is secure again as quickly as possible.
In Conclusion:
Doing all of these things will help make your site more secure, although it’s very hard to make a site completely secure.
What have you learned from being hacked? What advice would you have for those who want to protect their sites?