I know how it is – you’ve got a business to run and you don’t have time to learn how to do all the behind-the-scenes technical stuff for your website.
Or, you’ve handed the “technical” stuff over to your VA, but secretly they have no idea about what needs to be done either – it’s not their area of expertise.
Then, someone tells you that your site has been hacked – when they visit your site on their smartphone or tablet, it redirects to a porn site.
This is the last thing you need.
Website maintenance, especially security, can be confusing and easily dumped in the “too hard” basket.
If you’re not a big name blogger or business owner, it’s easy to just bury your head in the sand and think your website will be fine and won’t get hacked.
Well, I’m here to tell you that it can happen to you.
It happens to the most caring, beautiful business women I know and it’s upsetting to say the least.
It’s nothing personal though – by this I mean, there isn’t some evil person sitting behind a computer in a foreign country, searching you out specifically to take your site down.
Yes, there are people with nothing better to do, who love the challenge, creating this havoc, but it’s purely a numbers game.
Hackers will create pieces of code that get sent out to the internet in search of websites that are vulnerable.
If your site is vulnerable, there is a high likelihood it will be infected.
What makes your site vulnerable?
Warren wrote an in-depth, semi-technical article on website security – you can read that here.
Today I want to give you just the simple things that you can check and fix yourself – right now!
Important: Before you apply any of the following measures, make sure you have a full backup of your website that can easily be restored – it’s not enough to have a backup if you can’t restore it when something goes wrong with your site. (BackupBuddy is great for this.)
1. Are you using the latest version of WordPress?
Make sure you have the latest version of WordPress running on your site. You can head over to the WordPress.org site to see what the current version of WordPress is.
When you log in to your dashboard, there will be a notification bar at the top of the page that will alert you if you need to update.
If you are running a version earlier than 3.7, you need to do these updates yourself. If you have version 3.7 or later, minor updates will be applied automatically, but major updates will still have to be run manually.
From the WordPress Codex:
For WordPress 3.7+, you don’t have to lift a finger to apply minor and security updates. Most sites are now able to automatically apply these updates in the background. If your site is capable of one-click updates without entering FTP credentials, then your site should be able to update from 3.7 to 3.7.1, 3.7.2, etc. (You’ll still need to click “Update Now” for major feature releases.)
Each new version of WordPress comes with feature and security updates and bug fixes.
If you don’t update your version of WordPress, you can have everything else right on your site, but your site will be vulnerable.
2. Have you applied all theme/framework and plugin updates?
It’s important to apply theme and plugin updates too – old versions can contain security holes – again making your site vulnerable to hacking.
Make sure you have a full backup of your site before applying any updates.
Plugin updates are usually fine to run, except in the case of bigger plugins such as WooCommerce – check the plugin’s site for any update advice first.
As for themes, if you have a theme framework in place (e.g. you’re using the Genesis framework), then you can safely update your framework.
If your child theme needs updating or you have a stand-alone theme, it’s a more laborious process to make updates if you have made changes to the style sheet or functions file. If your theme has a “Custom CSS” section and all changes are in there – updates should be fairly straightforward.
If ever you are in doubt about updating your theme, please check with your web developer or theme developer.
3. Have you deleted all unused themes and plugins?
Unnecessary code on your site is an invitation for malicious code to enter. This usually takes the form of unused themes and plugins.
It’s easy to accumulate a few different themes and a variety of plugins in your dashboard, especially if you’ve been building your site yourself and trying out different looks and functionality.
But once you’ve finished creating your site, it’s important to get rid of any unneeded items.
Do a quick audit of your site: delete all themes except your current theme (and the framework, if you’re using something like Genesis), then deactivate and delete any plugins you aren’t using on your site.
Then it would be wise to run another full backup of the clean, lean version of your site.
4. Do you have a secure login?
Many people have used the quick, 1-click installation to set up their site, and some hosts assign the name “admin” as your admin username.
If you have “admin” as your login, you are an easy target for hackers.
It’s easy to fix this – simply create a new admin user with a more secure login (definitely not your name or the name of your site), log out of your current user account, log back in to your dashboard with the new credentials and then delete the old admin account.
Also make sure your password is long – length trumps complexity.
And if you have difficulty remembering your multitude of passwords, check out 1Password. I’ve been using it since 2008 and wouldn’t be without it.
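The four checks above, as an added example that is not code from the original post: a read-only audit using WP-CLI (https://wp-cli.org), which assumes the `wp` command is installed on your host and that the script is run from the WordPress root directory. It only reports; it changes nothing on the site.

```shell
# Added example, not code from the original post: a read-only WP-CLI audit of
# the four checks above. Run it from the WordPress root as: sh wp-audit.sh

# Is the login "admin" present in the list of logins read from stdin?
has_admin_login() {
    grep -qx 'admin'
}

# Is dotted version $1 older than dotted version $2? (e.g. 3.6.1 is older than 3.7)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, "."); n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i <= na) ? x[i] + 0 : 0; q = (i <= nb) ? y[i] + 0 : 0
            if (p < q) exit 0; if (p > q) exit 1
        }
        exit 1 }'
}

# Prints one WARN line per finding; the return code is the number of findings.
audit_wp_site() {
    command -v wp >/dev/null 2>&1 || { echo "WP-CLI (wp) not installed" >&2; return 99; }
    issues=0
    # 1. Core: anything before 3.7 gets no automatic security updates; is a release pending?
    current=$(wp core version)
    if version_lt "$current" "3.7"; then
        echo "WARN: WordPress $current predates 3.7 (no automatic security updates)"; issues=$((issues + 1))
    fi
    if wp core check-update --format=json 2>/dev/null | grep -q '"version"'; then
        echo "WARN: a newer WordPress core release is available"; issues=$((issues + 1))
    fi
    for kind in plugin theme; do
        # 2. Plugins and themes with a pending update.
        for name in $(wp "$kind" list --update=available --field=name); do
            echo "WARN: $kind update pending: $name"; issues=$((issues + 1))
        done
        # 3. Inactive plugins/themes are unused code: delete them. Keep the parent
        #    framework (e.g. Genesis) of your active child theme if it is listed.
        for name in $(wp "$kind" list --status=inactive --field=name); do
            echo "WARN: inactive $kind still installed: $name"; issues=$((issues + 1))
        done
    done
    # 4. A login literally called "admin" is the first guess in any login attack.
    if wp user list --role=administrator --field=user_login | has_admin_login; then
        echo "WARN: administrator account 'admin' exists; create a new admin, then delete it"; issues=$((issues + 1))
    fi
    return $issues
}
```

Call `audit_wp_site` at the end of the file (or from your shell after sourcing it) and take a fresh backup before acting on any WARN line.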
How do you know if your site has been affected?
The average website owner thinks that if they can see their site on their computer, all is fine.
Not every hack will replace your website with an ugly image and a scrolling message (I have seen this type of hack, though).
If you have experienced any of the following, then your website has been affected:
- People are complaining that your website is redirecting on their mobile devices, notebooks or desktops (potentially to porn websites)
- Your host has disabled your website because of a security issue
- You see “This site is hacked” or “This site may be compromised” on Google search
- Clients are complaining that your website is being flagged by their antivirus
- Google / Bing search is showing Viagra, Levitra or other pharmaceutical ads in your search results
- You are plagued with reinfections
- Google, Yahoo or Bing have blacklisted your website
- Something just feels off – you’re seeing weird activity, things are popping up, or you just want a second pair of eyes
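The first symptom in the list (visitors on phones being sent elsewhere) can be checked on your own site without waiting for complaints. This is an added example, not code from the original post: it assumes curl is installed, `https://example.com/` stands in for your own domain, and the two browser identification strings are constructed stand-ins for a desktop browser and a phone.

```shell
# Added example, not code from the original post. Needs curl. Usage:
#   sh mobile-redirect-check.sh https://example.com/   (use your own domain)

# Lower-cased host part of a URL, with scheme, port, path and query removed.
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://##; s#[/:?].*$##' | tr 'A-Z' 'a-z'
}

# True (exit 0) when the two URLs are on different hosts. Comparing hosts rather
# than full URLs tolerates legitimate on-site redirects such as adding "/blog/".
landing_hosts_differ() {
    [ "$(url_host "$1")" != "$(url_host "$2")" ]
}

# Fetch $1 as the browser named in $2, follow HTTP redirects and print where we end up.
# Only HTTP-level redirects are followed; a redirect injected as JavaScript is not seen.
final_url_as() {
    curl -sS -L -o /dev/null --max-time 20 -A "$2" -w '%{url_effective}' "$1"
}

# Compare the landing page seen by a desktop browser with the one seen by a phone.
check_mobile_redirect() {
    desktop_ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"
    mobile_ua="Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36"
    desktop=$(final_url_as "$1" "$desktop_ua")
    mobile=$(final_url_as "$1" "$mobile_ua")
    echo "desktop browser lands on: $desktop"
    echo "phone browser lands on:   $mobile"
    if landing_hosts_differ "$desktop" "$mobile"; then
        echo "WARN: phone visitors are sent to another site; treat this as a compromise and get the site cleaned"
        return 1
    fi
    echo "OK: both land on the same host (a JavaScript redirect could still exist; check the page source too)"
}

if [ -n "${1:-}" ]; then check_mobile_redirect "$1"; fi
```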
It’s important to act quickly
As soon as you find out your site has been hacked, it’s important to get it fixed as quickly as you can, especially if your business relies on your website for sales, but also because you can potentially damage your reputation if your site is redirecting to a porn site for example.
Your audience may not be sufficiently web savvy to know that your site has been hacked, and even if they are, the subconscious impression that gets sent is that your site can’t be trusted and worse still, you can’t be trusted.
Also, a hacked site can lose nearly 95% of its traffic in as little as 24 to 48 hours if not fixed immediately – losing its organic rankings and being blocked by Google, Bing and many other blacklists.
Hacked sites can also expose your customers’ and readers’ private and financial information, and even turn your site into a host for dangerous malware and illicit material, creating massive liability.
How do you fix this?
You have a number of options:
1. Contact your host and ask if they can fix the issue.
Unless you have high-level managed hosting that has specifically said it manages security for you, it’s unlikely they will do anything.
If you’re on a low-cost, shared host, they may tell you they can fix the issue (and by “fixing” they may simply replace infected theme files, which could mess up your site if it has been custom designed), but they are in the business of providing hosting, not security.
If you’re using Siteground (the hosting company we recommend), jump on chat with them and ask for their advice.
2. Contact the person who built your website and ask them to fix it.
Be aware, not all people who create websites understand the security aspect.
There is a high possibility your web person won’t understand security sufficiently to be able to rectify the situation. If they did, they would have already implemented preventative security measures and enrolled you into some sort of security monitoring service.
3. Get a service like Sucuri to remove the malware.
Even if you aren’t already using Sucuri to monitor your site (which you should be), for the price of a few cups of coffee (or green smoothies) a month ($199.99 per year) they will clean your infected site and then continue to monitor your site for an entire year (remember to renew annually though).
If you already have a Sucuri membership, make sure you also have the plugin installed on your site – make sure you keep it updated and renew your license each year.
The main Sucuri plans provide malware detection, alerting and removal. For regular websites, this is all you need (it’s what we use).
As long as you keep your license active, you will be notified if anything happens, which means you know which of your backups are clean and which ones need to be deleted (because they could be corrupted or contain malware).
4. Be proactive and outsource the ongoing care of your website.
You can’t be expected to be an expert at everything related to your website.
Outsourcing the care of your website (backups, security monitoring, plugin, WordPress and theme updates, uptime monitoring) means you can focus on what you do best and your website will be taken care of by professionals (that’s us).
A word of caution: Backups are important but not enough on their own
Backups go hand in hand with security – the two work well together.
I mentioned above that you should run a full backup before you do any updates to your site (WordPress, theme, plugin updates).
But just having backups without security monitoring leaves you open to continued problems.
Without security monitoring you have no idea how far back the hack happened (it’s possible to be hacked for a while and not know it).
If you just restore an old backup, there is no guarantee that backup is clean and you could just be reinstalling your site with the malicious code intact.
That is why we use and recommend both BackupBuddy and Sucuri.
Want help with taking care of your website?
If you’d rather have us get all this sorted out for you, we have two options:
If you have an emergency situation, choose our Tech Rescue or if you’d like us to take care of your website on an ongoing basis, choose one of our Website Care plans.
I hope you now have a better understanding of website security with easy steps to get your site secured.
Make sure you share this post with all your business friends – they will love you forever 🙂