Why hackers want your website and how to stop them.

Recently I was meeting with a prospective client and went to show them a website I’d designed for another client. We were both fairly alarmed to be greeted by a spinning skull and crossbones on a background of fire, with some creepy text!

After reassuring my prospect that this, in fact, was not my design style, I notified my client that their site had been hacked. The client and I then spent numerous hours over the next several days restoring the site and implementing new security precautions.

Many website owners have the mistaken idea that their site is small, simple and of no interest to hackers. Unfortunately, that just isn’t true. WordPress websites in particular, because of their huge popularity and open source software, are favorite targets for hackers.

So, in the interest of sparing you this unnerving and time-consuming experience, I’ll go over the reasons hackers want to get into your site, and how to stop them.

Why do hackers want your site anyway?

If your site processes financial information, takes credit cards or stores personal data, then it makes sense that you’d be an appealing target for a hacker. But even if you don’t store banking information, your site can benefit bad guys in several ways:

Webserver Access

Most of the time it’s not your website itself that a hacker is interested in but the means it provides. They want free use of the computing power and web server that your site runs on. This access lets a hacker perform more complex (often illegal) tasks while remaining anonymous, because the server isn’t linked to them (it’s conveniently linked to you).

Viruses and Spam

A hacker can use your site to take over your server and send out spam emails or launch brute-force attacks, resulting in your server being blacklisted. Or hackers can use your site to serve up viruses, malware, keystroke trackers and other malicious software, not just to you but also to your website’s visitors. Or the hacker may redirect visitors to another site that creates affiliate income for them. The possibilities to make a buck turn your website, no matter how small, into a very appealing and useful tool for a hacker.

So what can you do to protect yourself?

The most common hacking access points on WordPress websites are:
• 41%: Vulnerabilities in the hosting platform
• 29%: Out of date or insecure themes
• 22%: Vulnerabilities in a plugin
• 8%: Weak passwords

Unfortunately there is no way to completely stop a determined hacker. Like squirrels at a feeder, it’s their job to get in, and they have all day to figure it out. But if you can’t make your site completely un-hackable, you can make it annoying enough that a hacker will move on to an easier target. So how do you do that? Here are some simple safeguards that non-techie website owners can implement.

Keep software up to date

More than half of all website hacks come through themes and plugins, so keep WordPress core, your theme and your plugins up to date. Updates address security issues found in older versions.

Back up regularly

You should back up before making updates or changes to your site, just in case something goes wrong. And you should make backups on a regular basis if you frequently edit your site. Downloading a backup to a computer or external drive gives you another level of security if your web host’s server is compromised.

Use a high-quality hosting provider

The most common hacking access point is a vulnerability in the web host, so the quality of your hosting provider is key to your site’s security. Choose a reputable provider that emphasizes security, runs regular malware scans and daily backups, and supports the latest versions of PHP and MySQL. Buy an SSL certificate if you collect information or passwords.

Use a strong login

A common method of hacking a site is a brute force attack, where hackers run a script that generates random usernames and passwords until one works. Given enough time, they come up with the right combination. Your best defense against this is to use an unpredictable username (never use “admin”!) and to create strong passwords, either with a password generator or another technique that incorporates upper and lower case letters, numbers and punctuation. Store your passwords in a secure place or password service.

Install security plugins

There are many plugins available that will put another layer of security on your site. Wordfence, Login Lockdown and Sucuri are among the plugins that offer features like limited login attempts, malware scanning, brute-force protection and more.
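As an added example (not code from this post or from any of the plugins named above), here is a small Python script that shows the “limited login attempts” idea from the defender’s side: it reads web-server access-log lines and flags client addresses that repeatedly fail to log in through wp-login.php, the same brute-force pattern described under “Use a strong login”. The log lines are constructed for the example, and the rule that a failed WordPress login answers with HTTP 200 while a successful one answers with a 302 redirect is an assumption about WordPress’s default behaviour.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" access-log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return (m.group("ip"), datetime.strptime(m.group("ts"), TS_FORMAT),
            m.group("method"), m.group("path").split("?")[0], int(m.group("status")))

def find_login_bruteforce(lines, window_seconds=60, threshold=10):
    """Flag client IPs with >= threshold failed wp-login.php POSTs inside any
    window_seconds span. Assumed heuristic: WordPress answers a failed login POST
    with 200 (it re-renders the form) and a successful one with 302 (redirect into
    wp-admin), so only 200 responses count as failures. Returns {ip: peak count}."""
    recent = defaultdict(deque)   # per-IP timestamps of recent failures
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method != "POST" or path != "/wp-login.php" or status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:   # slide the window forward
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

# Constructed sample: one client hammering the login form (12 failures in 44 s),
# one legitimate user who mistypes once and then succeeds (302), and one plain GET.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Mar/2024:02:15:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3980'
    for s in range(0, 48, 4)
] + [
    '198.51.100.7 - - [10/Mar/2024:02:16:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3980',
    '198.51.100.7 - - [10/Mar/2024:02:16:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '192.0.2.9 - - [10/Mar/2024:02:16:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3900',
]
```

Running `find_login_bruteforce(SAMPLE_LOG)` flags only 203.0.113.5; a plugin that limits login attempts applies the same counting in real time and blocks the address instead of merely reporting it.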

There is much more that can be done to secure your site, but some of it involves some level of comfort working with code and may be best left to a developer. But if you implement these basic steps, you’ve made it that much more inconvenient for hackers to crack your site, and increased the odds that they’ll move on to easier pickings.