The Internet is a treacherous place. It is full of evil, greedy people trying to steal your identity, your money or your website. Certainly the two most common places they attack are your website and your email. I want to discuss both briefly and give you some tips to protect yourself.
Recently, one of our new clients, an attorney, had her website hacked. It was taken over by a Chinese company using the site to sell cosmetics. Needless to say, that was a far cry from the dignified image she had been presenting. Google got wind of the hack and blocked the site so that a big red malware warning appeared when anyone went to her site.
Another client, a pet products company, had their site hijacked and every time you went there, you were redirected to a Brazilian pornography site. That’s even more embarrassing than cosmetics you aren’t selling.
WordPress sites, especially those with forms, are particularly vulnerable. Our lawyer client had a WordPress site that another firm had built for her. The pet products people had a lot of forms using PHP on their site. (We didn’t build that site either. We just rescued them.) Forms are very vulnerable to hacking if they are not protected. The above-mentioned lawyer had a contact form on her site and that was likely how the hacker got in.
What you can do
If your site gets hacked, first you have to clear up the problem. Then you can take steps to help insure that it doesn’t recur. When your site is hacked, bad files have been inserted and they must be removed. This can be simple or very difficult, depending on how good the hacker was. For the pet products company, the files were easy to find and delete. But for the lawyer, it was much harder. The offending files were placed in numerous locations, some of which were in “hidden” directories. Or they used innocuous file names and were included among very large sections of hundreds of good files. We had to run several analytic tools, working with the hosting company and Google, to try to identify and remove them. In the end we could not get them all. Nobody could.
Even if we had deleted all the offending files, Google still requires three weeks to remove the malware warning. So at best, the reality is the website will be down for over a month. But in this case, it was irreparable. We are now rebuilding her site from scratch. That’s what i mean by a “painful cure.” The new site of course will have many more protections in place than she had previously.
We have found in our fourteen years in this business that sites using the language PHP and those using WordPress are more vulnerable than a straight HTML site. So we recommend that if you have a WordPress site, get it encrypted. This is done by purchasing something called an SSL certificate from your hosting company. The certificate generally costs around $40/year and it makes it much more difficult for hackers to get in. Secondly, if you have online forms like a contact form on your site, another step you can take is to add a “capcha.” You’ve seen these graphics at the end of a form where you have to type letters or numbers to prove you aren’t a robot. That feature makes it harder for hackers to break in via the form.
Email is the other great source of cyber attacks. We are all subject to email scams that make it easy to click the wrong thing. These scams are pervasive and insidious. Lately, they often seem to come from someone you know or a company with which you do business. The threats they pose vary considerably. Their goal can be relatively benign (though still annoying), like trying to get you to buy drugs or other products. Or they can be much more dangerous, like getting into your bank account, stealing your identify or permanently crashing your computer. They can wreck lives and costs thousands of dollars.
What you can do
Watch out for links and attachments, especially any link that contains a “php” or “exe” extension. You can usually see these file types if you hover your mouse over a link in an email. Do not click on those links. They are programs that will run on your computer and they can be very destructive.
Another giveaway is poor English. Many of the email scams originate overseas. They are getting smarter, but they still often misuse English slightly, with odd phrasing or word choices, misspellings, etc. Also, legitimate organizations like your bank or the IRS will never ask you to send them your account information or social security number. If you think a request is genuine, you should always check with the institution. Don’t use the links or forms in the email. Finally, take advantage of the spam filtering that comes with most email systems. This is a setting you can choose to stop suspicious emails. It is well worth missing the occasional legitimate email to protect yourself from the hundreds of illegitimate ones.