I’ve got to admit, it’s tempting to just type the word "yes" for this blog post and get back to my day job. However, upon reflection, there is actually more to this question than may first appear. I’ve just spent the last week fixing a client’s site that was taken down by hackers, so now is a good time to consider the thorny issue of what puts a website in the line of attack.
Is there a target mark on your site?
Part of the issue here is the way most site owners think about security. A common line of thinking is “My site is small, why would anyone target me?” Perhaps the problem here is the word “target”. Most hacked sites were not "targeted"; rather, automatic scanning software identified the site as having a vulnerability, then either compromised it using scripting or flagged the site to a hacker who did the work themselves. It’s more trawling than targeting. The end result is the same: a huge headache for you and inconvenience for your visitors.
Why do they bother?
It will come as no surprise that the end goal is money. Once compromised, your site may be used to:
- Host ads to drive revenue.
- Steal your visitors’ data.
- Attempt to intercept sales and capture credit card information.
- Run cryptocurrency mining software. With high cryptocurrency prices, this type of attack is on the rise.
- Lock your site’s files and hold you to ransom for recovery.
- Host links to other malicious sites, with various aims but most likely to infect your visitors with malware.
- Attempt to directly infect your visitors with malware.
None of these is good news. At the very least, you’re in for some head scratching about how to remove the unwanted code. At worst, you’re opening yourself and your customers to fraud. It’s fairly easy to see why, with all the potential revenue on offer, the bad guys spend so much time and effort trying to locate sites to hack.
What can be done?
Thankfully, there are plenty of steps that can be taken to avoid this happening to your site. Much of it comes down to site maintenance: site updates and the like. Don’t use unnecessary add-ins, and keep your passwords secure and strong. Make sure your list of site admin users is kept to an absolute minimum. On the more tech-heavy side, it’s also important to keep the site’s code lean and written with security in mind. Oh, and did you take a backup of the site? You did? Good, now go take another one.
The really good news is that, whether you want peace of mind on a working site or need assistance after an attack, I can help. Just get in touch to talk about your site’s security.