Hop Studios has been up and running for 13 years, and every year, one or more of our client’s web sites has been hacked in some way. Some of these have spectacularly obvious—home pages overwritten with strange content—but most have been relatively hard to spot immediately, regardless of how significant a hack it was.
Typically, a site is hacked for one of two reasons: to gain access to the personal information of its members (from email addresses and passwords to credit card numbers) or to put code in place that exploits the web site’s visitors. Whatever the purpose, having a web site hacked is bad news for the web site publisher, who must re-establish the trust of their audience, spend a lot of time and money on cleanup and prevention, and even in some cases have to deal with legal issues.
We’ve had a client whose site was hacked to add small links to gambling sites to give those sites a boost in search engine rankings. We’ve also had sites that were hacked for political reasons.
Now, if you’re saying, “Hey, if your sites are getting hacked that means that you suck!” I would of course return, “We do not!” The truth is, although we’re careful and conscientious, the possibility of a web site hack is real for any web site built by any developer, much in the way any house is potentially vulnerable to a determined burglar regardless of who built it. Of course there are things you and we can do to make hacks less likely. Here are a few tips.
When a site gets hacked, the big question is usually “how did this happen?” and it can be unsettling to realize that often it’s hard to determine how with 100% accuracy, at least not in detail. The least-detectable hack, of course, is when the hacker has obtained a password: for FTP, or the content management system, or the site database server, or… . This is why we are very careful with creating and handling your web site’s passwords. We change them from time to time; use complex passwords with capital letters, numerals, and punctuation or that are very long; we don’t email them. We recommend you do the same.
But passwords are really just the start. As web software has become more complex and multi-layered, hackers have more opportunities and have developed better tools to exploit common security errors. Not surprisingly, this is one of the reasons we’re always keen to update your web site software, whatever it may be, to the latest version. The older your software and server—and that means every part of it, not just your main admin tool—the more exploitable your site is, as a general rule.
The good news is that as hackers have gotten more sophisticated and pernicious, the folks offering tools to detect and prevent them from getting into your site have gotten faster and better. Even if you don’t have time or budget to update everything all the time, you can use Web-based monitoring to look for trouble as it happens.
One we are especially pleased with is Sucuri, a 24/7 web site monitoring service that verifies your site is clean, watches for unauthorized changes to your web site’s files and pages, and alerts you immediately when suspicious activity occurs. They also can assist with cleanup when a hack happens. There are several levels of Sucuri service depending on your needs, but for most web sites, the $89.99/yearly package will do the trick, and we can order and set it up for you.
Sucuri monitors your site internally (have files changed on your Web site’s drive?) and externally (are your site’s Web pages transmitting malware and viruses to visitors?). The service scans for changes to your files, content management system, SSL certificates, and domain records. Best of all, if your site is hacked, their cleanup response time is typically a few hours.
Although we recommend you sign up before your site gets hacked, you can certainly sign up after it happens and Sucuri will assist with cleanup and prevention of future hacks. It’s important to note that this company isn’t a security consulting service, but is more like a home security service that puts detectors in place to warn the homeowner of signs that there might be a break-in and provides a response team for dealing with trouble promptly.
You’re probably wondering if this is something you really need to worry about, and I’m sorry to say, you probably do. A hacked site can leave you with legal liability, or at the very least a very upset group of visitors and customers.
If your Web site allows users to register, offers products for sale via an installed shopping cart, has a lot of traffic and search engine ranking, or you’re likely to be targeted by bored or malicious internet hackers, we suggest you seriously consider Sucuri (or a service like it).