Why has my website been hacked?

Small websites are sadly not immune from hackers. Here we explain why – and what steps you can do to prevent a hack occurring.

We are often approached by small businesses needing emergency help because their website has been hacked. They often wonder why they’ve been targeted. The answer is that there are a few reasons, but all of them are related to how small businesses operate – they are usually pressed for time and knowledge-poor when it comes to websites. But fret not, there is plenty that can be done to help stop a hack happening (without learning how to code!)

At this point, it’s worth noting that no website is hack-proof. All websites, by their very nature of being publicly accessible, are vulnerable to hacking to some degree. Even the Pentagon website was hacked a few years ago. So it’s about running your website in a way that mitigates the chances as much as possible.

Let’s start with why small business websites get hacked:

• The website gets ignored. Once the business has gone through the process of having the site built or building it themselves (often with much pain and loss of weekends and sleep), small businesses step away from it thinking: “there, that’s done – I’m not doing THAT again!”

• The websites are on low cost, poor quality hosting. There’s a temptation to opt for cheapest hosting you can find – all hosting is the same, right? Wrong. Think of hosting as a neighbourhood. Your website is surrounded by (often) thousands of other websites, all on the same server, and you can’t do a thing about how they behave or what trouble they invite. You’re in the same place as they are and an equal target. Better hosting means the sites will have most likely gone through some vetting and there are fewer on the same server.

• The website might have been built by a ‘bedroom developer’. Some freelance website developers do not have the breadth of experience to know how to limit vulnerabilities. They’ll build a site based on its looks, rather than its robustness.

• The website never get updates to its core CMS and plugins. This is one of the most common reasons. The site gets built and sits there, without ever getting updated. As time moves on and the vulnerabilities of the website’s basic structure become known, it becomes more likely to become a hacking victim. It’s like never updating Windows or Mac OS on your computer for 4 years – it would fail pretty quickly.

• Installing plugins and bolt-ons. It’s tempting to add plug-ins and bolt-ons to improve functionality, especially if they are free. But it’s also easy to get more than you bargained for. Many of these extras are from unknown sources, usually overseas. There are plenty of free website plugins out there that add functionality to a website that can be easily installed without coding knowledge. Some are great and supported by a wide developer community. However, many ‘free’ plugins often have an ulterior function and create a back door into the website they have just been installed on. There’s no such thing as a free lunch.

• The computers that small businesses use are often compromised with malware. This is usually the case without the owner even realising – the access to the website is then exposed to the hacker via keyloggers and other malware.

• The admin logins (usernames & passwords) are often poor and can be brute-forced or guessed. One in three website admin logins are set with the username ‘admin’. If you do that, you’ve already given away 50% of the credentials a hacker needs to get into your site.

But why hack my website – I’m not a bank?

• It’s not you specifically – it’s to ‘build up a soldier in an army’, called a ‘botnet’ – a network of bots (robots) to all perform the same task. Basically, if a hacker can hack lots of small websites, they can join them together and then use that combined power to attack another, bigger site through a botnet DDOS attack (distributed denial of service = firing lots and lots of requests to a website from thousands of other sites and overloading it).

• Hacking a single, big well-supported website (let’s say a famous online shop) requires huge amounts of resources and can be prevented (or mitigated), whereas an attack from thousands of different directions is a lot harder to repel.

How to prevent your small business website being hacked

• Spend as much as you can afford on a decent website developer – their experience will provide you with more than just something that looks good, you’ll also get a website that is robust as they won’t want you coming back to them every week needing something fixed. Good website developers aren’t cheap, but you could save a lot of money in the long term (it costs a lot to clean up your site and reputation after a hack).

• Get the website on better hosting. Big, cheap hosting services are tempting, but not only do they often have hidden charges, their ‘support’ is often run in a different country that you can’t get through to and even if you can, they often aren’t really that interested in helping. A decent hosting company will also make sure that your website is hosted with other, better standard sites. Speed, reliability, quality all play a part here to support a better website, but it also positively affects Google’s view of your site in terms of SEO.

TIP: If you spend a couple of hundred pounds per year instead of a couple of quid, you will not only get infinitely better hosting that is supported by experienced people, but also better site speed and the knowledge that the site is (pretty much) always going to be there for your customers. It’s be better than having to spend a much larger amount getting everything cleaned up after a hack.

• If your website is on WordPress or Joomla or Drupal, do the updates regularly – the core ones and the plugins. When it says ‘there is an update available’ – do it. The longer you leave it, the more likely you are to be risking exposure to vulnerabilities. It may also fail to  update if you’ve left it too long. If you’re worried the update might damage the site, put it this way: it’ll be cheaper to commission a developer to fix a site that broke because of an update, than to clean up a hacked site.

• Ask you website developer or host if they offer a support package – that’ll include them making sure the core and plugin updates are done for you and if an update fails, they will fix that as part of the SLA (support level agreement). Often, the support package will include a set number of hours you can use to put towards minor updates, too. Think of it a bit like getting your car serviced once or twice a year by a mechanic. You do this to avoid breaking down.

• Log in to the website admin area regularly – you may not have any changes to make, but it’ll mean you can just have a quick look around to make sure there’s nothing suspicious. The last thing you want is a potential customer visiting your site, only to get a browser warning that the website is infected.

Above all – treat your website with care & respect. You should view it as your 24/7/365 salesperson, there to deliver your message and products while you’re out, working or sleeping. You wouldn’t ignore an employee – don’t ignore your website!

If you are concerned that your website suffers from any or more of these issues, why not give one of our techies a call for a free, no obligation chat to see if we can better support your site.

You may also like to read our other articles on the importance of website security and SEO (search engine optimisation) in ‘Why a good web host is important’ and How a website hack affects more than just the website.