If you do not proactively keep your website code up to date and monitor it, there is a good chance your website will get hacked sooner or later.
Especially WordPress. Almost every existing WordPress site I am hired to work on has not been properly secured. When I bring this up to the client, they usually say something like “My website won’t get hacked . I don’t store credit cards on my site, so there is nothing a hacker would want.”
You couldn’t be more wrong.
I understand why small business website owners may think like this, but website hackers are not looking to steal credit card information or personal data.
Often a hackers intent is:
- to send mass spam email from your hosting account
- generate “black hat” SEO backlinks that they embed into your website code
- redirect to fake websites
- simply wreak havoc – because it’s their idea of “fun”
What Types of Websites Hackers Target
Hackers don’t care if you are a small business or a large company. Most hacked website are not from an individual trying to target only your site. They use bots (scripts) that crawl the Internet looking for vulnerabilities in web hosting accounts and website code. If you’re vulnerable, they attack. If your hosting account and website are not secured, they get in.
Websites are Software, and Software Gets HACKED
Websites need ongoing maintenance to keep them updated and secure just like a computer program, apps on your phone and your operating system on your computer.
Securing a site when it’s first built and then never doing any type of website maintenance is a vulnerable website. Many websites I review were never hardened when they were first built.. Usually, this is because of an inexperienced web designer, or it was offered and the client declined it. This is especially true of websites built with WordPress. Often, no site maintenance has been done since it was first built. Years of updates that are available to the WordPress core, plugins and themes equates to dozens if not hundreds of points of vulnerability for a hacker to gain access to inject malware into your site.
Hacked Websites Have Many Points of Vulnerability
There are multiple points where than can be weaknesses for a hacker to target – and not just website code.
Web Hosting Service
All small business websites I am hired to work on buy web hosting services from a web hosting company, rather than managing their own web server, or using a hosted website builder service.
It makes sense. This is a cost effective and logical choice for small businesses that do not have an IT department to provide server administration services. The host’s job is to provide space on their web servers for you to build your website. The web hosts role is maintaining all aspects of the web hosting service. This means keeping the web server secure, server software up to date to protect their customers. If your host is not doing this, it’s time to look for a new host.
Recently I reviewed a website on a well known shared hosting company and could tell that it was not running the current stable version of PHP. While reviewing the code, I saw the site had been hacked and was infected with multiple malicious files.
I explained to the site owner, the importance of keeping PHP up to date on your hosting account and that it could be the source of where their site was hacked.
In my website quote, I included (cleaning the hacked website), upgrading the web server to use the current version of PHP and to upgrade the written PHP code to support the new version. After I was hired to do the work, and was given access to cPanel, I found they were running a version of PHP that has not been supported in 6 years. The only option was to upgrade PHP to a version that has not been supported since 2018. I told them it was time to find a new host.
With web hosting, you are paying for a service. If they are not providing quality service. Find a new hosting company.
Website Code
Website code that is not properly secured, and then maintained is also a huge security vulnerability.
Open source software, like WordPress is a prime target for hackers. The beauty of open source software is that anyone can download, study and learn how the code works.
Combine this with the fact that millions of websites run on WordPress, makes it a prime target to be exploited.
Hackers learn how the code works. They can listen to the community chatter when a vulnerability is found.
Then, they can act quickly to target the weakness and attack thousands of sites (blindly) that are vulnerable.
There is little investment on their part, to reap big rewards of hacking many sites.
They don’t care who owns the website, or what the site is about. It is about mass targeting to affect as many sites as possible.
Most people think that a hacker cracks your password and logs into your site. This is not the case. Weak, insecure code is what I see most. It’s also easy to prevent.
Secure your WordPress installation and then maintain your code or buy a WordPress maintenance plan for your site to be managed by WordPress experts.
Passwords
Password security is straight forward and simple for anyone to do without needing technical knowledge.
- Use complex passwords.
- Don’t share your password.
- Change your password regularly.
This applies to every password you have, not just related to your website, EVERYTHING.
Many of my ongoing website maintenance clients are people that contact me saying “someone hacked my WordPress website” or “my website keeps getting hacked”.
Just removing malware is not enough. If you don’t clean the infection thoroughly and then address the point of vulnerability, the website will get infected again.
You have to keep up with security maintenance all the time, just like keeping your PC or phone updated.
Key Takeaways
- All websites are vulnerable to getting hacked.
- The main sources of your site getting hacked are related to how your hosting service, website code and passwords are managed and maintained.
- Keeping your website code & hosting service up to date, and following basic password security measures are the best things you can do to keep your website from getting hacked.
If your site has been hacked and you to hire someone to clean malware in WordPress, hire me, a WordPress security expert. Read more about WordPress malware removal service.
