When pricing website development services on an existing website, I request to review the source code before providing a quote to see what I will be working with.
Most of the time, I see security issues that need to be addressed. When I bring up the odds of having a hacked website, site owners usually say something like “My website won’t get hacked, I don’t store credit cards on my site so there is nothing a hacker would want.”
You couldn't be more wrong
I understand why small business owners may think like this, but website hackers are not just looking to steal credit card information or personal data.
Often a hacker's intent is to:
- send mass spam email from your hosting account
- generate “black hat” SEO backlinks that they embed into your website code
- redirect your site to somewhere else
- simply wreak havoc – because it’s their idea of “fun”
What Hackers Target
Hackers don’t care if you are a small business or a large company. Most hacked websites are not the work of an individual trying to target only your site. Hackers use bots (scripts) that crawl the Internet looking for vulnerabilities in web hosting accounts and website code. If you’re vulnerable, they attack. If your hosting account and website are not secured, they get in.
A website is software
All sites need ongoing maintenance to keep them updated and secure, just like a computer program, the apps on your phone and the operating system on your computer.
A site that is secured when it’s first built and then never maintained is a vulnerable website. Many websites I review were never secured properly in the first place. Usually, this is because of an inexperienced web designer, or because security was offered and the client declined it. This is especially true of websites built with WordPress. Often, no site maintenance has been done since the site was first built.
Hacked Websites Have Many Points of Vulnerability
All of the small businesses whose websites I am hired to work on buy shared hosting services from a web hosting company, rather than managing their own web server.
It makes sense. This is a cost-effective and logical choice for many small businesses that do not have an IT department to provide server administration services. The host’s job is to provide space on their web servers for you to build your website, and they are responsible for maintaining all aspects of server administration. This means keeping the web server secured and up to date to protect their customers. If your host is not doing this, it’s time to look for a new host.
Recently I reviewed a website hosted with one of the most well-known shared hosting companies and could tell that it was not running the current stable version of PHP. While reviewing the code, I saw the site had been hacked and was infected with multiple malicious files.
I explained to the site owner the importance of keeping PHP up to date on a hosting account, and that the outdated PHP could be how their site was hacked. In my website quote, I included cleaning the hacked website, upgrading the web server to use the current version of PHP, and upgrading the written PHP code to support the new version. After I was hired to do the work and was given access to cPanel, I found they were running a version of PHP that has not been supported in 6 years. The only option was to upgrade PHP to a version that has not been supported since 2018. I told them it was time to find a new host.
You are paying for a service. If your host is not providing quality service, find a new hosting company.
Password security is straightforward and simple for anyone to do.
- Use complex passwords.
- Don’t share your password.
- Change your password regularly.
This applies to every password you have, not just the ones related to your website. EVERYTHING.
Many of my ongoing website maintenance clients are people that contact me saying “someone hacked my WordPress website” or “my website keeps getting hacked”. If you don’t clean the infection thoroughly and then address the point of vulnerability, the problem will continue. You have to keep up with security maintenance so your site does not get hacked again.