What happens if your site gets hacked?

Yesterday I was discussing site updating and WordPress security with a potential client. She was genuinely curious as to why keeping her site up to date mattered.

“Why,” she asked, “would hackers even target my site? I’m just a small professional in the Midwest. I don’t have a huge audience. My site’s not important enough to hack. And besides, if they did hack into it, what could happen?”

Ooooh… good questions.

What can hackers do if they get into your site?

If hackers get access to your site, they can do a number of things, none of which you will like very much.

  • Sometimes, if you are lucky, all they do is put up a page that says “Ha ha, you’ve been hacked by _____________ (insert name of group).”
  • They can put ads for Viagra and other pharmaceuticals on your front page.
  • They can redirect your URL to a porn site.
  • They can put porn on right on the site, for that matter. (An artist who is now my client woke up one morning to find a large image of male genitalia splashed across the front page of her site and called for help.)
  • Or — most dangerous of all — they can change the code so that from the outside your site does not look at all different, but just going to the site loads malware onto the computer of anyone who opens the page. (Yes, Macs, too.) Then they can take over your computer, steal any information on it (banking logins? credit card access?), and use it to attack other sites in what is called a distributed botnet attack.

Your site will be blacklisted.

As soon as Google checks your website and finds the malware, porn images, URL redirects, or whatever else the bad guys left behind, they will immediately blacklist your site and remove it from their search results. This means that no one can find your site by Googling it, even if they put the exact website name into the search bar. Your site disappears from the Internet.

If you depend in any way on being found online, you’ve just vanished. As has your business.

Why are they targeting me? My site isn’t important!

Hackers aren’t actually searching for the website of a small professional company in the Midwest. They are targeting an out-of-date WordPress website on a large shared server.

Think of it this way. Your website lives in a large apartment building. You leave a window unlocked and burglars can get in and trash the place. That’s not good. But they can also climb through the ventilation ducts and get into every other site in the building. (And conversely, if someone else leaves a window unlocked, they can get into yours.)

So vulnerable WordPress installations are much more frequently attacked than other kinds of sites.

So should I get rid of WordPress altogether?

No.

WordPress is targeted because it runs about 25% of all websites in the world. That’s a big target, a lot of websites.

But WordPress, unlike some other software, is constantly updated. A huge community of dedicated coding professionals works on the software every day, checking, updating, patching vulnerabilities as soon as they are found. But it’s up to you, as the site owner, to apply those patches and keep your software up to date.

What can I do to make sure my site is safe?

The biggest thing is to keep your site, plugins, and themes up to date. Make sure you use a strong password. Make sure that admin privileges are given only to people who absolutely must have them. Be careful about logging in to your site on a public wifi network, such as at a coffee shop or airport.

If you are concerned about your site, get in touch with me. I’ll be happy to run a security audit on your site and send you an 11-page report that includes my findings and complete recommendations.

Make sure your doors are locked and your site is safe. Let me know how I can help!