Over the past few weeks, three of our clients have found themselves on the wrong end of an SQL injection attack. Their websites were hijacked: content was removed, the sites were defaced, and traffic was redirected to bogus offers in an attempt to steal PageRank. A common thread between two of them was that they were running outdated versions of WordPress, which contained a vulnerability that was exploited by hackers who were just “spraying and praying” to find holes.
They were not hijacked because of who they were, but because of the software they were running. This is important to note because even if your website is just a personal blog that has links to your favorite dog wig shops, you’re still a potential target for a hack.
The basics of what happens is that a hacker finds a vulnerability (a “hole”) in the code of a widely used framework like WordPress. Then they either sell that vulnerability to others for profit or use it for their own gain. Whichever way they choose, the result is almost always the same: bad. The exception is when it is sold back to the software developer, who then patches it. Once a vulnerability is known, the hackers pull out their “ray guns” and shoot the holes full of nasty code. The code could take down the entire site, deface it, or use the server as a means of spreading malware to website visitors. If the hacker is smart enough, they will also open up another “backdoor” in order to re-infiltrate the website later — even once the initial exploit is patched by the developers.
With a backdoor now in place, the hacker can create himself a revenue stream by selling these sites, or again using them for his own gain. At any point, the hacker can pop back into the site and do what he’d like.
How can I keep my website safe?
Recovering from certain types of hacks can be extremely difficult depending on the circumstances. In fact, depending on the extent of the hack, your ability to repair the damage can easily disappear. For that reason, the most important way to keep yourself safe is to keep your software up to date and keep regular backups.
You need to be regularly backing up ALL of the websites you and your business own. From the silly side project site to the big company site, each is a potential target that needs regular backups.
My father always told me that you don’t have an adequate backup unless it’s at two different locations, on two different storage devices. Just think – if all your backups are on CDs that are in your house, next to your hard drives that hold copies of those backups, they are both susceptible to theft, fire, flood, or other damage.
Further, you need backups that are older than 30 days. Many hosting companies offer hourly backups for 30 days. This has saved us and our clients when a file gets corrupted or when something goes missing. However, if a “back door” was installed on the site and the actual hack hasn’t happened yet, you might not know that your files are in jeopardy, and every backup in that rolling 30-day window already contains the back door. For this reason, a 30-day backup isn’t enough. You need monthly backups, keeping the last 12 months. This will ensure that in the event of a hack, you’re able to recover quickly and efficiently, with minimal downtime.
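The retention rule above, as an added worked example that is not code from the original post: a small Python planner that decides which backups to keep under the rolling 30-day window plus 12 monthly snapshots, and flags backups that never reached the second location. The function names, the one-backup-per-day sample and the 2014 dates are constructed for the illustration.

```python
from datetime import datetime, timedelta

HOURLY_WINDOW_DAYS = 30   # the rolling window most hosts already provide
MONTHLY_SNAPSHOTS = 12    # long-lived snapshots that can predate a dormant backdoor


def _month_index(ts):
    """Running calendar-month number, so months compare as plain integers."""
    return ts.year * 12 + (ts.month - 1)


def backups_to_keep(timestamps, now, window_days=HOURLY_WINDOW_DAYS,
                    months=MONTHLY_SNAPSHOTS):
    """Set of backups the policy retains: everything inside the rolling window,
    plus the earliest backup of each of the last `months` calendar months
    (current month included). A backup is deleted only if no rule claims it."""
    keep = set()
    recent_cutoff = now - timedelta(days=window_days)
    oldest_month = _month_index(now) - (months - 1)
    earliest_in_month = {}
    for ts in timestamps:
        if ts > now:
            continue  # a future-dated entry means clock trouble; never trust it
        if ts >= recent_cutoff:
            keep.add(ts)
        m = _month_index(ts)
        if m >= oldest_month:
            earliest_in_month[m] = min(ts, earliest_in_month.get(m, ts))
    keep.update(earliest_in_month.values())
    return keep


def backups_to_prune(timestamps, now):
    """Timestamps that may be deleted, oldest first."""
    keep = backups_to_keep(timestamps, now)
    return sorted(ts for ts in timestamps if ts not in keep)


def missing_offsite(local, offsite):
    """Backups present at the primary location but absent from the second one."""
    return sorted(set(local) - set(offsite))


# Constructed sample: one backup per day for 400 days (hosts usually keep hourly).
SAMPLE_NOW = datetime(2014, 6, 15, 12, 0)


def sample_backups(now=SAMPLE_NOW, days=400):
    return [now - timedelta(days=d) for d in range(days)]
```

On the sample, the planner keeps the 31 backups inside the window plus the first-of-month backup for each of the 11 earlier months, so a back door planted in, say, March is still absent from the 1 March snapshot.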
If you’re using WordPress, consider looking at the following plugins (among the many that are available):
http://ithemes.com/purchase/backupbuddy/ (Paid, $80-150)
https://wordpress.org/support/view/plugin-reviews/backwpup (Free, fewer features)
Setting up one of these plugins is simple and straightforward. An ounce of prevention today will save you a pound of labor in the future. Forward this page to your webmaster, and ensure you have regular off-site backups.