Getting your own business website is a huge milestone. I loved the excitement of the design phase, creating the content, and finally seeing it out there “live” on the internet. Of course I’d heard about hackers and such but that seemed like one of those things that happens to other people. There’s a saying among con artists, though, that if you look around the room and you can’t tell who the sucker is, it’s you. If I’d looked a little closer I might have seen the “hack me” sign on my back.
Last week some shadowy leeches launched an attack on my website. I found out that something was up because I have a plugin on my site which notifies me of unsuccessful login attempts. I usually get a couple of these notifications a month, no big deal. But that day the floodgates opened and my inbox was bombarded with a stream of failed-login notifications. As soon as one IP address was blocked the attempts would continue from another address; this continued relentlessly throughout the night. As I learned later, this is referred to as a Brute Force attack. Very apt; it did feel a bit like [geek reference alert] Orcs ramming the gate at Helm’s Deep.
I still wasn’t overly worried, though, because my password was long, completely random and fairly attack-proof, I thought. Eventually the login attempts petered out and finally stopped altogether. I breathed a sigh of relief, clicked on my admin page link and … was rerouted to an empty page. The attacks hadn’t stopped because they had given up, but because they were in.
Oh [expletive]. I now had a big problem, which ended up taking almost a week to fix. I won’t bore you with the details but here’s the short version:
- I contacted a website security expert recommended by Yuriy, my website designer. The expert explained it sounded like a pretty serious problem, that his schedule was full for the next few weeks and that it would probably be more expensive to fix the problem than it was to create the site, anyway. Oh-kay… thanks, I guess.
- Next I tried the live-chat tech support from my webhosting company. But no matter who I talked to, as soon as I explained the problem they would just send me to a link with 10 pages worth of gibberish instructions for how to fix the problem yourself. I don’t speak computer! If I could, I wouldn’t be trying to talk to you! Tell me what to do IN NORMAL-PEOPLE ENGLISH PLEASE.
- After that depressing episode I tried to find someone local to help me. Finally Tom, a friend who owns a computer service business, took several hours out of his busy day to look at it but he couldn’t fix it, either. He tried the live chats as well and even though he got a much more detailed conversation going because he speaks the lingo, in the end he got bupkis from them too, which made me feel marginally better (I’m not a moron, yay). He finally told me it might be possible to just delete the infected website and replace it with a fresh copy.
- So I asked Yuriy if he could send me the files for the site. He asked me if his expert hadn’t been able to help me so I explained what had happened, and his response was perfect: “People are useless sometimes, aren’t they.” I wanted to cheer. Yes! Yes they are, dammit! (not you, Tom.) And he went on: “I have the files; let me take a look at your site.” Half an hour later I got an email that he had replaced everything. Problem fixed. I was back in business.
In the process I did learn a few things. Since my website is such a small niche site I wondered why anyone would bother trying to hack it in the first place. What was in it for them? Quite a bit, it turns out. Hackers can use your small website to:
- Steal sensitive or valuable information (nothing there on my website, thankfully)
- Use the computing power of your web server
- Send out a barrage of spam
- Send viruses to visitors’ computers
And these are just a few examples.
Small sites like mine are usually not victims of targeted attacks but simply get tagged by botnets that sweep the internet for vulnerabilities. Two very common and avoidable vulnerabilities:
- You’re using an outdated version of WordPress. This was at least one of my problems; once my website was created I simply stopped thinking about it. You need to check regularly for updates.
- Plugins with vulnerabilities. I found out that there actually is a plugin called Plugin Vulnerabilities by WhiteFirDesign that checks other plugins for vulnerabilities. Another useful plugin from this publisher is Automatic Plugin Updates.
There is much more, of course, but this post would turn into a (sleep-inducing) novel and there are countless sites that provide detailed information about protecting your website. I’d love to hear what plugins or security measures other people are using, though.
So the moral of the story? Hackers are a fact of life. We’re all potential targets but with hard work, vigilance and a little help from some friends at least we won’t slip into the “victim” zone. I am very grateful to my friend Tom for pointing me in the right direction and to Yuriy for saving the day when the experts wouldn’t. If you are thinking of getting a website for your business, check out Juriy Zaremba’s site at Juriyz.com. He’s hugely talented, but more than that, he comes through when it matters. And in a virtual world where we are inundated with empty boasts, claims, and outright lies, that is more than a little refreshing.
Thanks for all the information and tips, Marie. I have a quite new website with WordPress and was wondering if the sudden waves of login attempts by what seem to be botnets to me were really dangerous. Now I see what they can do!
Hi Mercedes, yes it was a big wake-up call for me. I’m looking into additional security measures but it’s not even easy to figure out what is effective/useful and what is not; there are so many options. It’s like the Wild West out there 🙂
Many thanks for this wonderful, detailed, and eye-opening post, Marie! It’s much appreciated and I will be sure to share it widely. I have a computer expert who’s always ready to help, and I will ask her to have a look at my sites to see if she can identify any security concerns. These things are scary indeed…
Thanks Judy, I appreciate it! And yes, it also made me realize the importance of a support network. None of us can do everything ourselves and it’s better to have a network in place so you don’t have to scramble like I did when something does happen.