My website has been hacked – A drama in 4 acts.

The plot analysis and author’s comment:

Perhaps you might think that it’s not such a great idea for a web developer to admit that his website has been hacked. We’re supposed to be fully conversant with all the strange, weird and nasty ways that people with far too much time on their hands decide to use it. We should be above it, immune, savvy and untouchable. There’s the first mistake.

The reality is that even the most secure websites can eventually be broken. Just like the unsinkable Titanic, a website can be compromised to a point where the site owner can’t get in to effect changes to un-hack it. Sometimes the only solution is a complete roll-back to a backed-up version, followed by a very quick set of changes to the site architecture and security settings.

So, now that I have gone through the embarrassment of realising that my website has been hacked, I thought I’d share a few pointers with you that may help you safeguard your websites. I will admit that it may not be a completely foolproof methodology, and some of the information might be far too obvious, but I hope that it saves you time and stress.

The main players and their place in the drama:

The website host – aka the Internet Service Provider.

The ISP provides a service where your files are stored on a hard disk that can live anywhere from a secure clean-room environment to a Commodore 64 in a backyard garage with a paper-clip for a lock.

There’s an expectation that the ISP will provide a service that will allow your website (and email etc) to be hosted in a secure fashion. Although that’s the expectation, it’s very seldom a guarantee. Just like a public car park, they’ll take your money, but shrug if your car gets stolen and ask you to read the fine print.

The Website Developer – someone like me.

The designer/developer uses all sorts of magic to make your website (actually it’s usually just a combination of things like PHP, HTML, JavaScript, CSS and suchlike). His job is to take your idea, your vision, and convert that into code that’s interpreted by a web browser (something like Chrome, Safari, Internet Explorer, Firefox etc) so that you and your customers get to see the pretty pictures, products in an e-store, blogs, etc.

The expectation would be that the developer would create the website so that it was fit for purpose, adhered to standards, was accessible (for disabled people), worked well on a mobile device and was as secure as possible.

The Website – the files, the database and the code that makes it all work.

As previously suggested, a website is a combination of coding languages along with content that might be made up from text, images, audio and video that get presented via a web browser.

In its perfect form, all the elements work well together, and everyone’s happy.

The Hacker (contrary to popular opinion, they do not all wear black hats).

The hacker hacks for many reasons – sometimes it’s just pure ego – they do it because they can. A door is shut, they open it. Others hack so that they can gain access to sensitive information, or to expose areas of a site where they can get locked-down content.

Some do it so that they can get users to inadvertently download software into their own computers that allow hackers to track every keystroke.

Those are only a few of the reasons; suffice it to say that once open, the door will flap in the breeze.

The Security – blokes in black uniforms wearing Kevlar.

Well, not exactly. More likely software programmes that lie in wait for hackers and attempt to limit their access. But they’re only effective if they know what to look for. And just like any security guard, if the hacker knows where they patrol, their routine and their own peculiar habits, these constants can be exploited just as easily.

Act One.

Use a reputable Internet Service Provider with a good support line. If you can get one that has 24hr phone support as well as email support, you’re on the way.

Confirm that you have regular scheduled backups of files and databases as part of your ISP contract so that you can roll back to a saved version if you get hacked and all hell breaks loose.

Use solid Control Panel, FTP and Database usernames and passwords that you change regularly. Using variations of your site name, the month, year combinations or your daughter’s middle name just won’t cut it.

Or – get hacked!

Act Two.

If you’re using a Content Management System (like WordPress, Joomla, Drupal) or an e-store (many variations), make sure that you use plugins or modules that obfuscate (hide) the system, version and metadata of the CMS. (Hackers know the particular security loopholes of each version and it just makes it more difficult for them if you deny them this information).

Don’t use administrator login and password combinations that come ‘out-of-the-box’, like ‘admin’ and ‘password’. Don’t use combinations that include site name variations, as mentioned in Act One. Use a password generator that gives you at least 10 characters in upper and lower case, symbols and numbers that make absolutely no logical sense.

Swapping ‘@’ for ‘a’, ‘3’ for ‘e’ and similar phone-text substitutions is also dead easy to predict for a computer that can fire off 1000 login attempts a minute.

Easy to get hacked!
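As an added illustration of the two password rules in this act (not code from the original post), here is a small Python script that does both halves of the job: it generates passwords from the operating system’s random source with all four character classes, and it checks a candidate password against the post’s warning signs, undoing the ‘@’ for ‘a’, ‘3’ for ‘e’ style substitutions before comparing against the site name, ‘admin’, ‘password’, month names and recent years. The site name and the sample passwords are constructed for the example.

```python
import calendar
import secrets
import string
from datetime import date
from typing import List, Optional

# Constructed site name for this example; in practice pass your own domain label.
SITE_NAME = "examplewidgets"

# Symbols allowed in generated passwords (a conservative set most login forms accept).
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"

# Reverse map of the common phone-text substitutions the post warns about, so
# 'Ex@mpl3' normalises to 'example' and can be compared against the site name.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"})


def normalise(text: str) -> str:
    """Lower-case the text and undo leetspeak substitutions."""
    return text.lower().translate(LEET_MAP)


def weak_reasons(password: str, site_name: str = SITE_NAME,
                 today: Optional[date] = None) -> List[str]:
    """Return every reason the password fails the post's advice; [] means it passes."""
    today = today or date.today()
    reasons = []
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in password) for cls in classes):
        reasons.append("missing one of lower/upper/digit/symbol")
    norm = normalise(password)
    for word in ("admin", "password"):
        if word in norm:
            reasons.append(f"contains '{word}' after undoing @/3/1/0 substitutions")
    if len(site_name) >= 4 and normalise(site_name) in norm:
        reasons.append("contains the site name after undoing @/3/1/0 substitutions")
    # Full month names and their three-letter abbreviations (deliberately strict).
    months = [m.lower() for m in calendar.month_name[1:]] + \
             [m.lower() for m in calendar.month_abbr[1:]]
    if any(m in norm for m in months):
        reasons.append("contains a month name")
    # This year and the two before it, in four-digit form.
    years = {str(today.year - k) for k in range(3)}
    if any(y in password for y in years):
        reasons.append("contains a recent year")
    return reasons


def generate_password(length: int = 16, site_name: str = SITE_NAME) -> str:
    """Generate a password from the OS CSPRNG (secrets) that passes weak_reasons()."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not weak_reasons(candidate, site_name):
            return candidate


if __name__ == "__main__":
    samples = ("admin", "P@ssw0rd!!", "Ex@mpl3W1dg3ts!2024", generate_password())
    for sample in samples:
        verdict = weak_reasons(sample, today=date(2024, 5, 1)) or "OK"
        print(f"{sample!r}: {verdict}")
```

The check is intentionally one-sided: passing it only means the password avoids the specific patterns the post names, while the generator side is where the real strength comes from, since `secrets` draws from the operating system’s random source rather than anything a person would think up.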

Act Three.

Don’t get sloppy. Be vigilant. Constantly change all your login and password combinations, and maintain your backups not only on your server: download them too, and test them locally from time to time.

I do recall a client boasting that they had ‘awesome’ security and disaster recovery. Their system completely crashed (not due to a hack, but a massive electrical surge that fried all their computers and killed all their hard drives). ‘No problem – we have all the data on tape, which gets couriered to my house every night,’ said my client. Excellent. All that was needed was to get new machines, install the backup software and read in the tape.

However, you guessed it, the tape (and every other tape they’d ever made) was completely garbled. I was incredulous that they’d never even tested the backups by restoring them. Lesson: Don’t believe everything that’s written on the label. Test it.

Or prepare to be hacked!
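Here is what “test it” looks like in code, as an added example that is not from the original post. It uses SQLite (from Python’s standard library) as a stand-in for the site’s database so it runs anywhere: it takes a logical SQL dump, records a content digest of the live data, then restores the dump into a scratch database and compares digests. The demo also shows the two ways the garbled-tape story can play out, a dump that restores “successfully” but with altered data, and a truncated dump that fails to restore at all. The sample table and its rows are constructed for the example.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path
from typing import Dict, Tuple


def content_digest(conn: sqlite3.Connection) -> str:
    """SHA-256 over every user table's name and rows (ordered by rowid), so two
    databases can be compared by content rather than by file bytes."""
    digest = hashlib.sha256()
    names = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    for name in names:
        digest.update(name.encode("utf-8"))
        # Plain tables only; WITHOUT ROWID tables would need their primary key here.
        for row in conn.execute(f'SELECT * FROM "{name}" ORDER BY rowid'):
            digest.update(repr(row).encode("utf-8"))
    return digest.hexdigest()


def dump_to_sql(db_path: Path, dump_path: Path) -> str:
    """Write a logical SQL dump of the live database and return its content digest.
    Keep the digest with the backup; it is what a later restore is checked against."""
    conn = sqlite3.connect(db_path)
    try:
        dump_path.write_text("\n".join(conn.iterdump()), encoding="utf-8")
        return content_digest(conn)
    finally:
        conn.close()


def restore_and_verify(dump_path: Path, expected_digest: str) -> Tuple[bool, str]:
    """Restore the dump into a scratch in-memory database and compare content.
    Returns (ok, detail): detail is the restored digest, or the restore error."""
    conn = sqlite3.connect(":memory:")
    try:
        try:
            conn.executescript(dump_path.read_text(encoding="utf-8"))
        except (sqlite3.Error, ValueError) as exc:
            return False, f"restore failed: {exc}"
        actual = content_digest(conn)
        return actual == expected_digest, actual
    finally:
        conn.close()


def demo_backup_cycle() -> Dict[str, bool]:
    """Back up a constructed sample database, then verify three restores:
    the intact dump, a dump with one silently altered value, and a truncated dump."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        db_path, dump_path = Path(tmp) / "site.db", Path(tmp) / "site.sql"
        conn = sqlite3.connect(db_path)
        conn.executescript(
            "CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
            "INSERT INTO posts(title, body) VALUES ('Hello', 'first post');"
            "INSERT INTO posts(title, body) VALUES ('Act Three', 'test your backups');"
        )
        conn.commit()
        conn.close()

        digest = dump_to_sql(db_path, dump_path)
        results["intact"] = restore_and_verify(dump_path, digest)[0]

        # Silent corruption: same size, valid SQL, wrong content. The restore
        # itself "succeeds", which is exactly why comparing a digest matters.
        original = dump_path.read_bytes()
        dump_path.write_bytes(original.replace(b"first post", b"f1rst p0st"))
        results["silent_corruption"] = restore_and_verify(dump_path, digest)[0]

        # Truncated backup (the garbled tape): the restore itself errors out.
        dump_path.write_bytes(original[: len(original) // 2])
        results["truncated"] = restore_and_verify(dump_path, digest)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo_backup_cycle().items():
        print(f"{case}: {'restore verified' if ok else 'FAILED verification'}")
```

The design point is that a backup job should end with a restore into a throwaway location and a comparison against something recorded at backup time; a file that merely exists, or even one that restores without an error message, is not proof that the data is there.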

Act Four.

Employ good security. If it’s free, or dead cheap, you probably have a veneer of security which won’t take the pounding that a dedicated hacker can dish out. Use a service that constantly tests your website against new strains of malware and viruses by getting the information directly from a security site. A few dollars a month is well worth the price and the peace of mind is incalculable.

Keep all your CMS, plugins, themes and module versions up to date. Hackers exploit vulnerabilities of old software mercilessly.

You guessed it – something to do with getting hacked!

Curtain Call.

You’ll probably notice that I’ve kept real names out of my narrative in order to protect the innocent and not flip the bird at hackers. However, here are a few links that might just be useful.

Stay safe and don’t get hacked.

Links:

Sucuri

Netsparker

Qualys