You might hear about other business websites getting hacked, but how could this possibly happen to you? Well, it happened to us and it could have been avoided. Here are some words of advice on how to avoid getting hacked.
We were going about our busy day. I was finishing a big deadline on a project. I was ready to post a new blog post article on Travel Life Media.com. As I was doing this, Troy (my husband and business partner), and I chatted briefly about some changes and modifications we wanted to make on our website for the next few months.
Shortly after, I just happened to go back onto Google to check how the new blog post looked and I searched it by URL.
Without warning, the post completely disappeared and was replaced with a white page covered in characters in another language.
The only recognizable text was the first sentence of the long string of characters that said:
“Oh man, we’ve been hacked!” I shouted to Troy while swiftly following up with the comment,
“How the heck did this happen?”
My immediate next step was calling our hosting service, SiteGround, to figure out what happened and to get them to fix it fast.
Their answer? – “Yes, it is confirmed your website was hacked” – it was a full-on malware attack.
“Well, thanks, guys, I realize that,” I said, “how do we fix this?” and in the back of my head, I’m thinking…. “And don’t we pay you guys to manage the security on our website?”
Well, it turns out – I made a fatal mistake.
We didn’t pay for security at all on our site; we just paid for regular hosting services.
Buying security on top of hosting services was an option, but we didn’t know it or just got too busy to realize it.
How did this happen?
How to avoid getting hacked – and what we learned the hard way
A malware attack can happen several ways, including:
1. When an update isn’t added to your website – you know, those pesky updates that prompt you to update your website or a plugin at the worst time, when you are in the middle of a job.
2. There could be an issue with a plugin, a breach that could open up your site to attack by a hacker.
3. An old or simple password that hasn’t been changed in months can also invite hackers in easily.
Attacks are common for small and medium-sized businesses because they tend to use self-hosting services and don’t have the in-house security capabilities that larger businesses use. And, like us, they get busy working on their business, not worrying about hackers. We are prime targets.
During this process, we discovered that the most likely cause was a plugin on our site that could have caused the opening that allowed hackers in.
How we got our website back up and repaired
After discovering that our hosting site couldn’t do anything, we hired a security company (recommended by our host) to clean up the malware mess. They removed thousands of corrupt code lines and attempted to get the site up and running.
After 3 days of cleaning, the company came back and said it was unrepairable. You can imagine the stress and angst of waiting three days for this answer!
We learned our lesson here: a big company using a ticket system with a small, entrepreneurial business to resolve this issue. They were in Europe; we were in South America. We couldn’t get regular updates as to what was going on. Our website is our business, our income – everything, and we couldn’t even receive an update about the situation?
Reinstalling the backup was the only solution. The website was beyond repair. We retrieved the backup files from our hosting service to replace the site and the theme from our provider (Thrive Themes) to reinstall the theme on WordPress. Fortunately, we did have a good backup plan with our service, and our site could be restored just before the malware attacked our site.
This was a hard lesson in understanding what you are paying for and knowing the right questions to ask when finding a hosting and security supplier.
I’ve asked Ed Mochrie from Atomic Whale Website design and hosting to help me determine the most important questions to ask.
Useful questions to ask your service providers
These questions are for you if you run a self-hosted website, meaning you buy software services to host your site on the internet, perform backups, and provide security. The other option is a hosted site, where a company does all this for you. Regardless, these questions are generally the same.
What are the services you need for your website?
If you hire a company to host your website or go with “self-hosting,” find out exactly what you get. Ask about hosting services, as well as backups and security.
Usually, the best price advertised for self-hosting sites like Bluehost, GoDaddy, and SiteGround is just for hosting services on the internet. So you do need to read all the service package details and ask questions to ensure you know what you are getting.
- Use a service where your website is hosted on a dedicated server, meaning in a separate space (or server) away from other sites. This will cost you more, but it will reduce the chance that a problem with another website hosted on the same server as yours will spread to your site. Additionally, when your website is on a separate server, you get the added benefit of better control of website speed – a fundamental aspect that improves SEO and reduces bounce on your site.
This single server approach is possible for WordPress websites. Websites built from Wix or Squarespace are housed on their own platforms, so this is not an option for you.
2. Backup Frequency and Location
Ask about how often your hosting service makes a copy of your website. This is no different from how you back up your files on your computer with an external drive.
Also, ask where the backup is stored, and whether there is a 3rd party storage backup. In case they run into problems in their building, what do they have in place to prevent your website backup files from getting lost or damaged?
Ask if they have daily backups and if they are stored for at least a month. If you need to use your backup (like we did), you can go back to the time before the problems occurred and get it reinstalled.
Look at the package options – perhaps there is a paid upgrade to get extra safeguards related to backup. Even if you do get a malware breach on your computer, the backup will save you from your website contents getting completely lost.
Beyond your host’s service, you can also take control of your own backup and have a copy for yourself. There is a WordPress plugin called UpdraftPlus – it is a paid subscription that allows you to back up your website on Google Drive or Dropbox.
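The backup questions above (daily copies, at least a month kept, a restore point from before the problem) can be checked against the list of backup dates a host's control panel shows. The Python below is an added example, not part of the original post or any provider's tooling; the function names, the 26-hour allowance for a "daily" backup, and the sample dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def audit_backups(stamps, now, max_gap=timedelta(hours=26),
                  min_retention=timedelta(days=30)):
    """Return a list of policy findings; an empty list means the set passes."""
    stamps = sorted(stamps)
    if not stamps:
        return ["no backups found"]
    findings = []
    # Retention: the oldest copy must reach back at least a month.
    if now - stamps[0] < min_retention:
        findings.append(f"oldest backup {stamps[0]:%Y-%m-%d} is less than "
                        f"{min_retention.days} days back")
    # Frequency: append 'now' so a stale newest backup also shows up as a gap.
    for prev, nxt in zip(stamps, stamps[1:] + [now]):
        if nxt - prev > max_gap:
            findings.append(f"gap of {nxt - prev} after {prev:%Y-%m-%d %H:%M}")
    return findings

def restore_point(stamps, first_bad):
    """Newest backup taken strictly before the earliest sign of tampering.

    first_bad should be the earliest evidence of compromise (for example the
    oldest modified file), not the moment the defacement was noticed;
    otherwise the restored copy may already contain the malware.
    """
    earlier = [s for s in stamps if s < first_bad]
    return max(earlier) if earlier else None

# Constructed sample: nightly 02:00 backups from 2024-02-25 to 2024-03-31,
# with the 2024-03-10 and 2024-03-11 runs missing.
NOW = datetime(2024, 3, 31, 12, 0)
SAMPLE = [datetime(2024, 2, 25, 2, 0) + timedelta(days=d)
          for d in range(36) if d not in (14, 15)]

if __name__ == "__main__":
    for finding in audit_backups(SAMPLE, NOW):
        print("FINDING:", finding)
    print("restore from:", restore_point(SAMPLE, datetime(2024, 3, 20, 15, 30)))
```
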
3. Security Features
Specifically, what security features do you need, and what can the supplier provide?
Ask your supplier if the following features are included:
a. SSL certificate
You must have an SSL certificate – this has become the standard for all websites now, and most hosting companies include this in their package. An SSL certificate is a bit of code on your web server that provides security for online communications. When a web browser contacts your secured website, the SSL certificate enables an encrypted connection. In simple terms, it’s like sealing a letter in an envelope before sending it through the mail.
b. Includes a firewall
Server-side firewalls are software or hardware that work as a filtration system for the data attempting to enter your computer or network. Firewalls scan for malicious code that has already been identified as an established threat for websites.
c. Hosting security plugins
Ask about other hosting security plugins – are there other plugins or services they offer, and what do they do? Some hosts have plugins that work with their firewalls for added security and are easy to install.
d. Two Factor Authentication
This means that you would have to log in with both a password and a code that is sent to your cell phone, so the hacker would only be able to access your account if they had your cell phone and were able to complete both steps.
e. Make sure the services enforce strong passwords
These are those long password strings with numbers, letters, and symbols. If your supplier enforces these, it helps safeguard against poor or weak passwords.
f. Additional security safeguards
You have the option to put some additional safeguards into your own hands. You can install a plugin called Wordfence – a popular WordPress plugin that does enable security features and has solid reviews for reliability. They have both free and paid plans – read the details to see what this includes.
Another option is a service called Sucuri – where you can receive regular updates for any security problems on your site. We bought this service after our website problem, and we like it, but we realized later that we probably could have just bought Wordfence to do the same job.
There isn’t any completely safe solution for the threat of security and malware attacks to your website, but you can be informed and prevent a colossal problem that can cripple your website (and your mind) for days – we’ve been there and we don’t want this to happen to you!
Hopefully you can learn from this and avoid getting hacked. What security tools have worked for you? Let us know.