When your website Content Management System (CMS) is left unattended without maintenance or updates, it’s like leaving a 5-year-old alone for hours with a bucket of paint – it’s not going to be a pretty picture in the end. A CMS is the application that powers your website and is used to manage the creation and modification of digital content. You have likely heard of Drupal and WordPress; each is a CMS.
An outdated and vulnerable CMS opens the door to hackers, and they will waste no time taking advantage of the weakness. A CMS needs regular updates and security patches that keep it secure and supported. And sometimes a security patch needs to be implemented very soon after it’s released due to the severity of the vulnerability. A few key questions to ask yourself are:
- Who is looking out for your website?
- Would you even know if it had been hacked?
- What exactly happens to your website when it’s hacked?
- What does it take to remedy it?
- Most importantly, how do you prevent your website from being hacked in the first place?
Let’s dive into the answers and arm you with knowledge about your website’s security.
Who is Responsible for Your CMS Updates?
One scenario we have seen happen is a very common one. A company hires a website developer to design and implement their website and CMS. After the website goes live, all is well for a period of time. But often, the individuals at the company who are now in charge of the website are not necessarily very technical. They might be marketing professionals who are not well-versed in CMS maintenance and security. And, quite often, there are assumptions made at the start of the website development about what exactly the website vendor does, and doesn’t do. And you know what they say about when you assume . . . ahem, things can go south.
The company may be under the impression that the web designer is going to continue to take care of the website, after launch. But if they didn’t specify ongoing maintenance in their contract, they are on their own for that. Not much time has to go by before core modules or plugins are behind on updates. Drupal and WordPress patches and updates are released at least monthly, and sometimes more often.
It’s vital that when you hire a web designer you are clear on the website maintenance side as well. Ensure you understand if the website needs maintenance, what kind, who will maintain the website, and who will be updating the website content. These simple questions will provide a roadmap for your staff so they know what to expect going forward.
Another piece to consider is who is hosting your website. Many times, web hosting may be an afterthought for the web developer and for the client. Instead, there should be a clear evaluation of the right match of hosting for the website. Things to consider are:
- Is the hosting local?
- Is it fast?
- What are your uptime requirements?
- How does it fit with your business goals?
This all figures into website security because you want a reputable and reliable hosting partner who is keeping the webserver patched and securely configured.
Signs Your Website Has Been Hacked
By now you are aware of the role your CMS plays in your website security and if you are keeping it updated you should feel pretty good. However, if you have any doubts, knowing the signs of a breach will help you get a handle on things as soon as they go awry.
Sometimes you have an in-your-face hacker who doesn’t care about subtlety. What you or your visitors see upon visiting your website one day is, as the movie title says, Very Bad Things. Pop-ups and inappropriate images will be enough to have you calling a webmaster to take the website down and put up a single line maintenance message.
However, more often than not, the bad guys are aiming to be undetected, so they can get away with more, for longer.
How to Identify a Website Hack:
- Your website traffic starts to mysteriously tank. This is because Google is penalizing your website. Why? Because the hackers placed hidden code in your website that points search engines to something bogus, like spam websites for athletic shoes (this is an actual example).
- Your search rank decreases. Same reasons as above.
- Your website is flagged in search engine results and warns visitors not to visit. This is because Google sees that the website has been compromised and is warning visitors to stay away.
- Your website suddenly has A LOT more pages indexed. How would you know this? You wouldn’t, but if you suspect any kind of hack, go to Google and type in ‘site:yoursitedomain.com’ and you will see the total number of indexed pages for your website. You can also do this in Google Search Console for more detailed data. If your normal number of website pages is inflated, this is a sure sign something is amiss. We know of a company that had close to 300,000 pages added to their website during a hack. Yes, you read that right.
The tactic described in that last bullet is called cloaking. This is when your website looks one way to human visitors, but looks entirely different to search engines. That’s because spam links leading to bad websites are buried in the code of your website, and code tells search engines to see/read the website differently. This is how Google knows to penalize your website and flag it in the results page.
Another way your website and company can be taken advantage of is if the hacker hides a script in the codebase of your website that directs emails to be sent out–from your webserver. So, emails are being sent to your database, that may look like they are coming from you, or from a random sender, with any type of content. This effectively destroys your sender reputation and takes a while from which to recover.
Another important thing to realize is that if you are running any other programs on your webserver such as a Customer Relationship Management (CRM) system or an intranet, it is at risk of being hacked as well. This is especially risky if you store customer data. The effects of a breach can be far reaching. And if you are a business that has multiple websites–the same happens to each website.
The Effect of a Hacked Website on Your Brand
We don’t have to tell you how it comes across if you search for a company by name and their website comes up flagged with a warning in the search result. Your impression of that company is altered instantly and you likely will never look for them again. Or, even worse, your website is one of the obvious hacks and visitors see unsavory images upon page loads. The amount of business you would lose would be impactful.
Additionally, if your business has an advertising model on your website, suddenly your supporters get a lot less value because the website traffic is decreasing due to the hack. Advertisers may even pull out, before you even know you have a real issue on your hands.
Your company’s reputation is at stake. We’ll soon discuss how you can avoid this and not have to worry about recovering from a devastating hack.
Recovering From a Serious Website Hack
Once you know what’s happening and have found the right webmaster to help you deal with the problem, there are several steps in the process to recovery.
- Restoring backups. Hopefully you store your website backups somewhere other than your webserver and they have remained uncompromised.
- A copy of the website will be placed in a separate development environment. This is where your website will be worked on and cleaned up, and in the meantime, your webmaster can put up a stub page, hosted somewhere safe, with a note that the website is undergoing maintenance.
- Searching for established patterns of known hacks. An experienced vendor will have a database of known hacks from which to draw, and will be able to scan your website for code snippets and file names to quickly identify where the issues are hiding.
- Analyzing the website behavior. Your vendor will look at what the website is doing. Is it sending email or creating pages and links? This will give the vendor the information needed for the type of hack it is.
- Notify Google. After the website is cleaned up and live, a request should go to Google for it to crawl the website again. This will help you earn back your credibility and rank.
- Continued scans and checkups. Hackers will sometimes leave a backdoor for access to the website, to come back and add more code, so a good vendor will continue to look for infiltration even after all is cleaned up.
Preventing a Website Breach
A malicious breach of your website is similar to a virus, usually it can be recognized and dealt with, and your website will fully recover. But it’s best to never even find yourself in that position in the first place so here are ways to prevent an attack:
- Be diligent about website security and protection. Ensure you know who is in charge of it for your website.
- Keep up to date on patches and updates for your CMS–especially if you are on open source like Drupal or WordPress, which are the most commonly used
Let’s talk a bit more about open source. It’s attractive due to its low cost, and the fact that improvements and development are always ongoing. Thanks to the efforts of the open source community, a CMS like Drupal or WordPress can be very secure, provided it is updated in a timely manner. However, an open source CMS is only as secure as the maintenance and attention applied to it. Open source code is just that–open; anyone can see the source code and it can be exploited, which is attractive to hackers. By definition, a security update to WordPress or Drupal defines a vulnerability that can be exploited if websites are not kept up to date. This is why it’s critical to stay on top of updates.
The amazing thing about open source is that a worldwide group is contributing to the codebase. As with anything that involves humans, you do have human error. If a new plugin or module includes code that creates an unintentional weakness, then the code needs to be updated before hackers exploit it. But if you aren’t updating the system right away, you will fall prey to that vulnerability. In short–do your part in keeping up with your Drupal or WordPress updates, and you will realize the benefits of open source and remain secure.
In conclusion, you can take the worry of website security off your plate by partnering with a reputable webmaster who is experienced not only in website design and development, but maintenance, security and hosting as well. Having someone in your corner who is always several steps ahead of the hackers, is well worth it for your company’s reputation, and overall operations.