You know when you wake up and see an alert from your web host or Google informing you that your website has been compromised and is now blacklisted/disabled? No? It’s only a matter of time.
Hackers are everywhere,
The bad news: It’s getting worse. Researchers estimate that roughly 1% of the websites in the world are currently infected with malware. That means about 18.5 million websites are compromised right now.
However, it’s not all doom and gloom. The good news is that you don’t have to be a cybersecurity expert to protect your website.
In this article, I’ll explain the basics of how and why hackers target blogs, what you can do to prevent hacks, and how to remediate a hack if your site becomes a victim.
Why do hackers target blogs?
We’ve all read the headlines about data breaches at high-profile businesses such as Equifax, Home Depot, and Yahoo. It’s obvious why hackers target large companies that have huge amounts of customer credit card numbers and other valuable data.
So why would a hacker target a small blogger who doesn’t have credit cards or other personal financial details? There are several common reasons:
- Bragging rights. Some hackers are just having fun—they enjoy the thrill of the chase and the feeling of power they get from breaking into computers. It’s an activity among their group of hacker friends, and some of them enjoy winning. They may just delete or deface the website.
- Steal traffic. Sometimes hackers install hidden codes on your website that redirect people to one of their websites. They’ll often set up sophisticated rules that make it hard for you to detect or locate the malware. They then use your traffic to make themselves money.
- SEO spam. Hackers can use your website to post spam content, for example about prescription drugs. While this helps their search engine ranking, it can completely ruin your search engine ranking or even get your website removed from Google.
- Email spam. Over 100 billion spam messages are sent every day, mainly from hacked websites. If your website gets listed among the top spammy websites, your legitimate emails will no longer be delivered. It’s hard to get things done if no one knows about them.
Should my blog use SSL/HTTPS?
You need to get an SSL (Secure Sockets Layer) certificate for your website so that people can connect securely to your website via HTTPS.
Google has been leading a global initiative to encourage the entire internet to switch to HTTPS:
- Since 2014, Google rewards websites that use HTTPS by ranking those websites higher in search results. It’s a small boost, but every little bit can help.
- In July 2018, the stakes will be raised even higher—its Chrome browser will start labeling all HTTP websites with a “Not Secure” warning.
Using HTTPS also protects against certain hacking methods and is the first step towards protecting your users’ privacy.
How do hackers access my website?
Most people think hacking is some sort of black magic. A hacker could modify your website and upload files without you giving them your admin username and password. We’ve all seen Hollywood movies where people type some green text into black screens, and voila! They’ve gained access to a system! (If you want a good laugh, watch this parody of how Hollywood portrays hackers.)
There are hundreds of different ways hackers can gain access to websites. If you want to go deeper, there’s a catalog called the Common Weakness Enumeration (CWE), which lists 714 different ways hackers can compromise websites.
Once you understand how hackers gain access to websites, the tactics you should use to prevent them from doing so will become clearer.
Here are some of the hackers’ most common tactics. You’ll get an idea of how they go through their nefarious business.
Steal your login details
Hackers sometimes go direct and steal your username and password so they can log into your website just like you would. There are various ways they can steal your admin credentials.
- Install a trojan on your personal computer to steal your username and password.
- Hack a WiFi router to intercept usernames and passwords from anyone who logs on via that network. Tip: If your website uses HTTPS, you’re less vulnerable to this kind of “man-in-the-middle” attack.
- Use automated software that guesses passwords until it finds the right one. With this type of “dictionary attack” or “brute force attack,” how long do you think it takes to crack your Password123?
Find vulnerable components
Hackers usually focus their attacks on websites built using popular blogging platforms such as WordPress. They typically look for weaknesses in plugins and themes installed on the site. The WPScan vulnerability database lists over 10,000 different WordPress vulnerabilities, most of which have already been fixed. Outdated WordPress versions were used by 49% of the top 10,00 websites in the United States.
Upload a backdoor
Websites allow users to upload files, including profile pictures or message attachments. If the file upload forms aren’t properly protected, hackers can use them to upload malicious scripts. These scripts can do anything from stealing personal information to installing malware on your site.
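What "properly protected" can look like on the server side, as an added example (not code from this article or from any blogging platform): the upload is accepted only if its content matches an allowed image type, and the stored name is chosen by the server. The function name, the size limit and the allowed types are assumptions.

```python
import os
import secrets

# Leading bytes ("magic numbers") of the only file types this
# hypothetical upload form accepts.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed limit for profile pictures


def safe_upload_name(client_filename, data):
    """Return a server-chosen file name for an accepted upload, or None.

    The type is decided from the file's content, and the stored name
    never reuses anything the client sent.
    """
    if not data or len(data) > MAX_UPLOAD_BYTES:
        return None
    detected = next(
        (ext for ext, sig in ALLOWED_SIGNATURES.items() if data.startswith(sig)),
        None,
    )
    if detected is None:
        return None  # content is not one of the allowed image types
    claimed = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if claimed == "jpeg":
        claimed = "jpg"
    if claimed != detected:
        return None  # extension and content disagree, e.g. "avatar.php"
    return f"{secrets.token_hex(16)}.{detected}"
```

A content check like this is one layer only: the upload folder should also be configured so the web server never executes scripts stored in it.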
Injection attacks
A skilled hacker can gain unauthorized access by tricking your website into displaying confidential information from its database, such as your passwords. This is called injection or SQL injection.
This 56-second demo video demonstrates how SQL injection can be exploited to trick a website into granting administrative privileges to an unauthorized user.
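The same weakness in miniature, as an added example that is not taken from the video or from any real blog software: a login check that builds its SQL from user input next to one that uses placeholders. The table, the sample rows and the crafted input are constructed for illustration.

```python
import sqlite3

# Constructed input: the quote ends the name early and "--" comments out
# the password check that follows it in the query text.
CRAFTED_NAME = "admin' --"


def make_db():
    """Build an in-memory users table with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cr3t-hash", "admin"), ("alice", "other-hash", "editor")],
    )
    return db


def login_vulnerable(db, name, password):
    # BAD: input is pasted into the SQL text, so it can change the query.
    query = (
        "SELECT role FROM users WHERE name = '%s' AND password = '%s'"
        % (name, password)
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_safe(db, name, password):
    # GOOD: placeholders keep input as data; it is never parsed as SQL.
    row = db.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, CRAFTED_NAME, "wrong"))
    print("safe:      ", login_safe(db, CRAFTED_NAME, "wrong"))
```

When reviewing custom blog code, any query assembled with string formatting or concatenation from request data is the pattern to replace.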
Hackers use these methods and hundreds of others to compromise thousands of websites each day. We’re always trying to stay one step ahead of malicious hackers.
How can I protect my site from hackers?
Prevention is the best way to protect your website. It’s easier and cheaper to prevent a hack than it is to find, fix and recover from one.
Here are some things you can do to prevent hackers from successfully breaching your website:
- Make sure your software is always up to date. This simple step can greatly improve your security. Make sure that your blog software, themes, and plugins are automatically updated. This reduces the amount of time your website might be vulnerable. If automatic updates aren’t possible, set up email notifications so you’re notified immediately when updates become available. Make sure that you check manually for updates every once in a while just in case anything slipped through the cracks.
- Use components that are being actively developed. Don’t use old software components (like themes or plugins) that aren’t being actively maintained and updated, even if they’re free. If a security issue occurs and the creator doesn’t release a patch, you’d have to research and create one yourself – if you were even aware of it before your site was hacked.
- Use stronger passwords. You can defend against brute force attacks by making your passwords harder to guess. Here are a few password guidelines from the National Institute of Standards and Technology (NIST):
  - Make it long: 12-16+ characters is good
  - Avoid common English words
  - A Bing search reveals that publications list the most common passwords each year. 123456, password, and qwerty are typically near the top.
  - Don’t use your username in your password
  - Don’t use common passwords like “123”, “password”, “pass”, and so on.
  - Use numbers and punctuation, but don’t just put a 1 or ! at the end (everyone else does that)
  - Don’t reuse passwords.
    - It’s a huge security risk to use the same password across multiple sites. More than five million records are hacked every day. Hackers then use these records to access other accounts. If you used the same password for your Yahoo account that you use for your website, the hackers who stole 500 million passwords from Yahoo could use them to gain access to your website. Don’t think your password will be secure because hackers don’t have the time to sort through 5 billion passwords. Today’s automated software can process millions of records faster than you can read this article.
- Install an advanced web application firewall (WAF). A “smart” web application firewall can detect and block attacks on your website.
- Review your code. Use the OWASP Top Ten Cheat Sheet to review the security of your custom-built blog software.
- Minimize access permissions. The more users who have admin access to your blog, the more potential points of entry there are. To minimize hacker opportunities:
  - Remove users who no longer need access
  - Only give users the access they need—if editor access will suffice, don’t give admin access
  - Monitor logins so you know the IP address and username each time someone logs into your website
- Uninstall apps you don’t need. Websites tend to collect components over time—apps, plugins, and themes that were installed but are no longer used. Remove all these components so they can’t be a possible vector for hackers to access your website.
- Back up your website. This won’t stop hackers, but it will make it a lot easier to fix/restore your website if it’s ever hacked.
- Protect your devices. Hackers often use trojans on your computer, tablet, or smartphone to steal your website passwords. Ensure you’ve got advanced, up-to-date protection software installed on all your devices.
- Set up scans. Install a daily scanner to check your website for malware and vulnerabilities. This can alert you to an issue so you can react quickly to fix it.
- Have a response plan for any attack. While we’d like to think we could fend off all attacks, in reality, we’re not immune to them. If you’re online, you’ll probably get hacked at some point. According to surveys, 75%-90% of companies are victims of hackers each year. Plan ahead:
  - Set up alerts so you can quickly find out if any issues occur.
  - Back up your website regularly, and keep backup copies for at least a week.
  - Know who you can contact if your website needs repair, such as a web developer with hack repair experience or a cybersecurity team.
What steps can I take if my website is hacked?
Even with the best security in the world, you’re never 100% safe from hackers. It’s an unfair game—to win, you have to defend every single vulnerability every second of every day, while the hacker only has to find a single vulnerability to exploit for a few seconds. So you must have a response plan in place in case your website does get hacked.
Here are the basic steps you’ll need to take to deal with a typical hack:
- Document the issue. Carefully record each indicator of a hack that you’ve seen, which pages are affected, etc.
- Change passwords immediately. Change all login details related to your website: FTP, database, WordPress, hosting control panel, etc.
- Scan your local computer(s). Hackers sometimes use trojans to steal website passwords from your local computer.
- Find and remove the hack. The hack will often be malicious code inserted into your site’s PHP files, or additional files uploaded somewhere on your site. Note that many hacks will have multiple components, for example, a backdoor access file, malicious code added to your website files, and new files uploaded through the backdoor access. If you have a clean recent backup of your site, this can help to identify and remove the hack.
- You should check and clear any blacklists of compromised websites maintained by Google and email service providers. If your site has been added to one of these blacklists, you’ll need to get it removed.
- Change all your passwords again. Just in case the hacker had gotten an updated password before you managed to get the hack completely removed.
- Lock down your site. Take preventive measures to protect your site. Consider taking extra steps.
We can’t do anything but take preventative action, remain vigilant, and be prepared to respond if something happens.