The advice provided in this article is based on real world experience of having an income producing website hacked – namely my website.
In this post I will reveal how the baddies got in, what actions I took to restore my website, the assumptions I had around responsibilities (which were wrong), how much the attack cost my business and, finally, something for you: a checklist that you can use to review your own website's security right now.
If you don’t care about my wonderful tale of website hackery and just want the checklist then scroll down to the bottom and read the “Website Security Checklist” section.
But! You will be missing out on a great story 🙂
How My Website Was Hacked
About 7 years ago my website was tracking quite nicely with 30,000 unique visits per month in a niche market, revenue from advertising was good and growing. It was about this time I decided to offer a new service to the website visitors to encourage them to stay longer on the website.
I asked the web developer, who was a contractor living in another country and did odd jobs when work was needed, to locate a suitable plugin for the website. So off he went and located a plugin that seemed to offer all that I needed and even better – it was free!
So, the web developer downloaded the plugin, installed it on the production website and off I went promoting the new features to my website visitors.
Now, some of you will already be shaking your head at what I did, and believe me I am too as I write this. It’s important to note that I was not in the IT security sector at that time and did not have any idea (nor care because hackers only target big websites, right?) of IT security in general – like most small to medium business owners.
The plugin was fantastic and kept a high proportion of visitors on the website for much longer, until of course, the website got hacked – and hacked good.
There is nothing worse for a business owner than to have your “shop” broken into and your “products” stolen or damaged, and that’s what happened to me.
How did it happen?
In summary and without going technical on you, the plugin was riddled with security vulnerabilities big enough to drive a virtual bus through it. The plugin developer had no clue how to write secure code and every hacker knew it. I found out later my web developer didn’t have a clue either.
The worst part is that most plugins leave a recognisable “signature” in the HTML of every page they run on: a generator meta tag, or links to the plugin’s own script and stylesheet files, often with the plugin’s version number in the URL. Once a vulnerability is discovered in a plugin, that signature is all an attacker needs: search Google for it and out comes a list of websites running the plugin.
You can try this out yourself with a simple search such as “[plugin name] vulnerabilities” or “[plugin name] exploits”.
Among those results you will end up on a website that provides a step-by-step guide to exploiting whatever vulnerability the software contains. This is how 11-year-old kids with no training in hacking can successfully hack a website: they are handed a “dummies guide” how-to for free!
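One way to see what your own pages give away, as an added example that is not part of the original post: the script below parses a page’s HTML for a generator meta tag and for plugin asset paths (the wp-content/plugins/... layout WordPress uses, plus the plugins/modules/extensions directories other platforms use), pulls any version number out of the asset URL, and lists the searches that signature invites. The sample HTML is constructed and the plugin name example-gallery is made up.

```python
"""Added example (not from the original post): scan a page's HTML for the plugin
"signatures" attackers search for. The HTML below is constructed, and the plugin
name "example-gallery" is hypothetical."""
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Directory names under which popular CMSs serve plugin/extension assets.
PLUGIN_PATH_RE = re.compile(
    r"/(?:wp-content/plugins|plugins|modules|extensions)/([A-Za-z0-9_.-]+)/")


class SignatureParser(HTMLParser):
    """Collects generator meta tags and plugin asset paths (with ?ver= if present)."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.plugins = {}  # plugin name -> set of version strings seen (None if unversioned)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"])
        for key in ("src", "href"):
            url = a.get(key)
            m = PLUGIN_PATH_RE.search(url) if url else None
            if m:
                ver = parse_qs(urlparse(url).query).get("ver", [None])[0]
                self.plugins.setdefault(m.group(1), set()).add(ver)


def find_signatures(html):
    """Return {"generators": [...], "plugins": {name: [versions...]}} for one page."""
    p = SignatureParser()
    p.feed(html)
    p.close()
    return {
        "generators": p.generators,
        "plugins": {name: sorted(v for v in vers if v) for name, vers in p.plugins.items()},
    }


def search_terms(signatures):
    """The searches an attacker (or you, checking your own site) would run next."""
    terms = []
    for name, versions in signatures["plugins"].items():
        terms.append('"%s" vulnerabilities' % name)
        terms.append('"%s" exploits' % name)
        for v in versions:
            terms.append('"%s" %s exploit' % (name, v))
    return terms


# Constructed page, standing in for a real site's HTML.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.9.8">
<link rel="stylesheet" href="/wp-content/plugins/example-gallery/css/style.css?ver=2.1.0">
<script src="/wp-content/plugins/example-gallery/js/gallery.min.js?ver=2.1.0"></script>
<script src="/wp-content/themes/some-theme/js/main.js"></script>
</head><body><p>Hello</p></body></html>
"""

if __name__ == "__main__":
    sig = find_signatures(SAMPLE_HTML)
    print(sig)
    for t in search_terms(sig):
        print("search:", t)
```

Run it against the saved HTML of your own home page; every plugin and version it lists is something an attacker can find with one search, which is a good argument for removing plugins you no longer need.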
In the case of the plugin installed on my website, it was one URL with some extra text at the end of it – which was a “SQL injection attack” that resulted in resetting the admin password of the software running the plugin.
That’s right, the admin account that manages the entire website could be reset to whatever the hacker wanted with one URL call to my website!
Thanks to the plugin a hacker had admin access to my entire website with one URL call.
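What “one URL with some extra text” means in practice, as an added example that is not the plugin’s code: a hypothetical password-reset endpoint that pastes the request parameters straight into its SQL, beside the same endpoint written with bound parameters. An in-memory SQLite table stands in for the site’s database, the table layout, URLs and reset token are invented, and SHA-256 stands in for a proper password hash (real code should use bcrypt or argon2).

```python
"""Added example (not the plugin's code): the "one URL resets the admin password"
bug in miniature, with the fix beside it. Uses an in-memory SQLite table; the
endpoint, table layout and URLs are hypothetical. SHA-256 stands in for a proper
password hash (use bcrypt/argon2 in real code)."""
import hashlib
import sqlite3
from urllib.parse import parse_qs, urlparse

ADMIN_TOKEN = "7c1f4d9a"  # a reset token that would normally be e-mailed to the admin


def make_db():
    """Constructed users table: an admin with a pending reset token and one ordinary user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, reset_token TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", hashlib.sha256(b"correct-horse").hexdigest(), ADMIN_TOKEN),
        ("alice", hashlib.sha256(b"alice-pw").hexdigest(), None),
    ])
    db.commit()
    return db


def password_hash(db, username):
    return db.execute("SELECT password_hash FROM users WHERE username = ?", (username,)).fetchone()[0]


def _params(url):
    q = parse_qs(urlparse(url).query)
    return q.get("user", [""])[0], q.get("token", [""])[0], q.get("newpass", [""])[0]


def reset_vulnerable(db, url):
    """The bug: request parameters are pasted straight into the SQL text."""
    user, token, newpass = _params(url)
    new_hash = hashlib.sha256(newpass.encode()).hexdigest()
    sql = ("UPDATE users SET password_hash = '%s' "
           "WHERE username = '%s' AND reset_token = '%s'" % (new_hash, user, token))
    cur = db.execute(sql)  # user = "admin'--" turns the rest of the WHERE clause into a comment
    db.commit()
    return cur.rowcount  # rows updated


def reset_fixed(db, url):
    """The fix: bound parameters, so input can never change the query's structure;
    the token is also consumed so it cannot be replayed."""
    user, token, newpass = _params(url)
    if not token or len(newpass) < 12:  # minimal policy, chosen for this example
        return 0
    new_hash = hashlib.sha256(newpass.encode()).hexdigest()
    cur = db.execute(
        "UPDATE users SET password_hash = ?, reset_token = NULL "
        "WHERE username = ? AND reset_token = ?",
        (new_hash, user, token))
    db.commit()
    return cur.rowcount


# What the attacker sends: a normal-looking reset URL with "extra text" on the user parameter.
ATTACK_URL = "https://example.com/plugin/reset?user=admin'--&token=x&newpass=owned-by-attacker"
# What a legitimate reset looks like.
LEGIT_URL = "https://example.com/plugin/reset?user=admin&token=%s&newpass=new-long-password" % ADMIN_TOKEN

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, attack URL: rows updated =", reset_vulnerable(db, ATTACK_URL))
    db = make_db()
    print("fixed, attack URL: rows updated =", reset_fixed(db, ATTACK_URL))
    print("fixed, legitimate URL: rows updated =", reset_fixed(db, LEGIT_URL))
```

The vulnerable version updates the admin row with an attacker-chosen password because the “--” comments out the token check; the fixed version treats the whole user parameter as a literal username, finds no such user, and updates nothing.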
The hacker was not a simple 11-year-old script kiddie that just wanted to deface the website.
No, this hacker was smarter.
The hacker wanted to remain on the website as long as possible, attempting to infect as many visitors as possible. To achieve this the hacker did the following:
- Uploaded hacker tools to allow additional backdoors to be added to the site, just in case the original vulnerability used to gain control of the website was discovered and fixed.
- Downloaded the accounts of all the users to: 1) attempt to brute force the encrypted passwords (that failed since the encryption was strong) and, 2) grab all the email addresses to sell to spammers.
In fact, he was so good that it took a couple of website visitors to complain to us that every time they went to our site their web browser would crash.
When I investigated, I knew something wasn’t right so I rang the hosting provider who had a look and confirmed that the website had been hacked.
I rang the web developer only to find out that he was off on a 4-week holiday and did not bother to tell me.
Thanks for that.
I then went back to the hosting provider and asked them for help, but they could only provide assistance in a few days, not right at that moment.
What to do?
The first thing I did was shut down the website, then emailed all the users informing them of the attack. I rang the advertisers and told them each personally about the attack and how I was going to refund existing payments.
Next, I was lucky enough to know another web developer, based locally, whom I trusted. I contacted him and, after having a look over the website, he concluded that it was better to roll back to the last backup than risk missing one of the hacker’s backdoors.
Excellent – that’s great news!
Except that, when attempting to roll back, we found the last 6 months of backups were corrupted! Finally we located a backup that was not corrupted and rolled the website back to what it was 7 months ago.
This meant that my website was now missing 7 months of content!
Of course, this caused me a world of pain with issues such as: dead links back to my website, loss of 6 months’ worth of banner statistics for my advertisers, loss of trust with my visitors and advertisers, loss of revenue through refunds and the cost of the web developer helping me to roll back and secure the site.
Finally, when the dust settled and I was back online taking stock of the whole event the web developer who installed the plugin contacted me to touch base. After telling him what he missed and listening to blank silence on his end I asked him for his thoughts.
“So, do you want me to install the latest version of the plugin?”
Website Security Checklist
Below is a website checklist that I hope you will find value in using.
The checklist is based on the lessons learned from when my website was hacked. It is aimed at the business owner who is not technical and relies on third parties to help manage their business website.
- Patch, Patch and Patch – ensure that someone is responsible for keeping your website software (the platform itself, its plugins and its themes) up to date with security patches, and make sure you have written confirmation from that person (people’s memory of who was responsible for what seems to change magically once an attack occurs). Also ensure that your hosting provider has a patching policy and that the web server your website is hosted on is patched frequently. Ask for the patching schedule and patching policy. If they don’t have a schedule or policy then it’s time to look for a new hosting provider.
- Review existing plugins – if you have installed plugins on your website, review each one and have a good hard think about whether you still need the features it offers. Every plugin you install increases the chance of a vulnerability entering your website, and a plugin that is secure now can become vulnerable with its next update, or be abandoned by its developer and never patched again. Remove what you don’t use rather than leaving it installed but switched off; a disabled plugin’s files are often still reachable from the Internet. The same review applies to any other software you have installed that provides a service to your website.
- Review new plugins or functionality – if you have identified a new piece of functionality you would like to add to your website, such as a plugin, perform some basic research on the software before installing it. Key search terms I use are: “[plugin name] vulnerabilities” and “[plugin name] exploits”. Also check when the plugin was last updated and whether its developer responds to reported problems. If the search results look alarming, such as discussion of how easy it is to hack, then don’t install the plugin.
- Review Website Admin Accounts – who has access to the admin portal(s) of your website? Which admin accounts can be disabled and only re-enabled when needed? For example, the contractor you used 3 years ago for one job probably does not still need access to your website. Are all the admin accounts known to you and are they still needed? What about FTP accounts? What about SSH accounts? Reset the password on every admin account that has not been changed in years, make sure each one is a strong password that is not used anywhere else, and turn on two-factor authentication wherever the admin portal offers it. You don’t need to force a password reset every month, once a year is fine, but do reset passwords immediately whenever someone who had access leaves.
- Check your website backups – create a dummy website and restore a backup to it to test that it works. Make sure the backup includes both the website files and the database; one without the other does not restore a working site. I know this will be very hard for most of you, but I know from personal experience that if you need to roll back and the backup is corrupted or incomplete, the other options you have will be far more expensive than loading up a test site and testing your backup. Test a restore regularly, not just once: a backup job that worked last year can silently start producing corrupted files.
- Have an Incident Response Plan – basically a document that records the contact details of all the people you need to engage when the website is hacked and the steps you are going to take, such as asking the hosting provider to block all incoming traffic. Record the hosting provider’s support contact details, including their after-hours support numbers (Tip! Perform a test run by ringing the after-hours line late at night and see how good they are at responding – you may be very surprised at the result!), contact details for the web developers or anyone else who helps manage your website, your clients and any other interested parties. Keep a copy of the plan somewhere other than the website itself, since you will need it precisely when the site is down. If your website accepts credit cards for payment then you will also need to contact your acquiring bank and inform them of the breach (read Do I Need To Be PCI Compliant? for an introduction to PCI DSS). In my next post I will provide a basic incident response plan you can use.
- Webserver Hardening – check with your hosting provider that the webserver hosting your website is “hardened”. This means that the provider has tightened the server’s security: turned off services that are not needed, removed default pages and sample applications, stopped the server from announcing its software version, disabled directory listings, tightened file permissions, and a host of other technical things that are important. If the website hosting provider does not know what hardening is or doesn’t do it then it’s time to find another provider.
- Software Hardening – if your website software was installed by a third party, check with them that the software has been “hardened”. Just about every piece of software can be hardened, since most ship with default configurations chosen for convenience rather than security: default admin account names, sample content, debugging output switched on, and setup scripts left in place after installation. As with the hosting provider, if they do not know what “hardening” is, it’s time to start searching.
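The “test a restore” step above, done in code, as an added example that is not part of the original post: the script backs up a site directory into a tar.gz with a SHA-256 manifest, restores it into a scratch directory and compares every file against the manifest, then repeats with a deliberately truncated copy of the archive to show what a corrupted backup looks like before you need it. The sample site content is constructed; a real run would point it at the live site tree and include a fresh database dump among the files.

```python
"""Added example (not from the original post): back up a site directory with a
SHA-256 manifest, then prove the backup restores by extracting it into a scratch
directory and checking every file. The sample site content is constructed."""
import hashlib
import io
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_dir, archive_path):
    """Tar+gzip every file under site_dir; return {relative path: sha256} and
    store the same manifest inside the archive as MANIFEST.json."""
    site_dir = Path(site_dir)
    manifest = {p.relative_to(site_dir).as_posix(): sha256_file(p)
                for p in sorted(site_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive_path, "w:gz") as tar:
        for rel in manifest:
            tar.add(site_dir / rel, arcname=rel)
        data = json.dumps(manifest, indent=1).encode()
        info = tarfile.TarInfo("MANIFEST.json")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return manifest


def verify_restore(archive_path, expected):
    """Restore into a scratch directory and compare each file with the manifest.
    Returns a list of problems; an empty list means the backup is usable."""
    problems = []
    # Newer Pythons support extraction filters; use the safe one where available.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive_path, "r:gz") as tar:
                tar.extractall(scratch, **extract_opts)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            return ["archive unreadable: %s" % exc]
        for rel, digest in expected.items():
            restored = Path(scratch) / rel
            if not restored.is_file():
                problems.append("missing: " + rel)
            elif sha256_file(restored) != digest:
                problems.append("corrupted: " + rel)
    return problems


SAMPLE_SITE = {  # constructed stand-in for a real site tree plus a database dump
    "index.html": b"<h1>Welcome</h1>",
    "config.php": b"<?php /* database credentials live here */",
    "uploads/2019/photo.jpg": b"\xff\xd8\xff" + bytes(range(256)) * 8,
    "db/site.sql": b"INSERT INTO users VALUES ('admin', '<hash>');\n",
}


def build_sample_site(root):
    for rel, body in SAMPLE_SITE.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)


def run_check(truncate=False):
    """Back up the sample site, optionally cut the archive in half (a stand-in
    for a corrupted backup file), then test-restore it."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "site"
        build_sample_site(site)
        archive = Path(work) / "site-backup.tar.gz"
        manifest = make_backup(site, archive)
        if truncate:
            data = archive.read_bytes()
            archive.write_bytes(data[: len(data) // 2])
        return verify_restore(archive, manifest)


if __name__ == "__main__":
    print("intact backup:   ", run_check() or "OK")
    print("truncated backup:", run_check(truncate=True))
```

The manifest is what turns “the file exists” into “the file is intact”; keep it with the archive (it is also stored inside it) and run verify_restore on a schedule, so a backup job that has started producing bad archives is noticed long before the day you need one.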
Since we are on the subject of securing your website, I would like to suggest a couple of recommendations that require thought, cost and planning to implement but are well worth the effort.
- I recommend that your website only supports HTTPS, not HTTP: every plain HTTP request should be redirected to the HTTPS version of the page. HTTPS encrypts the traffic between your website and your visitors. This is very important for the admin login in particular: if you log in over plain HTTP from a public network such as free or hotel wifi, anyone on that network can read your password. To provide a bit of encouragement in looking at HTTPS, Google has recommended using HTTPS and talk in the SEO world is that Google will prioritize websites that only support HTTPS in their search results – enough said.
- Consider using a service such as Cloudflare that sits in front of your website and helps protect it from attacks. Cloudflare provides a “Web Application Firewall” or “WAF”, which filters attacks from the Internet before they reach your website. One caveat: such a service only protects you if your web server accepts traffic solely from the service. If an attacker discovers your server’s real address they can bypass the WAF entirely, so ask your hosting provider to restrict direct access accordingly. Another WAF option to consider, if your website is using WordPress, is Wordfence, which provides a security plugin for your website. I have not used this plugin myself as I use Cloudflare but it looks interesting. NOTE: I receive no benefit from Cloudflare or Wordfence in mentioning them. I use Cloudflare and a person I highly respect in the IT security sector recommended looking at Wordfence.
- Look at a monitoring service to alert you if your website is under attack, or if its files change without your knowledge – the little bit of warning you get will allow you to alert your hosting provider, who may be able to stop the attack.
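A quick way to check the hardening and HTTPS points from the two lists above, as an added example that is not part of the original post: the function below audits a single HTTP response for software versions announced in headers, a missing redirect from plain HTTP to HTTPS, a missing or short Strict-Transport-Security header, and an exposed directory listing. The responses it is run on are constructed; in practice you would paste in the headers returned by curl -sI for your own site. The one-year HSTS threshold is my choice.

```python
"""Added example (not from the original post): a small audit of one HTTP response
for the hardening and HTTPS points above. The responses below are constructed;
feed it real ones from `curl -sI` output. Thresholds are my own choices."""
import re

VERSION_RE = re.compile(r"\d+\.\d+")   # e.g. "Apache/2.4.29", "nginx/1.14.0"
HSTS_MIN_AGE = 31536000                # one year, a commonly recommended minimum


def audit_response(scheme, status, headers, body=""):
    """Return a list of findings for a response to a request made over `scheme`
    ("http" or "https"). `headers` is a dict; names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # 1. Don't advertise software versions: they let attackers pick exploits quickly.
    server = h.get("server", "")
    if VERSION_RE.search(server):
        findings.append("Server header reveals a version: %r" % server)
    if "x-powered-by" in h:
        findings.append("X-Powered-By reveals the application stack: %r" % h["x-powered-by"])

    # 2. HTTPS only: plain HTTP must redirect to HTTPS, and HTTPS must send HSTS.
    if scheme == "http":
        location = h.get("location", "")
        if status not in (301, 308) or not location.lower().startswith("https://"):
            findings.append("plain HTTP is served instead of redirecting to HTTPS")
    else:
        m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
        if not m or int(m.group(1)) < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security missing or max-age below %d" % HSTS_MIN_AGE)

    # 3. Directory listings expose uploads, backups and plugin files by name.
    if re.search(r"<title>\s*Index of /", body, re.IGNORECASE):
        findings.append("directory listing is enabled")
    return findings


# Constructed responses: what an unhardened server and a hardened one typically send.
WEAK_HTTP = ("http", 200,
             {"Server": "Apache/2.4.29 (Ubuntu)", "X-Powered-By": "PHP/5.6.40"},
             "<html><head><title>Index of /uploads</title></head></html>")
WEAK_HTTPS = ("https", 200, {"Server": "nginx/1.14.0"}, "<html></html>")
HARDENED_HTTP = ("http", 301, {"Server": "Apache", "Location": "https://example.com/"}, "")
HARDENED_HTTPS = ("https", 200,
                  {"Server": "Apache",
                   "Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
                  "<html><body>Welcome</body></html>")

if __name__ == "__main__":
    for name, resp in [("weak http", WEAK_HTTP), ("weak https", WEAK_HTTPS),
                       ("hardened http", HARDENED_HTTP), ("hardened https", HARDENED_HTTPS)]:
        print(name, "->", audit_response(*resp) or "no findings")
```

An empty list from both the http and https responses for your site is the minimum to expect from a provider who says the server is hardened; each finding is a concrete thing to ask them to change.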
If my post has sparked your interest in improving your business’s IT security then have a look at this post: Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses
Benefits of Team Building Activities at Work
Off-site team building events are recognised in my businesses as pivotal to keeping staff focused, productive and happy in the workplace. The change of routine also encourages employees to unwind and learn more about their work peers. You may not want to know this statistic, but on average workers spend over 13 years of their life working. That fact may depress some of you and motivate others, largely because of the different personalities we spend so much of that time with in the workplace.
A day out of the office with management and colleagues can be fun and provide other benefits. Team building activities for work have been proven to encourage better communication and lift productivity.
Here’s another interesting opinion: did you know experts say there are only five basic personality traits from which 16 personality types are derived? The ‘five-factor’ model gives you insight into your staff’s personality types, their strengths and weaknesses, and how they perform in teams. It’s worth researching the basic personality types of your staff before witnessing how they get on together during a group event.
Benefits of Regular Team Building Exercises
Get to know the different personalities in your office
Employees are not robots, and they react in their own way to change and how they interact with their colleagues and management.
How a team member deals with challenges and a new environment will reveal more of their personality. Using an offsite location for team building will encourage more openness and separate the leaders from the followers among your staff.
Increasing productivity and motivation
The camaraderie among workmates increases productivity as well as fostering individual performance. Self-confidence and feeling at ease in the company of other people will lift overall company output and future-proof the business as a strong competitor.
Working in a team means everyone has to deal with personal and opinion differences. And that is the reason why effective communication is critical. Not every worker has a friendly or outgoing personality, and this is something that needs to be acknowledged. Some people are shy and timid, while others are naturally extroverted.
A team-building activity is one of the best ways to break down these barriers and gaps in communication. Team building involves games and other recreational activities that push everyone to connect on a deeper level. It is one of the simplest ways to get everyone talking and to align their outlook with the values of the company.
As such, when staff return to work there will be less reluctance to share opinions openly, and that transparency speeds up the identification of issues that need resolving, improving overall productivity.
Reinforcing a positive work culture
We all need to know how we perform outside our comfort zone, yet most of us shy away from putting ourselves to the test. When the team day out is ‘work’, with attendance compulsory, there’s no way out, so we look for commonality and familiarity and find our group culture. Plus there’s time to work on the goals and vision of the company with the whole team together. On returning to the workplace, the renewed energy among the workers, even the more introverted personality types who are expressing their emotions more freely, is proof that these days offsite are good for business.
There’s little doubt that happy and satisfied staff are the foundation of every successful business, and investing in regular company-wide team building is a low-risk strategy for a positive work culture.
Start the new year with an offsite activity or event, so your workers can come together, share their holiday experiences and reignite their focus on their job and how your business will meet its targets.
3 Terrific Niche Brands To Watch In 2020
Some successful businesses operate in very crowded marketplaces. For example, Amazon’s offering is as broad and deep as the river it borrows its name from – and since it isn’t the only operator in the online shopping stakes, it has differentiated itself through the speed of delivery and responsive customer service.
At the opposite end of the scale are organisations that are incredibly specialist in their offerings, with USPs (Unique Selling Propositions) founded on products and services that are niche and in a league of their own, i.e. without competitors.
However, to survive in business, niche operators have to strike a fine balance between adapting their range sufficiently to cater to changing tastes and diluting their offerings so much that they can no longer claim a different category or point of difference, i.e. they are now regarded as generalists.
There are specialists who manage this balancing act brilliantly, so if you’re in the same boat with a niche business, you can learn a thing or two from the successes of proven brands. With that in mind, here are three terrific niche brands to watch in 2020.
Few people of Scottish extraction can hear ‘the skirl of the pipes’ without the hairs on the back of their necks standing up and the blood surging furiously around their tartan hearts.
And don’t forget that it’s not just people in Scotland who love bagpipe music – there are bagpipers in immigrant communities of Scots all around the world.
Scottish music specialists McCallum Bagpipes are more than happy to serve this niche market with the beautiful artisan pipes they craft in their Kilmarnock factory before shipping them far and wide.
With an informative website, snazzy showroom and modern manufacturing techniques, this is one traditional business that’s moved with the times.
In any industry, technological advances and changing tastes mean that some products inevitably become obsolete. However, the gentleman’s fashion accessories gurus Albert Thurston have bucked the trend and kept their products in demand, because their braces and sock suspenders have provenance. Consumers want to be associated with a brand that has been proudly manufacturing quality garments since 1820.
Albert Thurston is enjoying a resurgence, perhaps thanks in part to the plethora of retro TV shows and longstanding movie series regularly hitting small and silver screens. If you happen to be a fan of Peaky Blinders or James Bond and you believe that classic accessories never go out of style, you’re probably a dedicated follower of this type of heritage brand.
When canny Scotsman James Ormiston first started selling spring wire for wigs and corsets in London in 1793, he surely couldn’t have predicted that today, wire specialists Ormiston Wire would still be thriving as an innovative family-owned business.
Wigs aren’t part of their current product offering, but this age-old business has survived by diversifying into everything from catenary wire for architectural installations to the fine wire for TV puppets. Through adapting the same core material to the needs of diverse markets, Ormiston has steered a steady ship for generations.
Take a leaf from the business books of these three brands and your own startup might still be serving customers a couple of centuries from now – with the right approach, carving yourself a niche can still be a recipe for success.
That’s our list! There are many more successful brands that stay true to their category and avoid diversifying as a catch-all strategy to grow sales and revenue. Staying niche and small is often a better strategy for the longevity of a brand. Share your own niche business advice in the comments section.
Why Gold: Our Top 3 Tips
Gold has always been popular and it’s where many investors today put their money during tough economic times. In fact, if you see the price of gold going up dramatically it could be an indication of tough times ahead.
Buying and selling gold is a favourite pastime of hobbyists, and of course it’s also a business, with thousands of product and service suppliers around the world making their living through their expertise in dealing in the precious metal.
So if you’re keen to invest in gold, you’ll need to know the ins and outs and not get too carried away with the romance of it all. It’s easy to lose your hard-earned funds through ignorance and bad investment strategies.
Investing in gold over the long term is considered a low-risk strategy, so it’s not going to get you rich quick. Here are some tips before you dip your toe in the yellow stuff.
Investment Risk Profile
Seek first to understand, then to be understood, as Dr Stephen Covey says in his ‘7 Habits of Highly Effective People’.
Wherever you start out, seek to learn first and take action second. Your goal is to learn all you can about your investment risk profile, which is essentially the trade-off of risk versus profit. Once you know whether you’re high, medium or low risk you can then take the appropriate steps to invest.
Many investors that prefer other asset classes like real estate also invest in gold and shares. Real estate investing also has its low-risk and high-risk strategies, so if you’re already a real estate investor you’ve got some transferable skills and you’ll be aware of your underlying risk profile. You’ll also know that to do well in any investment or business it takes time, lots of it.
The saying ‘an overnight success takes 10 years’ is spot on. There really is a sequence of events, and even though we can learn from the mistakes of others, it actually takes time to learn of the mistakes of others! So hold back, don’t naively jump in and take unnecessary risks.
There’s another saying: if it sounds too good to be true, it is.
Like any industry and business, there are always scammers and rogue buyers to watch out for. You’ll want to know how to safely buy and sell gold. There are some interesting stories online about scammers and foul play; it’s heartbreaking to learn of others’ misfortunes, but there’s a lesson in it for you. Knowing the types of scams and cyberattacks is all part of lowering the risk to you and your investments.
Look Before You Cross The Road
It may be an odd title for this section, but there’s a reason for it. Too often fools rush in before they’re ready, so research, read books, join discussion forums, sign up for newsletters: you need to do the lot. Plus you’ll need to get professional advice from your investment advisor, lawyer and accountant.
Remember you can never know too much about an industry, especially when you’re investing in it, and the learning never stops. There are always new strategies and different conditions that can make or break economies, and living in a global economy as we all do today means we can be forewarned by events before they actually hit us in the pocket. That’s why you’ve always got to stay on top of your game.