The advice provided in this article is based on real-world experience of having an income-producing website hacked – namely my own website.
In this post, I will reveal how the baddies got in, what actions I took to restore my website, the assumptions I had around responsibilities (which turned out to be wrong), how much the attack cost my business and, finally, something for you: a checklist that you can use to review your own website's security right now.
If you don't care about my wonderful tale of website hackery and just want the checklist, then scroll down to the bottom and read the “Website Security Checklist” section.
But! You will be missing out on a great story 🙂
How My Website Was Hacked
About 7 years ago my website was tracking quite nicely with 30,000 unique visits per month in a niche market, and revenue from advertising was good and growing. It was about this time that I decided to offer a new service to the website visitors to encourage them to stay longer on the website.
I asked the web developer, a contractor living in another country who did odd jobs when work was needed, to locate a suitable plugin for the website. So off he went and located a plugin that seemed to offer all that I needed and, even better, it was free!
So, the web developer downloaded the plugin, installed it on the production website and off I went promoting the new features to my website visitors.
Now, some of you will already be shaking your heads at what I did, and believe me, I am too as I write this. It's important to note that I was not in the IT security sector at that time and did not have any idea (nor care, because hackers only target big websites, right?) of IT security in general – like most small to medium business owners.
The plugin was fantastic and kept a high proportion of visitors on the website for much longer – until, of course, the website got hacked, and hacked good.
There is nothing worse for a business owner than having your “shop” broken into and “products” stolen or damaged, and that's what happened to me.
How did it happen?
In summary, and without going technical on you, the plugin was riddled with security vulnerabilities big enough to drive a virtual bus through. The plugin developer had no clue how to write secure code, and every hacker knew it. I found out later that my web developer didn't have a clue either.
The worst part is that most plugins inject meta-data into the website HTML when a web page is visited, so all the hackers need to do is search Google for that meta-data “signature” and instantly a list of websites running that plugin will be shown.
Once a vulnerability is discovered in the plugin, that meta-data “signature” helps them locate all the websites running it, as mentioned above. You can try this out yourself with a simple search such as “[plugin name] vulnerabilities” or “[plugin name] exploits”.
Out of those results you will end up navigating to a website that provides a step-by-step guide on how to exploit whatever vulnerability the software contains. This is how 11-year-old kids with no training in hacking can successfully hack a website – they are provided with a “dummies guide” how-to for free!
In the case of the plugin installed on my website, it was one URL with some extra text at the end of it – a “SQL injection attack” that resulted in resetting the admin password of the software running the plugin.
That’s right, the admin account that manages the entire website could be reset to whatever the hacker wanted with one URL call to my website!
Thanks to the plugin a hacker had admin access to my entire website with one URL call.
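To show the defender's side of the one-URL password reset described above, here is an added example (not code from the original post or from the plugin in question) using Python and SQLite: the vulnerable pattern pastes the reset token from the URL straight into the SQL text, while the hardened version passes it as a bound parameter. The table layout, column names, token values and the hash strings are constructed for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a minimal users table of the kind a plugin might
    keep, with a per-user password-reset token (all values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT,"
        " password_hash TEXT, reset_token TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role, password_hash, reset_token) VALUES (?, ?, ?, ?)",
        [
            ("admin", "admin", "hash-admin-original", "tok-admin-7f3c"),
            ("alice", "editor", "hash-alice-original", "tok-alice-9b1e"),
        ],
    )
    conn.commit()
    return conn


def reset_password_vulnerable(conn: sqlite3.Connection, token: str, new_hash: str) -> int:
    """The bug class behind 'one URL call resets the admin password': the token
    taken from the query string becomes part of the SQL text, so SQL syntax in
    the token changes the meaning of the WHERE clause. Returns rows updated."""
    sql = (
        f"UPDATE users SET password_hash = '{new_hash}' "
        f"WHERE reset_token = '{token}'"
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def reset_password_hardened(conn: sqlite3.Connection, token: str, new_hash: str) -> int:
    """Fix: the token is sent as a bound parameter, so whatever it contains is
    compared as plain data and never interpreted as SQL. Returns rows updated."""
    cur = conn.execute(
        "UPDATE users SET password_hash = ? WHERE reset_token = ?",
        (new_hash, token),
    )
    conn.commit()
    return cur.rowcount


def password_hash_for(conn: sqlite3.Connection, name: str) -> str:
    """Helper for checking which accounts a reset actually touched."""
    return conn.execute(
        "SELECT password_hash FROM users WHERE name = ?", (name,)
    ).fetchone()[0]


# A token value that matches no real token but is valid SQL text: the textbook
# always-true comparison. The hardened function treats it as an unknown token.
MALFORMED_TOKEN = "' OR '1'='1"

if __name__ == "__main__":
    vulnerable_db = make_db()
    n = reset_password_vulnerable(vulnerable_db, MALFORMED_TOKEN, "hash-attacker")
    print(f"vulnerable: {n} account(s) reset, admin hash is now "
          f"{password_hash_for(vulnerable_db, 'admin')}")

    hardened_db = make_db()
    n = reset_password_hardened(hardened_db, MALFORMED_TOKEN, "hash-attacker")
    print(f"hardened: {n} account(s) reset, admin hash is still "
          f"{password_hash_for(hardened_db, 'admin')}")
```

The point for a site owner reviewing a plugin is the second function: any code that builds SQL by string concatenation from request data is the pattern to have replaced.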
The hacker was not a simple 11-year-old script kiddie who just wanted to deface the website.
No, this hacker was smarter.
The hacker wanted to remain on the website as long as possible, attempting to infect as many visitors as possible. To achieve this the hacker did the following:
- Uploaded hacker tools to allow additional backdoors to be added to the site, just in case the original vulnerability used to gain control of the website was discovered and fixed.
- Downloaded the accounts of all the users to: 1) attempt to brute force the encrypted passwords (that failed since the encryption was strong) and 2) grab all the email addresses to sell to spammers.
In fact, he was so good that it took a couple of website visitors complaining to us that every time they went to our site their web browser would crash for us to notice anything at all.
When I investigated, I knew something wasn't right, so I rang the hosting provider, who had a look and confirmed that the website had been hacked.
I rang the web developer only to find out that he was off on a 4-week holiday and had not bothered to tell me.
Thanks for that.
I then went back to the hosting provider and asked them for help, but they could only provide assistance in a few days, not right at that moment.
What to do?
The first thing I did was shut down the website, then email all the users informing them of the attack. I rang the advertisers and told each of them personally about the attack and how I was going to refund existing payments.
Next, I was lucky enough to know another web developer, based locally, whom I trusted. I contacted him and, after having a look over the website, he concluded that it was better to roll back to the last backup than risk missing one of the hacker's backdoors.
Excellent – that’s great news!
Except, when attempting to roll back, we found the last 6 months of backups were corrupted! Finally, we located a backup that was not corrupted and rolled back the website to what it was 7 months ago.
This meant that my website was now missing 7 months of content!
Of course, this caused me a world of pain, with issues such as: dead links back to my website, loss of 6 months' worth of banner statistics for my advertisers, loss of trust with my visitors and advertisers, loss of revenue through refunds, and the cost of the web developer helping me to roll back and secure the site.
Finally, when the dust settled and I was back online taking stock of the whole event, the web developer who had installed the plugin contacted me to touch base. After telling him what he had missed and listening to blank silence on his end, I asked him for his thoughts.
“So, do you want me to install the latest version of the plugin?”
Website Security Checklist
Below is a website checklist that I hope you will find value in using.
The checklist is based on the lessons learned from when my website was hacked. The checklist is aimed at the business owner who is not technical and relies on third parties to help manage their business website.
- Patch, Patch and Patch – ensure that someone is responsible for keeping your website software up to date with patches. Make sure you have written confirmation from that person (people's memory of who is responsible for what seems to magically change when an attack occurs). Also ensure that your hosting provider has a patching policy and that the web server your website is hosted on is patched frequently. Ask for the patching schedule and patching policy. If they don't have a schedule or policy, then it's time to look for a new hosting provider.
- Review existing plugins – if you have installed plugins on your website, then review each one and have a good hard think about whether you need the features offered. Every plugin you install increases the chances of a vulnerability entering your website. The plugin might be secure now, but that can change with each plugin update. You can also apply this review to any other software you have installed that provides a service to your website.
- Review new plugins or functionality – if you have identified a new piece of functionality you would like to add to your website, such as a plugin, perform some basic research on the software before installing it. Key search terms I use are: “[plugin name] vulnerabilities”, “[plugin name] exploits”. If the search results look alarming, such as discussion about how easy it is to hack, then don't install the plugin.
- Review Website Admin Accounts – who has access to the admin portal(s) of your website? Which admin accounts can be disabled and only activated when needed? For example, the contractor you used 3 years ago for one job probably does not still need access to your website. Are all the admin accounts known to you, and are they still needed? What about FTP accounts? What about SSH accounts? Reset the password on all admin accounts if they have not been changed in years, and make sure it's a strong password. You don't need to force a password reset every month – maybe once a year.
- Check your website backups – create a dummy website and restore a backup to it to test that it works. I know this will be very hard for most of you, but I know from personal experience that if you need to roll back and the backup is corrupted or incomplete, the other options you have will be far more expensive than loading up a test site and testing your backup.
- Have an Incident Response Plan – basically a document that records the contact details of all the people you need to engage when the website is hacked and the steps you are going to take, such as asking the hosting provider to block all incoming traffic. Record the hosting provider's support contact details, including their after-hours support numbers (Tip! Perform a test run by ringing the after-hours line late at night and see how good they are at responding – you may be very surprised at the result!), contact details for the web developers or anyone else who helps manage your website, your clients and any other interested parties. If your website accepts credit cards for payment, then you will also need to contact your acquiring bank and inform them of the breach (read Do I Need To Be PCI Compliant? for an introduction to PCI DSS). In my next post I will provide a basic incident response plan you can use.
- Webserver Hardening – check with your hosting provider that the webserver hosting your website is “hardened”. This means that the hosting provider has tightened up the security of the webserver by, for example, turning off any services that are not needed, changing configurations so the security is better, and a host of other technical things that are important. If the website hosting provider does not know what hardening is or doesn't do it, then it's time to find another provider.
- Software Hardening – if your website software was installed by a third party, check with them that the software has been “hardened”. Just about every piece of software can be “hardened”, as most have default configurations that do not focus on security. As with the hosting provider, if they do not know what “hardening” is, it's time to start searching.
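One way to carry out the “Check your website backups” step above before you go as far as building a dummy site: an added Python example (not the author's own tooling) that restores a plain-SQL dump into a scratch SQLite database, checks that the tables the site depends on are present and populated, and reports a corrupted dump instead of crashing on it. The table names, minimum row counts and the sample dumps are constructed assumptions for the example.

```python
import sqlite3

# Assumption for the example: tables the site cannot live without, and the
# smallest row count that would make a restore believable.
REQUIRED_TABLES = {"users": 1, "posts": 1}


def restore_to_scratch(dump_sql: str) -> sqlite3.Connection:
    """Load a plain-SQL dump into a throwaway in-memory database. A truncated
    or damaged dump raises sqlite3.Error here instead of restoring silently."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(dump_sql)
    return conn


def verify_backup(dump_sql: str, required=REQUIRED_TABLES) -> dict:
    """Restore the dump and check it against the required tables.
    Returns {"ok": bool, "problems": [str, ...], "row_counts": {table: n}}."""
    report = {"ok": False, "problems": [], "row_counts": {}}
    try:
        conn = restore_to_scratch(dump_sql)
    except sqlite3.Error as exc:
        report["problems"].append(f"restore failed: {exc}")
        return report
    try:
        present = {
            row[0]
            for row in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
        }
        for table, min_rows in required.items():
            if table not in present:
                report["problems"].append(f"missing table: {table}")
                continue
            # Table names come from our own REQUIRED_TABLES, not from user input.
            count = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
            report["row_counts"][table] = count
            if count < min_rows:
                report["problems"].append(
                    f"{table}: {count} row(s), expected at least {min_rows}"
                )
        verdict = conn.execute("PRAGMA integrity_check").fetchone()[0]
        if verdict != "ok":
            report["problems"].append(f"integrity_check: {verdict}")
    finally:
        conn.close()
    report["ok"] = not report["problems"]
    return report


# Constructed sample dumps (not real site data).
GOOD_DUMP = """
CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL);
INSERT INTO users VALUES (1, 'owner@example.com');
INSERT INTO posts VALUES (1, 'First post');
INSERT INTO posts VALUES (2, 'Second post');
"""

# The failure mode from the story: a dump cut off part-way through a statement.
TRUNCATED_DUMP = (
    GOOD_DUMP[: GOOD_DUMP.index("INSERT INTO posts VALUES (2")]
    + "INSERT INTO posts VALUES (2, 'Sec"
)

# A dump that loads cleanly but is missing content.
INCOMPLETE_DUMP = "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);"

if __name__ == "__main__":
    for label, dump in (("good", GOOD_DUMP), ("truncated", TRUNCATED_DUMP),
                        ("incomplete", INCOMPLETE_DUMP)):
        result = verify_backup(dump)
        status = "OK" if result["ok"] else "FAIL"
        print(f"{label:10s} {status} {result['row_counts']} {result['problems']}")
```

For a real site the dump would be read from the backup file and the required tables and counts taken from what the live site actually has, so that a backup that "restores" but has lost months of posts is caught as well.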
Since we are on the subject of securing your website, I would like to suggest a couple of recommendations that require thought, cost and planning to implement but are well worth the effort.
- I recommend that your website only supports HTTPS, not HTTP. HTTPS allows the traffic between your website and your visitors to be encrypted. This is very important, especially if you access the admin functions of your website using public networks such as free or hotel wifi. To provide a bit of encouragement in looking at HTTPS, Google has recommended using HTTPS, and talk in the SEO world is that Google will prioritize websites that only support HTTPS in their search results – enough said.
- Consider using a service such as Cloudflare that will sit in front of your website and help protect it from attacks. Cloudflare provides a “Web Application Firewall” or “WAF” which protects your website from attack via the Internet. Another WAF option to consider, if your website is using WordPress, is Wordfence, which provides a security plugin for your website. I have not used this plugin myself as I use Cloudflare, but it looks interesting. NOTE: I receive no benefit from Cloudflare or Wordfence in mentioning them. I use Cloudflare, and a person I highly respect in the IT security sector recommended looking at Wordfence.
- Look at a monitoring service to alert you if your website is under attack – the little bit of warning you get will allow you to alert your hosting provider, who may be able to stop the attack.
If my post has sparked your interest in improving your business's IT security, then have a look at this post: Five Basic (And Cheap!) Tasks That Will Dramatically Improve IT Security For Small Businesses
Why Gold: Our Top 3 Tips
Gold has always been popular, and it's where many investors today put their money during tough economic times. In fact, if you see the price of gold going up dramatically, it could be an indication of tough times ahead.
Buying and selling gold is a favourite pastime of hobbyists, and of course it's also a business, with thousands of product and service suppliers around the world making their way in the business world via their expertise in dealing in the precious metal.
So if you're keen to invest in gold, you'll need to know the ins and outs and not get too carried away with the romance of it all. It's easy to lose your hard-earned funds through ignorance and bad investment strategies.
Investing in gold over the long term is considered a low-risk strategy, so it's not going to get you rich quick. Here are some tips before you dip your toe in the yellow stuff.
Investment Risk Profile
Seek first to understand, then to be understood, as Dr Stephen Covey says in his ‘7 habits of highly successful people’.
Wherever you start out, seek to learn first and take action second. Your goal is to learn all you can about your investment risk profile, which is essentially the trade-off of risk versus profit. Once you know if you're high, medium or low risk, you can then take the appropriate steps to invest.
Many investors that prefer other asset classes like real estate also invest in gold and shares. Real estate investing also has its low-risk and high-risk strategies, so if you're already a real estate investor you've got some transferable skills and you'll be aware of your underlying risk profile. You'll also know that to do well in any investment or business it takes time – lots of it.
The saying that an overnight success takes 10 years is spot on. There really is a sequence of events, and even though we can learn from the mistakes of others, it actually takes time to learn of the mistakes of others! So hold back; don't naively jump in and take unnecessary risks.
There's another saying: if it sounds too good to be true, it is.
Like any industry and business, there are always scammers and rogue buyers to watch out for. You'll want to know how to safely buy and sell gold. There will be some interesting stories online about scammers and foul play, and it's heartbreaking to learn of others' misfortunes, but there's a lesson in it for you. Knowing the types of scams and cyberattacks is all part of lowering the risk to you and your investments.
Look Before You Cross The Road
It may be an odd title for this section, but there's a reason for it. Too often, fools rush in before they're ready, so research, read books, join discussion forums, sign up for newsletters: you need to do the lot. Plus you'll need to get professional advice from your investment advisor, lawyer and accountant.
Remember you can never know too much about an industry, especially when you're investing in it, and learning never stops. There are always new strategies and different conditions that can make or break economies, and living in a global economy as we all do today means we can be forewarned by events before they actually hit us in the pocket, and that's why you've always got to stay on top of your game.
Should I Outsource My Business Back-Office?
Outsourcing is often an excellent time saver and money saver for small and medium businesses. If you're on a tighter budget than larger corporations, you need to find any way you can to run your business efficiently without wasting time or valuable funds. Many smaller companies have less manpower and aren't able to use the resources they need to run a comprehensive enterprise with different departments and employees for each factor of their business. Outsourcing makes it easier to get things done without spending money on permanent employees or expensive solutions. However, you might be wondering whether outsourcing is the right choice for your business.
Outsourcing your business back-office might save you time and money, and there are various other benefits too. Before you look into outsourcing, see how it could benefit your company and the tasks you could outsource for a more efficient operation.
One of the best benefits of outsourcing your business’s back-office is the money you can save. Some businesses start off having one person dedicate all their time to doing one particular task, whether it’s answering the phone or handling invoices. But this can get expensive, and you can’t always afford to pay for a permanent employee who could perhaps be better off doing something else with their time. Outsourcing often makes it cheaper to get things done because it offers a flexible solution. You only pay for what you need, and all the resources required are set up and ready to go.
Another prominent benefit of using outsourcing services is that it can save your business a lot of time. You don’t have to redirect an existing employee to spend all their time completing a particular task, leaving them free to do what you hired them for. You won’t have to spend your time working on back-office tasks when you could be much more useful working on growing your business. You could reduce the need to work constantly on one thing down to a day’s work for your team. For example, some outsourcing services can provide the software and services you need to make it easier to track sales tax or manage your telecoms system.
Protect Your Business
Outsourcing can be vital for some tasks. If you want to ensure that everything runs smoothly and within the law, choosing to outsource can make it much easier. For example, outsourcing human resources, regulatory compliance, or legal work can all help to protect your company. As a small or medium business, you likely can’t afford to have a lawyer employed for you full time or on retainer. Outsourcing any legal issues you need to sort out will make sure you don’t get into any trouble while saving you time and money. Some industries can require a lot of work to ensure your business complies with regulations and standards and outsourcing can help to make it easier.
Access Skilled Workers
Choosing to outsource parts of your back-office gives you immediate access to skilled workers who know what they’re doing. There’s no need to spend time and money recruiting employees and trying to find the perfect match for your company. While you need to get the right outsourcing service, it will come complete with workers who have already been vetted to ensure they can do their job well.
Improve Accuracy and Consistency
Having all those skilled workers at your disposal means that you can ensure excellent quality. The job will get done right the first time, with professional results every time. You can make sure you receive a consistent service too, and you have the benefit of the outsourced service checking its own work to ensure quality. If you’re unhappy with the service you receive, it’s also easier to look for a new outsourcer than it would be to replace an employee.
Outsourcing will often help to make a business more organised and easier to manage. There are many tasks you might struggle to keep organised or that you require members of staff to spend their valuable time completing. With outsourcing, you can get it all sorted out without you or any of your permanent employees having to do anything. You can also ensure you have practical solutions to problems you were previously struggling to work around. For example, if you outsource your accounts, all you need to do is send them all the information they need. You can remain hands-off for the most part.
Is Outsourcing Right for Your Company?
There can be some drawbacks to outsourcing your back-office, so it’s important to decide if it’s right for your business. For example, you might be concerned about other services having access to confidential information or about coordinating services so that you can meet deadlines and targets. You can weigh up the benefits and the potential disadvantages to decide if outsourcing is the right choice. For some tasks, you might prefer to have one person dedicated to your company who can really understand your values and approach.
Back-office Tasks to Outsource
There are many different back-office tasks your business can outsource. It all depends on what sort of support services you need and where you think you could benefit from outsourcing the most. Consider some of these tasks to make the most of outsourcing:
- Accounting – There is a wide range of accounting tasks that can be incredibly time-consuming, where accuracy is essential. Outsourcing makes it much easier to manage.
- Payroll – Managing the taxes and regulations surrounding payroll is easier with outsourcing.
- Social media – Social media is now a prominent form of marketing, but it can be very time-consuming. Outsourcing its management makes it easier to be more responsive to customers.
- Telecommunication – Various telecommunications services can be outsourced to improve customer services and to make your office more organised. Having a service that forwards calls and takes messages is very convenient.
- Content – Content marketing is also a major player in the marketing world today. Outsourcing it saves a lot of time and money on its creation and distribution.
Outsourcing your business back-office can have many benefits to your company. As well as saving time and money, you can improve efficiency and quality within your business.
Why It's Important To Engage An Accountant ASAP When Starting A Business
Many business owners forget about using the services of professionals that could be beneficial to their business such as lawyers and accountants. Instead, they head into the business world at full speed without even a passing thought towards the possibilities that services like this offer. They do this for a few reasons. Arguably one of the major considerations is financial. Business owners can’t help but see an accountant as another paycheck or bill that they need to cover. As well as this, they rarely understand the important role an individual like this can fill in their company. You shouldn’t make the same mistake. Instead, you should learn how an accountant could benefit your company and put it in a stronger position. However, before we look at the benefits, it’s interesting to examine when you should hire an accountant.
Day One Or In Time For Delegation?
There are two options to consider when deciding on the right time to hire an accountant. You can hire from day one at the starting point of your company. This makes a lot of sense as there are many jobs in that first year that will be a lot easier with a trained accountant at your side.
For instance, you will be putting together your business plan, deciding what funds and resources to invest where. An accountant can help you make the right choices here and advise you on how to use your capital in the most effective ways. With access to financial software, an accountant will also be able to help you understand projections about the future of your company. The benefit of getting a service like this early on is that you can avoid making mistakes with financial planning that need to be corrected by an accountant later on. Essentially, an early hire could save you more money in the long run.
An accountant can help you set up your finances the right way. For instance, you may want to think about using cloud-based software to manage your business accounts. Skilled accountants from top firms can set up this software at the beginning. So, as well as having experts monitoring and organizing your accounts, you’ll be able to check on them yourself.
You’ll find that legality and financial issues often collide in your company. As such, usually, accountants and lawyers work together to fulfill your business requirements. There are a number of different business models that you can choose for operations within your company. The legal structure can vary, and an accountant can look at all the options with you to find the most suitable possibility for your business.
Of course, the other option is to begin your business and then choose an accountant when you are ready to delegate. But, as we have shown, this decision is filled with pitfalls. You might find that by the time you’re ready to hand the accounts off to someone else, they are already in a terrible state and need fixing.
Role Of Accountants In Business
We have already mentioned a few of the roles an accountant can have in the early days of your company. They can be involved in everything from setting up accounting technology to choosing the right legal structure, but there are many more.
You might think that it's quite easy to understand whether your company is doing well on the market. Generally speaking, if you're making a profit, you might assume your company is stable. But you could have a number of different outgoings, investments, loans and incomes to try and dissect. Understanding the accounts of a medium-sized business can be complicated. That's why you should use your accountant to help explain the situation to you. This way, you'll understand your true position on the market.
Keeping financial records in order is always going to be important for your business. On a basic level, keeping an accurate history of your finances will make things a lot easier if you decide to sell your company. It’s one of the first factors that potential buyers investigate. Financial records will also be a huge asset during the time of taxation or if you are audited by the government. An audit can be a daunting prospect for new business owners, but with an accountant, it can be relatively pain-free.
However, if you hire an accountant, there's also the possibility that you are never audited in the first place. Various issues cause businesses to get audited. For instance, you might have excessive write-offs or mistakes on your tax returns. With an accountant on your team all year round, these errors should never come into play.
There will be plenty of situations where an accountant could be a fantastic advisor. For instance, you might be deciding whether to buy equipment for your business second hand or brand new. An accountant will be able to walk you through the financial benefits and disadvantages of each choice so that you can make a final informed decision.
One of the main basic advantages of hiring an accountant is that you’ll have more time for other areas of your business. If you’re not delegating finances to an accountant, you could be spending several hours every day on the accounts. This will drag down the efficiency levels in your business model and let’s not forget, you could be making mistakes as well. Eventually, these mistakes will need to be corrected, and that means you’ll need to hire an accountant sooner or later.
Ahead Of The Curve
Finally, an accountant can help you get ahead of financial issues. From day one, you can think about the future of the company and look at financial estimates. Don’t forget, accountants have contacts in the industry that you won’t be able to use. They will be able to examine the financial market for you and use their resources to provide you real-time data so you can make adjustments to your business model. As such, accountants can do more than just keep your business finances in check. They can help your company grow into the future.