How A Business Website Was Hacked And What Happened Next
In this Business Articles blog post, we will reveal how a site recovered from a hack and we have included a Website Security Checklist for your website.
How A Website Was Hacked
About 7 years ago an associate’s website was tracking quite nicely with 30,000 unique visits per month in a niche market, revenue from advertising was good and growing. It was about this time we decided to offer a new service to the website visitors to encourage them to stay longer on the website.
The web developer downloaded the plugin, installed it on the production website, and off they went to promote the new features to their website visitors.
The plugin was fantastic and kept a high proportion of visitors on the website for much longer until the website got hacked – and hacked well.
There is nothing worse for a business owner to have their “shop” broken into and “products” stolen or damaged, and that’s what happened.
How did it happen?
In summary, and without going technical on you, the plugin was riddled with security vulnerabilities big enough to drive a virtual bus through it. The plugin developer had no clue how to write secure code and every hacker knew it.
Installing a plugin with security vulnerabilities
The worst part is that most plugins inject meta-data into the website HTML when a web page is visited so all the hackers need to do is search Google for that meta-data “signature”, and instantly a list of websites running that plugin will be shown.
Once a vulnerability is discovered in the plugin, meta-data “signature” helps them locate all the websites running it, as mentioned above. You can try this out yourself with a simple search such as “vulnerabilities” or “exploits“.
Out of those results, you will navigate to a website that will provide a step-by-step guide on exploiting whatever vulnerability the software contains. This is how 11-year-old kids with no training in hacking can successfully hack a website – they are provided with a “dummies guide” how-to for free!
In the case of the plugin installed on the website, it was one URL with some extra text at the end of a “SQL injection attack” that resulted in resetting the admin password of the software running the plugin.
The hacker wanted to remain on the website as long as possible, attempting to infect as many visitors as possible. To achieve this, the hacker did the following:
Uploaded hacker tools to allow for additional backdoors to be added to the site just in case the original vulnerability used to gain control of the website was discovered and fixed.
Downloaded the accounts of all the users to 1) attempt to brute force the encrypted passwords (that failed since the encryption was strong) and 2) grab all the email addresses to sell to spammers.
He was so good that it took a couple of website visitors to complain to us that every time they went to the site the web browser would crash.
What to do?
The first thing was to shut down the website and email users, informing them of the attack. Plus, tell the advertisers.
Roll back to the last backup and ensure it has not been compromised.
Website Security Checklist
Below is a website checklist that you should useful. The checklist is based on the lessons learned from when a website got hacked. The checklist is aimed at the business owner who is not technical and relies on third parties to help manage their business website.
Patch, Patch and Patch
Ensure that someone is responsible for keeping your website software up-to-date with patching. Make sure you have written confirmation from that person (people’s memory on who is responsible for what when an attack occurs seems to magically change).
Also, ensure that your hosting provider has a patching policy and that your website’s web server is patched frequently. Ask for the patching schedule and patching policy. If they don’t have a schedule or policy, then it’s time to look for a new hosting provider.
Review existing plugins
If you have installed plugins on your website then review each one and have a good hard think if you need the features offered. Every plugin you install increases the chances of a vulnerability entering your website. The plugin might be secure now but that can change with each update. You can also apply this review to any other software you have installed that provides a service to your website.
Review new plugins or functionality
When you identify a new piece of functionality you would like to add to your website such as a plugin, perform some basic research first on the software before installing it. Key search terms are: ” vulnerabilities”, ” exploits”. If the search results look alarming such as a discussion about how easy it is to hack, then don’t install the plugin.
Review Website Admin Accounts
Who has access to the admin portal(s) of your website?
Which admin accounts can be disabled and only active when needed? For example, the contractor you used 3 years ago for one job probably does not still need access to your website. Are all the admin accounts known to you and are they still needed?
What about FTP accounts?
What about SSH accounts?
Reset the password on all admin accounts if they have not been changed in years, and make sure it’s a strong password. You don’t need to force a password reset every month – maybe once a year.
Check your website backups
Create a dummy website and restore a backup to test that it works. The other options you have will be far more expensive than loading up a test site and testing your backup.
Have an Incident Response Plan
Have a document that records the contact details of all the people you need to engage when the website is hacked and what steps you are going to take, such as asking the hosting provider to block all incoming traffic. Record the hosting provider’s support contact details, including their after-hours support numbers
(Tip! Perform a test run by ringing the after-hours line late at night and see how good they are at responding – you may be very surprised at the result!), contact details for the web developers or anyone else who helps manage your website, your clients and any other interested parties.
If your website accepts credit cards for payment, then you will also need to contact your acquiring bank and inform them of the breach (read Do I Need To Be PCI Compliant? for an introduction into PCI DSS).
Check with your hosting provider that the web server hosting your website is “hardened”. This means that the hosting provider has tightened up the security of the web server such as turning off any services that are not needed, changing configurations so the security is better and a host of other technical things that are important. If the website hosting provider does not know what hardening is or doesn’t do it then it’s time to find another provider.
If your website software was installed by a third-party, check with them that the software has been “hardened”. Just about every piece of software can be “hardened” as most have default configurations that do not focus on security. Like the hosting provider, it’s time to start searching if they do not know what “hardening” is.
Since we are on the subject of securing your website, your website needs to just use HTTPS, not HTTP. HTTPS allows the traffic between your website and your visitors to be encrypted. This is very important, especially if you access the admin functions of your website using public networks such as free or hotel wifi. To provide a bit of encouragement in looking at HTTPS, Google has recommended using HTTPS and talk in the SEO world. This is because Google will prioritize websites that only support HTTPS in their search results – enough said.
Consider using a service such as CloudFlare that will sit in front of your website and help protect it from attacks. Cloud Flare provides a “Web Application Firewall” or “WAF” which protects your website from attack via the Internet.
Look at a monitoring service to alert you if your website is under attack – the little bit of warning you get will allow you to alert your hosting provider who may be able to stop the attack.