Hacked charity websites seem to have been in the news a lot recently. Having your site hacked can be a pretty traumatising experience, and if it’s not quickly fixed it can incur big reputational risks, loss of income and the need to send some really awkward emails to your supporters telling them that their data might have been stolen.
We’re only a small charity, why would anyone want to hack our site?
This is a fairly prevalent ‘security through obscurity’ attitude among charity website owners who are shocked that their sites would be targeted. You didn’t make fun of the North Korean leader, you just help poorly cats. Why would anyone come after you?
It’s a dangerous and misfounded mindset though. The vast majority of internet ‘hacks’ are carried out by automated malicious programmes that browse through the web indiscriminately, looking for any weaknesses. A bit like a thief at night trying everyone’s back door to see if any have been left unlocked.
Since CMS systems like WordPress and Drupal power a lot of websites, these malicious programmes are often written to specifically look for vulnerabilities in the way that WordPress/Drupal sites are installed. Some are ‘brute-force’ attacks – whereby they automatically try lots of password combinations until they stumble upon the right one. Some are looking for the ability to upload malicious files to your web server – because you haven’t ‘locked down’ the file permissions properly.
Can i make my website hackproof?
Erm, no. Sorry. No website is 100% guaranteed hackproof. Major ones like Twitter, Sony and the U.S. Military have all been compromised, and they have much bigger, better firewalls than your cat hospital site. If the CIA or Anonymous are absolutely determined to hack your website, then sooner or later they probably could.
Having said that, it is quite easy to make your charity website hack-proof against 99.9% of the automated malicious scripts we’ve been talking about. This is reasonably straightforward and vitally important to do.
How do I know if my website has been hacked?
In some cases it’s pretty obvious. It will disappear completely or have an ISIS flag on its homepage. Other viruses are much cleverer though. To you, your site may look perfectly normal, but the virus is presenting a corrupted version of it to Google’s search engines – so they see a site filled with links to dodgy pharmaceutical sites for example.
What is the purpose of the hacks?
Some are malicious just for the sake of it. Many want to turn your webserver into part of a big ‘botnet’ – so they have control over a huge number of websites at their disposal. They may try to use your site to send out a load of dodgy emails, or inject a lot of hyperlinks in it (as a general rule of SEO, the more backlinks you have to your website, the higher it will rank in the search engine results. Google has cottoned on to this in recent years, but it’s still a way of getting yor Viagra website to the top of the list – and there’s plenty money to be made as a result.
Most of these questions are specifically about WordPress sites, but the same theory applies to Drupal/Joomla too.
- Do you use the default login url to log in to the Dashboard of your website – i.e. www.yourwebsite.org.uk/wp-login ?
- Is your username ‘admin’ or is there still a user in your system with that name?
- Does your username appear on the site? A common example of this would be a blog post, where underneath it might say ‘Posted by susan’ where ‘susan’ is a link to your other posts. If ‘susan’ is your username to login with, then it shouldn’t appear on the website.
- Is your password a complex one? I hope it isn’t a single word or two without any uppercase letters, numbers or symbols!
- Are you regularly updating your version of WordPress and all its plugins? (even ones which aren’t activated)?
- Do you know what all the plugins on your site do, and if they come from a reputable author who keeps them updated?
If you answered ‘yes’ to questions 1,2 or 3. Or ‘no’ to 4,5 and 6 – then it’s time to take action.
How to protect your site from being hacked
Here’s my quick step guide to hardening your WordPress website against hackers.
- Backup your website first. You have a good backup system, right? I recommend BackupBuddy if not.
- Make sure your installation of WordPress is updated to the latest version, and that all your plugins are too. You’ll need to be logged in as a user with administrator privileges to be able to do this.
- Knowing which are/aren’t good quality plugins is tricky for the non-initiated. If nothing else, check to see if you’ve got one called ‘TimThumb’ installed. That’s known to have had various security vulnerabilities over the years.
- If you’ve got more than 50 plugins ‘enabled’, then that suggests your site is too bloated. You should probably consider have someone audit it. Cleaning out unnecessary plugins will also make your website load a bit quicker. If you know you’re not going to use your ‘Disabled’ ones then delete them.
- Install the Better WP security plugin. It’s free and is widely used and constantly updated. When you first install it, it might give you a bit of a scare about all the potential vulnerabilities it finds. It’s OK to ignore some of them, and indeed some can only really be setup when the site is first installed.
- As a minimum, I’d recommend you implement the following Better WP Security tweaks:
- Hide login area – set it to something memorable like /catslogin if you’re all about cats
- Strong passwords – and get every existing one to upgrade if they’re not complex enough. This will probably be met with some grumbles from your staff, but do it anyway!
- Brute force protection
- System tweaks – I’d tick all the boxes in this section
- 404 Detection
- Finding out your web permissions is a bit trickier. Using a good web host is a good start. Beware super-cheap shared hosting and people like 123-reg, Go Daddy and 1&1.
- Don’t wait until you’ve been hacked to wish you had a backup system. Get one set up today if you haven’t already. It’s best to keep your backups separate from your web site. You can store them in a free Dropbox account for example.
- Sometimes you won’t know your site has been hacked. Set up a Google alert so you can find out if the search engines are being served a malicious version.
That won’t cast-iron guarantee that your site won’t get hacked – assurances like that are impossible to provide. However it makes it extremely unlikely that your site will fall victim to any opportunistic hacking scripts. Without knowing the technical details of the charity website hacks mentioned in the opening paragraph, I’m fairly sure that taking the steps outlined here would have prevented the sites being compromised.
So – no more excuses or burying your head in the virtual sand. Investing an hour or so in following the steps above could save your charity and its reputation from untold damage. Time to lock down your doors!