Top 7 Mistakes Organizations Make When Their Website is Defaced

It’s easy to slip into panic mode when your website is hacked.

There are plenty of articles and “how-to’s” on securing your site to protect it from being hacked, but what if your organization’s website has already been hacked or defaced – or worse – has been compromised multiple times? This is a very real problem in today’s internet landscape. Unfortunately, it’s not always handled well.

First, you need to understand that it’s unlikely that you were directly targeted.  99% of the time, websites are defaced or compromised by automated malware and scripts which scan vast swaths of the internet looking for easy targets.  Knowing this, it’s not so hard to protect yourself from further intrusions.

  1. Fail to Erase and Restore the Whole Site
    If your site has been hacked, it’s quite possible that the intruder has injected malicious code within the website.  By leaving the website in place and trying to fix it manually by editing what’s there, you risk having the site defaced again or used as a bridgehead to infect other websites.  Your first order of business should be having your web host erase and restore the whole website from the last backup.  Even if you lose some data, it’s still worth not having to deal with malware embedded in the site.
  2. Lock Down The Site in “Read-Only” Mode
    This is often a knee-jerk reaction to having a site hacked, but it’s far from a sustainable solution.  It may prevent further compromises of your site, but in the meantime the site is virtually unusable.  This should only be entertained as a temporary stop-gap measure.
  3. Fail to Change Passwords
    You may think that your password is secure, but if someone’s already been inside, it’s possible they might have gleaned it by looking at configuration files or the database.  You’re best off changing it immediately.
  4. Fail to Install Security Updates
    Your website is restored and back to the way it was and the passwords are changed.  Everything’s peachy now, right?  Not so much.  Chances are that it’s a software vulnerability that was used to gain unauthorized access to your site.  If you don’t patch that hole, someone (maybe even the same person) will exploit it again.  It’s critical that everything from top to bottom has the latest security updates, including:
    - Your website’s content management software (e.g. WordPress, Drupal, etc.) and all its plugins
    - The underlying software that runs the web server (e.g. PHP, Apache, Nginx, Ruby, MySQL)
    - The operating system of the web server
    In most cases, the first item is your responsibility.  It’s usually easy to do, but it doesn’t always happen automatically.  The second and third items fall to your web hosting provider (assuming you’re not hosting your own web server).  Most worthwhile web hosting providers will be on top of this – installing those security updates ASAP, often without you even knowing it, but some unscrupulous ones might skip them.  If your web hosting provider falls into the latter category, it’s time to say goodbye – they just see you as a passive income stream and are not interested in providing a reliable service.
  5. Fail to Properly Secure The Website
    Yes, it’s a pain to remember complicated passwords, but it’s much more of a pain to deal with the fallout from having your site hacked.  Most web browsers will offer to save your credentials for you, and that’s a much better option than having an easy-to-guess password.  Use a strong password generator such as https://passwordsgenerator.net/.
  6. Fail to Have a Responsible Party
    OK – site’s back up, it’s secure.  We can all go home now, right?  Still no.  Owning a website is not a passive activity.  In addition to posting new content, someone needs to be responsible for making sure the website is secure and up to date.  Automatic updates can’t always be relied upon, and aren’t always an option – especially when it comes to major updates or updates to plugins.  Make sure someone is responsible for logging in regularly – ideally once a month (set a reminder in your calendar!) – and checking to ensure there are no outstanding updates or warnings.  It’s something that can easily fall off the radar as people’s roles change and people leave the organization – don’t let this slip!
  7. Continuing to Run Outmoded/Out-of-support Software
    This goes hand-in-hand with installing security updates, and can often be overlooked if time and resources are short.  Some software is released in cascading “branches” or “major versions”, where security updates may be provided in parallel to multiple major versions, enabling vendors to fix security holes in older software without fundamentally changing how it works.  As major versions age, eventually updates will stop being released for them.  If you’re running an older major version of a given piece of software (or an abandoned, unsupported piece of software), those updates will eventually stop coming, leaving you vulnerable.  Once a year, you should be looking at the software you’re using and figuring out how many years you have left before you need to replace it.  Software vendors will often publish this information on their website.

If you find yourself in this situation and need some help, give us a call.  We can help to put your website back the way it was, help you to secure it properly and put processes in place so it doesn’t happen again.  Call (226) 456-0741 or email jamie@praxica.ca.