Could your website get hacked without your knowledge? Here’s how to prevent it

You may believe that your website is not likely to get hacked – after all, what would they have to gain from it?

Contrary to common belief, smaller websites are much easier to hack than high-budget, corporate websites as they have less “defenses,” which makes it an easy target for automated scripts (“bots”) to scour the web and find security holes to exploit.

This requires little time investment from the hackers, as their bots can automatically crawl the web, targeting unwary websites.

For example, a client of ours in the construction industry approached us after their website was hacked. Their web developer was on holiday in Bali and couldn’t be contacted – all the while, their website was redirecting visitors to pornographic content.

After this client approached us, we immediately looked into the code and sure enough – it was a standard website hack performed by a script. The bot had found a security hole and injected code to redirect their navigation menu to a pornographic website.

This wasn’t obvious because the hack only affected the mobile version of the website. The website’s owners could go about their day-to-day maintenance on their desktops, while being unaware that their customers who were visiting via mobile, were getting redirected to pornographic content.

Another common exploit is when your website’s Google Search Engine Results gets hacked to show either irrelevant content (e.g. in another language) or have your snippet refer to porn references.

When this happens, Google will blacklist your website on a shared database (so it gets blocked not just on Google, but on all the other websites that share this database), effectively blocking all users from entering. See the image above for an example of how Google will treat your website if they believe your website was hacked.

This can damage your company in a manner of different ways, with the most obvious one being damage to your brand’s reputation. When current or new customers see this, they may decide to visit a competitor’s website instead.

Another factor to consider is that these smaller hacks can lead up to a much bigger one, as each of these can create another security hole to be exploited.

These are just a few examples of the many kinds of hacks that can damage your website and your company’s reputation. You’ve invested many hours and dollars to build your online presence and customer base – the last thing you want is to have a hacker ruin all your efforts by redirecting your online visitors to irrelevant content or even worse, a pornographic website.

Furthermore, these hacks often occur without the knowledge of the website owners – like how our construction client’s website was hacked only on its mobile version.

Being a business owner myself, I understand the vast amounts of tasks that need to be handled everyday to run a business smoothly, but dabbling in the technical details of web security is probably not one of your priorities.

This is one of the major reasons why we began specialising in web security over 10 years ago – so we could provide peace of mind for our clients for all things regarding the online space, including hack-proofing your website.

How does my website become a target for hackers?

Typically, most websites are made up of several different pieces of software interacting together. For example, if you have a WordPress website, you may have a number of plugins that help you run your day-to-day requirements. Each of these plugins is a piece of software that could potentially be hacked if an exploit is found, or if you have not kept these updated to the latest versions.

The scripts used by hackers crawl the web, looking for specific outdated or exploitable software. If they find your website outdated and exploitable, they will inject code to make your website do other malicious or undesirable things – often without your knowledge.

I have found that this is the most common way websites get hacked. It is a very impersonal and calculated method that is relatively easy to prevent by taking the correct measures.

This is why it is critically important that you keep your software up-to-date and have a “disaster recovery” plan (such as keeping your important files backed up elsewhere and creating regular backups of your website).

“But I have a great web designer who can fix these issues, why do I need your help?”

While your web designer or developer may be very good at creating websites – security is a specialist area that requires years of study and experience, separate from the act of creating the website itself.

For example, even if your web developer is able to clean up the damage done by the hacker, if they fail to identify the security hole that caused the hack in the first place, you will often see the same hack occur again.

This is how these bots are designed – they will come back to your website to check if the security hole has not been patched up. If it hasn’t, they will simply apply the same exploit again. It could take weeks before your website gets fixed. By then, the damage is already done to your reputation and you may have lost a significant amount of customers.

This is why we strongly advocate the importance of experience in web security and ability to work quickly to patch things up. The sooner you are able to fix up the exploitable code, the less damage done to your website and brand reputation.

Here’s a real life example of a why time is a critical factor when recovering from a hack:

A client of ours contacted us about a hack that happened during a very busy time, where thousands of people were visiting their website. The client contacted us on 5pm Friday and we were able to solve the issue by 7pm. By acting quickly, we were able help this particular client to minimize the damage done to their company reputation. Had we taken longer (e.g. the full weekend) this particular client may have suffered significant losses in customers, due to this hack.

What steps can I take to protect my website?

At the most basic level, I would suggest making sure that your website’s software / plugins are all updated to their latest versions. You should also create automatic backups of your website on a regular basis, so you have something to fall back on, if your website does get hacked.

However the best recommendation we can give is to take a proactive and preventative approach to web security. Most clients that come to us already have their websites hacked. While we do our best to clean up the hack as quickly as possible, there is always some amount of damage done, as we are working on the issue after-the-fact.

Because of this, if you are concerned about the security of your website, I encourage you to get in touch with us. We won’t push our products or services onto you – we just want to have a genuine and open conversation about the potential security issues your website may have and the steps you can take to patch up these holes.