
Your website’s been hacked. Now what?

It’s Monday morning. You sit at your desk, hot coffee in hand, ready to kick off another work week. You turn on your computer, full of plans for the day…and discover your website’s been hacked.

Uh oh. As a purpose-driven entrepreneur, you’re furthering a mission you believe in, and setbacks like this can be frustrating–not to mention bad for business.

Now what?

Roughly 30,000 websites are hacked, on average, each day. Whether it’s via remote code execution, cross-site scripting, conditional redirects, malware, or any of the seemingly countless other ways, finding out you’ve been hacked can be downright panic-inducing. The response? Preparation. Be prepared to defend against your website being compromised, even before it happens.

Prevention begins with you

Every website needs a solid backup plan. A good place to start is with daily file system and database backups, which you can scale back to once a week or so if your site isn’t updated often or doesn’t involve e-commerce. On the other hand, if you frequently add content or process large numbers of orders each day, you should consider backing it up more than once a day. To avoid tampering, backups should be stored remotely, on a separate server.
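A concrete form of that backup routine, as an added example rather than a Pollen Brands script: it archives the site files together with a database dump, writes a SHA-256 checksum so a tampered or truncated copy can be caught before you rely on it, copies the result to a separate server, and prunes stale local copies. WEBROOT, BACKUP_DIR, REMOTE, the retention window and the assumption that mysqldump reads its credentials from ~/.my.cnf are all placeholders to adjust for your site.

```shell
#!/bin/sh
# Added example, not a Pollen Brands script: nightly file-system + database
# backup with an integrity checksum, shipped to a separate server.
# WEBROOT, BACKUP_DIR, REMOTE and KEEP_DAYS are assumed values.
set -eu

WEBROOT="${WEBROOT:-/var/www/html}"            # assumed location of the site files
BACKUP_DIR="${BACKUP_DIR:-/var/backups/site}"  # local staging directory
REMOTE="${REMOTE:-backup@backup-host.example:/srv/backups/site}"  # assumed off-box target
KEEP_DAYS="${KEEP_DAYS:-30}"                   # local retention window in days

# Use whichever SHA-256 tool the host provides (GNU coreutils or Perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Dump every database into $1/db.sql. Credentials are read from ~/.my.cnf,
# never passed on the command line, so they do not appear in process listings.
# Skipped silently when mysqldump is not installed (e.g. a static site).
dump_database() {
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction --all-databases > "$1/db.sql"
    fi
}

# make_backup SRC_DIR DEST_DIR: write DEST_DIR/site-<UTC stamp>.tar.gz holding
# SRC_DIR plus the DB dump, and a .sha256 sidecar. Prints the archive path.
make_backup() {
    src="$1"
    dest=$(mkdir -p "$2" && cd "$2" && pwd)   # absolute path for tar -f
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    stage="$dest/stage-$stamp"
    mkdir -p "$stage"
    dump_database "$stage"
    name="site-$stamp.tar.gz"
    # Two -C switches: the dump from the staging dir, the site from its parent dir.
    tar -czf "$dest/$name" -C "$stage" . -C "$(dirname "$src")" "$(basename "$src")"
    rm -rf "$stage"
    ( cd "$dest" && sha256_tool "$name" > "$name.sha256" )
    echo "$dest/$name"
}

# verify_backup ARCHIVE: exit 0 only if the archive still matches its checksum.
verify_backup() {
    dir=$(dirname "$1"); name=$(basename "$1")
    ( cd "$dir" && sha256_tool -c "$name.sha256" >/dev/null 2>&1 )
}

# push_offsite ARCHIVE: copy archive and checksum to a different server over SSH.
# --ignore-existing keeps an already-stored copy from being overwritten if the
# web server is later compromised and its local backups are altered.
push_offsite() {
    rsync -a --ignore-existing "$1" "$1.sha256" "$REMOTE/"
}

# prune_old DIR: delete local archives and sidecars older than KEEP_DAYS.
prune_old() {
    find "$1" -maxdepth 1 -name 'site-*.tar.gz*' -mtime +"$KEEP_DAYS" -exec rm -f {} +
}

main() {
    archive=$(make_backup "$WEBROOT" "$BACKUP_DIR")
    verify_backup "$archive" || { echo "checksum mismatch: $archive" >&2; exit 1; }
    push_offsite "$archive"
    prune_old "$BACKUP_DIR"
}

# Invoke as `backup.sh run` from cron; sourcing the file defines the functions only.
case "${1:-}" in run) main ;; esac
```

Run it from a nightly cron entry on the web server and, separately, restore a copy on a scratch machine now and then: a backup you have never restored from is an untested backup. The checksum sidecar is what tells you, during an incident, whether the copy you are about to restore is the one you made.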

Another thing to keep in mind: if you can easily remember your password, it might also be easy to hack. A password manager like LastPass or Passpack will generate and store longer, more complex passwords for you. Avoid reusing passwords, and avoid building public information about yourself or your company into your password, or even into your username if you can help it.

You’ll also want to stay on top of security updates, and avoid untrustworthy or outdated third-party add-ons. Unless you’ve got a dedicated, reliable server administrator, use a managed hosting service. Most web hosts offer managed services or servers, which means someone will be on hand to help keep your server secure. This isn’t foolproof, but it will help prevent the majority of unsophisticated attacks on your site. There are lots of other tools & tricks to help keep your website safe. Get in touch with us to learn more!

Recover your site without losing your marbles

You wouldn’t start a purpose-driven business without a plan, right? Of course not–but a surprising number of people set up e-commerce websites without a recovery plan! You should have some idea what you’d do if disaster strikes your site.

There are global standards, such as ISO/IEC 27031:2011, which outline concepts and principles for a robust disaster recovery plan “to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions.” This may be a bit much for many small businesses to implement, but a basic disaster recovery plan should at least cover the following:

  1. Defined goals of disaster recovery: Restoring critical systems, such as email or e-commerce.
  2. Personnel: Who’s in charge of the recovery effort, including who’s involved in the more technical aspects of recovery.
  3. Defined backup policies: When to back up your site, how often to do it, what data to back up, et cetera.
  4. Defined procedures: For emergency response, the recovery process, and an alternate or backup site while the original one’s in recovery.
  5. Rebuilding/full recovery contingency plan: Procedures to fully restore or rebuild your site if it’s damaged beyond repair.
  6. Testing process: It’s important to periodically test and evaluate your emergency plan.
  7. Record of changes in plan/system configuration: Any time you make a significant change, your plan should change or be updated to account for it.

Well, now I’m paranoid!

There’s an old saying: ‘you’re not paranoid if they’re actually out to get you.’ Of course, this is somewhat tongue-in-cheek, but the sentiment holds some truth. Hackers are plentiful, and they’re always on the job! The Q1 2016 “Website Hacked Trend Report” from Sucuri details the most affected CMS platforms. Here’s some food for thought from the “CMS Analysis”:

“In most instances, the compromises analyzed had little, if anything, to do with the core of the CMS application itself, but more with improper deployment, configuration, and overall maintenance by the webmasters and their hosts.”

In other words, your prevention work–or lack thereof–can go a long way.

While I sincerely hope this article hasn’t sent you into a panic, I do hope it’s opened your eyes. Planning, proactivity, and preventative measures are likely all you’ll ever need to do, and it’s never too late to start! If you’d like to discuss any of the topics I’ve outlined, or get started protecting your purpose-driven organization’s website, don’t hesitate to reach out. We’re all about helping you accomplish your mission!

All the best,

Jared Daubert and the Pollen Brands team