What to do if your website gets hacked?

Starting a website might seem like an easy job. However, just having a website can create another problem for you if not handled properly from the get-go.

Apart from ensuring that your website is designed to best serve the visitor and to showcase your business in the best light, you also need to make sure the website is secure.

If your website is not secure, this could cause problems for your business and even harm your business reputation.

Of course, there are many types of website attacks, and in this article, we will cover the most important ones.

Here are some website hacking facts to get started:

  • On average, a website gets hacked every 39 seconds
  • Most businesses are not prepared to deal with the damage done
  • 43% of cyber attacks are targeting small businesses

In this article we will go over common attack types, and how to secure your website to ensure you do not fall victim.

How websites get hacked

We’re using the word “hacked” quite loosely here. These are attacks on websites, but not necessarily hacks in all cases.

Website security breaches can be avoided with proactive preventative measures which harden your website’s security. This can save you a ton of money in the long run.

Bad access control

While it can be tempting to set up weaker authorization and access controls so you can log in to your website or control panel easily, this is the downfall of many websites.

Any type of authorization, authentication, or user privileges should be set up to ensure the correct mix between security and convenience. To be safe, you should always lean to the side of security.

Brute-force attacks are very common, and if the username and password for your WordPress website are admin/admin123, attackers will have a very easy time gaining control of your website and possibly causing serious damage to your business.

Applications, Plugins, Themes, and other additions to your website

WordPress is the largest application that comes to mind when it comes to application vulnerabilities.

While WordPress itself is not insecure, it is built to be extendable by plugins and themes. Because of this, there are many plugins that are not secure enough and can allow hackers to damage your website or take control of it.

Even plugins or themes from reputable vendors do, although rarely, face security issues that are quickly patched.

Hackers will usually crawl applications for vulnerabilities. In the case of WordPress specifically, if they manage to find a vulnerability on one website, they’ll likely be able to use the same exploit on many other websites.

Other websites on your hosting account

While shared hosting has grown to isolate hosting accounts from one another so that other hacked accounts cannot affect your account, there is still the risk that another one of your websites can.

With websites hosted on the same shared hosting account (or the same server if not isolated), there is the risk that, depending on the hack, attackers might be able to take control of other websites on the account.

This can happen if they acquire the hosting panel login credentials. However, hacking a single website can also allow them to place additional files on your web host, which can allow them to do more harm to other websites or files on your hosting account.

Due to this, you should never skimp on securing your websites, especially ones you do not actively use.

Third-party Integrations and Services

The last attack vector we’ll mention in this article is third-party services that are connected to your website in one way or another.

These can be services such as Content Delivery Networks – such as in a recent example where Washington Post got hacked – or other services such as social media integrations, among the most popular ones.

When it comes to third-party services, the big problem is that they are beyond your control. Integrating with a third-party service means that you give up – even if just a little bit – control over your website and accept that hacks on their end can affect you just as much.

Any integration with a third-party service should be a calculated risk.

How to repair a hacked website

While unfortunate, hacks happen, and in many cases in the digital world, it’s not a matter of if it will happen, but when it will happen. As such, you need to have measures to restore functionality to your website should your website get attacked.

Backups

The easiest option to recover your website is to restore it to a previous backup, whether that’s the previous day, or a date further in the past. In this case, there is the possibility that you will lose some work you’ve done after the backup.

It is always recommended to have multiple backups of your website. Eltris automatically backs up all data on your hosting account and retains it for 30 days. This means you can restore your website to the state it was 30 days ago.

Note that there might be other harm done that is not covered by the backups, such as your domain being blacklisted for spam by Google or another company.

Scan your website

In many cases, your website might not be beyond redemption, meaning you do not have to resort to restoring a backup.

You can scan your website with a security tool that can provide you with information on the infected files. These can usually be fixed or removed from the account. This requires more technical knowledge and there’s never a guarantee that all files have been taken care of.

How to secure your website

The best measures to secure your website are the ones you take before the hack which will prevent hacks from happening in the future.

If you’ve been hacked in the past, and you’re malware-free now, this is not the end of it.

Did you know that websites that have been hacked in the past are at higher risk of being hacked again?

In many cases, you might’ve spent days cleaning up your website, just for it to be hacked again the next week.

This is why you need to take preventative measures to secure your website.

Access control checks

The right response depends on the hack, but the first thing to look at is access control. To be on the safe side, update all users’ passwords and set up two-factor authentication if you can. This will ensure that admin accounts will not get compromised in the future.

Furthermore, if you are using a hosting control panel, make sure to change the password on that as well and add two-factor authentication if possible.

Software vulnerabilities

This advice is mostly related to those using WordPress and similar applications to run their website – the number of which is pretty high.

Always ensure that your applications are up to date and that all plugins are secure and do not have any known vulnerabilities.

Make sure that your PHP version is not deprecated and that any external code you are using has been vetted and deemed secure.

When it comes to WordPress, Eltris web hosting comes with a tool called WordPress Toolkit that makes securing your WordPress website a breeze. The security of WordPress on cPanel hosting is greater due to how easy it is to apply security measures.

Secure other websites on your hosting account

It goes without saying, you should also ensure that other websites you have are as secure as possible. This is especially true about inactive websites.

Inactive websites are a huge target for hackers – especially WordPress websites. Due to being inactive, the owners do not update them frequently and they become riddled with vulnerabilities.

Make sure to enable auto-updates for your websites if possible to stay up to date with all patches.

Third-party Integrations and Services

Unfortunately, when it comes to third-party services there is not that much you can do to protect yourself.

When you integrate with a third-party service, their security practices are beyond your control.

However, you can always thoroughly vet services before integrating your website with them.

You can even contact their customer support and ask what measures they’re taking to secure their systems.

Conclusion

While you can never be sure that your website is free of vulnerabilities and security issues, you should always aim to take all the measures you can to ensure that the security of your website is as good as it can be.

Good hosting companies such as Eltris provide security tools within the control panel with intuitive interfaces which ensure that anyone can use them and have a higher standard of security.