I’m asked these questions quite often: “Why was my church’s website hacked?” And, “Why would a hacker want to hack my little non-profit WordPress website?”
First of all, if your non-profit-related website has been compromised, try not to take it personally. In my experience at HackRepair.com having worked on thousands of hacked websites over the years, I can tell you that it’s almost never personal.
In this article, I’ll cover the basics of website account security and describe how you can greatly increase the security of your non-profit’s website today. Topics are:
- Why do website hackers hack websites?
- So how do website hackers break into a website’s account?
- Why is segregated website hosting important?
- I update my website password often. Isn’t that enough?
- What should I look for if my website has been compromised?
- What is a backdoor script?
- What are some common website hacking related terms?
- How can I help prevent my website from being hacked?
Why do website hackers hack websites?
Well, believe it or not, hacking websites is big money according to security researchers. Some hackers make more than $80,000 a month.
Church and non-profit websites are often targeted by hackers for a variety of reasons. Some of those reasons are:
- Non-profits are more often maintained by part-time volunteers with limited WordPress expertise.
- Well maintained religious-based websites have better-than-average domain authority, credibility, and readership, which is especially appealing to black-hat SEO hackers.
- Non-profit websites’ donation forms are appealing targets for harvesting credit cards.
So how do website hackers break into a website’s account?
You may think your website is secure because your web designer is reputable and experienced. In my own experience over the past decade over 80% of all the compromised websites I’ve helped clean and secure after being hacked were the result of hackers taking advantage of exploits through either:
- Outdated plugins.
- Outdated themes.
- Or poor “key control.”
The majority of exploited website accounts I’ve encountered were then compromised in one of two ways:
- The hacker either injected files into the website account.
- Or the hacker injected text or code into posts or web pages.
And once hackers have a foothold in a website’s account they rarely give it up easily, often hiding their back-door scripts in various places throughout the hosting account. I’ll cover back-door scripts a bit later.
Why is segregated website hosting important?
There’s a common misunderstanding among website owners about the dangers of hosting multiple websites within a single shared account.
Many people have fallen prey to unlimited shared hosting account services. While on the surface an unlimited shared hosting account seems like an efficient and low-cost way to host multiple websites within a single account, in actuality this type of service is akin to renting office space where all of the internal office doors share the same front door key.
If you are hosting multiple WordPress websites within a shared hosting account, your risk of being compromised is exponentially greater than a website hosting account with a single WordPress installation.
For this reason, segregating each website into its own separate hosting account is an important long-term website security strategy.
I update my website password often. Isn’t that enough?
Now back to my earlier note about poor “key control.” Non-profit organizations, in particular, are susceptible to password “leakage.” Because the roles of volunteers within a non-profit organization may change regularly, both real-world physical security and website password security can be a challenge.
For instance, a single segregated website account may have dozens of sub-passwords, each being a potential entry point for hackers. If you are working to improve your organization’s password management I recommend locating and periodically updating each of the below passwords at least every few months:
- Your web hosting company’s “billing” login password.
- Your web hosting company’s website control panel (cPanel, Plesk, et al.).
- All FTP passwords within your website’s hosting account control panel.
- All WordPress administrative user account passwords.
- Your organization’s social media accounts as well (Twitter, Facebook, et al.).
While reviewing a client’s list of WordPress user accounts, look at what I stumbled upon:
What should I look for if my website has been compromised?
A website hacker’s modus operandi is injecting malicious code or text into files or web pages. This injected code can do any number of things, like redirecting site visitors to other websites; advertising text or links; or harvesting visitor data.
Today’s websites can be a mix of thousands of files. That’s a lot of hiding places to consider when reviewing a compromised website account. And nearly all of these files, from text files to PHP files and even images, may harbor malicious code.
Hacker files or code injections most often fall into one of three categories:
- Backdoor PHP scripts.
- Malicious text or code injected into legitimate files or databases.
- Or a combination of backdoor and malicious text or code injections.
When reviewing a recently hacked website I always start by sorting the directories and files within a website by date. With code injections, it’s often possible to quickly identify compromised files by viewing the text within the most recently changed files.
Theme files like the 404.php, functions.php, and header.php are commonly exploited files, example below:
What is a backdoor script?
Backdoor scripts are files or code injected into legitimate files that give hackers access to add or edit files or databases within a website hosting account.
Once in place within a website, these files or code injections may allow hackers unrestricted access to an account until they’re removed.
And with all of the places a hacker may hide malicious code within a website, you can’t assume anything when it comes to locating and removing backdoor scripts within a website’s account. Every file and directory must be carefully reviewed for signs of malicious content.
In the case of WordPress, even the latest malware monitoring security plugins often miss or misidentify these files. Written by financially-motivated black-hat hackers, backdoor scripts often require a bit more effort to identify than running an off-the-shelf malware scanner. Human eyeballs haven’t been automated out of this job (at least not yet).
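The date-sorted review described above, combined with a first pass for the kinds of constructs that show up in injected backdoors, can be scripted to decide which files a human should read first. This is an added example, not HackRepair.com’s tooling; the site layout, the file bodies and the pattern list are constructed for the demo, and a match only means “look at this file”, not that it is malicious.

```python
"""Triage a suspected WordPress compromise: list recently modified files under
a site root, newest first, and flag files containing constructs common in
injected PHP backdoors. Added example; all paths and file bodies are constructed."""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructs that recur in injected backdoors. A hit means "a human should
# read this file", not proof of compromise: obfuscated plugins match too.
SUSPICIOUS = {
    "eval of decoded blob": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I),
    "shell call on request input": re.compile(rb"\b(system|shell_exec|passthru|exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I),
    "request value called as function": re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]+\]\s*\("),
}

def scan_file(path: Path) -> list:
    """Names of suspicious constructs in one file (any type; images and text files can carry code too)."""
    try:
        data = path.read_bytes()
    except OSError:
        return []
    return [name for name, rx in SUSPICIOUS.items() if rx.search(data)]

def triage(root: str, days: int = 7, now=None) -> list:
    """(relative path, mtime, hits) for files modified in the last `days`, newest first."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            mtime = p.stat().st_mtime
            if mtime >= cutoff:  # only recently changed files, as in the manual review
                found.append((p.relative_to(root).as_posix(), mtime, scan_file(p)))
    found.sort(key=lambda r: r[1], reverse=True)
    return found

def make_sample_site(now: float) -> str:
    """Constructed theme dir: two injected files, one clean recent file, one clean old file."""
    theme = Path(tempfile.mkdtemp()) / "wp-content" / "themes" / "demo"
    theme.mkdir(parents=True)
    samples = {  # name: (body, age in seconds)
        "functions.php": (b"<?php\neval(base64_decode('aGVsbG8='));\n", 60),
        "404.php": (b"<?php\n$_POST['f']($_POST['a']);\n", 3600),
        "style.css": (b"body { margin: 0 }\n", 7200),
        "header.php": (b"<?php wp_head(); ?>\n", 30 * 86400),
    }
    for name, (body, age) in samples.items():
        (theme / name).write_bytes(body)
        os.utime(theme / name, (now - age, now - age))
    return str(theme.parents[2])  # the temporary site root
```

Run `triage("/path/to/site")` against a copy of the hosting account; the month-old clean file drops out of the list, and the two injected theme files sort to the top with their matched constructs named.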
Below is an example of hacker code injected into a legitimate WordPress file, which allows the hacker to pass commands along to another file added by the hacker:
What are some common website hacking related terms?
Since you are reading this article, I suspect you are hoping to better educate yourself about website security. Below are a few of the commonly used terms associated with the website hacking “business”:
Phishing is the fraudulent practice of masquerading as a reputable company in order to trick you into revealing confidential information.
SEO spam, also known as spamdexing or injected backlinks, is an attempt to manipulate search engines by including links or content within a legitimate website to help increase the search engine position of another website.
Black-hat SEO hackers inject SEO spam within legitimate websites to improve the search engine position of less legitimate websites.
Harvesting credit cards may be possible by injecting code into a payment page in order to “sniff” credit card information while information is being entered.
Badware or drive-by downloads refer to the unintentional download of malicious code into a computer or mobile device. The scary part is that a click or other action may not be required to inject the malicious code into the device.
DDoS attacks or “distributed denial of service” attacks may involve surreptitiously using the processing power of a number of unsuspecting websites against another website in order to interrupt the services of a specific target website.
Ransomware is a form of virtual blackmail, where malicious software is employed to lock data until a ransom fee is paid.
Malware is a term used to describe malicious code that may cause harm to a website, its reputation, or devices connecting to a given website.
Website defacing most often refers to someone changing the content on a website with malicious intent.
A quick Google search on any of these phrases will bring up hundreds, if not thousands, of stories describing the criminal behavior relating to each of these website security-related terms.
How can I help prevent my website from being hacked?
Below are four actions you can take today that will greatly improve the security of your website account and decrease the likelihood your website will be compromised by hackers tomorrow.
- Backups. Maintain a weekly automated backup of your website to a cloud service account like AWS, Google Drive or Dropbox. While you may not be able to monitor your website every minute of every day, a solid backup program will help turn a potential disaster into a one-click-to-recover insurance policy. For WordPress, try one of these plugins: UpdraftPlus, BackupBuddy or JetPack Backups.
- Updates. With content management systems like WordPress, regularly updating your website’s plugins, themes, and WordPress itself is a required step in improving the security of your website and hosting account.
- Monitoring. If your website was built with WordPress, there are a number of well-regarded security plugins to choose from. WordPress security plugins are not foolproof but they may help reduce the impact of bad bots and automated intrusion attempts by monitoring and notifying you of bad behavior on your website as it happens.
- Management. And lastly, use a secure password management system to save passwords. This is a great way to reduce our very human tendency to use the same password for every website we password protect.
Have questions?
If you have comments, suggestions or questions, Jim Walker may be reached at [email protected].
“A thing done well is rarely done alone.”
And many thanks to the following good folks who helped in proofreading and editorial review: Joyce Walker; Mike Dudas @tvcnet; Mark Glover @servingwithamission; and others.
Jim Walker, Website Security Professional
I am a website security professional, with HackRepair.com, where I’ve been helping non-profits and businesses recover from compromised website situations and have been helping to secure websites against hackers for over 20 years.