Hackers, how do they get into your website and hosting account? In today’s wild web, it just seems like sometimes you can’t keep hackers out!
Here’s what happened recently to me. I set up a new hosting account at a quality hosting service (not GoDaddy). The same day I loaded the site files, the site was hacked. Files were uploaded and links to malware installed in newly created pages that mirrored my own site pages but with a .shtml extension instead of .html.
The host told me that all was secure and that, although the site was in a shared hosting environment, their network was not where the hack came in.
The only thing that I can possibly think of that caused the problem for this non-WordPress site is that I emailed the passwords to the client. What the client did with the logins, I do not know. I am not sure if he even tried to log in, but I doubt it.
The host said that possibly a hacker got into the site via a field in the contact form, but there is a Captcha and tests for validity of information and on top of that no database connection for the form. I am mystified!
What I do know is that sometimes you just do not know how hackers get in. Could they tunnel in from the host? Could they intercept logins sent by email? Could they be trawling the web for new hosting setups and attacking them? Your guess is as good as mine.
One thing I do know is that there is a new hack for WordPress websites that targets new hosting accounts where WordPress installation has not been completed. There are bots that are scanning the web for these new sites and coming in via WordPress setup files and taking control of hosting. Could this type of attack possibly be what I experienced? It is possible.
What I do know is that prompt action to clean up, wipe the server, change all passwords for hosting and FTP, and stop emailing logins is our newest protocol.
Once you have used AMP on WordPress, if you also want AMP pages on your regular HTML site, you’ll need to do a little research. There are lots of sites and information from Google on how to set up and how to validate your new AMP pages.
This is what I have learned in the process of working on my own website pages.
The original page and the new AMP page need to point to each other. The AMP page points to the original page using a canonical reference, telling Google that the non-AMP page is the original. The non-AMP page then points to the AMP page using a special AMP reference tag in the head so that Google can discover it.
There are specialized AMP image references and specialized CSS references. Additionally, Google will require that the viewport be set in the page head section to validate the page.
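The reciprocal linking described above is easy to get wrong (a common slip is an AMP page whose canonical points at itself). The following added script, not part of the original post, reads the head of both pages and checks that the non-AMP page carries rel="amphtml" pointing at the AMP page, that the AMP page carries rel="canonical" pointing back, and that the AMP page sets a viewport. The URLs and page snippets are constructed for the example.

```python
from html.parser import HTMLParser


class HeadScanner(HTMLParser):
    """Collect <link rel=...> hrefs and the viewport meta content from a page."""

    def __init__(self):
        super().__init__()
        self.links = {}        # rel value (lower-cased) -> href
        self.viewport = None   # content of <meta name="viewport">, if present

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and a.get("rel") and a.get("href"):
            self.links[a["rel"].lower()] = a["href"]
        elif tag == "meta" and (a.get("name") or "").lower() == "viewport":
            self.viewport = a.get("content") or ""


def scan(doc):
    parser = HeadScanner()
    parser.feed(doc)
    return parser


def check_amp_pair(html_url, html_doc, amp_url, amp_doc):
    """Return a list of problems; an empty list means the pair is wired correctly."""
    page, amp = scan(html_doc), scan(amp_doc)
    problems = []
    if page.links.get("amphtml") != amp_url:
        problems.append("non-AMP page must link to the AMP page with rel=amphtml")
    if amp.links.get("canonical") != html_url:
        problems.append("AMP page must point back to the original with rel=canonical")
    if not amp.viewport or "width=device-width" not in amp.viewport.replace(" ", ""):
        problems.append("AMP page needs <meta name=viewport content=width=device-width,...>")
    return problems


# Constructed sample pages with assumed URLs (not from a real site).
HTML_URL = "https://example.com/services.html"
AMP_URL = "https://example.com/amp/services.html"

ORIGINAL_PAGE = f'''<html><head>
<link rel="amphtml" href="{AMP_URL}">
</head><body></body></html>'''

AMP_PAGE = f'''<html amp><head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,minimum-scale=1">
<link rel="canonical" href="{HTML_URL}">
<style amp-custom>body{{margin:0}}</style>
</head><body><amp-img src="hero.jpg" width="600" height="300" layout="responsive"></amp-img></body></html>'''

if __name__ == "__main__":
    print(check_amp_pair(HTML_URL, ORIGINAL_PAGE, AMP_URL, AMP_PAGE) or "pair OK")
```

Run it against the real heads of your own page pair (for example by reading both files) before submitting the AMP page to the validator.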
It is not complicated to set up these static AMP pages, but it is complicated to get them to validate. That being said, the future for Google is all about AMP and mobile. With a little effort you can make your blog and website more attractive for Google to index (and cache) in this new “Mobile First” world.
Many legacy website owners are now looking at upgrading their websites to leverage new technologies, but what type of site should you consider as you weigh your options?
WordPress Websites Pros and Cons
I have a love/hate relationship with WordPress. I love the power and adaptability. I love the free plugins, but I hate the security problems and I hate the lack of really fine control both for SEO use and for image placements.
If a client decides that they want to do their own content updates, WordPress is perfect for them, but at a cost.
If a client does not buy a security monitoring service like WordFence or SiteLock, they may leave their expensive new website open to being hacked and banned on Google (until the hack is remediated).
Being secure costs money, and WordPress is not a set-it-and-forget-it application. If you decide to do your own updates, be prepared to run security software and to do your own weekly site updates to keep WordPress secure.
HTML Websites Pros and Cons
For clients that are never going to do their own updates and do not need special plugin features from WordPress, I love a regular HTML version website. I love the control of page and image naming, the ability to have total control over site architecture, and the security of knowing that hackers do not typically use HTML websites as a platform to spew spam or malware.
HTML websites do not need regular security review, analysis and monitoring as WordPress sites do. But as technology changes they typically should be replaced about every five years.
If you need help with a SEO focused information-rich website for your service business and are not using ecommerce, pick up the phone and chat with me about your needs at 540-693-0385. I’d be glad to let you candidly know if our services would be a good match for your needs.
Security: you never realize how much you really should be thinking about it until your site is hacked. For business owners, let me caution you not to hand this most important aspect of protecting your online presence to staff without some oversight.
Here’s what you as the business owner need to know about security.
You need a backup and redundancy plan.
You need to know what your webmaster is doing on security.
You need to routinely monitor the Google Search Console for messages.
Sometimes the Bing Search Console will notify you faster of a hack, so monitor there too.
Look for weird URLs and strange activity in Google Analytics.
Make sure you do regular backups of your website files and keep several archives, not just one.
Back up your backup!
If you use WordPress as the backbone for your site, see below.
Remain vigilant. If you have security plugins, monitor their messages.
If you have WordPress…
I like WordFence as my security plugin. I am getting nice results and actionable messages about access and about updates to do to stay secure, and not so many messages that I get “security fatigue”.
I do use other plugins as well for WordPress. Below are the ones I will typically install for clients.
Locks out brute-force attacks and bad passwords.
WordPress File Monitor
This plugin monitors the core files for changes and uploads.
Sucuri or WordFence
I have used this program but found that the number of messages was too overwhelming so at this time I am using WordFence instead. Just make sure you use something AND make sure to actually read the alerts!
Everyone likes a bargain! Sometimes however you’ll want to pay for an app or WordPress plugin that is really valuable, but why pay when you can get one that does the trick for free?
I deleted Akismet as my spam plugin in WordPress when they moved to pay-to-play and really tried to wring $5 a month out of their users after years of free service. I understand that everyone needs to make a buck, but in the world of WordPress what they offered was not unique.
I searched for spam filtering plugins. I found Cleantalk and tried it for the seven day free trial period. I liked the interface, but just did not feel that paying for it was worth it to me. Cleantalk bills $8 per year. Not a lot, but free is free.
Now I am trying out the free WordPress plugin Anti Spam Bee. This plugin appears free – well at least for now.
Before you buy any plugin, make sure to try it out. I may be back with Cleantalk, but for now I am going free, free, free with the big yellow bee of Anti Spam Bee.
My firm blogs for many clients, and in the process we’re on blog sites more frequently than the blog owner. In some cases my team was the first to notify the client of a hack. Typically when a site is hacked, we cannot log in to write or even see the WordPress site when we go to gather links for a blog post.
To keep your WordPress blog or WordPress website from being hacked, here are my tips for security.
1. Make sure you are using a secure password. Many times the client’s webmaster will send us our logins and the password is something like 123456. For security, I like passwords like this A&Ji3nGba*3!. Impossible to remember but really hard for a hacker to guess.
2. Secure your site from brute force login attempts. I like the WordPress plugin Login Lockdown. This plugin allows you to lock out intruders who are repeatedly trying to get in by blocking their IP address.
3. Monitor your core WordPress files. I really like this plugin. It monitors your core WordPress files and emails you when there have been changes, advising you which files have been changed. I cannot begin to tell you how much easier this makes fixing a hack, because you have an idea where to start.
4. Use an exploit monitor. I use the WordPress plugin called Exploit Scanner. We’ve found several deep hacks with roots in a parent website feeding into an on-domain blog this way. By scanning the WordPress files for exploits and hidden elements we have been able to quickly identify a hack and work fast to remove it.
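To show what the core-file monitoring in tip 3 does under the hood, here is an added example (my own illustration, not the plugin’s code): hash every PHP, JS and .htaccess file under the site, keep those hashes in a baseline stored outside the web root, and diff later runs against it so an edited core file or a PHP file that appears under uploads stands out. The mini WordPress tree, file names and contents are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MONITORED = (".php", ".js", ".htaccess")   # extensions (and the .htaccess file) worth watching


def hash_tree(root):
    """Map each monitored file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and (path.suffix in MONITORED or path.name in MONITORED):
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Record the known-good state; in real use keep this file outside the web root."""
    Path(baseline_file).write_text(json.dumps(hash_tree(root), indent=1, sort_keys=True))


def compare(root, baseline_file):
    """Return added/removed/changed monitored files relative to the saved baseline."""
    old = json.loads(Path(baseline_file).read_text())
    new = hash_tree(root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed mini WordPress tree: take a baseline, then simulate tampering."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as vault:
        site = Path(site)
        (site / "wp-includes").mkdir()
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'placeholder');\n")
        (site / "wp-includes" / "functions.php").write_text("<?php // core file\n")
        (site / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8 constructed")
        baseline = Path(vault) / "baseline.json"   # stored away from the site tree
        save_baseline(site, baseline)
        # Simulated compromise: a core file is edited and a PHP file appears under uploads.
        (site / "wp-includes" / "functions.php").write_text("<?php // core file\n// unexpected edit\n")
        (site / "wp-content" / "uploads" / "cache.php").write_text("<?php // should not exist here\n")
        return compare(site, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Schedule the comparison (for example from cron) and send yourself the result whenever any of the three lists is non-empty; the image file is ignored because only code-bearing files are hashed.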
There is nothing worse for a website owner than to do a search for themselves on Google.com and find a warning next to their site telling users not to visit it due to malware, or to find that Google has turned off the links to their site.
These simple preventative measures are what we suggest for every blog owner; they are easy to install and require just a minimum of vigilance.