Small business owners often downplay the risks of their websites being hacked. Yet, thousands of sites are hacked every day. Here are a few thoughts about what hackers might find valuable beyond your website itself.
There's a lot going on behind the scenes to put your website online. The computer that hosts your site (web server) has internet connectivity and resources beyond most personal computers. If hackers can place their software into your site, they can use the server's resources to launch more vulnerability scans, hacks and attacks against other sites. You've probably heard about Distributed Denial of Service attacks (DDoS) that take down large sites. They do that by using thousands of computers (botnets) to flood another site with traffic, ultimately overwhelming it. Your website's server resources has value to a hacker, thus giving them a reason to want to hack your site to access the server.
Compromising Your Visitors' Computers
If a hacker can put some software into your website's code, they can surreptitiously infect computers that visit your site. If your site receives 100 unique visitors a day and 10 of their computers get infected, that's 10 opportunities for hackers to retrieve sensitive data from your customers. You may think that because your site doesn't store sensitive data that it's not a target. Hackers think of your site as a means to an end.
Some common hacks involve redirecting visitors to one site to another. One customer came to me to let me know their site (created by another developer) had been hacked and that it was intermittently redirecting visitors to a porn site. It's also possible for hackers to redirect visitors to a webpage that tries to install malware on the visitor's computer. Gaining access to your website gives hackers easy access to visitors they wouldn't otherwise get.
You're Not Paying Attention
Small businesses generally don't pay as much attention to their sites as do larger companies. As a result, small business websites are often easier targets for hackers. Especially when it comes to self-managed WordPress websites which may not have core components, themes or plugins updated regularly. I did some checking on WordPress-based websites to see what version they were running. Out of 13 sites checked, 6 were running current versions of WordPress (4.7+). 3 were running version 4.6.3. The others were versions 4.5 and earlier, including one running version 3.5.1. If you think nothing's changed from a security perspective since WordPress 3.5.1, you're mistaken and your site is a sitting duck unless you've taken other steps to secure your site.
Your website by itself probably isn't that valuable. Hackers aren't going to deface your website and make it obvious they've been there. Instead, they'll rely on stealth and subterfuge to get access to the information and resources they're after.
How Do I Secure My Website?
If you have a static website, assuming your host has done a good job of security the web server and all of its software components, you will have somewhat fewer vulnerabilities than a dynamic, CMS-based website. Access passwords for FTP and any scripts you run may provide opportunities for hackers to get into your site. With a CMS-based site, your usernames and passwords to access the CMS are common ways to access sites. Make sure your passwords are strong. Additional approaches for all sites is to use a service like Sucuri to filter visits to your site so those trying to access it improperly are taken out of the mix. With WordPress specifically, ensure the WordPress core, themes and plugins are all updated regularly. You can add additional security plugins like iThemes Security Pro or WordFence to help bolster your site's defenses.
Websites get hacked every day. You can help secure your site and protect your visitors by being aware of the risks and taking the appropriate steps before you get the call saying your site's been hacked. It's the best thing you can do for your business, and it could even protect you from being sued by a site visitor because you didn't take appropriate steps to secure your website. I'm not sure if that's possible, but it's a question I've posed to my LegalShield team. I'll have an answer in an upcoming post.