Well, one of my websites was hacked last week, just before the story broke about Talktalk, so I thought I would just document my experience and let people know the lessons I learned about website security.
I have been doing a lot of editing on the site that was affected (not this one), and I first noticed there may be a problem when it was taking ages for any of my edits to be saved, and it was even slow just selecting menu options in the control panel of my WordPress site. Now there are a number of possible reasons for slow response, such as:
- Computer problem
- Internet connection
- Website server traffic
- Website themes/plugins
- Local viruses or malware
- Server viruses or malware
I therefore had to work through these to eliminate them in turn to see which was the root cause. The first two potential causes were eliminated by trying a different computer on a different internet connection, which resulted in the same slow response. I was using a new and complex WordPress theme, so I thought maybe it was this that was causing the problem, although the fact that the whole WordPress control panel was slow seemed to eliminate the theme as the source of the problem. I had run my local anti-virus/malware scan and that yielded no problems, so it looked like it was probably a website server issue.
I then contacted my website hosting service to see what they said about this. Their initial response was ‘there is a high traffic load on the server at present, response is just due to high traffic’. I was not sure about this, so I started to look in more detail into the response, using a very useful website at www.gtmetrix.com. This site allows anyone to get a detailed analysis of the response time of any website (for free!) and was crucial to this investigation. I could now see that there were significant delays during the loading of any page that could not be explained by any of the above issues, except that the delays must be originating server-side. I went back to the hosting service with this data, and eventually they found that one of the files in my website code had some unexplained binary code in it, that must be malicious and must be causing the delays.
At this point they acted very fast, and suspended the website, backed up and then deleted all the code on the site, and told me to create a new WordPress instance and restore the database content (this was not corrupted). Eventually I restored everything and the site was running fine again.
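The way the problem was finally found above, a file in the site code that contained bytes it should never contain, is something a site owner can check for without waiting for the host. The script below is an added example, not code from the original post or from WordPress or Wordfence: it records a SHA-256 baseline of every file at a time the site is known to be clean (for instance when the backup described later is taken), and on a later run reports files that are new, changed or missing, plus text files that contain control bytes or build code from an encoded string at run time. The directory layout, file names and the tampering in `demo()` are constructed for the example.

```python
"""Added example: baseline-and-rescan integrity check for a WordPress tree.
Not the post author's code; paths and sample files are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# File types that should contain only text on a WordPress install.
TEXT_SUFFIXES = {".php", ".js", ".css", ".html", ".htm", ".txt", ".xml"}

# Control bytes that have no business in source files (tab, LF, CR allowed).
CONTROL_BYTES = bytes(b for b in range(0x20) if b not in (0x09, 0x0A, 0x0D)) + b"\x7f"

# Well-known obfuscation shape in injected PHP: decode a string, then execute it.
OBFUSCATION_RE = re.compile(
    rb"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
)


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large uploads do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (relative to root) to its SHA-256. Take this when the
    site is known clean and store it outside the web root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def looks_binary(data: bytes) -> bool:
    """True if the content has control bytes or is not valid UTF-8 text."""
    if any(b in data for b in CONTROL_BYTES):
        return True
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return False


def scan(root: Path, manifest: dict) -> list:
    """Compare the live tree with the baseline and inspect text files.
    Returns sorted (relative_path, reason) tuples; an empty list is clean."""
    findings = []
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in manifest:
            findings.append((rel, "new file not in baseline"))
        elif manifest[rel] != sha256_file(path):
            findings.append((rel, "content differs from baseline"))
        if path.suffix.lower() in TEXT_SUFFIXES:
            data = path.read_bytes()
            if looks_binary(data):
                findings.append((rel, "binary/control bytes in a text file"))
            if OBFUSCATION_RE.search(data):
                findings.append((rel, "encoded code executed at run time"))
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "file missing since baseline"))
    return sorted(findings)


def demo() -> list:
    """Constructed two-file site: baseline it, tamper with it, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-content" / "style.css").write_text("body { margin: 0 }\n")
        baseline = build_manifest(root)
        # Constructed tampering: a control-byte blob appended to an existing
        # file, and a dropped file that decodes a string and executes it.
        with (root / "index.php").open("ab") as f:
            f.write(b"\x00\x01\x02 injected blob")
        (root / "wp-content" / "uploads" / "cache.php").write_text(
            "<?php eval(base64_decode('Q09OU1RSVUNURUQ='));\n"
        )
        return scan(root, baseline)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

In practice, run `build_manifest` against the document root right after a clean install or restore, save the result as JSON somewhere the web server cannot write, and run `scan` from cron; a non-empty result is the cue to pull the backup rather than keep editing.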
Lessons learned from this incident:
- I don’t know what the binary code that we found was doing to my website, but it was obviously doing some processing that was taking up a significant amount of processing power when accessed. The site affected did not have any personal information stored – the only user information was for testing purposes – Mickey Mouse and Donald Duck were my two test customers, so that wasn’t much use to them, even if they did manage to capture it!
- Ensure your website is protected from hackers getting into your code, by using security plugins! Ironically, I did have a security plugin installed, but I temporarily deactivated it while installing another plugin, as there seemed to be some interaction causing a problem. The hacker must have got in while I was doing this! I use a plugin called ‘Wordfence’, which seems to have the right level of security features for my needs, and also has several add-on features, such as a ‘Maintenance Mode’ switch and caching/speed-up features. I did resolve the problem that led me to deactivate Wordfence; in the end it had nothing to do with this plugin.
- If you do store personal information regarding customers, or even if it is just details of those who post comments etc., make sure it is encrypted so that it is no use to the hackers if they get hold of it. It seems that Talktalk had a significant amount of information about their customers that was not encrypted, and this is often the default design for simple WordPress sites that use a simple plugin or HTML/PHP code for a contact form – be careful and check how the data is stored before choosing such a plugin to capture your users’ data. Even if you use a separate payment processor such as PayPal to capture and process payment details, your site may capture names and email addresses that need protection.
- Ensure you have backups of your website code to enable you to restore the site if there is a problem. It does not take very long to create a backup, unless you have a very large website, and in fact the larger the website the more important it is to maintain regular backups!
- It is not just the big companies that are targeted by the hackers – I suspect these attacks are sent out to large numbers of domain names at random, and automatically, so one day it may be Talktalk that is hit and the next it is a small website like mine!
- If you have an unexplained change in the responsiveness of your website, follow the steps I went through to try and isolate the problem – remember it may not be hackers causing the problem, but it could be!
- Hackers are determined but misguided people who love to just cause havoc with websites and other IT services and will get into your code using as many means as possible to achieve their distorted objectives. This doesn’t mean we should refuse to trust any websites that store our personal information, but keep following the guidelines published by the websites that you use, regarding setting passwords and other security practices, in order to make it as difficult as possible for the hackers to get in.