Hacked! Prevention & Recovery

If you own a website, the chances of being hacked are real. It happens to big companies as well as small, and most likely you’ve already been affected by a hack. As they say, there are two types of consumers: those who’ve been hacked and those who don’t know they’ve been hacked.

As a website owner, a hacked website means lost revenue and even worse, loss of customer trust. This article will help you know how to protect your site from hackers and if you do get hacked, critical steps you’ll need to take to recover.

How To Protect Your Site

  1. Keep your site updated. If you’ve read Proper Care & Feeding of your WordPress Website, you already know that many if not most updates are security related. Platforms (like WordPress), themes, and plugins all require continual updates in order to address newly discovered vulnerabilities and technical changes. Leaving outdated files on your website is like leaving the door wide open to eager hack attempts.
  2. Install security plugins, when possible. Free or low cost plugins like iThemes Security and Bulletproof Security offer affordable ways to tighten security on your website. There are several technical processes a senior level developer can implement to reduce your chances of a hack, but for many small businesses the cost of the developer may be prohibitive. Using a security plugin may help reduce the need for custom security work. Many hosting providers also offer additional security. It might seem pricey at first but most likely it’s a bargain compared to the costs of having your site down, content destroyed, customer information compromised, and repair services.
  3. Don’t use “admin” or other common usernames. Hackers look for common usernames as keys to directory paths. Using a common username like “admin” is like putting a neon arrow that says “Look Here!” to key entry points in your website.
  4. Rename the wp-content folder on WordPress sites. You’ll want to do this when the site is new, before you’ve uploaded any images that appear on posts or pages, otherwise it could break linked images stored inside the wp-content/uploads/ folder. Like the “admin” username, hackers look for common paths so changing the name of this folder will make access more difficult.
  5. Use strong passwords. I’ve lost track of how many sites we’ve worked on that were hacked due to simple passwords. Here are the rules for a complex, secure password:
    1. 8 characters or more
    2. use both lower and upper case letters
    3. use both numbers and special characters
    4. don’t use the same password for multiple sites
    5. don’t use words that can be found in a dictionary
  6. Remove unused plugins and inactive users. There’s really no point in leaving unnecessary paths into your website by keeping unused extensions or plugins installed or keeping users who no longer need to login to your website. Clutter is rarely a good idea and this applies to your website as well.
  7. Backup your site regularly. If your site does get hacked, restoration will be easier if you have an un-hacked version of your site on hand.
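As an added example (not code from the original article), here is a small Python checker that applies the five password rules from step 5 and reports which ones a candidate breaks. The word list and the set of "already used" passwords are constructed stand-ins; a real deployment would load a full dictionary and a hashed password history.

```python
"""Check a candidate password against the five rules listed in step 5."""
import string

# Constructed stand-in for a dictionary word list (lower-case).
DICTIONARY_WORDS = {"password", "welcome", "sunshine", "dragon", "monkey", "letmein"}

# Constructed stand-in for passwords already used on other sites.
PREVIOUSLY_USED = {"Tr0ub4dor&3"}


def check_password(candidate, dictionary=DICTIONARY_WORDS, used=PREVIOUSLY_USED):
    """Return a list of the rules the candidate violates (empty list = passes)."""
    violations = []

    # Rule 1: 8 characters or more.
    if len(candidate) < 8:
        violations.append("fewer than 8 characters")

    # Rule 2: both lower- and upper-case letters.
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        violations.append("missing upper- or lower-case letters")

    # Rule 3: both digits and special characters.
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_digit and has_special):
        violations.append("missing digits or special characters")

    # Rule 4: not reused from another site.
    if candidate in used:
        violations.append("already used on another site")

    # Rule 5: not a dictionary word. Strip the digits and punctuation people
    # bolt onto the ends of a word and compare case-insensitively, so that
    # "Password1!" is still caught even though it satisfies rules 1 to 3.
    core = candidate.strip(string.digits + string.punctuation).lower()
    if core in dictionary:
        violations.append("built on a dictionary word")

    return violations


if __name__ == "__main__":
    for pw in ("short", "Password1!", "Tr0ub4dor&3", "C0rrect-H0rse!"):
        print(pw, "->", check_password(pw) or "passes all five rules")
```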

What To Do If You’ve Been Hacked

Your next steps:

  1. Don’t panic. You’re not the first and you won’t be the last. Keep calm and start work on recovery.
  2. Call in your professional support team. You’ll want strong technical expertise as well as someone who is familiar with your site—most likely your web developer or hosting provider. Web designers may not have the technical skills required to find and repair the problem; however, an experienced web developer should be able to help you. You’ll need to provide:
    1. WordPress (or other CMS) login
    2. web hosting login
    3. FTP/sFTP access credentials
    4. any backups you have
  3. Take your website offline. Your web host may have already done this but if not, you’ll want to remove it to a secure folder while you assess and fix the website.
  4. Make sure the hack is limited to your site and not the entire web server. Your web host should be able to provide this information.
  5. Scan your local computer(s) for viruses and malware. Sometimes trojans or other infections can come from your local computer to your website. Be sure your anti-virus software is up-to-date, then run the scan.

Your web developer’s steps:

  1. Change your passwords for website logins, databases, FTP, etc.
  2. Download and inspect all of the hacked site files to determine how and when the website was hacked. This information is important to properly clean the site and fix it to prevent future hacks from the same hacker.
  3. Check all plugins or extensions to make sure they are up-to-date and do not have known vulnerabilities. If you’re using a plugin that no longer has updating and support, consider ditching it for a better, supported plugin.
  4. Check any custom code for security flaws or vulnerabilities.
  5. Clean up the issues and put the site back online.
  6. Update your site to the newest version of your platform (WordPress), theme and plugins.
  7. Test that everything is working.
  8. Backup your new, clean website.
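Step 2 above (inspecting the downloaded files to work out how and when the site was hacked) is easier with a clean backup to compare against. The following Python script is an added example, not code from the original article: it hashes every file in both trees, reports what was added, removed or modified, and lists the current modification times of the changed files to help build a timeline. The two directory trees are constructed in a temporary folder so the script runs offline; in real use you would point compare_trees() at the downloaded site and the last clean backup.

```python
"""Compare a site's current files against a known-clean backup.

Modification times are reported because they help place when a change
happened; an intruder can alter them, so treat them as a hint, not proof.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def hash_tree(root):
    """Map each file's path (relative to root) to (SHA-256 hex digest, mtime)."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(full), tz=timezone.utc)
            result[os.path.relpath(full, root)] = (digest, mtime)
    return result


def compare_trees(clean_root, current_root):
    """Return added, removed and modified files plus a timeline for triage."""
    clean, current = hash_tree(clean_root), hash_tree(current_root)
    added = sorted(set(current) - set(clean))
    removed = sorted(set(clean) - set(current))
    modified = sorted(
        rel for rel in set(clean) & set(current) if clean[rel][0] != current[rel][0]
    )
    # Added and modified files are the ones to inspect first; their current
    # modification times give a rough order in which the changes were made.
    timeline = {rel: current[rel][1].isoformat() for rel in added + modified}
    return {"added": added, "removed": removed, "modified": modified, "timeline": timeline}


def write_file(root, rel, content):
    """Create rel (and its parent directories) under root with the given text."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)


def demo():
    """Build constructed clean/current trees and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "clean-backup")
        current = os.path.join(tmp, "downloaded-site")
        for root in (clean, current):
            write_file(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            write_file(root, "wp-content/themes/site/style.css", "body { margin: 0 }\n")
        # Constructed differences: a retired plugin missing from the live site,
        # a theme file that changed, and a PHP file that appeared in uploads
        # (a folder that should hold only media, so it warrants a close look).
        write_file(clean, "wp-content/plugins/old/old.php", "<?php // retired plugin\n")
        write_file(current, "wp-content/themes/site/style.css", "body { margin: 0; } /* edited */\n")
        write_file(current, "wp-content/uploads/cache.php", "<?php // unexpected file\n")
        return compare_trees(clean, current)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```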

Taking the steps mentioned in the first part of this article will definitely reduce your chances of being hacked. While there is never a guarantee you cannot be hacked, you can certainly take steps to make sure you’re not easy prey. With regular monitoring and backups, if you do get hacked, the repair work will be easier and faster.


Who *Really* Owns Your Website?

You’re way too busy running your business and in a rush to get your website up. Since you’re not very tech savvy and you’re preoccupied with your own work, you trust your developer to get your domain registered and get your site set up on a good host. It’s very normal to leave it to your web tech to handle these tasks. I’ve done it myself for many of my clients. Perhaps I even did it for you.

In the early days of the web (I remember them well), it might have made sense. The internet was as ethereal as space exploration and only a few people knew how to navigate. I remember creating websites for business owners who had never used email. I even helped a couple people learn how to use a mouse.

These days, we’re much more comfortable with computers and most have at least a fair idea of how the internet works. Still, many still don’t understand the basics of website ownership. If you’re one of them, I’m about to enlighten you. Why is it important that you learn a bit of geek? Because you may be in a highly vulnerable position and not actually own your website.

The “Title & Deed” to Your Website

  • Your domain. No one really owns domains. We just register them from an accredited registrar like GoDaddy or eNom. Your domain gets associated with an IP address on a web server so when someone types in your domain name, server computers will know to send that person to your website on that server. Whoever registers the domain essentially owns it. If you hire me or anyone else to register your domain, the registration technically belongs to us.
  • Your web host. Whoever sets up the account on the web host is the one with the power. They’ll have the “credentials” or login info and most likely, the account will be billed to their credit card. Web hosting companies work hard to maintain tight security for their web clients. They will absolutely refuse to talk with you if you can’t provide authorization in the form of credit card info, password and/or PIN access.

As personnel changes occur in companies and organizations, the domain and host login info (credentials) may get lost. I’ve seen it happen a lot. Of course, if we built your website we’ll have the original info in our records. I recommend that clients keep a hard copy of all their web credentials in a secure but easy-to-locate file.

But what happens if your developer never gave you the login credentials? What if you never knew to ask for them? In a perfect world, that might be okay. Last I checked…it’s not a perfect world. Stuff happens.

Your developer might move and never tell you nor provide updated contact info, or get hit by a bus, or have sudden health issues, or get arrested, or hit sudden fame and fortune, or forget to pay the electric bill, or get angry at you for any number of reasons. You get the idea. When only one person has such vital information, you’ve created a single point of failure that could have devastating results. I’ve had new clients (yes, plural) who came to me, begging for help because they didn’t have their website credentials and their website was held “hostage”. They didn’t understand the power of owning those credentials.

Eliminate Unnecessary Risk

How can you prevent losing control of your website from happening to you?

  1. Register your own domain and purchase your own web hosting service. If you’re unsure where or how, your developer can advise you and even give you the links to click through. You’ll have the confidence of knowing you have the rights to your own website. You will need to share the login info with your developer, of course, but you can rest assured that should you no longer choose to work with that developer (even in best scenarios), you’ll have access to your domain and web host.
  2. If you have a trusted relationship, allow your web tech to setup your domain and hosting service but insist on having all login credentials in your records, too. That way, if you choose to part ways or something tragic happened, you have the necessary information to talk with customer support or hire someone else.

What if your developer can’t share the domain registration login info because of other clients in the management account? You can request the domain be transferred to you or at least insist the domain registration include your name and contact info as the registrant.

It’s not really a matter of trust (or lack of) to insist you have access to your domain and website. It’s good business stewardship. Share the credentials when you need to but don’t keep yourself purposefully in the dark.

The vulnerability is huge and the fix is simple. Keep a record of your login credentials. 



Top 10 Email Marketing Platforms

Email marketing continues to be one of the most effective tactics in digital marketing. There are a number of platforms to select from (and new ones popping up every day), making it difficult to figure out which platform is best for you. All platforms have pre-made templates, so you won’t need to hire a developer to create a custom HTML template, but beyond that their features can differ widely. Some of these options include free accounts, drip campaigns, integration with CRMs, drag and drop, etc. We’ve curated the top ten email marketing platforms for you to help you find the best fit for your needs and strategy.

  1. For years, MailChimp has been my favorite due to ease of use and number of features. It’s free to use if your subscriber list is less than 2000. Features include: subscriber profiles, built-in segmentation, in-depth reporting, advanced analytics, send time optimization, mobile optimized, integrates with hundreds of apps and services, RSS-to-Email, A/B testing, geolocation.
  2. Mad Mimi is a serious contender for the top of my list. They are working hard to become the best platform and have made great progress. Features include: good list management tools, attractive reporting & tracking tools, webforms including newsletter signup form for your Facebook page, drip campaigns, social links, RSS-to-Email, Google analytics, free under 2500 subscribers.
  3. As a company, they have several community and social initiatives which makes them super cool in my book. Features include: mobile optimized, subject line split testing, analytics, segmentation, easy interface, social media integration.
  4. Features include: landing page capabilities, A/B testing, list segments.
  5. Features include: social media integration, mobile optimized, free under 1000 subscribers.
  6. Features include: scheduled drip campaigns, helpful 3000+ image library, tracking.
  7. Definitely the biggest name out there but not the easiest to use. They’ll also charge you for image storage if you have more than 5 images uploaded. Tons of features but nothing that other platforms don’t offer for less cost and friendlier interface.
  8. Features include: Basic tracking, sign-up forms (including Facebook), autoresponders, split testing.
  9. Free if your mail list is under 2000 subscribers. ZOHO email marketing can be used as part of the ZOHO product line which has business, CRM, and productivity apps. If you’re looking for a more comprehensive toolset, ZOHO seems to cover the spectrum of small business needs or you can choose to only use their email marketing tool.
  10. (now called Salesforce Marketing Cloud). Salesforce is one of the big boys when it comes to CRM and business platforms. If you’re already using Salesforce, it makes sense to use their email marketing. It may not be the most user-friendly, but the ability to fine tune your target and analyze the results is pretty cool.

Proper Care & Feeding of Your WordPress Website

Your website is like your pet—it needs continued care and maintenance. Website content updates (the new posts, text, photos, events, etc, that you do regularly) will help keep site visitors and search engines happy. Yet content updates aren’t the same as technical care and updates. Technical updates are essential for a healthy, fully functioning website. Your website is built on thousands (and thousands and thousands) of lines of code. Even with regular maintenance and updates, you may still experience glitches.

Even if you’re a technophobe, I beg you not to glaze over the following information. If you own a website, you need to be a responsible website owner.


Your WordPress Website Basics

There are four main layers that make up your WordPress website: the web server, the WordPress platform, the theme and optional plugins. Here’s a brief description of each of these layers and how they work together:

  • Web servers. These are the computers that host your website files. Your hosting company has the vault of web servers that keep your website files safe, in a temperature controlled, secure environment. The web servers are machines that require servicing, repairs and upgrades for the sake of function and security. These changes typically run in the background but on occasion can affect your website by conflicting with scripts on your site or forcing you to make site updates.
  • WordPress. WordPress is a pre-made platform that started years ago as a blogging platform and has evolved into a wonderful Content Management System (CMS). It has a Dashboard that allows non-techs to locate pages and posts on their site and make changes to the content. WordPress belongs to an open source community and allows you to freely use its products. WordPress also releases updates. These may be new features, bug fixes, or security related. These changes may create conflicts in the theme or plugins you are using.
  • Theme. The theme is what gives your website design and functions that aren’t a part of the rather sparse, default WordPress platform. Themes help determine the color and layout of your site and often provide extra features that help your website shine. Themes also require updates for new features, bug fixes and security. These changes may create conflicts with plugins. Not all themes have ongoing author support, which means your theme may have conflicts with other system updates (web servers, WordPress, etc.). It’s nearly impossible to know which themes will have ongoing support; however, over time, nearly all themes will be discontinued as new themes emerge that are designed for more up-to-date user expectations.
  • Plugins. Plugins allow you to really amp up the capabilities of your website. Each plugin also has updates for features, bug fixes and security. Plugins are wonderful but they are also one of the easiest entry points for hacks and most common cause for bug issues or script conflicts. Free plugins should be used with care, because they often don’t have ongoing support. In general, don’t keep any plugins in your Dashboard that you aren’t actively using. Some common uses for plugins include:
    • Enhanced SEO capabilities
    • Site caching for faster page loads
    • Form editors that allow non-tech people to create and edit forms
    • Membership forums
    • Directories
    • Site analytics
    • Backups
    • Security
    • Special slider or portfolio effects
    • Shopping carts
    • Polls / Surveys
    • Social media feeds, etc.

If you don’t keep up with the tech updates, your site may become vulnerable to hacks or conflicts with any of the advancing tech layers that support them. Certain features may quit working, including the ability to edit your site at all!


But first, backup!

Before you do any updates, it’s strongly advised that you create a backup of your site in the event that the updates create a conflict with other scripts on your site and “break” the site, thus requiring a developer’s repair. You should be running backups of your site regularly anyway, because “stuff” happens (server failures, hacks, etc.)

There are plugins that you can use for backups. Most web hosts also offer backup services. Some are free, some aren’t. While it’s easier to backup your website to the same server that hosts your website, you need to be aware that if the server fails, you’ve lost your backup copy as well. It’s best to save your backup to your own computer. If that’s not a possibility, then save it to a location on your web host that’s different from the place you keep your regular website files.

Most backup services allow you to schedule backups. This is very helpful but be sure to check every now and then to be sure backups are indeed happening.

When Your Site Breaks

If an update causes a script conflict, you then have a choice to:

  • revert back to the previous version of whatever was updated (if you have been saving your backups)
  • have the developer find the conflict and write a custom repair
  • work with the author of the theme/plugin to issue a repair (if they’re still offering support for what you’re using)
  • find another theme or plugin and convert your content over to it

Your choice will depend on the severity of the issue, of course. While WordPress, themes, and plugins make amazing websites attainable (both financially and feature-wise) for the average person, each layer comes with its own vulnerabilities. On the tech side, responsible website ownership requires three things: website maintenance, backups and security. In order to avoid as many problems as possible, you need an experienced web technologist who’s up to date with WordPress and (best case scenario) your website.

Speaking of Security

When it comes to security, you have a few options. You may wish to use a plugin to amp up security within WordPress. Your web host may also offer extra security (for an additional cost, naturally). Many web hosts are setting up servers especially designed for WordPress websites, which include security to address issues common to WordPress. Keep in mind, there is no such thing as an un-hackable website. Big budgets can use mirrored hosts and a plethora of security layers. As a small business, you may simply need to make your choices based on the level of budget and effort you want to contribute.

Web Vets: For the Health of Your Website

Be sure to keep a good relationship with your web technologist. Quite often, when staff change, website information doesn’t get passed on. I can’t count how many clients we’ve helped over the years by keeping records of their website credentials and other key details related to their websites. If you change any web-related passwords, let your technologist know as well. Familiarity with your website and current credentials will save time and stress if an “event” happens.


New Security Fixes

I don’t understand why people intentionally hurt other people. I watch the news and simply shake my head at the culture of terror and harm. It’s not something I like to dwell on.

Yet the nature of my work forces me to daily consider protection for my clients. Like many web companies, we love WordPress for its ease of use and great search engine optimization. Unfortunately, so do hackers. A couple of weeks ago, a new virus began moving through the web specifically targeting WordPress websites.

In an effort to provide the highest level of service to you, our great partners, we are now including improved security procedures and functions to every new website. This includes:

  • Changing the default User ID from “admin”
  • Installation of Password Encryption – This will encrypt the password dynamically each time you log in. You will not be able to use your browser to save your login information. We apologize for the inconvenience, but it’s a small matter compared to having your website hacked, yes?
  • Installation of Login Lockdown – This function stops brute force attacks by locking the admin area after 5 failed login attempts. The admin area will remain locked for 1 hour for the offending IP address. If for any reason you do get locked out and need in quickly, contact us and we’ll attempt to reset the password, or wait the designated hour.
  • Installation of back end security software – This software is installed to protect key files that are targeted by hackers.
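To make the Login Lockdown rule concrete, here is an added Python model of it (not the plugin’s own code): after 5 failed attempts from one IP address, that address is blocked from the admin area for 1 hour, a successful login resets the count, and an expired lock is cleared. The thresholds are the ones stated above; the log format and the IP addresses are constructed for illustration.

```python
"""Model of the Login Lockdown rule: 5 failed logins from one IP -> 1 hour lock."""
from datetime import datetime, timedelta

MAX_FAILURES = 5
LOCKOUT = timedelta(hours=1)


class LoginLockdown:
    """Track failed logins per IP and decide whether an attempt is allowed."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = {}      # ip -> consecutive failed attempts
        self.locked_until = {}  # ip -> time the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear it and start counting afresh.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip, success, now):
        """Record one login attempt; return 'blocked', 'ok' or 'failed'."""
        if self.is_locked(ip, now):
            # Even a correct password is refused while the lock is active,
            # which is why the list above mentions waiting out the hour.
            return "blocked"
        if success:
            self.failures.pop(ip, None)
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
        return "failed"


# Constructed log lines: "<ISO timestamp> <ip> <success|failure>".
SAMPLE_LOG = """\
2015-04-01T10:00:00 203.0.113.7 failure
2015-04-01T10:00:02 203.0.113.7 failure
2015-04-01T10:00:04 203.0.113.7 failure
2015-04-01T10:00:06 203.0.113.7 failure
2015-04-01T10:00:08 203.0.113.7 failure
2015-04-01T10:00:10 203.0.113.7 success
2015-04-01T10:05:00 198.51.100.20 failure
2015-04-01T10:05:30 198.51.100.20 success
2015-04-01T11:00:09 203.0.113.7 failure
2015-04-01T11:00:10 203.0.113.7 success
"""


def replay(log_text, policy=None):
    """Replay log lines through the policy; return (timestamp, ip, decision) tuples."""
    policy = policy or LoginLockdown()
    decisions = []
    for line in log_text.splitlines():
        stamp, ip, outcome = line.split()
        now = datetime.fromisoformat(stamp)
        decisions.append((stamp, ip, policy.attempt(ip, outcome == "success", now)))
    return decisions


if __name__ == "__main__":
    for stamp, ip, decision in replay(SAMPLE_LOG):
        print(stamp, ip, decision)
```

In the sample, the sixth attempt from 203.0.113.7 is blocked even though the password was right, the other address is never affected, and the same address is allowed again once the hour has passed.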

Yes, it’s extra work but I don’t want you or me to wake up to a website hack. WordPress is a great website solution but requires perpetual vigilance to keep secure.

As a website owner, please be sure to install any updates available as these usually pertain to security. I also recommend you make regular backups of your site so if the unfortunate event happens, you’ll be able to restore your website based on the most recent backup.



Better than 1,000 Words

We’ve all heard it before but it’s true: a picture is worth 1,000 words. While search engines can’t read pictures (that’s an article for another day), your site visitors can be magnetized by them. Or not. Bad pictures have just as many words attached as good pictures.

Here are some low-cost photo resources you may find helpful:

  • Flickr. These may or may not be free to use. Be sure to abide by the Creative Commons licensing for the photo you have selected.
  • FreeStockPhoto. Not the prettiest website but if you’re not too picky, you may find just what you’re looking for. Just be sure to give credit and abide by the licensing.
  • Dreamstime. You’ll buy credits to apply to photo purchases. Depending on the photo and number of credits you have, some photos can cost as low as $0.20. Crazy, but true.
  • iStockphoto. Like Dreamstime, you’ll need to buy credits to apply to photo purchases. iStockphoto has been around longer so has a bigger selection and their prices are a bit higher, but still extremely reasonable.

Your Message Needs Focus

Have you ever been to a website that had so much information on it you were lost before you could even get started? I’ve yet to hear a user say “I love cluttered websites”. However, website owners often feel that if they don’t put everything important on the home page, they will lose opportunity. And when I say feel, I mean driven. And when I say driven, I mean obsessed. And when I say obsessed, I mean maniacal. Get the picture? Now you tell me, how many maniacal people make healthy decisions for good communication?

If you’re a website owner, slow down and focus. Pick ONE thing–yes, I said ONE–that you want your site visitor to do as a result of coming to your site. Then drive 80% of your content messaging with that goal in mind. Make it easy for your visitor to do that ONE thing.

That leaves you with 20% of your messaging to address other website goals. It may be hard to believe but you’ll actually get more results by limiting your message.

Think of it this way. You walk into a room with a wall lined with shelves filled with shiny balls. Hidden somewhere in those shelves is the ball that will bring you the most sales. What is the likelihood that people will find the ball easily or perhaps at all? You’ve given them too many shiny balls to chase.

Now, walk into the room again. This time you see the wall lined with shelves but only 3 shiny balls are there, and one of those balls is really huge and has sparkles. Which ball will get the most attention?


Thanks to VideoHive for the photo. They’re a great low-cost resource for stock footage.


Your new website is just the beginning

You are all excited about your new website, right? You’ll get new customers or members and sit back drinking lemonade as you watch your numbers go up, up, up.

That actually may have been true — fifteen years ago. Today, there are millions of websites out there and more coming every day (like yours). The more people use the internet, the easier it is for them to find information but the harder it is for them to find you. And once they find you, what do you offer that helps you stand out from the million others?

Here are some important strategies you can use to get results:

  • You will need to have multiple ways of getting people to your website. Use online resources, print, web-only offers, social media, and promotions that drive people to your website.
  • Let your message be crystal clear. Don’t make your site visitor work to figure out who you are and what you do.
  • Drop the ego. It’s not about you — it’s about the people coming to your website. They aren’t nearly as interested in hearing how many awards you’ve won or how your sales are increasing. They come to your website with one burning question: how are you going to help them?
  • Keep your content up-to-date. If you have outdated content on your site, you will be sending the wrong message. If you are a sole proprietor or have a small volunteer staff, it can feel hard to find time to update your site but dated content tells your site visitor you aren’t really there. Think of it like money being taken out of your bank account each time someone leaves your site because it’s dusty and ignored. If you are ignoring your website, so will they.