Guest: Tim Hendershot
Tim: Probably the most common one that I end up having to fix is the redirect hack, where if you go to your website directly, you just type it into the browser bar and visit it, everything works perfectly fine. There are no issues with the site, everything looks normal. But if you visit it from Google, Yahoo, Bing, or any search engine, it will suddenly redirect you to lots of fun places.
Peter: Welcome to the Biz and Life Done Well podcast, where we explore what it means and what it takes to do business and life well. I’m your host, Peter Wilson. If you’re like me, you’re intrigued by stories of common people who have achieved uncommon success in business and life. Join me as I interview fascinating people about how they got started, their successes and failures, their habits and routines, and what inspires them. Today, my guest is Tim Hendershot.
He is the web developer with bizmarketing.com. He has been working on computer technology, I think he said since he was 10
Tim: or something like that. Somewhere around there is when I first started building computers with my dad.
Peter: So let’s just say Tim knows his way around a computer and certainly knows his way around the internet. Today, we are going to talk about common ways websites, AKA your website, could be compromised or hacked and what you should do about it. We’ve seen all kinds of things happening with websites. So what are some of the stories you’ve seen, Tim? What sorts of hacks or situations have you had people bring to you?
Tim: Probably the most common one that I end up having to fix is the redirect hack, where if you go to your website directly, just type it into the browser bar and visit it, everything works perfectly fine. There are no issues with the site, everything looks normal. But if you visit it from Google, Yahoo, Bing, or any search engine, it will suddenly redirect you to lots of fun places, or it will completely modify the site with weird advertisements. You can kinda guess the kind of advertisements they’re gonna show on there. Mhmm.
I’m assuming it’s affiliate link stuff where they’re trying to get your users to click on the ads so that they get some sort of money back.
Peter: Right.
Tim: But the way that they hide it makes this one, I would say, more devious.
Peter: So what you’re saying is if I were to go to my website directly, bizmktg.com, just type that into my browser, the website would pop up, everything would look good. But if I came from Google, my website would detect that I came from Google and therefore would redirect me to another site.
Tim: Pretty much. It just watches where you came from. A lot of times, this will either be in the .htaccess file, or sometimes they’ll just put some extra stuff in the header. It’s pretty simple, but it’s effective.
Peter: So they hack the website. They hack the guts of the website, basically. So how does that happen?
Tim: There’s lots of ways that they can get in there. Probably the most common is when somebody has, essentially, admin as their username. They can’t think of what they wanna call themselves, and they put that in there. It wouldn’t be horrible just to have that, I guess, at all, but they have to pair that with no sort of brute force protection, where there’s no limiting the logins. There’s no checking if the password’s wrong.
You know, there’s no limitation on how many times they can try. And so they’ll just set their machine to brute force it. It’ll keep guessing over and over and over again till it gets in. And if it has the username because it’s an easy one, it’s already halfway there.
Peter: So I recall we did something on our site where, A, we don’t have any users with the name admin, but B, we have a firewall that looks for people trying to log in on our website as admin, and it sends them... what does it do? It times them out so they can’t visit the site for a week or a day or something like that?
Tim: I’ve been setting it to two months now. And not just for admin. I’ll block them for any username that’s not there, not accurate.
Peter: Accurate. Not in our website. Okay. That’s interesting. So they’re not just phishing because we do see occasionally people trying to log into our site with the name of one of our employees or they try to guess the, you know, like our email just because they know one email address.
So they try to guess other email addresses, and they’re completely wrong. The other one that I’ve heard about is just weak passwords.
Tim: Well, it depends. If it’s a really weak password, they can pretty much guess it. Sometimes they don’t have to actually guess your username because, by default, certain plugins like Yoast SEO want to create an archive for your users, basically, if they wrote a story. So it’s trying to do an author archive. The problem with that is sometimes it will leak out what your username actually is.
Peter: Oh.
Tim: So then they get half the equation right from that.
Peter: Right.
Tim: So they can use that data just to start brute forcing again.
Peter: Or the other one that I’ve seen is that there are, I mean, we were just talking about this earlier, there’s probably billions, literally billions of username and password caches that hackers share among themselves.
Tim: Some of these you can buy.
Peter: Yeah. Some are for sale. I noticed there’s a website you can visit called I’ve Been Owned or something like that, where you can actually see if passwords were ever leaked, and then, you know, if they’re on one of these lists. It’s kind of an interesting thing. Bottom line is don’t reuse your passwords.
Don’t use weak passwords, and use sophisticated passwords. By the way, I hate passwords. I hope they go away at some point.
Tim: You have to have some sort of method. Sometimes, depending on the plugins you have on your site, you can even get two factor authentication. That way, at least it’s linked to your phone. Mhmm. The worst thing is when you have absolutely nothing protecting your site, because then they can just keep guessing and guessing.
It’s just time. They’ll get in eventually.
Peter: The less sophisticated hosts are not gonna stop those folks.
Tim: In my experience, most hosts won’t stop them anyways. They consider that part of the user’s responsibility. Their job is to keep the server running. It’s your job to maintain the site, unless you have a higher tier of support with them.
Peter: We were talking about using a password manager. So what are the benefits of using, like, LastPass or OnePass? Isn’t that a password manager, I think?
Tim: That’s another one, I think. The advantage of it is you can create really complex passwords that are going to be hard to guess. Probably the biggest disadvantage is it’s all contained in one area. So in theory, if one of these password managers gets compromised, they have everything. Right.
There’s also the aspect that some people have this really complex password manager and then a really simple password to actually get into it. Oops. Which defeats the purpose.
Peter: Yeah. I’ve noticed Chrome browser has a way to save passwords in Chrome. I’ve always been a little suspicious of doing it that way, though.
Tim: I think Edge has it as well. I worry about those as well. In theory, they should be fine, but, well, anything can be compromised. Yeah. There’s also the aspect of where do those live, and how much do you trust Google to just protect it.
Right. A lot of it’s gonna end up being who do you trust more.
Peter: Right. Yeah. Well, I do like... I’ve been very happy with LastPass so far. The nice thing about it is we use it and then we can share passwords among ourselves in the case that there’s a specific website that we need to share access to. That’s kind of cool.
They have a team feature that allows you to do that. So a couple other things that we were talking about earlier, one of them that I thought was interesting was, so if you have a website, it’s most likely going to be running on something called WordPress, which is a content management system. It’s basically, I think, what, about half the websites out there run on WordPress.
Tim: I guess they’re at 40% right now.
Peter: So one of the things that a lot of people use are things called plugins to make the basic WordPress code do different things. Right? Makes it easier to program.
Tim: The nice part about it is you can expand upon what your site can do pretty well. Definitely. There’s a plugin for about anything. It’s its own little app store, if you will. Mhmm.
The kind of bad part about that is filtering out anything, you know, some bad code. I kinda look at it as a general rule of thumb: try and get something that’s been around for a while, and it looks like they’ve updated relatively recently. Mhmm. And, honestly, you get what you pay for.
So if you’re just trying to get every free plugin you can to try and just get everything you can out of your site without paying a dime, you’re gonna get what you pay for. That does lead to some risk. Typically, if you’re paying somebody a fee, even if it’s just a yearly fee of, say, $50. Mhmm. They’re gonna pay a lot more attention to their code and anything that goes wrong with it than somebody who’s doing it for free or for donations for coffee.
Peter: So that brings up a good point. So what happens is the people who develop WordPress core code are constantly testing and checking, and even then stuff flies by them sometimes. But with the plugins, the chances of bad code being in there that could easily be hacked, it’s just a lot more likely. Right?
Tim: Pretty much. Because it depends on how interested they are, how quickly they’re going to fix it, and how much they care. Yeah. Some people even abandon plugins. They may have been working on it for... I’ve seen where the guy will work on it for two or three years, and it’s running well.
It’s doing great. And then something maybe changes in their life, and they just abandon it. They don’t sell it to anybody. It just exists.
Peter: It’s still in the plugin directory on WordPress. So people are downloading these plugins.
Tim: They’ve gotten better about marking things as abandoned. So I think after about two years, they’ll just mark it as an abandoned plugin. The disadvantage of it, I guess, or the way that they have their system set up, is you’re not going to know that it was abandoned unless you have another plugin that checks. Oh. By default. If you have something like Wordfence in there, it’s going to tell you that this was abandoned.
Yeah. If you don’t, you won’t know. You just won’t have any updates for that plugin. So you won’t know that it’s been compromised or that it hasn’t been updated since however many versions of WordPress back, which can be a real problem when you actually have to update other plugins. Because if this one hasn’t been updated, it could be using older code and interacting with WordPress in an older manner, and it could essentially break the site.
Peter: So you’ve got different things that can happen. So, you know, you had given me a list of some things: cross site scripting, malicious code, SQL injection. So with respect to plugins and just people using bad code on the site, what are they actually doing to the website? Are they hijacking the site, or what do they do?
Tim: It all depends on what they’re trying to accomplish. Half the time, somebody’s trying to make money. With the cross site scripting, a lot of the times when I’ve seen that one become an issue, it’s usually somebody taking advantage of their current account for it, if that makes sense. Mhmm. Because in WordPress, there’s a lot of different levels of user.
The admin, of course, has full control. Subscriber essentially has a login. Sometimes it’s just so that you can send out emails to them. Author can write their own stuff, etcetera, etcetera. So sometimes people are basically putting in code that they shouldn’t be able to put in.
But with cross site scripting, it kinda seems like one where they already have some level of access to the site, so there is already some level of trust. Mhmm. It seems like it really becomes an issue when you have maybe an ecommerce site where you’re allowing users to actually input data.
Peter: Oh, like a credit card.
Tim: More like a field that’s maybe not checked. Somewhere where they’re somehow able to put in JavaScript code. Okay. The credit card fields, most of the time, those are in little iframes or they’re heavily checked because, again, money changing hands, and that usually ends up being
Peter: a lot more secure. Pretty well regulated. I mean, I do remember one that we worked with where there was a CryptoLocker virus that was somehow put on a website. So if you visited the website, somehow, if you had a web browser that wasn’t protected, it would put a CryptoLocker virus on your, I mean, on your computer. Now does that still happen?
Tim: If it’s exploiting something that Chrome hasn’t patched yet or another browser hasn’t patched, it can happen.
Peter: So CryptoLocker virus is one where you get this malicious code from a website, it gets onto your computer, and then it basically, what’s it do, locks up your hard drive, and then you have to pay a ransom to get all your data back.
Tim: Further, yep. I guess validation for having an external hard drive. Although sometimes it’s connected at the time. It’s probably gonna encrypt that too. Me, I’m a little bit paranoid, so I have ones that just sit in drawers.
Peter: Just like that. We like paranoid, Tim. So the biggest thing is the sites are getting hacked, then they’re either getting redirected... I talked to one of our clients recently, and they had a patriotic term in the name of their website, and their website got hacked. And there was some foreign actor who decided, because of the name of their website, that they would deface the website.
Tim: I’m not shocked.
Peter: Yeah. I mean, I haven’t seen that. Personally, I haven’t seen that much.
Tim: Those ones, that’s somebody who basically is trying to make a point.
Peter: Right.
Tim: I mean, they’re targeting you. Most of the hacks, they’re passive. It’s they have basically a server set up or a computer management set up. It’s just searching the web to try and find somebody. They’re trying to exploit known things.
They’re usually not targeting you directly.
Peter: Right. So that’s a good point. So a lot of the hacks that we’ve just talked about are being done automatically, where the hackers just write the code and let it go, and it just searches the web all over the place. Right?
Tim: Pretty much. They don’t really care who they hit. They just hit people. They’re relying on, you know, the fact that a lot of people, when they build the site and they set it up and everything’s good, they never go and look at it again.
Peter: So they don’t update the code?
Tim: Yeah. They might not be clicking the updates or updating the code or even checking on their site.
Peter: What are some things that you recommend outside of the password thing? You mentioned, I mean, we talked about Wordfence just a little bit. I think we’re pretty big fans of Wordfence. You wanna talk about that a little bit?
Tim: Yeah. That’s pretty well standard. If I’m building a site, I’m gonna put Wordfence on it, just because so far they’ve been really the best at preventing hacks. Their paid version is the best. Honestly, my favorite feature of the paid version is that they will limit where somebody can log in to your site from, because that takes out a lot of bad actors
Peter: Geographically.
Tim: Yeah. Where you can limit it to just users in the United States based off of IP address, because that just knocks off a lot of the attacks. It seems like a lot of them try to use either Russian servers, Chinese servers, or wherever they can find the cheapest hosting, and then they’ll have those ones attack. That way they’re not using their own stuff, and that way they can distribute it. Yeah.
Peter: So let’s talk a little bit about actual website hosting. We’ve had some bad experience with one provider in particular for website hosts, GoDaddy. They got hacked a while ago. Was it four or five months ago, six months ago?
Tim: Yeah. I don’t know if they actually... well, I’m pretty sure they didn’t announce it to their users, but it was some sort of hack with their managed WordPress hosting, which you would have thought, since that was the more expensive
Peter: Tier of service. Yeah.
Tim: Yeah. But apparently, they got compromised. Something on their back end got compromised, I believe.
Peter: We had one of our clients who, as a result of that, thanks to GoDaddy, was encouraged to log into their account and change their password or something. As a result of that, it ended up rolling the website back several months to an old, old version of the website. And all kinds of crazy things happened as a result of that. So, yeah.
Tim: That’s why it’s also good to have backups. You wanna at least have an up to date backup. I guess it depends on how often you’re going to be updating your site.
Peter: Right.
Tim: So for one of those users who maybe only updates it once a month or maybe once a week, there’s different plugins you can use to just back it up real quick. Just to be safe, most sites are not gonna be huge. Mhmm. So I would say take the time to just have your own backup. Just in case anything goes wrong, you can restore it.
Because if the host has to do it, their backups don’t seem to happen as often, depending on who your host is. Some of them will have it just built right in. But some, especially if you haven’t paid for their whatever backup tier, whatever service they have, they don’t care. They’ll just do whatever they had last.
Peter: Yeah. So the bottom line is we don’t recommend GoDaddy at all. Sorry. GoDaddy, if you’re listening, we really don’t like your web hosting packages.
Tim: Well, honestly, that’s not the main reason that I have been a little upset with GoDaddy. The biggest reason, I would say, is they want you to pay for every little service, including the SSL certificates. And about any other host that I’ve worked with, especially now, will give you an SSL certificate for free with Let’s Encrypt or
Peter: So SSL they’re doing. You wanna talk about what an SSL certificate is real quick?
Tim: It basically encrypts your connection, and it’s a verified key for it, essentially. You know that website.
Peter: So if you look at your website browser, it’s got a little lock on it. If it says HTTPS... actually, it doesn’t even say HTTPS. You just look in the top of your browser, you see a little lock. Right?
Tim: It depends on the browser. But it’s kind of standard anymore that what you transmit between you and the server is going to be encrypted. Encrypted. Yeah. That’s kind of the point of it.
At this point, this SSL certificate should be free because this should be common practice.
Peter: Standard. Yeah.
Tim: And most hosting providers will give you that because a lot of them use cPanel. And cPanel actually is set up to either use Let’s Encrypt or, I think it was Comodo that they use. And it will just generate it for all the domains that you listed. It basically will look for a file to make sure that you are the actual host for that, and then will issue you the SSL certificate. Right.
It will re-up them every, I think, ninety days. And that’s just built into the program that GoDaddy is using. They would just have to turn it on. And, honestly, that’s what upsets me. All they would have to do is let users use it.
Peter: But they’re charging, so they’re just making
Tim: Well, they want their extra $80 a year.
Peter: Well, that adds up when you look at the amount of people that they host. So the other thing, I mean, we’ve been talking a lot about doing it yourself, as if you’re gonna do this yourself as a website owner. Now, Tim, 99% of the business owners I know don’t want to do any of this. So we do have a solution for that. Not the reason we’re doing this podcast, but there is an alternative to trying to do all this yourself.
Right? It’s, you know, have somebody actually host and manage your site for you, which is something we offer, for example, and there’s other companies that do offer it. I would say the reason that we offer it is because of everything we just talked about. There’s just so much to think about. The last thing a business owner wants to worry about is all this stuff that we just talked about.
So you wanna talk a little bit about kinda what we do, how we do it?
Tim: Well, we don’t host with GoDaddy anymore. No. Luckily, we were moved off almost a year ago. Yeah. And we’ve been using Kinsta since.
Honestly, that has made my job a lot easier because they’re simple. All they do is WordPress hosting. That’s all they do. They have thirty days of backups, and they make things simple. Of course, they give us the SSL certificates for free. They also give us a content delivery network.
Cloudflare is included. It’s all included in the price, and it has made things a whole lot easier. I mean, staging is one-click staging. It’s just a simpler interface. And since it’s not a full cPanel, it doesn’t have all the excessive other items that you could deal with.
It just makes everything simpler: this is just a WordPress site. It’s gonna be hosted. It will work.
Peter: Yeah. So, you did mention DDoS attack, and I’m curious what that means and if, you know, the way that we’re running things... I know our hosting company has something called Cloudflare. Does that
Tim: Oh, that should block most of those.
Peter: So what is a DDoS attack?
Tim: Distributed denial of service. Essentially, well, they’ll do it with bots, but essentially it’s a spike in traffic.
Peter: So they’re, like, flooding your website with requests for pages. Sometimes
Tim: this can happen organically. I’ve seen this happen organically where you send out a newsletter. Oh, yeah. And you send it out to a whole lot of people. Yep.
Depending on the timing of that and how much your actual, you know, click-through rate is, if they all decide to visit at the same time, it has to try and serve to all those people at the same time, and it can just lock up the server. Most of the time, these are going after your DNS server, though, I believe.
Peter: So are those targeted or are those automated?
Tim: It’s usually targeted.
Peter: So it’s targeted, like, political motivation or companies. Somebody doesn’t like something that particular company did. Right? So they’ll
Tim: It’s somebody who’s upset. Most of the time, like, if it’s just gonna be one or two, you know, another person, you can block the IP address, and that’s pretty quick. Yeah. And even Wordfence has that built in, where you could set it to however many pages they tried to view. Right. And then you can start blocking them outright
Peter: Yeah.
Tim: Or for a time period, because they’ve been hitting the site too much. But if you don’t have anything on there, of course, it’s going to keep trying to answer the request. Caching will also help prevent some of this too, because if you already have the answer, it’s just less on the computer.
Peter: So if you’ve ever seen that happen to your website, it just basically, you just get a blank page on the browser. Right?
Tim: Yeah. Well, it’ll serve some sort of error, probably a 500.
Peter: When you try to go to the website, it just says, sorry.
Tim: It’ll either time out or outright break. Usually, those ones, once the attack like, basically, once a wave is gone, it’s usually fine. So those ones, I don’t see that happen as much.
Peter: This has been really interesting, Tim. Kind of a nice look at what happens these days. You know, a lot of people have websites, and they don’t even think about it until it’s dead, you know, or gone or, you know, hacked. Right?
Tim: Unfortunately, it seems to be the case. That’s why whenever I build one, I like to at least have an initial backup, the first build, because it does happen. If something happens with the site, then I just have to restore it. And then usually when I’m doing just random edits, sometimes I’ll just take a backup because I’m paranoid.
Peter: Yeah. I mean, the way that we do backups, you’re doing what? Daily backups every day for thirty days.
Tim: And then I’ll do quarterly.
Peter: Chances are you’re never gonna have to restore a site off of that. Have you had to?
Tim: No. But what if I do?
Peter: That’s what we love about you, Tim, that paranoia.
Tim: Just in case.
Peter: Well, Tim, I really appreciate your time today. Thank you for this enlightening look at what could happen if your website gets hacked and how to prevent it from happening. If you’d like to learn more, check out our website, bizmktg.com, and you can get in touch with us for a free consultation. Until next time. Thanks, Tim.
Tim: Thank you.
Peter: Thanks for listening to this episode of Biz and Life Done Well with Peter Wilson. You can subscribe to us on iTunes, Google Podcasts, Spotify, and most of the other popular podcast platforms. Please tell your friends about us and leave us a review so even more people will find out about us. Thanks again. We’ll see you soon.