Can My Website Be Hacked?
A Simple Guide to Protecting Your Business Website
Every website can potentially be hacked. Unfortunately, many small business owners believe it won’t happen to them because their website is too small.
Admittedly, we generally only hear about large company websites being hacked, and that may be what has contributed to the belief that if you own a small business, no one would be interested in targeting your website.
But nothing could be further from the truth. Some hackers do it for financial gain, but many do it just for the challenge or bragging rights, out of boredom or out of curiosity.
Since most small business owners don’t have the technical knowledge or financial resources to have their own security teams, they are often an easy target for spammers and hackers. Their websites tend to be vulnerable because they don’t regularly upgrade their technology and often use easy-to-hack passwords.
of INFECTED WordPress sites
are out of date
Cyber-attacks often compromise customer data collected through your website as well as your own information, and according to Inc.com almost 60% of small businesses that get hacked go bankrupt within less than 12 months.
Getting hacked can harm your business in many ways, including:
- Identity theft involving your own, your staff’s or your customers’ information.
- Your website can completely crash or the functionality or speed of your website can be compromised
- Important data can be erased or changed
- Your usernames and passwords can be stolen
- Inappropriate information and images can be posted on your website for everyone to see, thus hurting your company’s reputation
Since the start of the pandemic we have seen a big increase in websites getting hacked.
You can read more about it here:
Small Businesses Get Targetted by Hackers
A while ago I spoke at a women’s business conference about website design and one of the topics I covered was website security.
The audience was very engaged in the presentation, but when I hit the topic of website security and the importance of doing back ups, I started seeing a glazed look on their faces.
And I realized it was mostly because they didn’t think website security applied to them, since they are only small business owners and surely no one would want to hack their website.
About two weeks after the conference finished, I saw a post on Facebook, from one of the conference attendees. She said:
Any of you that were in Sydney at the Doers weekend, you’ll remember Ivana Katz talking about making sure that your website was secure and protected against hackers.
At the time I thought to myself “I’m sure mine is okay. I’ve had many different websites over the last ten years and nothing has ever happened”
haha you should NEVER say never.
I’ve had my website shut down by Hostgator because it’s been compromised and there’s a long list of things to be fixed.
I have no idea how it happened and now trying to get on top of it. I suppose my message here is to take Ivana’s message seriously and do your due diligence to make sure your website is protected.
Unfortunately, often people don’t realise their website has been hacked until Google drops them from their listings altogether or displays a warning message next to their website address.
** Source: https://wpmanageninja.com/wordpress-security-statistics/
WordPress is the most popular website development tool, and because of this it is often targeted by hackers. Generally hackers get in through vulnerabilities in the WordPress files, theme files and plugin files.
How do you minimize your chances of getting hacked?
There are a number of things you can … and should do to ensure your website stays safe.
1. Upgrade WordPress, theme and plugins regularly
WordPress releases new versions every few weeks, so it is a good idea to upgrade when the new releases come out. For most of my clients we do the upgrades every 3 months or so.
Your theme should also be upgraded, not only to prevent you getting hacked, but to ensure your website continues to work correctly. I strongly recommend that you (or your developer) build your website using a paid theme such as Enfold or Divi. That way you can be sure the developers will continue to upgrade the files, whenever WordPress releases a new version.
If you use a free theme, you may find it becomes outdated (and hence vulnerable) very quickly since the developers don’t get paid.
Upgrade all your plugins whenever they release a new version.
2. Delete any plugins and themes that you are not using
Deactivating your plugins is not enough – you should also delete them if you are not using them and the same goes for your theme. You should only ever have the theme that you are using installed on your website.
Be aware that whenever you upgrade WordPress, it often installs its default theme, so you may need to go and delete it.
3. Only download plugins from reputable websites
There are thousands of different plugins available for just about any task or function. It is a good idea to only use plugins that are compatible with the most recent version of WordPress and ones that also get upgraded regularly.
When you search for a plugin, WordPress will provide a list of the most popular plugins. If you click on “More Info”, you can find details such as:
- Version No
- Who the author is
- When it was last updated
- What version of WordPress it requires to function correctly
- How many active installations there are (i.e. how many people are using the plugin)
Other things many developers provide include
- Installation instructions
- Frequently asked questions
Look for plugins that have:
- Thousands or millions of active users
- Great reviews and a five star rating
- Regular upgrades
4. Never ever use “admin” as your username
Ensure your username uses a combination of upper and lower case letters, numbers and special characters. Never ever use “admin” as your username.
One of the things hackers often do is send automated bots that try many combinations of usernames and passwords and since “admin” is the default username, they only have to guess the password to get in.
5. Make passwords secure
Just as with usernames, ensure your passwords are secure:
- Use upper & lower case letters, numbers and special characters.
- Your password should be 16 characters or more
- Each account should have its own password – i.e. you should not use the same password for your bank account, email account and website
- Do not use any personal information such as address, phone number or date of birth
- Password should not contain any consecutive letters or numbers
People often use common words so they can remember their passwords, but this is never a good idea as they can get easily hacked.
If you want to see how quickly a hacker can figure out your password, go to
Here are some examples of passwords and how long it would take someone to break them
123456 – instantly
Happy – 9 milliseconds
happy2021 – 42 minutes
Happy2021 – 3 days
australia – instantly
Australia – 19 hours
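The arithmetic behind crack times like these, as an added example that is not part of the original article: the time is the number of possible passwords (alphabet size raised to the password length) divided by the attacker's guessing speed, with well-known words falling instantly to a word list. The guessing speed of 40 billion per second is an assumption chosen because it reproduces the figures above, and the `COMMON` word list is a constructed stand-in.

```python
import string

# Assumption: 40 billion guesses per second, chosen because it reproduces
# the crack times quoted above; real attacker speed varies widely.
GUESSES_PER_SECOND = 40_000_000_000

# Constructed stand-in for the word lists that are tried before brute force.
COMMON = {"123456", "password", "admin", "australia", "happy"}


def charset_size(password):
    """Size of the alphabet that must be searched for this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    return size


def seconds_to_crack(password):
    """Worst-case time to try every password of this length and alphabet."""
    if password in COMMON:
        return 0.0  # found on the first pass through a word list
    return charset_size(password) ** len(password) / GUESSES_PER_SECOND


def describe(seconds):
    """Render a duration the way the examples above do (rounded down)."""
    if seconds < 0.001:
        return "instantly"
    units = (("years", 31_536_000), ("days", 86_400), ("hours", 3_600),
             ("minutes", 60), ("seconds", 1))
    for unit, length in units:
        if seconds >= length:
            return f"{int(seconds // length):,} {unit}"
    return f"{int(seconds * 1000)} milliseconds"


if __name__ == "__main__":
    for pw in ("123456", "Happy", "happy2021", "Happy2021", "Australia",
               "tK9#vL2@qX7!mB4$"):  # last one: constructed 16-character password
        print(f"{pw:18} {describe(seconds_to_crack(pw))}")
```

Each extra character multiplies the search space by the alphabet size, which is why the 16-character password in the last line comes out at trillions of years while a single capital letter only moves a 9-character password from minutes to days.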
Remembering and storing passwords securely can be a challenge, especially if you are used to writing them down in a notebook or keeping them in a spreadsheet. But luckily there is an easy solution – a password manager such as LastPass, Dashlane or 1Password. Then all you have to do is remember one master password and the rest of your usernames and passwords are kept securely in your admin area.
6. Set up additional users & give them minimal access
If you have other people managing your website, such as an assistant or search engine optimization company, make sure you give each their own username and password and the minimal access they require. Do not give anyone full administrator access unless it’s absolutely essential.
There are several different roles you can assign to users
Subscribers can generally only read posts, however if you offer members only content, users can create profiles on your website and login to specific areas of your site.
Contributors can add and edit their posts, but they cannot delete or publish posts. They generally can’t add images or media files
Authors can write, edit, publish and delete their own posts and also upload files, but they are not able to edit other users’ pages
Editors can edit, publish and delete posts and pages. They can also manage links and comments
Administrators have access to all parts of a website – they can publish and delete posts, upload images, videos and audio files, change themes and add plugins. They can also manage users and delete a website.
7. Install security plugin & limit logins
Whilst it is a good idea to minimize the number of plugins that you install on your WordPress website, a security plugin such as iThemes Security or Wordfence Security is a must to protect your website from the bad guys.
Website security is a complex process and both these plugins allow you to easily secure your website, even with their free versions. However, you may wish to consider upgrading for more advanced features.
8. Back up your website regularly – every time you make changes
Having a back up is like having an insurance policy for your website. Webhosting companies do back ups, but those are generally only suitable for restoration of a complete server. The back ups are usually not for individual website restoration.
Even if you are able to restore a backup from your webhosting company it may already be infected. So it is better to keep your own back ups as well.
I offer my clients a manual back up service, so they know even if something happens to their website or with their webhosting account, they have a 3rd party back up. For some clients I do it monthly, for others quarterly or annually. And it costs less than a cup of coffee a day.
The backup frequency depends on how often you update and upgrade your website – you always want to have a copy of the latest version of your site.
I cannot stress highly enough how important it is to keep your own website back ups in case your website suddenly stops working or gets hacked (unfortunately this happens more often than most small business owners are aware of).
There are many things that can go wrong with technology – both with the hardware (computers and servers) as well as the software.
And if your website gets hacked, you may not be aware of it for several weeks or even several months as hackers can install code within your website without you seeing any difference to the functionality.
It is not until Google displays a warning message instead of your website which says “This site may harm your computer” or drops you from their listing that you may become aware of it. And by then your backups may be infected as well. So it is vital you keep several copies of your backups.
If you need help backing up your website, we can do it for you. Choose one of the packages below, depending on how often you update your website – if you update it once every few weeks or months, then choose either the monthly or quarterly backup.
When each backup is done, we will share it with you via Dropbox so you always have access to it.
52 Weekly Backups – $1144 ($22 per back up)
12 Monthly Backups – $396 ($33 per back up)
4 Quarterly Backups – $176 ($44 per back up)
1 Annual Backup – $55
What are signs that a website has been hacked?
Website security is complex and unless you know what you are looking for, you may not realise your website has been compromised.
Some ways you may discover your website has been hacked:
- Your web browser, such as Google Chrome or Firefox displays a warning
- Your website gets shut down by your hosting company
- Google flags your website as harmful
- You get notified by Google Search Console (previously Google Webmaster Tools) that malware has been installed on your website
- You start receiving bounced spammy emails that you did not send
- Your website security plugin alerts you
- You see a traffic spike, sometimes on pages that do not exist
- Strange pop ups start appearing on your website
- Your website becomes very slow
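Two of these signs can be checked directly in your web server's access log: repeated login attempts by automated bots and bursts of requests for pages that do not exist. The following is an added example, not part of the original article; it assumes the common Apache/Nginx "combined" log format, and the log lines, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Apache/Nginx "combined" access log: ip, timestamp, request line, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

# Thresholds are assumptions sized for this small sample; tune them to your traffic.
MAX_LOGIN_POSTS = 3
MAX_NOT_FOUND = 3


def build_sample():
    """Constructed log lines (documentation IP ranges, not real traffic)."""
    fmt = '{ip} - - [12/Mar/2024:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" {c} 512 "-" "-"'
    rows = [("198.51.100.7", "GET", "/", 200),
            ("198.51.100.7", "POST", "/wp-login.php", 302)]          # one normal login
    rows += [("203.0.113.9", "POST", "/wp-login.php", 200)] * 6      # repeated login attempts
    rows += [("203.0.113.44", "GET", f"/old-{i}.php", 404) for i in range(5)]  # missing pages
    return [fmt.format(ip=ip, s=i, m=m, p=p, c=c) for i, (ip, m, p, c) in enumerate(rows)]


def scan(lines):
    """Count login POSTs and 404 responses per IP and report the outliers."""
    logins, missing = Counter(), Counter()
    for line in lines:
        match = LINE.match(line)
        if not match:
            continue  # skip lines that are not in combined format
        ip, method, path, status = match.groups()
        if method == "POST" and path.split("?")[0].endswith("/wp-login.php"):
            logins[ip] += 1
        if status == "404":
            missing[ip] += 1
    return {
        "login_flood": sorted(ip for ip, n in logins.items() if n > MAX_LOGIN_POSTS),
        "not_found_spike": sorted(ip for ip, n in missing.items() if n > MAX_NOT_FOUND),
    }


if __name__ == "__main__":
    print(scan(build_sample()))
```

To run it against a real log, pass the open log file to `scan()` instead of `build_sample()`; your hosting company can tell you where the access log is stored.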
Here is an example of one hacked website … excuse the language!
Learn more about signs that your website has been hacked and what to do about it.
What happens if a website is hacked?
If your website is hacked, much depends on the reason for the hacking. Some things that can happen include
- The hacker can gain access to confidential data
- Visitors can be directed to malicious websites
- A denial of service attack can be performed – in this instance a flood of traffic is directed to your site, causing the server to become overwhelmed and crash
- Phishing – fraudulent emails are sent out, asking customers to divulge confidential information such as login details
A few years ago one of my websites got hacked. I had not updated it for a number of years, so it wasn’t a huge disaster, but I recorded a video which shows you how I found out the website had been hacked and what damage the hacker did.
Can a hacked website be recovered?
A website can sometimes be recovered, but much depends on the circumstances.
In the first instance, notify your webhosting company – sometimes they can help you recover the website.
If you have a recent backup, you can restore it via your admin area or cPanel, or your hosting company can help you do this.
Also make sure you change all passwords immediately.
If your hosting company can’t help, you may need to hire a security expert to clean the website for you and this may be expensive, especially if you don’t have a website backup or the website hacking happened some time ago and your domain name has been blacklisted as a result.
How does a hacked website affect my business?
There can be many consequences for your business if your website is hacked. Some of these include:
- Your customers’ personal and sensitive information compromised
- Identity theft
- Website data changed or erased
- Hosting / email account suspended thus preventing you from communicating with your customers
- Business reputation damaged
- Loss of income
- Cost of cleaning and repairing your website
Website security is not a fun topic, but it is an important subject that needs to be discussed and dealt with.
Just as you would protect a regular store by installing security doors and cameras and heavy duty locks, you need to protect your website, especially if that is your main stream of income.
What would happen if your website was shut down tomorrow and took weeks or even months to recover?
Follow the steps outlined in this article to ensure you reduce the chances of having your website and business compromised.
by Ivana Katz
Websites 4 Small Business – www.web4business.com.au; Ivana makes it easy for you to get your business online very quickly. If you’re looking for a professional and affordable website designer, CLICK HERE and download your FREE copy of “Ultimate Website Design Secrets Blackbook – 10 Bulletproof Strategies for Designing an Outrageously Successful Website”