
When your website helper becomes your website hacker!

We are just six weeks into 2019 and I’ve personally helped recover three websites and one social media account so far this year after each was hacked. Every one of these cases caused panic and alarm in the website owner. Two of them involved fraud, or attempted fraud, and one caused a website to be flagged as malicious by Google. We’re still trying to recover its ranking and reputation. Let me say, whatever you can do to protect your website is worth the investment, rather than dealing with the stress of a stranger attempting to destroy your hard-won livelihood.

But today we had an incident different to the norm, and it’s prompted me to write because it’s a flippin scary scenario.


This particular client has strong connections to businesses overseas, her family often travels and her husband actually works with outsourcing centres abroad. Consequently, rather than use our services in the UK, they had engaged a website support person in another country they worked in. This made sense financially and they felt they had a trustworthy person on board. He had been working for them for about six months, I believe. Then today, out of the blue, this person contacted them threatening to delete both their business websites unless they paid him a large sum of money.

Website sabotage by a person you trust

Our saboteur had logged in to both sites with my client’s details, which she had given him to do the work. He then defaced both websites by deleting all the posts and pages. He created himself a new administrator account and deleted all of the other users, so nobody could log in directly. Moreover, he accessed a back-up plugin that we had installed and deleted all the back-ups on the server and, using the same plugin, deleted our copies from remote storage too. (Happily we do not rely on that particular back-up plugin for this sort of emergency.)

Keep back-ups that are separate from your server

This guy was quite clever in that he thought he could hold the business to ransom because he believed he had deleted all their back-ups. But thankfully, as part of our support package, we also create copies of our websites overnight and store them remotely on a completely different server. Plus any web host worth their salt will create a daily back-up of their server – so we can usually restore a website that way as long as you contact them right away.

In this situation, then, we were able to restore both websites quite quickly and lock the perpetrator out. Thankfully, he wasn’t as smart as he thought he was. And luckily he wasn’t technically able to break into the hosting account or the server directly to plant any nasty viruses or malware. Consequently he was cut out fast.

We could also identify his IP address and block that too!

But it left me wondering… after all, there is no way of penalising the perpetrator now; even though he wasn’t an anonymous hacker, he’s not exactly within reach. I’m guessing he will sink into the shadows with very few or nil consequences. Unfortunately, it goes to show that even those you have built a relationship with can and do try to hurt you.

To help yourself, please do take note:

What saved my client from losing her sites?

  1. We kept remote back-ups that this hacker could not access.
  2. We had a savvy web host who could lock out this hacker and give us access to a back-up of their server quickly. (IONOS in this instance – not usually my favourites, but they did a great job today!)
  3. We changed all our passwords immediately. This included passwords to the hosting account, database of the website, as well as website logins.
  4. My client had us on the phone to help restore the right files and database within a couple of hours.
  5. We used Wordfence to help lock down her site from future attack. (Our clients have the Premium licences to give them the best chance of avoiding a hack.) We identified the perpetrator’s IP address and blocked it. And if he attempts to log in to the sites again with his old username or email he will also be blocked.

And what could you do to prevent this happening?

  1. Be very careful giving access to anyone working on your website. Check them out thoroughly, and ideally go and meet them. Get a physical address for their place of work. Obtain client reviews and check a couple to make sure they are genuine.
  2. Avoid giving Administrator access to your website. WordPress has a few standard options, like Author or Editor, for people preparing content for your site. Or you can create a custom User Type to give more access than that. For example, if you employ someone to work on your SEO, they might need to install plugins and work on the structure of your site, so they would need greater privileges than Editor to do that. There is a plugin called User Role Editor to help you give the access they need without giving them the keys to the car, so to speak. Basically you do not want a person to easily be able to add or delete other Users without your permission. Otherwise they can delete you! Just like happened today.
  3. Check any third party who requests Administrator access to your website in order to troubleshoot a plugin or theme problem. Read their Support reviews. Find out where they are based and how long they have been around. Do they have a credible website and associated domain? Did you find them through a well known platform like Envato Market or WordPress? If they approach you directly, rather than you going to them with a problem, I would see red flags for sure. Many well-established theme and plugin authors have developed alternative ways of checking your website if you have a crazy error on it, so they no longer need Admin access. It’s always better to pay for premium support than risk a dodgy person having complete access to your website.
  4. Lastly, if you keep any sensitive data on your website, this one is really important. You must not give access to the sensitive data on your website to a third party unless you have told the people who have given the data to you. This will be stated in your privacy policy as part of GDPR. Therefore, if this is you, and you want a new third party to work on your website, you have to lock down that sensitive data, which you can do with the User Role Editor or with another plugin like Adminimize, which can hide chosen links in your left-hand column of options from that user. Alternatively, you must advise your customers that you are sharing their data and inform them of how it is protected and how it is (or is not) used.
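As an added example (not code from the original post or from the User Role Editor plugin), here is how the custom role described in point 2 could be defined directly as a small WordPress plugin: it starts from the Editor role, adds the plugin and theme-option rights an SEO contractor might need, and strips every capability that would let the account add, promote or delete other users. The role slug seo_contractor and the function names are assumptions for this example.

```php
<?php
/**
 * Plugin Name: SEO Contractor Role (added example, not from the original post)
 * Description: Editor rights plus plugin and theme-option management, but no
 * capability to add, promote or delete other users.
 */
const SEO_CONTRACTOR_ROLE = 'seo_contractor'; // hypothetical role slug

// User-management capabilities this role must never hold.
function seo_contractor_denied_caps() {
    return array( 'create_users', 'edit_users', 'delete_users',
                  'promote_users', 'remove_users', 'list_users' );
}

function seo_contractor_register_role() {
    if ( get_role( SEO_CONTRACTOR_ROLE ) ) {
        return; // already registered; roles persist in the database
    }
    // Start from the capabilities WordPress gives an Editor.
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();

    // Extra rights an SEO contractor plausibly needs: plugins, menus, widgets.
    $caps = array_merge( $caps, array(
        'install_plugins'    => true,
        'activate_plugins'   => true,
        'update_plugins'     => true,
        'delete_plugins'     => true,
        'edit_theme_options' => true,
    ) );
    // Strip anything that would let the contractor touch other accounts.
    foreach ( seo_contractor_denied_caps() as $cap ) {
        unset( $caps[ $cap ] );
    }
    add_role( SEO_CONTRACTOR_ROLE, 'SEO Contractor', $caps );
}
add_action( 'init', 'seo_contractor_register_role' );

// Belt and braces: even if another plugin later grants one of those
// capabilities to this role, deny user-management actions to its holders.
function seo_contractor_block_user_management( $caps, $cap, $user_id ) {
    if ( array_intersect( $caps, seo_contractor_denied_caps() ) ) {
        $user = get_userdata( $user_id );
        if ( $user && in_array( SEO_CONTRACTOR_ROLE, (array) $user->roles, true ) ) {
            $caps[] = 'do_not_allow'; // WordPress sentinel: has_cap() returns false
        }
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'seo_contractor_block_user_management', 10, 3 );
```

Placing this file in wp-content/mu-plugins/ makes it a must-use plugin, so it cannot be deactivated or deleted from the dashboard by the contractor account it restricts.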

I hope this all helps. Please do get in touch if you need support.

Posted in This week I was asked...