Sorry, didn’t mean to scare you with that headline, but if you’re like 50% of small websites out there, you know it’s true. Maybe you’re one of the lucky ones that hasn’t experienced the pain of having their site hacked. In which case, mazel tov! Trust me, it’s not because they haven’t tried. Why? Because your site has one thing that all hackers want. And no, it’s not necessarily your customers’ data, although I’m sure that’s very enticing. No, more often than not, hackers want something even more basic than that. It’s why they’re attacking your site even if your traffic is as low as 4 visitors a month.
But first, 2 Scary Stories
Years ago we started on the road of web security with a simple phone call. A client we had built a site for 12 months prior called to say their site was being blocked by Google because of a malware warning. To get to the bottom of the issue, we asked how they were alerted to the problem. It was from one of their site visitors. That’s important, so let me repeat it. They were informed that their site was compromised by a potential customer. Getting over the embarrassment, and potentially lost revenue, they contacted us to figure out what went wrong. Thankfully we were able to fix the issue and get their online reputation back in good standing, and we began educating ourselves on how best to mitigate these types of attacks in the future.
As I write this, my personal blog, which has fewer than 4 viewers a day, has been attacked 320 times this morning, 982 this week, and 2,282 this month. Attacks were detected from within the United States, Turkey, Ukraine, Netherlands, India, Poland… the list goes on. All this for a tiny blog about coding, dad jokes and BBQ recipes.
When we started looking into it, the first thing we realized was that the size of a site’s traffic had nothing to do with the chances of it getting hacked. Take a look at these stats from a few sites we monitor:
As you can see with these stats, the number of attempts doesn’t relate to the size of the user base in any way. In these instances, attacks have little to do with the targeted site and its users. So what is the target if it’s not the company’s traffic? What are these attackers after if it isn’t our precious data?
Why We’re Targeted
There’s a simple reason why your business, our clients, and my tiny personal blog are being bombarded with attacks. Even though we aren’t banks with massive financial transactions and data sets ripe for theft, we do have one basic thing in common with all of them.
Our sites all have access to the internet.
Thanks to a server (that’s just a fancy word for a computer plugged directly into the internet) we’re all connected to the same internet as all those other “more important” sites. And since it’s all the same web of connected computers, it doesn’t matter if they get in through my blog, your site or a toaster.
Yes, a toaster. Let me explain.
Back in 2016 there was an attack against Dyn, a major service that powers many of your favorite sites. Amazon, Twitter, Airbnb, Reddit, and more were all offline for hours. This happened because someone hijacked not just computers, but any device connected to the internet. That included printers, cameras, baby monitors and routers. They used these devices to bombard Dyn with so much traffic that it was crippled, taking down many of the biggest sites on the internet along with it.
So the fight for your site isn’t necessarily about your content, your users, or your intellectual property, although all that may be up for grabs too. It’s the gateway to the internet that your site provides that’s most valuable. With it attackers can:
- send massive amounts of spam email,
- launch attacks against services like Dyn,
- take down other sites by overloading the capacity of their services,
- use the power of an army of servers to brute-force attack someone’s login page,
- and even add your server to their evil legion that’s attacking some other poor site.
More on that in a future post.
But, you can stop all this. There are simple things that you can do, right now, to help mitigate the attacks against your WordPress website and keep your site’s server focused on delivering a great experience for your customers.
If you haven’t already, take a look at our easy-to-use guide 6 Simple Ways to Protect Your WordPress Site from Hackers and start implementing those security measures, like yesterday. If you need help implementing them or would like to talk about a more robust security setup, please get in touch.