Story 1: Years ago when we started on the road of web security with a simple phone call. A client we built a site for 12 months prior called to say their site was being blocked by Google because of a malware warning. To get to the bottom of the issue we asked how they were alerted of the problem. It was from one of their site visitors. That’s important so let me repeat it. A potential customer was who told them about their security issue.
Getting over the embarrassment, and potentially lost revenue, they contacted us to figure out what went wrong. Thankfully we were able to fix the issue, get their online reputation back in good standing and began educating ourselves on how best to mitigate these types of attacks in the future.
Story 2: As I write this, my personal blog, which has less than 4 viewers a day, has been attacked 320 times this morning, 982 this week, and 2,282 this month. Attacks detected from within the United States, Turkey, Ukraine, Netherlands, India, Poland… the list goes on. All this for a tiny blog about coding, dad jokes and BBQ recipes.
When we started looking into it, the 1st thing we realized was that the size of a site’s traffic had nothing to do with the chances of it getting hacked. Take a look at these stats from a few sites we monitor.
As you can see with these stats, the number of attempts don’t relate to the size of the user base in any way. In these instances, attacks have little to do with the targeted site and its users. So what is the target if it’s not the company’s traffic? What are these attackers after if it isn’t our precious data?
There’s a simple reason why your business, our clients, and my tiny personal blog are being bombarded with attacks. Even though we aren’t banks with massive financial transactions and data sets ripe for theft, we do have one basic thing in common with all of them.
Our sites all have access to the internet.
Thanks to a server (that’s just a fancy word for a computer plugged directly into the internet) we’re all connected to the same internet as all those other “more important” sites. And since it’s all the same web of connected computers, it doesn’t matter if they get in through my blog, your site or a toaster.
Yes, a toaster. Let me explain.
On Friday, October 21, 2016 there was an attack against Dyn, a major service that powers many of your favorite sites. Amazon, Twitter, AirBnB, Reddit, and more were all offline for hours. This happened because someone hijacked not just computers, but any device connected to the internet. That included printers, cameras, baby monitors and routers. They used these devices to bombard Dyn with so much traffic that it was crippled, taking down many of the biggest sites on the internet along with it.
So the fight for your site isn’t necessarily about your content, your users, or your intellectual property, although all that may be up for grabs too. It’s the gateway to the internet that your site provides that’s most valuable. With it attackers can:
But more on that in a future post.
There are simple things that you can do, right now, to help mitigate the attacks against your WordPress website and keep your site’s server focused on delivering a great experience for your customers. The first would be to take a look back at our easy-to-use guide 6 Simple Ways to Protect Your WordPress Site from Hackers and start implementing those security measures, like yesterday. But if you need help implementing them or would like to talk about a more robust security setup,