My Website Was Hacked. 4 Lessons You Should Learn from My Experience

Olatunde Adedapo
5 min read · Oct 3, 2021

[Image: binary code with the word “HACKED” in the centre. Image by geralt on Pixabay]

In early August, my website was hacked several times. It was a phishing attack by AnonymousFox, a hacker group that targets WordPress websites. The group took over not only the website but also my cPanel account. And the funny thing was that I didn’t realise the website had been hacked until I started receiving several emails from Internet security companies.

Google also sent an email, accusing me of social engineering. And in the course of the battle with the hackers, my hosting company deactivated my account, sending the website offline. That was the first time I experienced my online asset being hacked, and it wasn’t a palatable experience.

But while fighting the battle, which I have now won, I learnt some lessons that I believe will be useful for owners and admins of WordPress websites. This experience also taught me a lesson in marketing, and being a digital marketer, I found the marketing lesson fascinating. Below are the lessons from the experience.

1. Keep an eye on your WordPress plugins and themes

From my research, I discovered that the hackers broke into my website through an outdated plugin. I installed the plugin 3 years ago, but since then, the developers have abandoned it. New updates weren’t pushed, and this resulted in hackers taking advantage of a loophole in the plugin. I have now uninstalled the plugin, but the lesson here is that you should always keep an eye on your plugins and themes.

Always update them or enable auto-update. If their developers haven’t pushed an update in two years, it is safe to say that they have been abandoned. And when a WordPress plugin or theme is abandoned, it is better to remove it from your website so that hackers can’t take advantage of any unfixed loophole.

In the same vein, if you are someone who uses nulled (pirated) plugins and themes, you have to be careful. These plugins are likely to carry malware through which your website can be hijacked.
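The two-year rule of thumb above can be checked automatically. The following is an added example, not part of the original post: it assumes the installed list has the shape of WP-CLI's `wp plugin list --format=json` output and that update dates use the WordPress.org plugin directory's `last_updated` format. All plugin names and dates are constructed sample data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample in the shape of `wp plugin list --format=json` (WP-CLI).
INSTALLED_JSON = """[
  {"name": "contact-form-x", "status": "active", "update": "none", "version": "1.2.0"},
  {"name": "seo-helper", "status": "active", "update": "available", "version": "4.1.3"},
  {"name": "old-gallery", "status": "inactive", "update": "none", "version": "0.9"},
  {"name": "cache-tool", "status": "active", "update": "none", "version": "3.3.1"},
  {"name": "premium-slider", "status": "active", "update": "none", "version": "2.0"}
]"""

# Constructed metadata in the shape of the plugin directory's "last_updated" field.
# premium-slider is absent on purpose: it is not listed in the directory.
DIRECTORY_INFO = {
    "contact-form-x": {"last_updated": "2018-07-30 9:05pm GMT"},
    "seo-helper": {"last_updated": "2021-09-12 11:40am GMT"},
    "old-gallery": {"last_updated": "2017-01-03 2:15pm GMT"},
    "cache-tool": {"last_updated": "2021-08-01 8:00am GMT"},
}

ABANDONED_AFTER = timedelta(days=2 * 365)  # the article's two-year rule
AUDIT_DATE = datetime(2021, 10, 3)         # assumed audit date for the sample


def audit_plugins(installed_json, directory_info, today):
    """Return {plugin_name: [findings]} for plugins that need attention."""
    findings = {}
    for plugin in json.loads(installed_json):
        name, notes = plugin["name"], []
        if plugin.get("update") == "available":
            notes.append("update available")
        info = directory_info.get(name)
        if info is None:
            # Cannot confirm update history; could be premium or nulled.
            notes.append("not in directory: verify source")
        else:
            last = datetime.strptime(info["last_updated"], "%Y-%m-%d %I:%M%p GMT")
            if today - last > ABANDONED_AFTER:
                notes.append(f"abandoned: last update {last:%Y-%m-%d}")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_plugins(INSTALLED_JSON, DIRECTORY_INFO, AUDIT_DATE).items():
        print(f"{name}: {'; '.join(notes)}")
```

Plugins that are up to date and recently maintained, such as the sample `cache-tool`, are left out of the report, so anything listed needs a decision: update it, remove it, or confirm where it came from.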

2. Be comfortable with cPanel and HTML

WordPress is a fantastic CMS. The platform allows you to easily build a website, and it was a no-code platform before low-code and no-code became buzzwords. However, the issue with using WordPress to design a website is that it discourages you from learning to code. And, with what some hosting companies provide, you don’t even need to log in to your cPanel to install WordPress. The drawback of this is that the day you have a slight issue with your website, you won’t know what to do.

In my case, I am conversant with cPanel and have a little knowledge of HTML, CSS, and PHP. Because of this, when my website was hacked, I did some troubleshooting myself, and during that, I came across the email accounts used by the hackers to access my cPanel and deleted all of them. Also, I deleted the malware files installed in the file manager of my cPanel.

While doing the website clean-up, I reached out to my hosting company and asked if they could help. They declined but recommended I buy a malware remover product. During the period, I got messages from unknown freelancers requesting to help with the cleaning for a fee. (I wonder how they knew my website was hacked.)

If you manage a website and don’t want to be an “ATM” for people when you have an issue, it is good to learn to code, especially HTML and CSS. You should also be familiar with using cPanel.

3. Use a reliable and responsive hosting company

Although my hosting company wasn’t willing to help with the malware clean-up, its customer support agents were very supportive. I chatted with them several times during the period, and they provided me with a free malware scan of my website.

When they deactivated my account because the malware kept regenerating itself, I reached out to them. They did another scan and told me the source of the issue, and as soon as I fixed the issue, my account was restored.

I am impressed with how quickly they respond to chats and do their best to get problems solved. Many people I know complain about their hosting companies not being very responsive and helpful in fixing issues. I realise that the reason is that they use cheap hosting companies because they want to save costs. I experienced that too when I was still using a cheap hosting company.

If you care about your website and want a quick response whenever there’s an issue with your website, go for a reliable hosting company. But sorry, a reliable hosting company isn’t cheap.

4. Set a limit and upsell

This is the marketing lesson I learned from the hacking experience. When the website was hacked, I didn’t want to go through the stress of cleaning the malware myself. Besides, I am not an expert in cyber security. As a result of this, I requested that an agent of my hosting company help to reset my WordPress login details and also remove the malware files. The agent reset the login details and gave me a list of the malware files, but said he was not permitted to remove them. He then recommended that I get the premium version of a website security product offered for sale by his company.

He said WordPress security is porous, but by getting the premium product, the product’s expert can help remove the malware files from my website and lock out hackers. I knew the product he was talking about, as I use its free version and have gotten several emails asking me to upgrade, but I decided not to do so.

However, with the malware regenerating itself after several cleanings, I was seriously thinking of upgrading to premium. In the end, I went for an alternative product, but I learnt a marketing lesson from the interaction with the agent.

The lesson is that, as a business person, you should know the limit of service you will provide to your customers for a certain fee. When the limit is reached, don’t compromise; pitch them an upgraded package and you have a very high chance of converting them. This is the best way to upsell to customers.

To conclude, my access to the website has now been restored and the malware has been permanently removed. However, the lesson from the two-week battle with the hackers will never be forgotten.

Olatunde Adedapo

A digital marketer with a special interest in search engine optimization (SEO) and content marketing. I also write about gadgets and technology.