🦍 Most of my new customers find me after their website has been hacked. Almost every time, the problem is bad behavior; in other words, don’t have your password written on a sticky note stuck to your computer monitor.
I’m going to take you through my hack prevention and repair procedure because it’s actually simple and easy to do, and you don’t necessarily need my help to get the job done. Skip ahead to the procedure.
But first, let’s talk about the illusion of security. I say illusion, because it doesn’t exist. I don’t mean to be scary here, but it is just a simple fact that if someone has the password to your email address, then they can get into your bank account. They can also lock you out of everything else, including your website, by just clicking forgot password and resetting it. What’s worse is that it is very easy to break into your smart phone to do this, and a hacker wouldn’t need to actually have physical possession of the device to do it. Those of you who remember “bluejacking” in airports a few years ago know what I’m talking about. I don’t want to go into crypto security and offline keys or using secure communications apps like Signal here because it’s just not realistic for most normal folks’ everyday use, but if you want to go in that direction, contact me.
Okay, here goes:
No joke, there is such a thing as a “key logger” that records everything you type, and there is nothing your virus scan can do about it. The only thing you can really do is cripple your browsing experience by disabling almost everything that also makes it fun. Most websites use “cookies” and some of them use literally hundreds to spy on what you’re doing. You can hire companies that have access to this “meta-data” for marketing purposes. So yeah, any time you have an account on a website, you can be sure that whatever you’re typing, whether it be a shopping site, or a search or social media platform, has been aggregated and sold to advertisers.
If you wouldn't say something out loud with your mother, a competitor in business, or TSA airport security in earshot, then don't type it into a computer.
If you really think corporate espionage is a concern for your business, then you’re going to need a very expensive cyber security firm to handle your account. But know this. Recently, nearly all of America’s private, personal information was hacked out of the credit bureau breach. It actually happens more often than you would think, with more major retailer casualties than need to be named here. And if the biggest companies in the world can’t do anything about it, then what hope do any of us have?
Don't visit suspicious websites, don't open suspicious emails, and just hang up on suspicious callers. Also, don't go to any hotel seminar that tries to sell you kitchen supplies with the promise of a free vacation.
The good news is, you can relax. Your website is not the target of an aggressive human threat. Yes, the viruses were made by humans (some of them are now exiled to a private island paradise, but that’s another story). Most of the hacking threats we face are just robots. What I mean is that there is no specific person out there trying to break into your life, seriously. Just robots. Robots that also go by the name virus, malware, or ransomware, to name the most recognized.
Create a scheduled time, as often as possible, to back up any valuable files, especially anything that is in "the cloud", and set your virus/malware scan to update and scan regularly. I also recommend that you back up your computer and reset to factory settings at least twice a year. This will keep things running smoothly and fast, as well as reliably remove anything that may have been missed by scans. Add my 2018 backup schedule to your calendar.
Ultimately, your personal identity matters most in this society when you interact with banking and transportation; otherwise it’s nothing more than your virtual avatar gaining experience points in a massively multiplayer online role playing game (MMORPG). So, to protect against people banking and traveling in your name, you’ll need to be able to prove your legal identity in the event of some type of fraud. In a general sense, even if your website and/or email has been hacked, that shouldn’t really have a way of putting you personally at risk, so long as you use common sense and also have legitimate legal disclaimers and terms & conditions in place on your website. For more on the legal subject, check out my friend Lisa Fraley, Legal Coach®.
Keep personal identity documents, their copies, and any protocol for acquiring replacements in a secure location with any hard drive file backups. Should you do a credit freeze, too? I don't know, maybe. Just be vigilant, okay? After the hard copies are secured, check out this personal organizer: Jazmine
So, one time, a friend called me and said their site was hacked. I checked it out and couldn’t reproduce the issue. My friend clarified, “you have to visit it on mobile”. That’s when I saw it. As soon as you tried to open my friend’s website on mobile, it redirected you to an X-rated website! Most types of hacks are silent. Your website won’t go down, and you might never notice anything is wrong.
Another time, a different friend called me and said nobody could receive their emails. We quickly discovered that they had ended up on a SPAM blacklist, and that it was affecting the emails of more than 35 employees in multiple locations around the country!
If you're using Outlook, Thunderbird, or any other program from a desktop or laptop computer to access your email, then you must stop immediately. These programs are the primary target of nearly all robot hacks, and the most common way to get buggered.
Please understand that your email address is the one and only gateway. The password to any other account can be reset from here, so it’s important to learn how to protect it. Password-guessing robots are able to guess a password that is ANY combination of 7 characters or less faster than you would think, so as of writing this it is important to have a password that is more than 8 characters long, probably more soon enough. Also, you should NEVER write it down, anywhere. If it can be found, then it can be stolen, so you must learn to remember it.
Also, I recommend changing it to something completely new at least once or twice a year. And please, don’t put your debit card pin number in it! With all the different password rules out there, where sometimes you need a capital letter, and sometimes you need a special character, and other times you can’t have a special character; well, don’t bother with it. Recognize that you can reset the password to any other account from your email address, so it’s not necessary to remember another password, ever. Just use a random password generator, save it when the prompt comes up in your browser, and then just reset it again the next time you have trouble logging in to whatever account is giving you trouble.
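To put the length advice above into numbers, here is an added example (my own, not code from the original post) that counts how many passwords exist up to a given length and how long trying every one of them would take. The character sets and the rate of one billion guesses per second are assumptions chosen for illustration.

```python
"""Added example, not from the original post: how the number of possible
passwords grows with length, and how long exhausting them takes at an
assumed guessing rate."""

# Alphabet sizes; the guesser is assumed to know which set was used.
CHARSETS = {
    "lowercase letters": 26,
    "letters + digits": 62,
    "all printable ASCII": 95,
}

# Illustrative rate, an assumption for the table below (guessing against
# a stolen password database; a live login form is far slower).
ASSUMED_GUESSES_PER_SECOND = 10**9
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, max_length: int) -> int:
    """Count every password of length 1..max_length over the alphabet."""
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def years_to_exhaust(alphabet_size: int, max_length: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole keyspace, in years."""
    seconds = keyspace(alphabet_size, max_length) / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def growth_factor(alphabet_size: int, length: int) -> float:
    """How much one extra character multiplies the search space."""
    return keyspace(alphabet_size, length + 1) / keyspace(alphabet_size, length)


if __name__ == "__main__":
    print(f"{'charset':22}{'len':>4}{'passwords':>24}{'years @1e9/s':>16}")
    for name, size in CHARSETS.items():
        for length in (7, 8, 12, 16):
            print(f"{name:22}{length:>4}{keyspace(size, length):>24,}"
                  f"{years_to_exhaust(size, length):>16.3g}")
```

Every extra character multiplies the search space by roughly the alphabet size, which is why going from 7 to 12 or 16 characters matters far more than swapping one letter for a symbol.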
Whatever you do, don't forget the password to your primary email address, but if you think you might, and you should anyway, activate two-factor authentication. This way, if a suspicious login attempt is actually detected, then a confirmation code will be sent to your smart phone for verification. You can use this method to reset your primary email password if it comes to that. If your email doesn't offer two-factor verification then you need to migrate your email to a better solution.
There is such a thing as a lock and erase feature, and that’s great if it works. But it most likely will not if you, yourself, trigger the two-factor authentication when trying to log into your email from another device. So, what happens if you forgot your password, you have enabled two-factor authentication, and your phone is lost or stolen?
I call this the Omega Protocol because it's your last resort; these are the end-game measures for a complete lockdown.
- Calm down, say your prayers, and relax. Everything is going to be fine.
- Attempt to log into your email from another device, and if successful, change the password. Then, initiate the lock and erase feature for the lost/stolen phone.
- Contact your cellular provider and disable the phone number immediately. This way, no two-factor authentication can even occur.
- Contact your banking institutions and disable your cards and accounts.
- Contact your Web Guy and initiate a full backup.
- Wait for your new device to arrive, and re-activate the phone number. Initiate the two-factor authentication to log into your email.
- Change your password. Contact your banks.
Adam’s Hack Repair / Prevention Procedure
1. Divide and Conquer
- If your hosting also includes email, that’s a red flag.
If your website gets hacked, your email is hacked and vice versa. So the first thing to do is separate your hosting from your email from your domain. Basically this type of hosting is almost always on a server running cPanel, which has multiple points of entry, and is a popular target for hacking robots. You’d be amazed at the damage a robot can be programmed to inflict with cPanel.
- always check with me for the latest coupon before signing up for anything I recommend.
- Transfer your domain name to NameCheap where they don’t charge you extra to keep the ownership data private.
- Secure your website on WPEngine, which raised $26 Million in first-round funding to make sure WordPress websites are safe.
- Migrate your email to G Suite where so much more is possible, I can’t even get started. Let me show you what can be achieved with the productivity of Drive, Docs, Sheets, Calendar, Slides, Drawings, and Keep.
- Process payments with Stripe so that your website does not store any secure billing details in the database. Also, now you can accept Bitcoin with Stripe!
2. Start Fresh
- If your WordPress core, theme, or plugins are not up to date, that’s a red flag.
There are lists of vulnerabilities that affect more than just WordPress. SSL had a big scare just last year and literally everyone was at risk. But knowing where to check for vulnerable plugins, plus being on a server that monitors these breaches with a team of people dedicated to patching the holes, is a lot of peace of mind.
- Don’t “migrate” your infected site. Re-build it from scratch. It shouldn’t take that long.
- Export your posts, pages, products, and widgets from your old site.
- Export THEME OPTIONS!
- Make a detailed list of any customizations whatsoever.
- Beginning with a fresh installation of WordPress, download and install the latest version of your theme.
- Install the required plugins and any additional plugins (minus any from the vulnerability list). Now everything is up to date.
- Import your posts, etc., and you’re back in business!
- Check your comments settings and make sure they are moderated, so that no unauthorized comments get posted.
- WPEngine provides a free Let’s Encrypt SSL to save you money. So connect that, and then set your site to be served securely through https only.
3. Add Monitoring & Firewall
- Use a free uptime monitoring service like Down Notifier.
- Worry less by knowing that the good folks at Sucuri are working round the clock to ensure your website is safe, and if something happens, they’ll fix it within 4 hours! I recommend the Sucuri business plan for total peace of mind.