If you run a blog in the 20-teens then you could get hacked.
Dear Blogger was hacked just a week ago, meaning anyone visiting the site saw a 403 error page and we were de-indexed from Search. Let me say that again, we were removed from Google. Zero traffic and zero revenue for 1 week. I wrote this post because “getting hacked” is still a very misunderstood concept and to explain what I learned.
This will help you prevent a hack, or clean things up should it ever happen.
Who should be reading this
Imagine seeing your analytics flatline. Daily subscribers and sales too. Not pretty eh? Not going to happen to you, you say? Well, that’s what I thought.
So I’m writing this post to warn:
- Niche bloggers
Niche bloggers have a long checklist to become profitable, and security is easy to forget along the way. And the sheer profitability of these blogs makes them ideal targets.
- WordPress business website owners
It’s becoming more and more common for WordPress business owners to start 10-20 WordPress sites and make a living out of it. More sites = more potential for a hack, which can then infiltrate all your sites.
- Bloggers who blog full time
Anyone who blogs full time needs to take precautions. And anyone who runs a lucrative blog can be crushed by a hack that leads to de-indexing. It’s average bloggers operating entirely alone who can suffer the most from a hack, because the world simply keeps moving and other bloggers will take your place almost instantly.
As I said it’s average solo bloggers – moms, dads, community managers – that can suffer the most from a hack so this post is for you. I’m here to help.
But before I talk about the two things you might not be doing – how can a hack really lead to being de-indexed aka taken out of Google Search and losing all your free traffic?
A hack often leads to de-indexing
Side note: thanks to Anya, an awesome blogger and subscriber, who first emailed me about our potential hack. I should have taken action then…
What is a hack? As Google puts it, a hack for website owners usually means a malicious third party has uploaded spammy content or malware to your site.
Example: Let’s say you have an awesome site about socks. You recommend the warmest, most athletic and always cutting-edge socks. Then one day, Google crawls your site and finds all sorts of links to some disreputable pharmaceutical company (spammy content was put on your site). Or worse, Google crawls your site and finds malware, which is prying at your passwords and can be uploaded to visitors’ computers.
Google will mark your site as “This site may be hacked” to protect both you and all your visitors.
Here’s a hacking help video from Google I’ve already watched thrice:
If your site goes un-fixed for too long, it can be removed from Search entirely, the worst nightmare of any blogger.
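One way to catch the "spammy links" case from the sock example before a crawler does is to list every outbound link host on a page and compare it with the sites you actually link to. This is an added example, not part of the original post; the hostnames, the allowlist and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two legitimate links, three that nobody
# on the blog put there. All hostnames are placeholders.
SAMPLE_PAGE = """
<p>Our <a href="/reviews/wool">warmest socks</a> and
<a href="https://www.socks-blog.example/athletic">athletic picks</a>.</p>
<p><a href="http://cheap-pills.example/buy">pills</a>
<a href="http://cheap-pills.example/rx">rx</a>
<a href="https://socks-blog.example.spam.example/x">socks</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect the hostname of every absolute <a href> in a page."""

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        href = dict(attrs).get("href") or ""
        host = urlparse(href).hostname  # None for relative links, mailto:, etc.
        if host:
            self.hosts.append(host)


def is_allowed(host, allowed):
    """Match the domain itself or a true subdomain of it. A plain substring
    or prefix test would wrongly accept socks-blog.example.spam.example."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def unexpected_link_hosts(page_html, allowed):
    """Return {host: link_count} for hosts outside the allowlist."""
    parser = LinkCollector()
    parser.feed(page_html)
    counts = {}
    for host in parser.hosts:
        if not is_allowed(host, allowed):
            counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in unexpected_link_hosts(SAMPLE_PAGE, {"socks-blog.example"}).items():
        print(f"{n} link(s) to unexpected host: {host}")
```

Run it against the saved HTML of your home page and a few recent posts, with your own domain and the sites you knowingly link to in the allowlist.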
What causes a website or blog hack?
Now that we know what a hacker wants to do once they get in – upload spammy content or upload malware – what makes your site vulnerable to a hack? Again, two things:
- Outdated plugins or versions of WordPress software
- Weak passwords
As trivial and simple as it sounds, these are the two most common ways a WordPress site is hacked. Think about all the sites you run. Are your plugins up to date? Are you running WordPress 4.0 now?
Plugins, when outdated, can carry known vulnerabilities – basically holes that let a hacker run exploits against lots of sites at once with their own malicious scripts. And weak passwords speak for themselves.
These causes are not mutually exclusive either. A hacker can enter through a plugin, obtain your password, and even then gain access to your server (like GoDaddy, Bluehost, or HostGator) and this is when it gets really serious.
Maybe it’s time to start taking the password meters more seriously? For me it is.
How to prevent a website hack
So, a hacker can use outdated plugins or core WordPress software combined with weak passwords to upload spammy content and malware to your site. Once they’re in, all hell breaks loose.
So, how can you ensure that your WordPress site or blog never gets hacked? Here are my suggestions:
1. Spend at least one day each month updating all of your site content including plugins, versions of WordPress, eCommerce addons like WooCommerce and anything else you feel looks out of date.
2. Purchase security software for WordPress (ask for recommendations)
3. Develop a good relationship with your host
#1 alone will protect you from 95% of hacks, and as such I don’t recommend purchasing expensive software, especially if you have just started blogging.
However, #3 is paramount. When this website was hacked, HostGator acted swiftly to bring in security admins and quarantine the site. The downside was a few days without revenue or new subscribers, but the upside is we’re all clear now, some 5 days later. You absolutely need to act quickly on these matters, and need the assistance of a good host or “hoster” as Google calls them to clean up all the graffiti.
Building a good support team now will help you figure out how to fix a WordPress website or blog hack quickly when it actually happens. The final step will be to request a review from Google.
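For the monthly update pass suggested above, a small script can turn the plugin inventory into a to-do list: what to update and what to delete. This is an added example, not part of the original post; it assumes you have WP-CLI installed and reads the JSON printed by `wp plugin list --format=json --fields=name,status,update,version`. The plugin names in the sample are constructed.

```python
import json
import sys

# Constructed sample of the WP-CLI JSON output; plugin names are made up.
SAMPLE_WP_PLUGIN_LIST = """[
  {"name": "contact-form-example", "status": "active", "update": "available", "version": "3.1"},
  {"name": "seo-helper-example", "status": "active", "update": "none", "version": "2.4.1"},
  {"name": "old-slider-example", "status": "inactive", "update": "available", "version": "1.0.2"},
  {"name": "gallery-example", "status": "inactive", "update": "none", "version": "5.0"}
]"""


def audit_plugins(wp_cli_json):
    """Sort plugins into the two buckets the monthly pass cares about."""
    report = {"update": [], "delete": []}
    for plugin in json.loads(wp_cli_json):
        name = plugin.get("name", "<unnamed>")
        if plugin.get("status") == "inactive":
            # A deactivated plugin's files are still on the server and can
            # still be requested over the web, so delete it instead of
            # keeping it patched.
            report["delete"].append(name)
        elif plugin.get("update") == "available":
            report["update"].append(name)
    report["update"].sort()
    report["delete"].sort()
    return report


def format_report(report):
    """Render the audit as one action per line."""
    lines = [f"UPDATE  {name}" for name in report["update"]]
    lines += [f"DELETE  {name} (inactive)" for name in report["delete"]]
    return "\n".join(lines) or "Nothing to do."


if __name__ == "__main__":
    # Pipe real WP-CLI output in, or run with no input to see the sample.
    piped = "" if sys.stdin.isatty() else sys.stdin.read()
    print(format_report(audit_plugins(piped.strip() or SAMPLE_WP_PLUGIN_LIST)))
```

The same approach works for themes with `wp theme list`, and `wp core check-update` reports whether WordPress itself is behind.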
Are you at risk?
Getting hacked is not something you want to prolong, but it is something you need to address quickly both on your end and to your readers. Having a quick strategy will help you fix a hacked site and get back to business asap. Here are the main takeaways:
- Always update your plugins (and delete plugins and themes you don’t use for a faster site).
- Update WordPress often
- Delete plugins and themes you don’t use
- Start building a support network with your host today, so they know who you are when you rush to them for help. This is crucial.
- Use medium-strong passwords
- And you should be okay
I’ll be sending a more personal, elaborate story of the hack at Dear Blogger to my email club so hop on if you’re curious on the deets!
Let me know any questions in the comments and I’m happy to explain further.