Keep Your Website Updated to Stop Hacks
At Sucuri, we specialize in cleaning hacked websites. Our Incident Response Team cleans hundreds of websites every day, sending samples and statistics to our research team. The analysis of these incidents helps us gather valuable information about how websites get hacked.
Outdated website software is responsible for the highest number of malware removal tickets we see. In our latest Hacked Website Report (2016-Q2), over half of WordPress websites and 86% of hacked Joomla sites that we cleaned were out of date in some way.
Keeping your website software up to date is a key part of website security. This includes your core CMS software, plugins or extensions, themes or templates, and server stack (e.g., Apache, cPanel).
A lot of website owners think updates are just functional enhancements, but updates often include security patches. If you delay an update, you could be leaving the door open for hackers to enter your website.
Why Are Updates Critical to Website Security?
Zero-day exploits target vulnerabilities that the developer doesn’t know about yet. These are extremely dangerous because, without a patch, one of the only ways to protect yourself is by leveraging a website application firewall (WAF).
As soon as the developer patches the vulnerability, the world knows about it. The question is who will act on this information first - the website owner, or the hacker? As you might expect, hackers get notifications when updates are released for popular software. They compare the old and new versions to find fresh vulnerabilities, and the first few hours are almost as dangerous as a zero-day due to the number of unpatched sites.
You might be asking, “How can the hacker find my website in the first place?”
It’s surprisingly easy (if you’re a hacker). They use automated tools to scan the internet looking for websites running vulnerable software. From here, they take the list of websites and use scripts and attack tools to infect them all.
To illustrate just how quickly this happens, in October 2014, Drupalgeddon infected every single outdated Drupal site within 7 hours. On this kind of timeline, when are admins supposed to sleep?
Impacts of Website Hacks
Your visitors, traffic, reputation, and sales are all at stake when your website is infected.
What happens when your website is hacked? Here are a few things we see quite often:
- Blacklist warnings from search engines, browsers, and antivirus programs.
- Spam keywords (e.g., “viagra”, “cheap raybans”) showing up in your search results.
- Redirects that send your visitors to malicious websites.
- Server resources being used to host malware downloads and spam pages.
- Credit card swipers that steal your customers’ personal data.
- Suspension by your website host for dangerous activity.
- Malicious advertisements and pop-ups on your site.
This is by no means a complete list. There are countless ways for attackers to use your website and server resources with malicious intent. We still see a lot of website ransomware and defacements, which may be the most shocking to visitors and website owners.
It can also take time to recover. If your website is blacklisted, you need to ask Google (or another authority) to review your site once it’s clean. If your site is infected with SEO spam, it can take time to recover any lost rankings. Ecommerce websites can be fined if they are not PCI compliant. Of course, the loss in visitor trust after a hack is difficult to measure.
How to Keep Your Website Up to Date
Automatic updates are a great feature, but they can be problematic when an update breaks website functionality. This is especially true for Joomla sites running on older branches. Virtual patching through a WAF is a great way to plug these holes even if the underlying website software remains outdated.
Website owners who use a management service don’t need to worry about updates because they have a dedicated team who keeps the website up and running. For website owners who need help staying on top of maintenance, it’s wise to invest in a solution like Perfect Dashboard. Updates, testing, and backups are all important parts of responsible maintenance and website security.
One thing that a lot of people miss when performing maintenance is old versions of the site. Get them off your server! If backups and dev sites are publicly accessible, hackers can find them and exploit them. We see a lot of servers being cross-contaminated because one vulnerable backup was stored on the same server.
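One way to find those leftovers is to walk the web root and list every backup file and every extra CMS copy along with its version. The script below is an added example, not Sucuri's tooling. It recognizes only WordPress copies (by reading wp-includes/version.php); the suffix list, the function names, and the sample tree with its version numbers are constructed for illustration.

```python
import os
import re
import tempfile

# Suffixes that usually mark a leftover backup or dump (assumed list; extend as needed).
BACKUP_SUFFIXES = (".zip", ".tar", ".tar.gz", ".tgz", ".sql", ".sql.gz", ".bak", ".old")
WP_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def wp_version(install_dir):
    """Return the WordPress version found in install_dir, or None if it is not an install."""
    path = os.path.join(install_dir, "wp-includes", "version.php")
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            match = WP_VERSION_RE.search(fh.read())
    except OSError:
        return None
    return match.group(1) if match else "unknown"

def audit_docroot(docroot):
    """Walk docroot and report backup files plus every WordPress copy with its version."""
    findings = []
    for current, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic traversal order
        rel = os.path.relpath(current, docroot)
        version = wp_version(current)
        if version is not None:
            kind = "primary-install" if rel == "." else "extra-install"
            findings.append((kind, rel, version))
        for name in sorted(files):
            if name.lower().endswith(BACKUP_SUFFIXES):
                findings.append(("backup-file", os.path.normpath(os.path.join(rel, name)), None))
    return findings

def build_sample_docroot(base):
    """Constructed sample tree: a live site, a forgotten old copy, and a database dump."""
    for rel, ver in ((".", "4.6.1"), ("old-site", "3.9.2")):
        inc = os.path.join(base, rel, "wp-includes")
        os.makedirs(inc, exist_ok=True)
        with open(os.path.join(inc, "version.php"), "w") as fh:
            fh.write("<?php\n$wp_version = '%s';\n" % ver)
    open(os.path.join(base, "backup-2016.sql.gz"), "w").close()
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_docroot(build_sample_docroot(tmp)):
            print(finding)
```

Any "extra-install" or "backup-file" entry is a candidate to move off the server or out of the publicly served directory.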
There are many pieces to website security, but at the bare minimum you should understand the importance of updates, use a good backup strategy, and enforce strong passwords for all users. If you can afford to get a team to help you, the peace of mind that a maintenance and security package will give you is worth it.