Hacked! Spammed! Spoofed!

by Barry Shuchter,

Despite the title of this note, I’m not an alarmist when it comes to malicious hacking. However, should your email or website become compromised, it’s a problem which can be time-consuming and costly to fix.

At the bottom of this note are some basic recommendations for protecting your content, but first I want to provide some information to help you understand the nature of malicious hacking. I use the term “malicious” hacking to distinguish it from the benign or beneficial forms of hacking, where hackers search for vulnerabilities in order to correct them.

While some malicious hacks are meant to annoy you, the vast majority are attempts to find vulnerabilities that can be exploited to make money.

Some examples are:

  • Code is added to your website that automatically redirects readers to other websites which are under the control of malicious hackers.
  • Things are displayed on your website that aren’t really part of your website.
  • Tools are inserted to snoop around on your server in order to find other vulnerabilities.
  • Your website is scanned for credit cards or other personal information that can be stolen or exploited.
  • Website posts are created in your name, undermining your credibility.
  • Emails appear to be sent from you, but are not really from your account, which is called “spoofing”. You may even receive one of these emails falsely claiming that you’ve been hacked and that you need to pay money to stop it.
  • Your email inbox or website comments are filled with spam attempting to sell things.

While all the above examples can be detrimental, it’s important to understand is that a malicious hack is rarely personal. Most malicious hackers are not targeting you in order to undermine what you’re doing on your website. Generally, they are scanning the internet for vulnerabilities to exploit. Often, a malicious hack is not the result of a human being doing things directly to your website, but rather the result of automated programs that scan the web and insert malicious code wherever there is an opportunity.

Safety and prevention recommendations

Here are some steps you can take. If they seem too complex, feel free to reach out and I can help.

  1. Make sure to install the most recent version of all software on your website, which include the newest security features. If any of the following are outdated, they can be vulnerable to malicious hacking: server software (PHP), website software (WordPress), themes, and plugins.
  2. Install plugins to monitor your website and block malicious activity and spam (many of which are free).
  3. Ensure that the forms on your website are secure. Adding a “recaptcha” button will help block spam.
  4. Install an SSL certificate on your website, which will encrypt information as it travels between your website and the internet.
  5. There are settings you can add to the email account on your server which will help mitigate against spoofing.
  6. Make your passwords difficult to guess. Change them regularly. Don’t share them widely.
  7. Make sure that anyone who can log in to your website is trustworthy. Sadly, there have been occasions where I’ve had to clean up malicious hacks created purposefully by other web developers.
  8. If you work in a public space, be mindful of who’s around you when you’re typing on your keyboard, and be careful of what you say out loud.

Next steps

Though a nuisance and annoying, and occasionally quite problematic, unfortunately it’s impossible to entirely prevent malicious hacking.

Luckily, as outlined above, there are steps you can take to mitigate the problem.

If you’d like help, I offer an assessment of your website to look for vulnerabilities and other critical issues. Please visit my WordPress Website Assessment page for more information, and to sign up.