It’s a mean old world out there.
You may be running a smallish local business, focussing carefully on delighting your local customers and doing the job better than your local competition, but if you are connected to the internet – and who can afford not to be these days? – you may inadvertently connect to some very unpleasant people who would very much like to use your computer, website, email or social media accounts for their own dodgy purposes.
If you are using a content management system such as WordPress or Joomla to power your website, you have a lot of power that the bad guys could potentially be using. I was just moving a new customer’s WordPress website to new web hosting, and I took a quick look at the files, just to make sure that a couple of items I didnt’ recognise were being currently used by the website rather than being old things left over from previous projects that were no longer in use. When I looked at them carefully, I realised that they had been placed within the website by someone who was clearly up to no good. Some of them were virus infested, others were designed to collect credit card numbers.
How did those bad guys get into the website? Well, there are several possibilities, and it’s hard to pin down which was definitely the culprit.
The Hosting
The site was hosted on very very cheap hosting – probably skimping on security and updates – so it’s possible that someone had got into the server hosting the site and had done bad things to all the sites that were hosted on it.
A Dodgy/insecure WordPress plugin?
Or it could be that someone wrote a WordPress plugin with the deliberate intention of using it as a way in to websites that installed it. Or, perhaps more likely, it could be a plugin that accidentally left a security hole that was later discovered and used to affect this particular site. Be very careful about where you get WordPress plugins from, and if you are not at the point where you can look at the code of your plugins, and see what it’s doing for you, stick to widely installed regularly updated plugins, with a lot of users.
Password Stolen or Guessed?
It could be that a password was sent insecurely in email, and someone picked up the details, either on the email’s journey through cyberspace, or after it arrived on the owner’s computer. Never send passwords by email. It could be that the password was simply guessed – this is why password programs tend to insist you choose a nice long password containing numbers and capital letters. Yes, they can be harder to remember, but they could save you an awful lot of time and trouble.
Cheap hosting is not worth it on many levels. It’s insecure, it’s slow (so customers get a bad experience). It’s well worth spending a little more and getting hosting that won’t kick you in the back. And if you are running any system that uses plugins or apps or third party add-ons of any kind – don’t just click ‘install’ without thinking. Every one is a risk. Only use the ones you really need. And, change your password!