Hackers damage your Business, not just your IT

Not actively maintaining your WordPress site? That lackadaisical approach may have led to the Mossack Fonseca breach.
What damage could a hacking incident bring to your business?

The devastating impact of an unmaintained WordPress site.

The widely publicised Mossack Fonseca data breach has exposed sensitive information about high-profile clients, with catastrophic consequences for Mossack Fonseca and their clients.

Wordfence’s investigation of this high-profile hack identified that an ‘innocent’ out-of-date WordPress slideshow plugin was the point of entry (i.e. the ‘exploit’) the hackers used to gain access to Mossack Fonseca’s computer systems. From there the hackers also broke into the organisation’s email server, and so reached 4.8 million emails.

Hackers are everywhere!

Closer to home, this week my PC’s personal firewall alert ‘lit up’ while I was reviewing a website. It turns out that a ‘Mass Injection’ trojan in another website linked to the site I was reviewing tried to compromise my PC. Wow! I didn’t even visit the remote site and it was attacking my PC! Thankfully I had a good personal firewall installed. The client representative didn’t…

Is a hacked website a business priority?

I immediately advised the client representative, but got a rather complacent response to my recommendation to immediately shut down their website.

I was concerned about protecting other website visitors from potentially having their PCs hacked, and also about protecting the client from liability in case this happened. Prospective clients visiting your website might remember your business if you crash their PCs, but will they do business with you anyway? – Maybe not…

Hackers damage your business, not just your IT

With hack attacks on the increase, including ‘ransomware’ – where you have to pay to unlock your hacked computers or file servers – now is the time to take action and review your business exposure should you lose your computer systems, file and email servers, or even your website.

Hack attacks create business liabilities

Consider your liability should your computer systems or website spread viruses or trojans. Infecting your client’s computer network may not be good for the ongoing business relationship… You could even end up in a litigious situation.

WebSite Concierge Services

Succinct Ideas provides high-performance, ‘hack-hardened’ website hosting and website maintenance services to help avoid embarrassing and potentially commercially disastrous situations like the Mossack Fonseca data breach.
Contact me to find out more.

A soapbox moment

Wouldn’t it be nice to have so much income that I’d consider offshore tax ‘shelters’… Hmm. If I’ve got that much money, do I have to rip off the tax system to get even more?

Robin Hood Hackers?

Most hackers or hack attempts seem to be digital vandals. But then this hack’s targets are tax cheats… Who is doing wrong? Maybe there’s a well-meaning ‘Robin Hood’ hacker out there exposing unjust activities. If there is, they are certainly in the minority amongst hackers.

What are governments doing?

It’s notable that Mossack Fonseca’s tax evasion strategies operate globally, and it seems their business model was known to governments and tax enforcement agencies around the world. Immoral but legal…

If the same level of zeal were applied to policing these schemes as is used in scrutinising small businesses and individuals, wouldn’t the tax burden surely be eased for everybody? I was stunned to see recently circulated data on how little (some) corporations contribute in local tax…

Wouldn’t the increase in tax funds from solving this issue take pressure off our political masters? Couldn’t they then concentrate on ‘real issues’ rather than the ongoing political pantomimes about finding budget for essential services?

It seems I’m just another dumb small business owner and don’t understand…

SEO Sabotage – Can you trust your SEO Provider?

I picked up a new project recently and was shocked and appalled to become embroiled in an ‘SEO sabotage’ conducted by the previous SEO service provider – clearly an organisation with no professional ethics.

The client’s site was blocked from Google and instantly plummeted out of the rankings. Site users were deleted and, worse, a hacked file was installed on the site. With Simon Perrin’s valuable assistance we discovered code buried in the site that enabled the SEO service provider to remotely control the site’s Google performance as they pleased.

In the beginning

It all started shortly after commencing a new SEO project, when my WordPress user ID suddenly disappeared. I restored access by using the client’s hosting details to get into the MySQL database. Then a horror story of blatant sabotage started to unfold.

Site compromised but what did they do?

Simple History – an activity logger plugin I had fortunately installed – captured an activity log reflecting a frightening story of professional deceit. Someone located in Melbourne accessed the site, deleted all other users, then installed WP-FileManager and, 24 minutes later, deactivated it.

My concern about what happened in those 24 minutes was vindicated when I found the site spiralling out of the rankings.

The original robots.txt had been overwritten with one configured to ‘block all’ crawlers – i.e. remove the site from Google. On further investigation I found two robots noindex meta tags buried in the site’s code which did the same thing. Someone was serious about killing this site!

Remote control on the Site’s SEO performance

One blocking meta tag was removed from the site’s header template, but I had to resort to expert WordPress help from Simon over at Duografiks to locate the second meta tag. This was very concerning, as the meta tag was controlled remotely from a non-public area of the SEO service provider’s website; i.e. the SEO service provider could turn the site’s Google performance on and off remotely as they wished. I wonder how many other client sites they remote-control like this?
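A defender’s check for the two de-indexing tricks described above (a ‘block all’ robots.txt and noindex meta tags buried anywhere in the rendered page, including one switched on from elsewhere), written as an added example that is not the author’s code or any plugin’s; the sample robots.txt and HTML are constructed to mimic the incident.

```python
from html.parser import HTMLParser

# Constructed sample inputs mimicking the sabotage described above (not the real site's files).
SAMPLE_ROBOTS_TXT = "# overwritten by the attacker\nUser-agent: *\nDisallow: /\n"
SAMPLE_HTML = """<html><head><title>Client site</title>
<meta name="robots" content="noindex, nofollow">
</head><body><p>Welcome</p>
<meta name="googlebot" content="noindex"></body></html>"""  # second tag hidden in a template

def robots_blocks_all(robots_txt):  # True if a '*' or googlebot group contains 'Disallow: /'
    agents, in_rules = set(), False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and whitespace
        if ":" not in line:
            continue
        field, value = (p.strip() for p in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_rules:                              # rule lines seen: a new group begins
                agents, in_rules = set(), False
            agents.add(value.lower())
        elif field in ("disallow", "allow"):
            in_rules = True
            if field == "disallow" and value == "/" and agents & {"*", "googlebot"}:
                return True
    return False

class _RobotsMetaScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []                                # (meta name, content) pairs found
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() in ("robots", "googlebot"):
            directives = {d.strip().lower() for d in a.get("content", "").split(",")}
            if directives & {"noindex", "none"}:      # 'none' means noindex, nofollow
                self.hits.append((a["name"].lower(), a.get("content", "")))

def noindex_meta_tags(html):                          # finds tags in head OR body
    scanner = _RobotsMetaScanner()
    scanner.feed(html)
    return scanner.hits

def audit(robots_txt, html):                          # empty list means nothing suspicious
    findings = []
    if robots_blocks_all(robots_txt):
        findings.append("robots.txt disallows the whole site for all crawlers")
    findings += [f"<meta name={n}> carries {c!r}" for n, c in noindex_meta_tags(html)]
    return findings
```

Run `audit` over the live robots.txt and the HTML your server actually serves (not the theme files), since a remotely controlled tag only shows up in the rendered output.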

I’m still trying to come to terms with the ethics of a business that would do this. A debt management strategy perhaps? My new client claims he didn’t owe money.

What should you do to avoid this?

Nobody wants to get tangled up in these situations, but clearly they do happen, so what should you do to manage the risk?

Backups

Keep up-to-date off-line backups of your website – my personal favourite is BackWPup, a free backup plugin for WordPress. It allows backups to be automatically pushed out to Dropbox, which will in turn copy the backups onto your local PC. Importantly, BackWPup copies the WordPress files as well as the database.

Audit Trails

Simple History helped me identify what this person did, including time and date, activity and even IP and network details – somewhat naively, the hacker used a fixed Telstra IP address in Melbourne, easily identifiable to the authorities should my client decide to escalate the matter. Keeping track of what people are doing on your site is important.

Find a Reputable SEO Agency

It’s abundantly clear this hack originated from the previous SEO service provider – there are multiple layers of evidence, including a direct tie to their website – but maybe this was the action of a disenchanted staff member and hopefully not company policy…

You’d hope it’s not a strategy they use to snare or blackmail clients – go elsewhere and your ranking will fall – the embedded code to remote-control Google ranking concerns me greatly…

Where’s the SEO Industry going?

Either way, it’s a disappointing comment on my SEO industry. Client experiences reported to me suggest the SEO/SEM industry is increasingly plagued by dubious operators, local and off-shore.

Now we see evidence of blatantly unprofessional activity from an Australian multi-state SEO company. I’m very disappointed!

Should you migrate to HTTPS for better ranking?

Google are encouraging ‘a safer internet’ by rewarding websites that use HTTPS with improved ranking. I’ve had several calls from concerned business website owners wanting to know if they should also change over to HTTPS to maximise their website’s Google exposure.

What is HTTPS?

HTTPS encrypts the communication between your site and your visitor, so ‘middle men’ on the network cannot listen in on your visitor’s ‘conversation’ with your website. It is typically used for sites where sensitive information (credit card details and the like) is sent across the wire, and the data is readable only by the two participating devices.

Interestingly, HTTPS is not always as secure as you might think: a major security flaw code-named Heartbleed was discovered recently in an open source implementation of the supporting software and affected many high-profile websites globally.

Should you go to HTTPS?

I unreservedly recommend that website owners do everything that will improve their online exposure, and as Google is ‘King of the Internet’ for the foreseeable future then sure, it makes sense to do everything they want.

BUT…

Has your site other significant SEO issues?

Let’s put this into perspective – the HTTPS benefit is apparently very small and is likely to be completely masked or wasted if your site has other SEO-related issues, such as a Google penalty from backlink naughtiness or poor on-site SEO tuning. If your site is not already operating at peak SEO performance, in my view it’s probably not worthwhile migrating to HTTPS straight away, and certainly not until you address any other issues.

Does HTTPS cost anything?

Implementing HTTPS involves registering and deploying an SSL certificate for your site, which costs around $AU 300 per year plus installation fees. Your website may also require a dedicated IP address, which is likely to incur additional web hosting costs.

A soft cost is the slightly reduced performance that comes from the on-the-wire and server processing overhead of HTTPS. Notably, web page load performance is also a ranking factor, so the slowdown of a poorly specified web server loaded with the additional processing of HTTPS may further reduce any SEO gains from the HTTPS migration – What a dilemma!

What should you do?

  1. If your site is already performing well for organic traffic (i.e. you get about 70+% of your visitors via organic search), then monitor your online exposure and, if you see a performance dip, consider rolling over to HTTPS.
  2. If your site doesn’t already compete well in the organic space, invest the money in identifying and resolving the current SEO issues and on-site tuning. You’ll see a dramatic increase in organic traffic and, if it’s done well, an increase in online sales leads. Once you’ve done that, go back to step 1 and reconsider.


More reading:

Have you stepped over the BlackHat line?

Google Webmaster Tools Manual Actions

Have you or someone else been using BlackHat SEO tactics on your website? Maybe you just want to be sure all is good between Google and your website, or maybe you are trying to find out why you aren’t getting any sales leads from your website.

Google’s online diagnostic toolset, Google Webmaster Tools (WMT), now provides a quick and easy way to find out if Google have slapped a ‘manual ban’ on your site.

The Manual Actions enquiry is under the Search Traffic menu and gives an instant indication of whether Google has decided that your website is so bad they’ve put it in the naughty corner.

Here’s Matt Cutts’ video on how and where Google might apply a manual ban on a site: