Some of you may have noticed over the last fortnight that online searches for the Chamber’s website have led you instead to a Canadian pharmacist selling Viagra. So yes, our website has been the victim of hackers. We have now restored the website, installed a new version of the affected plugin and moved to a more secure hosting facility.
Our website is based on WordPress, one of the most commonly used website platforms, and uses a series of software applications (or plugins) to provide much of the functionality. One of these plugins, Ultimate Member, was attacked by a hacker who placed malicious code in the software. When we installed the latest version of the plugin, the infected code came with it. Ultimate Member is one of the most used membership plugins and is installed on more than 100,000 websites – so we were not the only ones infected.
To recover from the attack we contracted PAAC IT to restore the website and provide ongoing support. Full disclosure here – PAAC IT is my son’s business. PAAC IT have:
- Moved the website to a more secure, UK based hosting company;
- Restored the website from a backup copy provided by Phil Clifford-Brown of Lion Lane Consulting, who initially built the website for the Chamber. Good move to take a backup;
- Reloaded recent content;
- Upgraded the site to HTTPS – which adds a level of security and encryption;
- Added security software to continually protect and monitor the site from malware; and
- Installed the latest, and hopefully more secure, version of the Ultimate Member plugin.
We are almost out of the woods, but not quite. If any of you have concerns about our website, please do get in contact.
Is your website safe?
We have seen several local websites suffer attacks in recent times – it is not only the “big boys” that are the victims of cyber attacks. Here are some tips for keeping your websites (and other IT) safe:
- Ensure your website is HTTPS. This makes communication between your browser and the website secure. An additional bonus is that Google now “down rates” websites that are not secured with HTTPS. You will need to purchase an annual SSL certificate and then have the security protocols properly applied to your site. You can see if a site is secure by the Site Identity button (a padlock) that appears in your address bar when you visit a secure website;
- Keep software up to date. This applies to all IT, not just websites. Software updates generally include security patches to fix known security flaws in the software. By not upgrading, you leave your systems open to attack. This can be a two-edged sword, as we found out to our cost when the software patch was itself infected, but this should be a rare occurrence. If you have a managed service agreement with your website provider, they should be doing this for you;
- Use strong passwords and change them regularly. We all know this but few people do it. We talk now about “pass phrases” more than “passwords”. You could create a passphrase from a noun, a colour, a number and a special character. We urge all members to review and update their passwords on the Chamber’s website;
- Website security software. Use a website security application to continually monitor your site for malware. There are many free and commercial products available, but we use Wordfence. Wordfence includes both a firewall and malware scanner. You should also be using security software to continuously monitor all of your IT such as PCs, Apple Macs and servers.
- Back up your site. Regularly take and save a backup copy of your site so that you have a clean version to recover from in case something goes wrong. This applies to the rest of your IT as well.