Aside from WP Operations, I also run a small web development agency based on WordPress. And occasionally I'll get the question from clients:
"Why should I protect my WordPress website? It's just a plain website without eCommerce or anything?"
All in all, that's a fair question, and I enjoy the fact that clients dare to ask it. In this article, I'll share some insights that can hopefully shed some light on why hackers target 'simple' websites and how they earn money doing so. You'll find 4 reasons why hackers break into your website.
There are billions of websites on the internet, and all of them are (deliberately or not) fighting for a place in the search engines (Google, Bing, DuckDuckGo...). This means that search engine optimization (or SEO) is more important than ever, and every site owner should be at least familiar with the basics of SEO (but that's for another blog post 🙂).
In short, SEO is the process of improving your website to get organic (or "free") traffic. This means paying attention to things like content length, keywords, (back)links, etc.
And those backlinks (which means that another site is linking to your website) are one of the primary reasons people will want to hack into your site.
Hackers will try to submit (spam) comments to your website that contain a lot of keywords and links out to other sites. Good spam protection will catch most of these types of abuse.
To place spam comments, hackers don't need access to your site; they'll just make clever use of your comment forms or WordPress endpoints that allow (mass) submission of spam comments.
As if spam comments aren't bad enough, hackers who have actual access to your website's backend will inject posts or even pages into your website.
A quick Google search shows the result of that:
In the above image, you can see multiple legitimate websites that fell victim to this kind of hack. Intruders insert pages (most often for dating or illegal drugs) into a website. These pages, in turn, get indexed by search robots and increase the SEO score of the linked website.
If your site is used for SEO spam, chances are very high that Google (and the other search engines) will mark your website as spam and will either remove the search results or give your website a serious penalty in the ranking.
Hackers earn money with this type of link insertion to help increase the ranking of their clients.
Another way hackers can benefit from having access to your website is by using your server's resources. If they have access to the backend of your website, or even your hosting panel, they have the option to insert malicious code or objects that can save or earn them money.
An example of this would be to insert malware that earns money by generating cryptocurrency when people visit your website. Or they can store videos or images on your host and publish them on another site, saving them online space.
There are a lot of options here, but in most cases, your server will be carrying a heavier-than-normal load and it will become slow because someone else is using up its resources.
When a hacker gets access to your website or hosting panel, he can use its IP to hide behind when performing other attacks. This can then be used to breach the networks of other companies and set up ransomware attacks (for example). Because they're hiding behind multiple IPs (proxies), they are hard to trace. Worst-case scenario: the authorities land on your doorstep because your IP was used in an illegal attack!
The above 3 points are already scary enough, but this one is the biggest threat to a business (especially if you have to abide by GDPR laws).
Another motivation for hackers to breach your website would be to steal sensitive data. This could be just your user details, but they might also be able to get data from your visitors, clients, people who contacted you through contact forms...
If this happens, and you have to report the breach (as stated by GDPR law), this might get you a hefty fine. But even worse: damage to your reputation. If your reputation as a business is tarnished, it might be hard to keep your current clients (as you've failed to protect their privacy) and might be even harder to get new clients.
With all of the above in mind, security should be at the top of your list when it comes to your website. If you spent hours upon hours crafting your website, you don't want other people to use it for their shady purposes.
So here are a few tips to protect your website:
This isn't a one-time fix-all. Security is an ongoing task and it's a necessity! So set aside some time for it on your agenda.
And if you don't have the time for it, you can always reach out to us to help you set up (and maintain) security on your website.