What if you woke up one morning to get a call from your boss or most important client telling you how disappointed in you she is for sending her pornographic and gambling emails?
Of course, you wouldn’t even imagine doing such a thing!
How shocking would that sound? How embarrassed would you feel?
And to make matters worse, it had been like that for over a week or two without your knowledge.
That was the situation one of my clients was in when they contacted us in May 2018. It was like an SOS message.
Their website designer was nowhere to be found (I know some of you can relate).
When they eventually tracked him down after several days, the more he tried to contain the situation, the more the website was flooded with spam messages and comments on every page.
They had been HACKED!
6 months prior to that time, the company (a real estate company whose name I’m not allowed to mention here) had contacted us to redesign their website. So we made our presentation and the board was happy and excited about contracting us within a week.
But 2 weeks after we had signed the contract, we didn’t get any “alert”. Well, maybe they were tidying up a few things. It was going to be a major redesign so they needed to be fully ready – so we thought. So we waited another 2 weeks.
Then we followed up.
That was when I knew there was water under the bridge. I was given the classic “discharge” line:
“We are having issues with our bank. We will get back to you once we are ready”
The real issue was that one of the staff had compelled the CEO to give the contract to her brother who happened to be a “web designer”. And rumor had it that their relationship went beyond the office.
That was how our relationship with this company started.
Fast forward 6 months later, there was a major crisis in the company.
It first started as minor spam comments (which no one noticed because no one was managing the company’s online presence), followed by frequent downtime and complaints from site visitors. Then the spam flood started. To crown it all, several staff email accounts got hacked.
In less than a month, their brand reputation online was a mess!
Truth is, having a bad website is like having a bad mouth odour. Everybody knows but nobody tells you – until it’s too late.
When they eventually decided to hire us, their site was in really bad shape. After concluding the audit, we discovered:
- Almost 20,000 nasty spam comments. And the site was on auto-approve, so every comment went straight onto the website instead of being held in the backend pending admin approval.
- The disk space and RAM were constantly overloaded.
- All their corporate emails were going straight to the spam folder on Gmail, with a warning that the sender might be trying to steal your data if you opened the message. If you were in the recipient’s shoes, would you open such an email?
- Their server was sending out almost 100,000 pornography and gambling emails using their company name. Can you even begin to imagine the embarrassment this was causing them? A woman actually had to call the CEO to complain about the kind of email he sent her.
- The site was down more times than it was up.
The company’s website at that point was like they built a house in a crime-prone area and forgot to put any doors or windows.
Wannabe hackers were having a field day.
Here is what we did to recover the site and secure it. You could also do the same if you are having the same kind of problem.
The whole process took us one full week. And if you find yourself in a similar situation (or even not exactly similar), just follow through the processes below and you will be able to improve your website’s security.
Also, you don’t have to wait for your website to come under attack before you take action or call your website designer to take action.
- We put the site in development mode (Under construction)
Of course, the first thing we did was to put the website in development mode and write a really nice message that said we were carrying out routine maintenance on the website. We went on to assure the general public that the website would be up in 1 week.
To make people expectant and to put my team members on their toes, we even put a countdown on the page and set it to exactly 7 days.
- Installed CDN (Cloudflare – status Under attack)
Next, we registered the site on Cloudflare and raised its security level to “Under Attack” mode to beef up security and repel malicious traffic such as a DDoS attack on the website.
- We manually reviewed the site removing every single spam message!
At this point, we had to manually remove every spam comment, post, user account, etc. It was like house cleaning – a thorough one at that.
- We scanned the website code for areas of compromise
A brief inspection and scanning of the website showed where and how the attackers penetrated the server. And it was like there were backdoors everywhere. Even wannabe hackers without much experience could hack the website like taking candy from a baby.
The thing is that the original web designer (remember the staff member’s brother I talked about earlier) had used some free plugins that the hackers had designed and put out on the internet for free. After all, who doesn’t love free stuff?
Instead of trying to patch the code, we simply removed all the plugins and replaced them. Better safe than sorry.
- Installed SSL certificate
This was the surprising part for a site redesigned with a 6-figure budget – There was no SSL certificate installed on the site.
An SSL certificate helps to encrypt data (i.e. make it unreadable) sent over the internet between your computer and the web server. To identify a site with an SSL certificate, just check the URL in your browser: it starts with https:// and has a green padlock icon beside it.
It’s important because any computer in between you and the server can see your credit card numbers, usernames and passwords, and other sensitive information if it is not encrypted with an SSL certificate.
So for anyone who is serious about securing their online presence, an SSL certificate is “Web Security 101”.
- Blocked malicious IP addresses
This was mostly done by the Cloudflare CDN which we had activated earlier. But we also went into the backend to manually review any unusual visits to the site. For example, when you notice that a particular IP address has accessed a site like 100 times in one day, you know it’s a red flag because no normal human being can do that. Only a robot can.
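The manual review described above can be scripted. This is an added example, not code from the original engagement: it assumes the server writes Combined Log Format access logs, and the log lines, IP addresses and paths are constructed for illustration.

```python
import re
from collections import Counter

# Combined Log Format prefix: client IP, identity, user, [day:time zone], "METHOD path
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "[A-Z]+ (\S+)')
STATIC = re.compile(r'\.(css|js|png|jpe?g|gif|ico|svg|woff2?)(\?|$)', re.I)
DAILY_THRESHOLD = 100  # from the article: about 100 hits in one day is a red flag


def hits_per_ip_per_day(lines):
    """Count page requests per (ip, day). Returns (counts, unparsed_line_count)."""
    counts, unparsed = Counter(), 0
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            unparsed += 1
            continue
        ip, day, path = m.groups()
        if STATIC.search(path):
            continue  # one page view pulls many assets; do not count them as visits
        counts[(ip, day)] += 1
    return counts, unparsed


def noisy_clients(lines, threshold=DAILY_THRESHOLD):
    """Return [(ip, day, hits)] at or above the threshold, busiest first."""
    counts, _ = hits_per_ip_per_day(lines)
    flagged = [(ip, day, n) for (ip, day), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda row: -row[2])


def constructed_sample():
    """Constructed log lines using documentation IP ranges, not data from the site."""
    fmt = '{ip} - - [{day}:10:{m:02d}:{s:02d} +0000] "{verb} {path} HTTP/1.1" 200 512'
    def burst(ip, day, verb, path, n):
        return [fmt.format(ip=ip, day=day, m=i // 60, s=i % 60, verb=verb, path=path)
                for i in range(n)]
    lines = burst("203.0.113.50", "14/May/2018", "POST", "/comment", 140)
    lines += burst("198.51.100.23", "14/May/2018", "GET", "/listings", 12)
    lines += burst("198.51.100.23", "14/May/2018", "GET", "/assets/site.css", 150)
    lines += burst("203.0.113.50", "15/May/2018", "GET", "/", 30)
    lines.append("not an access-log entry")
    return lines


if __name__ == "__main__":
    for ip, day, hits in noisy_clients(constructed_sample()):
        print(f"{day} {ip} {hits} requests")
```

Static assets are skipped because a single page view requests many of them; tune the threshold to the site's normal traffic before blocking anything.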
- Antispam and Bruteforce defender
This was essential to keep the spam rate in check once we eventually opened the site up to go live. Even if we had done all the above, without anti-spam protection on the website the issue would likely reoccur – even if not to the extent it happened before.
Unlike human beings, a brute-force robot can try thousands of different username/password combinations within minutes.
So, how the brute-force defender works is simple – if you try to log in unsuccessfully more than 5 times, you will be banned from making further attempts for 30 minutes. So hacking via brute force became nearly impossible.
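The lockout rule above, sketched as an added example (not the plugin the team installed). Keying on the client IP and counting only failures from the last 30 minutes are assumptions; the IP addresses are constructed.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5          # article: more than 5 failed logins triggers the ban
BAN_SECONDS = 30 * 60     # article: banned for 30 minutes
WINDOW_SECONDS = 30 * 60  # assumption: failures older than this stop counting


class LoginThrottle:
    """Per-key (here: client IP, an assumption) failed-login counter with a timed ban."""
    def __init__(self):
        self._failures = defaultdict(deque)  # key -> recent failure timestamps
        self._banned_until = {}              # key -> time the ban expires

    def is_banned(self, key, now):
        until = self._banned_until.get(key)
        if until is not None and now >= until:
            del self._banned_until[key]      # ban served: start again from zero
            self._failures.pop(key, None)
            return False
        return until is not None

    def record_failure(self, key, now):
        if self.is_banned(key, now):
            return True
        recent = self._failures[key]
        recent.append(now)
        while now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) > MAX_FAILURES:       # 6th failure inside the window
            self._banned_until[key] = now + BAN_SECONDS
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)        # a good login clears the counter


def simulate(attempts):
    """attempts: [(seconds, key, password_ok)] in time order -> outcome per attempt."""
    throttle, outcomes = LoginThrottle(), []
    for now, key, ok in attempts:
        if throttle.is_banned(key, now):
            outcomes.append("blocked")       # rejected before the password is checked
        elif ok:
            throttle.record_success(key)
            outcomes.append("ok")
        else:
            outcomes.append("banned" if throttle.record_failure(key, now) else "failed")
    return outcomes
```

While a key is banned, even a correct password is rejected, which is what stops a guessing run from succeeding mid-ban.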
- Nameserver (IP Address) whitelisting
Remember how I told you earlier that the company’s emails were landing in the spam/junk folder in Gmail and Yahoo? That was because their server’s IP address had been blacklisted and labeled as dangerous by every conceivable spam IP database on the internet.
So what we did was to request removal from each list, one by one. This went on even beyond the 1-week project schedule. After 1 month the site’s IP address was completely whitelisted.
Apart from hardening the site, my team completely redesigned the website layout, optimized the conversion rate, and carried out extensive search engine optimization to improve visibility.
Needless to say, in a month or two, their website was 100% better than anything it had ever been since it was first designed almost 10 years ago.
If you own a website, I would strongly advise that you carry out a routine audit of your website. You don’t have to wait to find yourself in an embarrassing situation before you act.
And if you already have a bad situation at hand, we can actually help you fix it and make your site even far better.
AUTHOR: Dr. Smart Okpi is the Creative Director at eBrand Promotion. He can be reached via 08105882416 or 09034244099 or just send an email to firstname.lastname@example.org – I normally reply within a few minutes or hours (on weekends).