We will start this article by recalling a phrase worth repeating over and over: you are never safe enough.
Cybercriminals are always one step ahead, and it is up to us users to tread carefully so we do not fall into their traps. In some cases there is nothing we can do, but the most serious problem is that in most cases we could have prevented it with stricter protection measures.
We live in a hyperconnected world: a vulnerability in your personal environment can be exploited by an attacker to reach your professional or business environment.
And when it comes to websites, the problem is bigger: through neglect or lack of knowledge we put at risk the security and privacy of the users registered on our website, which can even lead to legal trouble.
When an online store is hacked, the data of everyone who ever bought there is exposed. If the hack was possible because WordPress or Prestashop was not up to date, it could be considered gross negligence by the website owner.
This video (in Spanish) summarises the main tips to protect your online store:
Causes of a hack
Outdated CMS
The most common case, and the most serious. When projects like WordPress or Prestashop publish an update, they do not just add features: they also patch security flaws.
For example, in 2022 it was discovered that every Prestashop older than version 1.7.8.2 grants full access to any intruder. To this day there are still stores that have not updated and carry this vulnerability.
On these websites you can check whether the software you use has any known vulnerability:
Exposed passwords
Also very common and serious. When you sign up for a service (whether a small website or a giant like Adobe, LinkedIn or Facebook), if they get hacked, the attacker will know your password, sell it, and the buyers will try that password on other services. If you reuse it, you can imagine how easy hacking you becomes.
At haveibeenpwned.com you can check how exposed your email account is on the Internet and, consequently, the passwords of any services that were breached.
Many users insist on using the same password everywhere, so let us say it loud and clear: you do not need to know your own passwords. Every browser ships with a password manager: use it, or if you want something more advanced use 1Password. And remember:
- Never use the same password on two different sites.
- Use alphanumeric passwords with symbols.
- Use a password manager: you do not need to memorise anything.
Brute force
Did you know that a password of just 8 characters can be cracked in under 1 hour? It does not matter whether it is a website, an email account or any other service: without protection against this kind of attack, sooner or later the attacker will get in by trial and error.
Some measures (detailed below):
- Add a ReCaptcha.
- Limit failed attempts.
- Restrict access by IP or country of origin.
Screen capture and keyloggers
When an attacker compromises your PC or phone, they can monitor everything you see on screen and everything you type, and your antivirus may not even notice. We expand on this in the "Paid antivirus" section.
Protection measures
Keep your systems and software up to date
If you run a CMS such as WordPress, Prestashop, Magento or Drupal, it is critical to keep it fully updated, including plugins and themes. The same goes for all the software on your PC and mobile devices.
From experience, we see users who do not update their CMS because one plugin is incompatible. In that case there are three options to weigh:
- Contact the plugin developer and ask for a compatible version.
- Stop using the plugin.
- Keep running an obsolete version and accept that some day you will be hacked.
Paid antivirus
An exploit is not the same as a virus: broadly speaking, the exploit is what gives the attacker access to infect you with the virus.
Paid antivirus products offer real-time protection while you browse: if a website tries to exploit a vulnerability to inject a virus, the antivirus will likely block the injection because it knows the exploit. However, viruses can be modified to become undetectable, so once you are infected the antivirus may no longer help. Hence the importance of real-time protection that stops you from visiting the website that would infect you.
We recommend the paid version of Malwarebytes.
Two-factor authentication
With two-factor authentication (2FA), anyone trying to access your service will need a second factor: an SMS or a dedicated mobile app.
It is a bit of a hassle, yes, but highly recommended at least for critical services. We advise enabling it on your cPanel account and, if you have a VPS or a reseller plan, on WHM as well.
IP or country restriction
A very effective measure. For example, if you run WordPress you can block access to wp-admin and allow only one specific IP. For this you need a VPN with a dedicated IP (around €5/month): you browse the Internet with an IP that is exclusively yours and restrict your critical services so they are only reachable from it. Contact us if you want a VPN.
Alternatively, you can restrict access by country, so your website's backoffice can only be reached from specific countries.
ReCaptcha against brute force
Not a silver bullet, but it helps. Add a reCAPTCHA to your login screens: when an attacker uses a bot to try automated logins, the reCAPTCHA will block it (although it does not always work).
Measures to repair a hack
Antivirus scan
If you have already been hacked, contact our support team so we can run the antivirus on your website. By analysing the infected files we may get an idea of how they got in... or maybe not.
Reset the website
The best way to be sure you are clean is to reset the website from scratch:
- Take a backup of the database.
- Delete everything: remove the cPanel account completely and create a new one.
- Install the CMS from the official repository, a clean version with no content.
- Install the plugins and themes you need.
- Restore the database from the backup.
- Install a plugin that hardens the security of your CMS.
Reset passwords
Change all your passwords, everywhere:
- Client area
- cPanel and WHM
- SSH access
- Email accounts
- FTP accounts
- External services (Gmail, etc.)
And reinstall the operating system of your PC and your phone: if there is a keylogger, changing passwords is pointless.
Brute-force protection
Apply the corrective measures discussed earlier:
- Restrict access by IP (VPN) or by country.
- Enable ReCaptcha.
- Use plugins that automatically block after several failed attempts, for example Wordfence for WordPress.
Backdoors
Make sure the attacker has not left a backdoor to keep accessing your service. For example:
- They may have created a cron job that automatically downloads the virus from the Internet and re-injects it into your website.
- They may have created an email account or a forwarder that lets them keep reading your emails.