Help! My website's been hacked: 4 tips


By Laura Haight

I was reminded about consequences this week. Sometimes, no matter how hard you try to do the right things, bad things can still happen to you. So then what?

For the past couple of weeks, we’ve talked about securing your personal and business data - customer information, bank account information, company files and databases. But what about your website? What if it gets hacked?

There are two kinds of hacks:

  • One is where coders are trying to hijack your site and use it as a way to inject and distribute malicious code to your visitors. That is a destructive and dangerous kind of hacking because you likely will not know it has happened. One day, you might find some things on your website don’t work like they are supposed to. And like many of us, you will chalk it up to some glitch or gremlin.
  • Another type of hacker will simply take over your site, replacing your index or main page with his own - maybe a laughing pirate, a devil, or a big red X. These hacks may be just online vandalism or they might mask some hidden bombs that have been implanted in your website code, ready to activate once you launch again.

Most small businesses use a third-party hosting service so I’m going to make that assumption in these four steps to take if your website got hacked.

1. Contact your hosting company immediately and have them take the steps to quarantine your site. Yes, you may lose business while your site is down, particularly if your business relies on e-commerce, but it is a small loss compared to the damage you can do to your reputation by not protecting your customers on your website.

2. Working with the hosting company, ensure that you still have ownership of your domain. Immediately change any passwords associated with your account. Your web hosting company should investigate through logs and server data what happened to your site - how someone was able to get in and bring your site down. They should want to do this because chances are more than one site on their servers is affected. But it takes time, during which you likely will not be able to access your site, change any of your content, or upload, change or delete files.

3. While the investigation is going on, work with your web developer to make sure you have backup copies of your web content - html pages, images, embedded code, etc. Your web host company may be doing backups, but do you necessarily want to trust a backup of a hacked site from the same server? You may be able to pull down a copy of your backup from your hoster and have your programmer comb the files looking for vulnerabilities or warning signs. It is important for your peace of mind, your customers’ security and your business reputation that your reuploaded site be clean.

4. To tell or not to tell. Most businesses will want to keep the incident quiet. Trite as it sounds, honesty is the best policy. If your site is an e-commerce site and your databases maintain account information including but not limited to user names, passwords and credit card information (even if encrypted), you must notify your customers that their information has been compromised. In most states it is illegal not to. This should not be the last thing you do - but the first - even while the site is down and recovery is underway.
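One way a developer might carry out the file check in step 3, as an added example that is not part of the original column: it compares the backup pulled from the host against a known-good copy kept elsewhere and lists what was added, removed or changed. The function names, the two warning-sign patterns and the sample files are constructed assumptions for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed warning signs worth a manual look; illustrative, not exhaustive.
WARNING_SIGNS = [
    re.compile(rb"eval\s*\(\s*base64_decode", re.I),                  # obfuscated PHP
    re.compile(rb"<iframe[^>]*(width|height)\s*=\s*[\"']?0", re.I),   # hidden frame
]

def hash_tree(root):
    """Map each file's relative path to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_backup(clean_dir, backup_dir):
    """Compare the host's backup against the developer's known-good copy."""
    clean, backup = hash_tree(clean_dir), hash_tree(backup_dir)
    report = {
        "added": sorted(set(backup) - set(clean)),     # files you never uploaded
        "missing": sorted(set(clean) - set(backup)),   # files removed from the site
        "modified": sorted(f for f in clean.keys() & backup.keys()
                           if clean[f] != backup[f]),
    }
    # Pattern-scan only the files that differ from the known-good copy.
    report["flagged"] = sorted(
        f for f in report["added"] + report["modified"]
        if any(s.search((Path(backup_dir) / f).read_bytes()) for s in WARNING_SIGNS))
    return report

def demo():
    """Build two small constructed site trees and compare them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, backup = Path(tmp, "clean"), Path(tmp, "backup")
        for d in (clean, backup):
            (d / "img").mkdir(parents=True)
            (d / "index.html").write_text("<h1>Welcome</h1>")
            (d / "img" / "logo.txt").write_text("logo placeholder")
            (d / "contact.html").write_text("<p>Call us</p>")
        # Constructed tampering: a changed home page, an extra file, a deleted page.
        (backup / "index.html").write_text('<h1>Hi</h1><iframe src="x" width="0"></iframe>')
        (backup / "img" / "cache.php").write_text("<?php /* unknown file */ ?>")
        (backup / "contact.html").unlink()
        return compare_backup(clean, backup)

if __name__ == "__main__":
    print(demo())
```

Every file in the added and modified lists deserves a manual review even when no pattern matches; the flagged list only suggests where to look first.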

Those who have come to your site should probably do some extra investigation of their own computers, running virus and malware scans to be sure they didn’t “catch something” from you.

Some 30,000 sites per day get hacked, ranging from giants like Adobe to small businesses like yours. You can do everything right, and still end up in this situation. Do this last thing right and be upfront.

Friends don’t let friends get hacked!