Passive Income Website Hacked - What I learnt

[SparksCW]

I'd noticed that sales were a bit down on one of my websites, it's my longest running site and it's a small niche which I command, it's direct sales and they are dispatched by my supplier, so it's kind of been a "leave it to do it's thing" type site, brings in some OK money with almost no effort since building it.

So I was a bit surprised that sales had dropped since middle of last month, and it wasn't until Google Adwords emailed me saying that there was "malicious software on your site" that I realised every page you go on set loads of pop ups and virus warnings etc!

All back ups were effected including the database, so each time we restore it, same problem!

It's resulted in me re-building the site on a different platform, something I've wanted to do for a while but not actually got round to doing.

This is what I learnt, if you have websites maybe you should have a quick read:

• Offline back ups - don't rely on your hostings daily back ups, I did, they failed.
• Check the site regularly - just have a browse, add something to cart, try the search out.
• Export your products regularly, if you do need to start again you'll be thankful of a clean export!
• When creating your product images, keep them well stored in easy to navigate files, then if you do need to start again you can get all the images up and running quickly rather than searching through folder after folder to find the right ones.
• If you notice something up, act fast to fix it else you risk your reputation both with the search engines and with your potential customers.
• Fixing an issue like this means you have to drop EVERYTHING you're doing until it's resolved. Not ideal when you're trying to get products launched to deadlines. So the quicker you can get a site back up and running the better.

So basically, passive doesn't mean PASSIVE.

Passive means, works 24/7 in the background but needs some on-going health checks and regular maintenance to prevent issues.

Don't forget that!

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[nocubicles]

I'd noticed that sales were a bit down on one of my websites, it's my longest running site and it's a small niche which I command, it's direct sales and they are dispatched by my supplier, so it's kind of been a "leave it to do it's thing" type site, brings in some OK money with almost no effort since building it.

So I was a bit surprised that sales had dropped since middle of last month, and it wasn't until Google Adwords emailed me saying that there was "malicious software on your site" that I realised every page you go on set loads of pop ups and virus warnings etc!

All back ups were effected including the database, so each time we restore it, same problem!

It's resulted in me re-building the site on a different platform, something I've wanted to do for a while but not actually got round to doing.

This is what I learnt, if you have websites maybe you should have a quick read:

• Offline back ups - don't rely on your hostings daily back ups, I did, they failed.
• Check the site regularly - just have a browse, add something to cart, try the search out.
• Export your products regularly, if you do need to start again you'll be thankful of a clean export!
• When creating your product images, keep them well stored in easy to navigate files, then if you do need to start again you can get all the images up and running quickly rather than searching through folder after folder to find the right ones.
• If you notice something up, act fast to fix it else you risk your reputation both with the search engines and with your potential customers.
• Fixing an issue like this means you have to drop EVERYTHING you're doing until it's resolved. Not ideal when you're trying to get products launched to deadlines. So the quicker you can get a site back up and running the better.

So basically, passive doesn't mean PASSIVE.

Passive means, works 24/7 in the background but needs some on-going health checks and regular maintenance to prevent issues.

Don't forget that!

Was it a Wordpress site? I recently had similar issue with my wordpress site. Site was hacked, links were injected etc.
Luckily I had snapshot from hosting which was clean.
I removed all plugins I didn't use and found the backdoor they had installed on my site aswell. I was able to do that by browsing the ftp directory and checking files changed recently and then reading the php to see where the backdoor was install. Be sure of it - when someone is able to penetrate your site they will install backdoor somewhere. Even if you are able to clean the site you need to get rid of the backdoor aswell.

 

[TonyStark]

I thought this was going to be some sort of sales pitch - I was pleasantly surprised.

This was full of great anecdotal information about the true nature of passive income businesses, and how not-passive they really are.

In other words, you're always tweaking, always staying up late, and always fixing problems.

 

[AndrewNC]

Same thing happened to me last year.

Even after fixing it, I had to fix the "This website may contain malware" message in the google search results multiple times because google fixed it, and then flagged it again.

Also there are other IP blacklisting companies I had to submit requests to after I removed the malware from my site.

After that, I separated all my sites into a different cpanel and different ftp.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[The-J]

Should be notable. Security is paramount. Things like this can happen to anybody. Rep+

 

[GoodluckChuck]

Did you figure out the weakness in your website that aloud this to happen?

What precautions did you take to make sure it doesn't happen again?

 

[TonyStark]

Did you figure out the weakness in your website that aloud this to happen?

What precautions did you take to make sure it doesn't happen again?

Asking the right questions.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Envision]

This is the only good thing about always forgetting my passwords. Constant changing due to my lack of memory.

 

[SparksCW]

Did you figure out the weakness in your website that aloud this to happen?

What precautions did you take to make sure it doesn't happen again?

From my limited knowledge and a bit of Googling, I think they have exploited a couple of extensions (search extension and some others) and have somehow uploaded images with malicious scripts attached.

There appears to be five files with base64 coding and it's all added to images.

It's been like it for long enough to affect every single back up file. Either it's sat there doing nothing for a while, or because I haven't noticed.

The script has added coding to every single product description and various other pages which initiates pop up ads.

MASSIVE TIP

When you browse your own site, DISABLE YOUR POP UP BLOCKER.

Otherwise you'll be blissfully unaware of anything that might be popping up for those that don't have a pop up blocker!! This is most likely why it's taken me so long to notice the issue.

With regard to a resolve....

I've actually moved the site from Opencart to Magento which is up-to date and has all security patches etc.

We've backed up the database, a product export and an FTP download before the site goes live.

This means if we do get hit again we can instantly get back up and running on a fresh install if required rather than starting again from scratch like I had to do this time.

This is the only good thing about always forgetting my passwords. Constant changing due to my lack of memory.

Unfortunately hackers don't need your password in fact they don't even need to log into your site to cause damage.

 

[The-J]

Unfortunately hackers don't need your password in fact they don't even need to log into your site to cause damage.

Exactly.

All that's needed is an unpatched security flaw in any of your plugins, code... or on the host's end.

Sites get hacked for reasons completely outside the owner's control. For example: many people use Cloudflare as a CDN and domain manager to speed up their site. Well, earlier this year, Cloudflare had a security breach that put thousands of websites in jeopardy. If your website was part of that breach: there's nothing you could have done. You just gotta be fast and change your security settings before anyone else can get to you.

In some cases, it's a weakness in a script that you use for, say, shopping cart software. (It could be ANY software you use on your site.)

Your best bet is to make sure you're keeping an eye on your security AT ALL TIMES. Monitor your site YOURSELF (or have someone do it for you). Back up your site regularly. Keep your passwords safe (I use a password manager which sets unique passwords for every single site I use). Use 2 factor authentication wherever possible.

Trust no company to keep you safe. They don't give a F*ck about you. That includes password manager and anti virus companies But so long as the password manager uses client side encryption and the anti virus company keeps up to date definitions, you should be fine.

When a hacker sees a website that makes money but has poor security, all they see is $$$. It's theirs for the taking. Protect your a$$.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[GoodluckChuck]

Wow thanks you guys for this information. I am new to web development but I am makin websites for businesses. This kind of info is uber relevant.

You are saying that these hackers are taking advantage of plugins. I assume these are WordPress plugins. If a website is developed through HTML rather than WordPress, do these same weaknesses exist?

 

[TonyStark]

Wow thanks you guys for this information. I am new to web development but I am makin websites for businesses. This kind of info is uber relevant.

You are saying that these hackers are taking advantage of plugins. I assume these are WordPress plugins. If a website is developed through HTML rather than WordPress, do these same weaknesses exist?

I too, would like to know the answer to this question....

 

[BigRomeDawg]

I too, would like to know the answer to this question....

A purely static HTML website is very safe. But that's not realistic, you need your website to be dynamic. As soon as you start adding PHP/whatever and having dynamic content and input forms you open yourself to attacks. In this case as long as Wordpress and all the plugins you use are up-to-date and vetted, Wordpress will probably be more secure than your home-baked PHP website

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[GuestUser4aMPs1]

Another great tool is the Securi Site Scan:

Sucuri Security

We will run through and scan our sites every once in a while;
Especially useful for Wordpress users in mitigating its security pitfalls.

 

[TonyStark]

Another great tool is the Securi Site Scan:

Sucuri Security

We will run through and scan our sites every once in a while;
Especially useful for Wordpress users in mitigating its security pitfalls.

Going to try this, thanks!

 

[Ninjakid]

I would recommend hiring a cyber security professional to keep watch over your site and test it for exploits.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[SparksCW]

Exactly.

All that's needed is an unpatched security flaw in any of your plugins, code... or on the host's end.

And this is one of the main things I've failed on.

As the site just brings in some money each month without much ongoing effort, I've kind of ignored it.. including all the updates to the platform and all of the modules.

Had I kept everything up to date then maybe this wouldn't have happened....

So moral of the story is, don't get complacent when it comes to passive income websites. Even though they may not make up all of your income they are still very important.

 

[AgainstAllOdds]

I would recommend hiring a cyber security professional to keep watch over your site and test it for exploits.

What's everyone using for ecommerce sites?

I'm currently using WooCommerce, but planning to switch to Shopify so that they can handle all the security vulnerabilities. What would you guys suggest?

 

[Chopwood]

What's everyone using for ecommerce sites?

I'm currently using WooCommerce, but planning to switch to Shopify so that they can handle all the security vulnerabilities. What would you guys suggest?

I am using Shopify as we have ever changing products and have a retail store component, so the feed comes from our point of sale program. Shopify has worked great for us.

Not security related, but do check on your site often. For example our instagram feed to our site got broken and took me a couple of days to realize it. Nothing malicious just a plugin that needed to be re-authenticated to instagram due to a password change. So it's good to continually use your site in ongoing testing.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[Tiger TT]

What's everyone using for ecommerce sites?

I'm currently using WooCommerce, but planning to switch to Shopify so that they can handle all the security vulnerabilities. What would you guys suggest?

WooCommerce here, but I have a Website Firewall (Cloud WAF) which patches any vulnerabilities virtually and prevents my site from getting hacked. I also have daily server side scan of the files and front end scans in order to add another layer of security.

And if I still get hacked in spite of all these layers of security, the company promises to clean the site in 6 hours after I open a ticket.

 

[SparksCW]

I use Magento now, the site in question that was hacked was on Opencart (of which I wasn't keeping up to date at all).

New site has now launched on Magento, all fixed and bug free with lots more features, all new product descriptions and much more new stuff going on.

Hopefully we'll see the sales start coming back

Every cloud has a silver lining as they say....

One other thing I've learnt from all of this, whilst it didn't actually affect me this time it's made me think.

With Magento you can easily create multi-stores, so a completely separate front end website with same or different products etc.

My two main sites are from one back end however if it got hacked I'd lose both sites!

We're working on another niche site, so this will now be on a separate Magento install as will all future sites.

Worth bearing it mind when you have multiple sites.

 

[ddzc]

@The-J and I had some lengthy discussions around this topic in the past. Many people avoid security, until shit hits the fan and you fall victim to a hack.

I notice a lot of vulnerabilities occur when you're on a shared hosting server. Hackers typically get in to one of these servers and upload files in to the root of every websites root directory and hack hundreds of sites in one shot. This actually happened to me and when I called hostgator they basically told me to f off and they obviously didn't admit to it. I investigated it on my end and they didn't get in through wordpress or any plugins. I had solid proof that the hosting server itself is where the vulnerability laid, but those pricks didn't admit to anything and told me to call a third party company to clean up the sites and restore them.

Basically, what was echo'd earlier, no one gives a crap about you, the hosting company, the platform, etc. What you can do it ensure that your passwords are all extremely complex, your software is updated, don't install third party/odd plugins and extensions and always host on a dedicated server, it's worth the extra money. I messed up by having all of my websites on a shared hosting server because I wasn't doing a ton of bandwidth and didn't need to upgrade. I had 7 websites hacked in one night. I wasted days backing everything up and moving them over to another server.

Everyone should read this thread and don't just shrug your shoulders and walk away because you've been safe up until this point. Eventually, you will be hit, and hit hard. I have a background in IT and Security so I was able to figure out what these guys did and cleaned everything up myself. If I didn't have the background, it would have costed me thousands of $ to hire a cyber/security professional to spend hours/days on reviving my sites and cleaning everything up. I believe every website would have costed 800-1k to fix up. If you're doing heavy sales, factor in revenue lost for that given time period.

Break your habits and improve your knowledge around this topic, I highly recommend it.

 

Dislike ads? Remove them and support the forum: Subscribe to Fastlane Insiders.

[samsara]

I think this should be tagged #Notable there is a couple nuggets.

@MJ DeMarco @Vigilante

 

[bringitnow28329]

I had this happen as well. I fixed it and then 6 months later it happened again. Since then i think Google no longer is allowing my site to get traffic even though the warning has been gone for a few months.