Despite all my years of working on websites, there are two areas I’m just not technical enough to completely understand and manage myself: speed and security.
I don’t worry a lot about speed because a) I’m really the one who’s going to suffer if someone gets frustrated and leaves due to slow page loading times, b) it’s a problem a lot of websites have these days, and c) I figure if I make the content useful enough, that’s something that visitors won’t mind waiting a few extra seconds for. In other words, for visitors the issue is usually one of frustration, not damage.
With security, though, if my site gets hacked and infected with some kind of malware, that can cause real problems not just for me but for the people coming to my site.
“Every day, cybercriminals compromise thousands of websites. Hacks are often invisible to users, yet remain harmful to anyone viewing the page — including the site owner. For example, unbeknownst to the site owner, the hacker may have infected their site with harmful code which in turn can record keystrokes on visitors’ computers, stealing login credentials for online banking or financial transactions.”
– Google Webmasters Help for Hacked Sites
So I do take it more seriously and take some standard precautions like always keeping my WordPress version up to date (along with theme and plugins), using strong passwords, and not linking to anything that looks even remotely suspicious.
Unfortunately, when hackers and spammers spend all day looking for new ways to exploit websites, it’s hard enough for the security experts to keep on top of it all, let alone me.
Why This Is Today’s Topic
Yesterday, a friend and writing colleague of mine posted on Facebook that her website, Landguppy Productions, was hacked. What was happening was that when visitors went to her site from a mobile device, they were getting redirected to porn sites. Not. Good.
Before she posted on Facebook, Lisa had already done a search and discovered this Sucuri blog post from a couple of weeks ago:
Malicious Redirections to Porn Websites (Sucuri Blog, 5/26/14)
In it, the author discusses how difficult this problem was to detect because it was conditional (i.e. randomly occurring) and only happening on mobile devices. Now, Sucuri is one of the most well-known malware monitoring and cleanup services out there so if even they think this is a tough one to figure out, there’s very little chance I would ever figure it out on my own, let alone how to fix it.
Note: If you want to check if your own website has been affected by this hack, Sucuri provides a free tool called SiteCheck that will run a scan for you. It’s not a 100% guaranteed to find the problem, but it’s still worth checking out. This is what will be displayed if it finds a problem.
After this happened to Lisa, I recommended she sign up for Sucuri’s monitoring/cleanup service and then I did the same thing myself.
A Bit of History
This isn’t my first experience with Sucuri. A few years ago, I was working for an organization that had a blog that got hacked multiple times. In that case we only discovered it because our site had stopped showing up in Google results altogether (after having highly ranked for particular keywords and phrases). While investigating the problem we learned about the “Pharma Hack,” which wasn’t visible to normal users but showed up for the Googlebot (the bot that scans the Internet and indexes website content).
Understanding and cleaning the Pharma hack on WordPress (Sucuri Blog, 7/13/10)
In a later blog post, Sucuri actually provided very detailed information about how to clean up your site.
Cleaning up an infected website – Part I: WordPress and the Pharma Hack (Sucuri Blog, 2/16/11)
But if you look at that post, you need a fair bit of technical knowledge and skills to do everything required. And even though I and my colleague that I managed the site with could have done most of it, it would have taken a lot of time. (Likewise, the post I linked to about the problem my friend ran into yesterday provided some guidance on fixing it yourself, but the same caveats apply.)
So we ended up buying the Sucuri service and they cleaned up our site within a few hours and we never had a problem with it again. (We also changed web hosts to one that did a better job of preventing hacks in the first place). And we got our Google ranking back!
So I’ve known about Sucuri for a while. However, I had never signed up for it for Tech for Luddites or any of the other websites that I’ve personally managed since them. There were two main reasons for that. One was that I had in my mind that Sucuri was a solution for big companies, not for small sites like mine. And second was that my web hosting provider offered its own monitoring service (through a partner) that was less expensive and more convenient because they were managed in one place.
I’ve been fortunate and have not had to deal with my site being hacked (knock, knock, knock on wood!) but I know it could happen any time. (UPDATE: My site was hacked in September 2014, and Sucuri cleaned it up within a couple of hours.) And while the service I had bought through my web host does provide monitoring services, you have to purchase a separate service to clean up your site if it does become infected.
So after reading up about Landguppy’s hack, I looked into the Sucuri service and discovered
it’s only $90/year for a single site and $190 for up to 5 sites. (UPDATE: At some point after I wrote this, they increased their prices. It’s now $199.99 per site per year for their basic service. You can add sites, but you need to contact them for pricing.) And those prices include cleaning up as many pages as necessary if your site does get attacked. Then you get to look forward to seeing THIS SiteCheck message.
Now, I could have continued with the cheaper monitoring service I had and just signed up with Sucuri if something showed up. But given how important my sites are to my business and brand, I decided to go ahead and make the investment now.
That’s the thing about security issues. There’s always more you can do (and more you can pay) and you have to weigh the risks/benefits for your own situation. So while I think Sucuri is a great service and one that will provide real value to me, each site publisher has to make that decision for themselves. But I thought I would share this info just so people could learn about this option if they think it would be worthwhile for their own sites.
I’ve linked in this blog post to various pages on the website including the home page, Site Check tool, and signup page. I am an affiliate for Sucuri, which means I will get a referral commission from them if anyone purchases one of their services after clicking on one of those links.