I had a client call me last week in a panic. Their credit card processor, Authorize.net, had sent them an email informing them of a declined charge for a $10 product. The card, posting from a California address, was invalid, and kept trying to clear. Authorize told her that the site was sending the information, so it must be compromised. She was mortified, as we had just done a massive rebuild on the site, and the thought of having to lose all that data in a memory wipe was very scary indeed.
Well, Authorize didn’t have a clue what they were talking about.
As it turns out, there was a scammer involved, but they were testing stolen credit cards on a small, local site, hoping it wouldn’t be noticed. They picked an innocuous, inexpensive item to test the card/code combination. If it went through, they could then move up to using the card for bigger and better things, like iPhones on Amazon. That’s all it was. A scammer was testing a card using the client’s online store. Nothing whatsoever was compromised in her security setup. Still, to give us all a sense of comfort, our online store had captured the IP address of the scammer, and we immediately blocked it from having any access to the website whatsoever. It’s a small comfort, as it was probably just a VPN address anyway, but it let the scammer know we were on to them.
And it worked. After that, they stopped trying.
A similar situation arose about three months ago, where a client was experiencing extremely slow loading times. Naturally, the first thought was malware and a data leak. Upon closer inspection, though, my server specialist and I identified the problem: someone was trying to hack the site by logging in to the admin panel. This isn’t an uncommon occurrence (which is why it is SO important that you NEVER use the name “Admin” as your login ID. It’s the first one they ALWAYS try, and it’s half the puzzle in one shot!). What was extraordinary was the volume of attempts. Somebody had put a pretty decent computer on this brute force attack, because they really wanted access to the information. This is a pretty big online retailer, doing tens of thousands of dollars of online sales every month. A quick change in the back end and they can get all that money funneling to THEIR bank accounts instead of the real owner’s.
Which is why the site was moving so slowly. It was having to process 2,500 login attempts… per hour. That’s one login attempt every 15 seconds, or 60,000 attempts per day. I’d be a little tired of answering the door that many times as well.
The solution was simple: we just changed the name of the login page. Some security software, like Cerber, makes that change very easy. This simple change acts like a third level of security, beyond your login ID and password. And you can even set your security to automatically block anyone who tries to use “Admin” as a login ID.
But the bottom line is, this site had not been hacked, either. It was under attack, and our security forces held the line. We just needed to move the target to a place where the brute force hackers couldn’t find it.
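Both stories above describe the same pattern: a burst of repeated attempts from one source address, whether failed logins against wp-login.php or declined small charges at checkout. As an added example (not code from the post or from WeCraftSites), here is a small Python detector that runs over web-server access-log lines and flags sources that cross a rate threshold; the log lines, addresses, the /checkout path and its 402 status are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines (Apache combined style, trimmed); the addresses
# and timestamps are made up for this example and do not come from the post.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [12/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
203.0.113.7 - - [12/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1234
198.51.100.9 - - [12/Mar/2024:10:00:10 +0000] "POST /checkout HTTP/1.1" 402 88
198.51.100.9 - - [12/Mar/2024:10:01:12 +0000] "POST /checkout HTTP/1.1" 402 88
198.51.100.9 - - [12/Mar/2024:10:02:15 +0000] "POST /checkout HTTP/1.1" 402 88
192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def is_attempt(method, path, status):
    """Classify a request as a suspicious attempt, or None. A failed WordPress
    login POST gets a 200 (form re-rendered); success is a 302 redirect. The
    402 on /checkout is a constructed stand-in for a declined-card event."""
    if method == "POST" and path == "/wp-login.php" and status == 200:
        return "failed-login"
    if method == "POST" and path == "/checkout" and status == 402:
        return "declined-card"
    return None

def flag_sources(log_text, window_seconds=300, threshold=3):
    """Return {ip: kind} for every source that made at least `threshold`
    attempts of one kind inside any `window_seconds` span (sliding window)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        kind = m and is_attempt(m["method"], m["path"], int(m["status"]))
        if kind:  # skip unparsable lines and ordinary traffic
            events[(m["ip"], kind)].append(
                datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for (ip, kind), times in events.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = kind  # candidate for a firewall or Cerber block rule
                break
    return flagged
```

Card testing is slower than a login brute force, so the window is deliberately wide (five minutes); tighten it to a minute and only the login burst is flagged.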
Now, this doesn’t mean your site can’t have been hacked. If you aren’t diligent in keeping your themes and plugins up to date, or you have super simple ID/password combinations, you are just a train wreck waiting to happen. Here are a few ways of identifying malware on your site:
- Your site is moving very slowly, despite no reported increase in traffic
- You see odd, random text appearing on various pages, especially the home page
- You notice your home page is redirecting people to another site
- Google sends you a Blacklist email (but they are sometimes wrong, so don’t panic)
- You can’t log in to your admin dashboard, even though your site looks fine from the front
- You see a new Admin profile has been created without your knowledge
These are the classic signs of a malware infection. They need to be dealt with immediately and dramatically. There is no response too big when this kind of thing happens.
The following are things that generally do NOT mean you’ve been hacked:
- You receive a returned email from your website address that you never sent. (Hackers can use any email address they want in the “From” field. You just got picked today)
- You have a white screen and “Critical Error” warning. (This is usually a plugin conflict and can be fixed relatively easily by an experienced web designer like WeCraftSites.com)
- You see a thousand spam comments on your posts or pages. (This is just you leaving the door open without any screening software. Easy to fix, but doesn’t mean you’ve been hacked)
So if you think you have been hacked, take a close look. We can help you dig deeper if you would like a second opinion, though. Just drop us an email at Info@wecraftsites.com