Your site is not too small to be hacked

April 12, 2018
A brilliant WordPress security article by Wordfence reinforces something I have said for a long time: every digital services provider should offer (or at least advise on) ongoing maintenance contracts. Mash certainly offers it. Why?

Because this era, when it’s so easy for DIYers to get online using a few popular digital tools, means there are more websites than ever built with the same sorts of vulnerabilities. This means big opportunities for small-time hackers.

There’s now something like 74 million sites out there built on WordPress. A good chunk of them are business sites. Your business site is probably built on WordPress. Even if you are a tiny operation, to think you are too small for a hacker to bother with is misguided.

Hackers like small, because your average hacker doesn’t want to be noticed. Hiding in the backend of a small-time site for a legitimate and unwitting business is a perfect place. These hackers are interested in your site not for what it’s doing, but for what they can make it do. While you just see your website, the Wordfence article points out that a hacker sees a server they can use for their own purposes.

Forget what you think a hacker is

First, when you think of hackers, forget Julian Assange and his political ideals, forget The Matrix and its vision of reality control, forget, indeed, the movie Hackers itself, which is just edgy teens doing industrial espionage. Most hackers are desk-bound hustlers. Petty criminals who use their limited technical skills to parasite off vulnerable websites for a quick buck. They’re fleas, not tigers.

But these hackers don’t have to be technical geniuses anway. They’re interested in easy money, not being masters of the digital universe. If they were really skilled, there is much more cash to be had doing legitimate things. An estimated 1,000 Google staff became millionaires in 2004 when the then-small company went public (among them was the inhouse massage therapist). No, the true genius of your average hacker is finding ways to make a few quick dollars.

An example, as mentioned on Wordfence:  It takes a lot of computing power to generate a cryptocurrency balance, and that much power is not cheap to get. In response, some hackers have started using spare computing capacity in unwitting websites to crunch the necessary numbers. Not quite supervillain stuff, but definitely annoying to the owners of those websites.

What do hackers want with SME websites?

Chiefly, what hackers want with your site is to hijack your email database and email sending capabilities. Ever wondered where all those spam emails you get come from? Mostly, it’s from legitimate business websites that have been hacked.

The high-profile cases where a hacker compromises a system and steals millions of customer records or holds a business’s data to ransom are pretty uncommon and pretty difficult to pull off. Hijacking a site for a phishing or spam scam is actually fairly simple and often done by ‘script kiddies’.

They’re not usually kids (though some are), the term instead means they don’t know much about hands-on hacking. What they do is just scan websites for vulnerabilities using a suite of small automatic programs called scripts. They probably come snooping around your site every day.

They love WordPress sites because there are commonalities in the backend, so the script kiddies already know what the vulnerabilities are and where to find them.

A classic case of site hacking

One instance I have seen recently is completely typical of this. A friend of mine is a developer too. A small business client of his got hacked and I was asked to have a look. I found out the customer’s site had a very outdated version of Revolution Slider – a common WordPress plugin.

A hacker somewhere had figured out that in that version of Revolution Slider you could upload a file to a certain directory using a certain filename. Doing that would give you access to the folder, and folder access would then start a domino effect of more and more access until the hacker could act with full admin privileges for the whole site.

With that level of access, a hacker can upload their own site pages which are masked as real pages. The victim site still functions just like it was designed to, but it’s also now doing a lot of other things as well – and the legitimate admin probably won’t even notice.

The first they may find out about their hack is getting blacklisted by their ISP as the unwitting source of a stream of email spam. The hacker in this case is probably using one site to send all those spam emails and another to host the landing pages those emails link to. You know all those “Hot Singles Near You” pages? They’re all hosted by innocent small business sites like, say,

Prevention is better than the cure

If the process of getting un-blacklisted by your ISP is horrible (and it is), it’s even harder to get rid of a hacker who has compromised your website. If they choose to, once they have admin-level access they can infect every single website file. Anything short of replacing your entire site leaves the door ajar for them. If their access remains in even a single place, you can be hacked all over again more or less straight away.

This is definitely one of those cases when prevention is the best cure – and prevention is a relentless task. This is the ongoing maintenance contract we talked about at the start. You need it. Think of it like your car. Even if there’s nothing in it worth stealing, you still lock it. The script kiddies are those dodgy types you occasionally see roaming car parks trying every door handle in case one isn’t secure.

At Mash, we install Wordfence on every single one of our client sites to monitor anything that is even a little bit suspicious and be able to take action. If we detect something, we’re quick. We change passwords, revert to previous back-up versions of your site and change accounts. And your site slips out of the hacker’s net, and your digital reputation is safe for another day.


Basic WordPress security advice:

Never use ‘admin’ as your username. As the default, it is the most common username of all. Using it makes being hacked that much easier.

Never use a simple password. The good news is that length is more important that complexity. So, a password “I like my pet dog ralf because he is a good boy” is far stronger than something like k$%7#P.


Through many years of a changing internet landscape and states of the economy Mash Media constantly deliver what I believe is as good as you can get! We receive responsive personalised service that I have not experienced with any other provider, large or small. Forget the rest, you won’t be disappointed, Mash media delivers hands down the best return on investment in the online marketing world. Whilst there is never a guarantee that things remain the same (especially when technology is involved), you can be assured that the team at Mash Media will be one of the first to adapt and take advantage of on your behalf. This has been my experience to date and I have no reason to expect this to change.
John Travelli - Ceramo.
I have the honour ​of​ writ​ing​ a testimonial for Mash Media and in particular its owner Sharney Ryan. I have been with them for now over 5 years​! And wouldnt consider going anywhere else again.​ The​y are a great team who have a​ genuine interest in helping my practice succeed with Marketing, Adwords and Website​ & SEO has been superb.Prior to them advising me i had spent significant sums with large organizations, only to find that much of the budget was spent on their overheads and profit before being applied to my business.This company ​truly ​delivers.
Dr Ron Binetter - AIES.
I have been dealing with Sharney for many years and followed her from her last posting in a Corporation as Sharney displays skills and knowledge in this minefield of an industry. I am very pleased to be part of Mash Media’s growth from a one-man band to where they are today with employees and offices all over. We are treated well and never pushed to increase our spend like the big guys do. Sharney and her team make our digital life clearer and easier.
Richard Wilson - Richard's Tyre Power.
If there is a better Digital Agency going around than Mash Media, then I haven't found them. And I have been looking for a long time!! We had an urgent need to get a site up and Sharney and Ben turned it around in 72 hours. Took a brief, clarified the brief, made the brief better than I thought possible. A great overall experience and just goes to show, botique is better!
Vincent Kelly - Viridor.
Sharney and Michael made sure they understand our business and Mash Media have an excellent campaign manager in Michael. His attention to detail and his hands-on approach to optimising our adwords campaign is what brought us back to Mash Media. We tried another campaign manager during the economic downturn, but came back to Mash Media when it became clear they could convert more enquiries, in spite of the economy.
Andrew Langdon - Sentinel Self Storage.
4 years and counting with the awesome Mash Media Team. They have been doing a great job of looking after our Adwords. More recently they have created a couple of different tailored websites that proved to save our adword cost by over 40%.......these websites paid for themselves in 6mths over the old clunkers. Superb results. Lovin’ their work.
Alex Brown - The URECO group of companies.