(Shutterstock illustration)

How Not to Get Hacked

Back Article Sep 9, 2021 By Lila Wallrich

For many businesses and organizations, the past 18 months have dealt a surreal combination of remote connection and reliance on digital resources. Some of us, unsure of what the future holds, have been cautious about spending — possibly trimming marketing activities to protect other budget priorities. But as prospective clients, partners and employees emerge blinking from pandemic caves, this is a smart time to make sure the assets we need to keep us accessible online are not exposed to opportunistic, inconvenient and expensive attacks.

You’re probably familiar with network security. My focus is narrower: The website or blog that serves as your company’s online face, supporting awareness and attracting leads 24/7, is also vulnerable to hacking. 

Put simply, the internet can be a rather sketchy neighborhood. When my firm began developing websites more than 20 years ago, we created custom content, design and code, uploaded it to a reputable host, and celebrated another successful project. Websites we created in the 1990s were still going strong with no security issues (though perhaps a few aesthetic ones) a decade or more later.

But the use of blogging platforms such as WordPress to streamline site development, with the advent of commercial plug-ins to support interactive site features, introduced new vectors of vulnerability. Without proactive security oversight, these tools create opportunities for the internet’s bad guys to gain site access. Once there, they deploy malware and other spam content for their own nefarious purposes. When a hosting company detects such mischief, they typically shut down the compromised site. While having your website go dark is never convenient, it can be much worse if you’re heading into a major pitch, launch or conference with no recovery plan in place.

After many years without incident, my firm entered this new digital era seeing a handful of our sites hacked without warning. While tending to their recovery, we mobilized to establish a program of prevention and recovery measures to reduce most threats from major loss to minor inconvenience. These are not trade secrets — and they are not completely foolproof — but a sensible checklist any manager can implement to reduce site vulnerability.


Your first step is to make sure your online assets are readily recoverable in the event of a breach. This includes making a complete backup of your site and any underlying data files. New backups should be made regularly and after any significant content update and thoroughly tested to ensure the site can be rapidly restored if needed. Keeping multiple backups dating back several months provides a hedge against malicious “sleeper” malware, a destructive code on a computer drive waiting to be triggered and infect current files.


There are several opportunities for hackers to find a foothold. One of these is software versions. If WordPress or any associated plug-in that powers your site becomes outdated — and these updates happen continuously — it opens a way in. Secure server certification and a reputable firewall are also important. Wordfence and Sucuri are two popular firewalls for WordPress sites. Finally, access to site files should be limited and tracked, with a password update protocol. 


Installing a remote monitoring and notification solution, such as Pingdom, gives you immediate notice if a site goes offline for any reason so you can investigate, recover from backup if needed and carry on without major disruption.

Depending on the scale and features of your website, these security measures need not be a major investment. Most in-house IT staff can carry them out with communication and economic benefits. Another option is to engage a web development firm to oversee the measures on a defined schedule. For most of the sites we maintain, these activities take 1-3 hours per month, including quarterly reports on the site’s uptime (the time the site is functioning), security status and any issues since last checkup. The advantages of using an outside resource tend to include proactive attention, accountability and ready access to development resources if a fix is needed, especially if there are other updates on your to-do list, such as Americans with Disabilities Act accessibility, mobile performance or search engine optimization that might be bundled in for better value.

As a small-business owner, I know it’s discouraging to invest in a shiny new website only to find that you’re now on the hook for ongoing maintenance. But like the maintenance we devote to buildings and vehicles, it’s far less costly to invest in maintenance than to recover from a major technical failure. Telling a web client who opted out of such support that their site is now unrecoverable and must be rebuilt from scratch is awful. Telling them that their site sustained several hundred hacking attempts which were blocked in a matter of seconds is much more rewarding. 

Stay up to date on business in the Capital Region: Subscribe to the Comstock’s newsletter today.

Recommended For You