Case Study #1: Don’t Neglect Your WordPress Website

Nov 10, 2021

Keeping your website up-to-date — by installing updates and replacing deprecated plugins with supported ones — is a crucial aspect of overall web security. Installing WordPress updates is usually a simple task, but when you’re running a business, there are a lot of other things that seem to take precedence. Far too often, we see critical website updates pushed back or forgotten entirely.

Having a security team monitor your website and apply updates as soon as they’re available can save you a lot of time and energy. It can also protect your website from the consequences of neglect. Unfortunately, if you let your website fall into disrepair, the results can be disastrous.

A Tale of an Unmonitored Website

This is a story about a client who neglected their WordPress website and unfortunately paid a high price for that negligence. This client was referred to us by an IT company that we had a prior relationship with. The IT company received a bunch of alerts in their system that this client’s domain had been blacklisted.

Having your domain blacklisted by Google is a quick ticket to the bottom of search engine rankings. Additionally, since Google is treated as the authority on whether or not a website is safe, many other providers will likely follow suit either by referencing Google’s report or by running scans of their own and finding the same deficiencies. If no action is taken, this blacklist domino effect can strangle many other necessary communication routes — for example, if a domain gets blacklisted by Google and Microsoft because of an issue with the website, then that can also affect email delivery. The email servers run by Google, Microsoft and other providers could reject emails coming from that same domain whose website has been hacked.

Knowing that their client’s blacklisted status represented a ticking time bomb, the IT company took quick action to ensure the business could still communicate with clients and stakeholders. Once this was done, the IT company realized that the website had been hacked, and referred the company to us.

The Remediation

This company had a WordPress website, and it came to our attention that this website had not been updated or maintained in about eight years. It was likely that a threat actor had gotten into the website through a vulnerability in one of the site’s numerous out-of-date plugins. Once there, the threat actor was able to inject bits of malicious code into the website and set up phishing lures — extra forms or fields that would try to harvest the information of users navigating to the site.

By the time they were referred to us, the site had been completely delisted from Google — not only had its rankings dropped, it no longer showed up in Google results for any query. Obviously, this was a major blow to the company’s ability to generate business and inquiries.

This website had also been marked suspicious by Chrome, Firefox, and most other reputable browsers. If users who already knew of the business tried to navigate directly to the site, they would be presented with a large warning about a possible phishing scam as soon as they arrived on the homepage. This damaged the trust and reputation of the business with its existing loyal customers.

Any time that a website is hacked, the remediation challenge is compounded by the fact that you have to move quickly. The longer a website remains in a compromised state, the more people and service providers find out about it. The trust of an existing client base erodes by the hour, and the domain may be blacklisted by an increasing number of services and software providers. The faster that you deal with an issue like this, the better your chances of recouping your losses in the long term.

As it happened, we had to wait a week to define the scope of work and negotiate with the client. During the week that we waited for this client to give us the go ahead, several virus scanners caught wind of the site’s hacked status. Norton, McAfee, and a number of other security services marked the site as malicious in their own databases. This further complicated the situation, as it meant that not only did we need to resubmit the cleaned-up site to Google — we also had to communicate directly with these virus scanners to get the website removed from their blacklists. To this day, we still haven’t heard back from one of these service providers, meaning that users who are running a particular antivirus software on their computers still might not be able to visit the website, even though its name has been cleared with Google.

Since the website had not been updated for the better part of a decade, it was dependent on a large number of plugins that were no longer supported by their original developers. These plugins were full of holes and vulnerabilities, and since they had been abandoned, there were no available patches. We had to essentially rebuild a large portion of the website’s original functionality, by determining which plugins were deprecated and what function they had been serving on the website. We then had to find, verify, install, and test a whole suite of new plugins to replace them. As you can imagine, this process took up quite a large chunk of labour and time.
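The plugin inventory step described above can be scripted. The following is an added example, not code from the original post or from the firm involved: it reads the standard header comment that WordPress itself uses to identify a plugin, then flags plugins that are closed upstream, have had no release in two years, or lag behind the newest version. The plugin files and the catalogue of upstream versions are constructed inline; in practice the catalogue would be filled from the wordpress.org plugin info API (an assumption, not shown here).

```python
import re
from datetime import date

STALE_AFTER_DAYS = 730  # no upstream release for two years counts as abandoned

# Constructed sample plugin files; the header block is the real WordPress format.
PLUGIN_FILES = {
    "contact-widget": "<?php\n/*\nPlugin Name: Contact Widget\nVersion: 1.4.2\n*/\n",
    "old-gallery": "<?php\n/**\n * Plugin Name: Old Gallery\n * Version: 0.9\n */\n",
    "seo-helper": "<?php\n/*\nPlugin Name: SEO Helper\nVersion: 3.1.0\n*/\n",
}

# Constructed stand-in for an upstream lookup (assumption: in real use this
# would be populated from the wordpress.org plugin info API).
CATALOGUE = {
    "contact-widget": {"version": "1.4.2", "last_updated": date(2021, 9, 3), "closed": False},
    "old-gallery": {"version": "1.0", "last_updated": date(2013, 5, 20), "closed": True},
    "seo-helper": {"version": "3.4.0", "last_updated": date(2021, 10, 28), "closed": False},
}

def parse_plugin_header(php_source):
    """Read Plugin Name and Version from a plugin's header comment block."""
    header = {}
    for field in ("Plugin Name", "Version"):
        m = re.search(rf"^[\s*]*{field}:\s*(.+?)\s*$", php_source, re.M | re.I)
        if m:
            header[field] = m.group(1)
    return header

def version_tuple(v):
    """Turn '3.1.0' into (3, 1, 0) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def audit_plugin(slug, header, catalogue, today):
    """Return findings for one installed plugin; an empty list means nothing to flag."""
    info = catalogue.get(slug)
    if info is None:
        return [f"{slug}: not in catalogue, likely removed from the directory"]
    findings = []
    if info["closed"]:
        findings.append(f"{slug}: closed upstream, no patches will be released")
    if (today - info["last_updated"]).days > STALE_AFTER_DAYS:
        findings.append(f"{slug}: last upstream release {info['last_updated']}, treat as abandoned")
    installed = header.get("Version", "0")
    if version_tuple(installed) < version_tuple(info["version"]):
        findings.append(f"{slug}: installed {installed} but {info['version']} is available")
    return findings

def audit_all(plugin_files=PLUGIN_FILES, catalogue=CATALOGUE, today=date(2021, 11, 10)):
    """Audit every plugin file and return {slug: [findings]}."""
    return {slug: audit_plugin(slug, parse_plugin_header(src), catalogue, today)
            for slug, src in plugin_files.items()}
```

Plugins with an empty findings list need no action; the others are the ones whose function has to be re-established with a supported replacement.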

The Moral of the Story

The total cost to the client for our remediation efforts ended up being thousands of dollars. The website is back online, but the long-term damage is an opportunity cost that could ripple through the business for months or even years. Though the company is once again listed on Google, they may never recover their original search engine rankings. Even with a robust digital marketing campaign (which itself would cost thousands of dollars), trust is a hard thing to win back.

The thing we really want to drive home here is that the one-time cost to recover the website far and away exceeded any costs that this client would have incurred for regular security upkeep and maintenance over the past eight years. An ounce of prevention really is worth a pound of cure.