Why I Chose to Talk about Malware Instead of Me

I was asked to put together a ten-minute presentation about my business for a local business networking group. I could have turned those minutes into an ad for myself, but I decided to talk about the importance of checking for malware instead. Why? I was talking to exactly the crowd for whom I’ve recently seen a huge uptick in a major problem: a bunch of small to medium-sized businesses that all had websites.

The issue I’m seeing a big uptick in is problems that don’t seem like they’re caused by hacking, but the bug turns out to be some kind of malware. Basically, they’re hacked but don’t know it. There have probably been ten or so clients recently with heavily damaged websites that don’t “seem” damaged from the outside, except the forms don’t work quickly anymore, or the site is suddenly slowed way down, or one piece of software is acting glitchy.

When I lived in the woods, there was a kind of tiny bug that lived in the ground in colonies. So small you could barely see them. They looked like aphids. When they found a larger bug climbing by, they’d hollow it out. The bug still looked like it was climbing on the branch, but it was never moving again because its innards were gone.

A hacked website is usually like that. Looks like it’s there, but not really on closer inspection. The hollowed out husk of what used to be a good site has started:

Running slowly because that website became a triple x redirect spot for some spammer somewhere who wants a clean URL to put into email links so they don’t end up caught in the spam filter.
Or maybe the website doesn’t know it’s covering up a secret directory using up all their bandwidth so that some criminal enterprise isn’t responsible for the images they’re showing, but instead those images are sitting on YOUR site.
Or sending all the new leads to two places instead of just where they should go.

Or or or or or or.

All of these are kinds of malware or hack that I see on websites owned by small to medium sized businesses without their ever knowing. And I’m seeing an uptick in the number of smaller websites this is happening to. The big boys don’t often actually need me to fix things. It’s the guy who built a website fifteen years ago and hasn’t kept it updated who ends up hacked. No, there is almost never a huge “You’ve been hacked!” warning. No, there’s almost never a big laughing skull. Your site just sits there seeming okay, but totally not.

When you leave a big flaw like out-of-date software or no security software, malware eventually finds that flaw and eats its way in. You need to check for it.

How do I recommend that you check for malware if you’re a small business? Well, search for your website in the “Safe Browsing” tool for starters. And then make sure you’re the owner of your website in “Search Console” – previously the webmaster zone at Google. But then, someone needs to pay attention to the notification emails you get from Search Console. No amount of software and tools can replace actually noticing that your software is out of date, your site is having glaring issues, or even that you’ve gotten notified that your site is hacked but did nothing because you just filed away the emails. Someone who understands what they say needs to be acting on them.

The above two actions only accomplish one thing: They will let you know if malware on your site is affecting your search rankings. They won’t find all malware. And they won’t fix any of it, though they often advise. It’s a place to start.

Make sure you’ve got decent security software in place at the server and in any software you’ve installed, and don’t leave sites on old software or allow the server’s core software to stay on old versions. It’s almost always the software that’s the problem when I find malware. Keep it up to date and keep protections on every level.

Yes, this requires putting someone in charge of maintenance. If that’s your webmaster, ask them to keep the software up to date. It’s not something your hosting provider will automatically do.

Aside from issues with software, another weakness is poor passwording. Make your users jump through security hoops. This means, even though some people won’t like it, that you need to require strong passwords, and that you use two-factor authentication (2FA) on any site that collects sensitive information. This is webspeak for “double check”. Those two factors are:
1. You have a username and password, those checked out. So then,
2. the computer goes to double check that you’re okay. It does this by sending an email to your email address, or it texts your phone, or there’s an authentication notice that pops up on your phone from within an app.

If you collect any contact information, you owe your users the kind of security that 2FA provides.

Some of you are saying: I have a full service host, I don’t need this.

You might. There are full-service hosting houses that provide everything about your site from the design to the shopping experience to the hosting space, etc, but those sites can be hacked, too. I’ve seen it. And sometimes it’s on a huge scale and your site just ended up part of a pile of hacked sites on their service. Sometimes you just chose a seemingly good add-on that has a big security hole.

If you’re going for one of those full-service hosts but you collect any user, customer or subscriber details, you have an obligation to your users to upgrade to whatever level includes the best security. Additionally, I’m almost always going to recommend that you leave that all-in-one website service completely if you see signs of any kind of security breach. Rebuild smarter in a different environment. All-in-one hosts are not for complex uses and trying to do that usually results in strangely built, hackable builds.

Anyway, the entire reason I talked to these non-techie business owners of car repair shops and hair salons, bookkeepers and SAHMs with small at-home businesses is that these are exactly the folks most at risk. People without a dedicated on-staff techie watching their website. People most likely to actually have malware sitting on their sites, driving away all the SEO and marketing work they’ve done in the past.

So, if you’re the one man in a one-man shop, it’s a good idea just to follow those two links in this blog post and see if your business is being hurt by having malware on your website.

If you think you have malware and are over your head, you can contact me over at MWM.
