The Consequences of a Hacked WordPress Website

If you are anything like me, you might have found yourself ardently watching the news recently and in particular, the Paradise Papers. It reminds me of a brilliant story about a recent similar leak, the Panama Papers. When the Panama Papers were released, a theory was floated that raised the hairs of web developers throughout the internet. You see, the company at the center of the controversy, Mossack Fonseca, had a WordPress website. And on that WordPress website, they were running an old, vulnerable version of the well-known plugin Revolution Slider.

This is what is thought to have happened: an external script or ‘bot’ found that the version of Revolution Slider on the Mossack Fonseca website allowed any file type to be uploaded (an unrestricted file upload). The hackers exploited this to upload a shell to the server, giving them full root access. At this point, Mossack Fonseca would nonetheless have been relatively unscathed, except they also kept their Exchange 2010 mail server on the same network, giving the hackers access to all e-mail communication in and out of the company.
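The artefact an upload bug like that leaves behind is a script sitting where only media belongs. As an added example (not code from the original post), this Python audit walks a wp-content/uploads tree and flags files with a PHP extension or a PHP open tag hidden inside a file that claims to be an image; the directory layout and file contents in `demo()` are constructed sample data.

```python
"""Audit a WordPress uploads directory for files that should not be there."""
import os
import tempfile
from typing import List, Optional, Tuple

# Extensions a typical PHP host will execute; none belong under wp-content/uploads.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_TAGS = (b"<?php", b"<?=")


def classify(path: str) -> Optional[str]:
    """Return a reason if `path` looks like a dropped script, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable extension"
    # A media file whose bytes contain a PHP open tag is the classic disguised shell.
    try:
        with open(path, "rb") as fh:
            head = fh.read(64 * 1024)
    except OSError:
        return None
    if any(tag in head for tag in PHP_TAGS):
        return "php open tag inside non-php file"
    return None


def audit_uploads(root: str) -> List[Tuple[str, str]]:
    """Walk `root` and return (relative path, reason) for every suspect file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def demo() -> List[Tuple[str, str]]:
    """Build a constructed uploads tree (sample data, not a real site) and audit it."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    month = os.path.join(root, "2016", "04")
    os.makedirs(month)
    with open(os.path.join(month, "logo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0" + b"\x00" * 32)  # JPEG magic bytes, benign
    with open(os.path.join(month, "slider.php"), "wb") as fh:
        fh.write(b"<?php echo 'x'; ?>")  # constructed: PHP where media belongs
    with open(os.path.join(month, "photo.jpg"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0 <?php echo 'x'; ?>")  # constructed: script in a .jpg
    return audit_uploads(root)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{rel}: {why}")
```

The extension check catches the obvious case; the content check is what matters, because an upload bug that accepts any file type will happily accept a .jpg with code inside.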

Now there is a raft of emotions that come as a result of such a hack, but for people who work in related industries, it serves as a beacon as to how easy it might be for a hacker to compromise everything you and your clients have. And while you can imagine the conversations behind keeping the website working ‘as-it-is’ at Mossack Fonseca, what if it wasn’t down to management? What if they employed someone just like you and me, and tasked us with maintaining the website?

The point I’m making is that your client would likely hold you responsible should their site get hacked, regardless of whether that is a reasonable thing to do, and the consequences can be far reaching.

The Awkward “Sorry, you’ve been hacked” Conversation

Getting hacked is all but inevitable. In fact, the things you are advised to do, such as updating your software, can end up being the cause of the malware itself (see the recent CCleaner update scandal). But that doesn’t make the conversation with your client any less awkward when you utter the words “I’m sorry, you’ve been hacked.” Particularly if you can’t point to everything you have done in your power to keep them informed and protected.

A nicer client might recognize that it almost certainly isn’t your fault, but ask what you could have done to make it less likely. You need to make sure you have a strong answer to that question should it arise.

A year and a half ago, three of my clients’ websites were hacked. It could have been the host, it could have been an old plugin, or it could have been the WordPress theme they all shared. Regardless, it meant three awkward conversations and a lot of unpaid work repairing the damage. That needn’t have been the case had I just taken some steps early to give the client a heads-up and thus avoided the awkward exchange of emails entirely.

What You Can Do

Naturally, the first thing you must do in such a situation is to secure the sites as much as you can. There is a wealth of options out there to make your site more secure, but I would advise you to install Wordfence, register for Acunetix Online and enable two-factor authentication across the board as a low-effort starting point. Acunetix will scan your site for all known vulnerabilities and also performs free scans of your network, while Wordfence provides reports on the number of weekly hack attempts (both will blow your mind if you haven’t seen them before).

Imperatively, you must also inform the client they need to regularly update their site themselves. Having that conversation at the beginning of your relationship with the client is easy, so if you haven’t already got yourself covered on this front, my advice would be to send out an e-mail to all clients in the next few days.

If you want some more information, here is the checklist for preventing WordPress hacks that I now use.

The Professional Angle

Since the hacks, I give all clients the opportunity to acquire instructions to perform WordPress updates themselves at no cost, and also offer to provide the updating service myself for a fee depending on their needs. Not only does this make the client aware of their responsibilities in regard to updates right from the get-go, but it also gives a paid option for the many people who just don’t want the hassle, or who are scared of breaking something unintentionally.

By completing the above you can increase the level of service you offer while keeping your client aware of the pitfalls of using a platform such as WordPress. Chances are, you may also be able to sell your services at the same time and perhaps most importantly, you will be able to rightfully say that you’ve done everything you can to keep your client’s site as safe as it can be.