My Website Got Hacked! Who Is Responsible?

Hacked word imageThe words “My website got hacked!” send shivers down people’s spines, even more so, web developers’. Why? Because the question often comes down to who is responsible. Simply put, the hacker is responsible. No one asked for this.

The real question is this: Who is responsible for cleaning things up? It is a good question. Much of the answer depends upon how your website is built. If it is an all HTML site, this is going to place a greater burden upon the developer. If this a CMS, content managed system site, such as WordPress, Drupal or Joomla, then the answer is: It depends.

WordPress is free, open source software, and its terms of service states that the software is licensed under the GNU General Public License. The GNU General Public License (GNU GPL or simply GPL) is a widely used, free software license which guarantees end users the freedom to run, study, share and modify the software. There is no guarantee for performance or anything else. Unfortunately, it is also the system hackers like to target because the software is free for them to view as well.

Over 74,000,000 or 25% of the web is powered by WordPress. This makes WordPress a popular target for hackers to look at as well, because a single virus has many places to check out. Good website developers do their best to have a website built properly to make it more difficult to have hackers break in.
However, that still does not answer the question of who’s responsible for fixing the website once it’s hacked.

Here are a few items to consider.

• Whose website is it?- Do you own your website?- Do you lease your website (essentially renting a website versus purchasing)?
• How did the hack occur?- Was it password compromised? If so, through whose password?- Was the virus or hack accidentally or uploaded and by whom?- Was it a vulnerability that snuck in between updates? (If you ever wonder why there are so many updates, it is usually because of added features or fixed bugs including those that hackers have exploited.)
• Is there a security agreement in place?- Security is different than hosting, different than maintenance and different than management- Are there disclaimers or limits within the security agreement?

Essentially, without some type of security agreement in place, the burden of fixing the website will land on the owner of the website, unless the owner can show negligence by the hosting service or developer.

A hacked website is similar to a flat tire on a car. Without some type of roadside warranty on your tire, you need to show negligence in order to prove someone else is at fault. Otherwise, the owner of the car is stuck taking care of a flat tire, even if it is a brand new set of tires.

We certainly would not want to leave this on such a dismal note, so here are some suggestions to consider.

• Have a regular maintenance schedule- Although this is no guarantee against hacking, it offers a huge layer of protection. Many updates are put in place AFTER hacks and vulnerabilities are discovered.- Auto updates are a tool to consider as well
• Secure passwords- This is one of your No. 1 defenses and helps to ensure your site is protected.
• Limited access to users- Editor hacks would be less severe than an admin hack
• Good hosting, which allows for regular backups- If the hack is discovered early enough, sometimes it can be fixed simply by rolling the site back to some point in the last thirty days. Note, a review of all systems, plugins, software and theme updates should be done as part of the rollback process.
• Monitor plugins
• Site-wide backup of source files
• SSL Certificate, which are files that allow secure connections between a web server and browser
• Consider third party solutions when collecting sensitive information like credit card data or personal information.
• Site Lock Plans- Daily malware scanning and removal (manual removal may cost extra)
• Have a security agreement in place- This does not guarantee your website won’t be hacked. It is more like insurance. If your site is hacked, you have insurance to help take care of the problem.

Even with all the above efforts, hackers are still trying to get in. If Target and Home Depot websites can get hacked with the security these corporations have in place, there is no 100% guarantee you can prevent it from happening to you. Unfortunately, there is not one perfect cure-all.

How does a security agreement work? Essentially, the people supplying the plan are most likely taking many, if not all, of the suggestions above and putting them into use. On top of that, they are factoring in time to take care of the hacks that still get through, because they know that a percentage of websites, even with protections, still have the possibility of issues.

Unless the hackers themselves are nabbed, the question is not so much who is responsible, but what allowed the hack to occur and how is it going to be fixed? Hopefully, if you do not have a security agreement, you were fortunate to choose a web developer willing to work with you to remedy the problem.