AskPat 410 Episode Transcript
Pat: Hey, what's up everybody! Welcome to AskPat Episode 410. Thank you for joining me today. As always, I'm here to answer your online business questions, five days a week. We have a great question today from Gaynete.
But before we get to that, I do want to thank today's first sponsor, which is Lynda.com. If you go to Lynda.com/AskPat, you can actually get a 10-day free trial to this amazing platform with over 3,000 on demand video courses. Everything from helping you with new software that comes out, to helping you with business fundamentals, and everything. I've actually used it quite a bit for learning how to use my DSLR camera. Which is great. I know Mindy, my assistant, uses it for a lot of things. So again, you can try it out, 10 days for free. Completely all access to all videos, by going to Lynda.com/AskPat.
All right, here is Gaynete’s question.
Gaynete: Hello, how are you Pat? I'm Gaynete from Gaynete.com. And I have a question for you. You speak often about your site getting hacked, and how you ran a recorder video and all of that. But my question is what have you learned since getting hacked? Because I know I have a fear of, and I know others around the world do as well. So what did you learn from it? What do you think would have prevented it? And what do you do now, just to make sure it doesn't happen again? Let me know, I would love hearing from you, and I'm sure everyone else will as well. Have a great one.
Pat: Hey Gaynete. Thank you so much for the question. And actually it's funny, because I'm actually recording this on Periscope right now as we speak. You're not here, you're always on my Periscope, so I'm sorry that you're not here to catch this live, unless you came in late. But I hope this answer helps you, and it's going to help a lot of other people too.
So, just a quick background story. March 2013 I was hacked. Meaning I had a DDOS attack, which I don't even know what that means. It just means hackers were trying to do stuff through my site, and my site went down for a week. And when you're making money online, or even if you're trying to build a business and you have yet to make money online, it really set you back. I calculated that I lost between $10-15,000 during that time. Because I wasn't able to make any sales. Now there's a lot of things that I did learn about that experience. It's probably just made worse because of the timing. I had just left to go to San Francisco to film some stuff, and then this thing happened, and I was on the call with the servers and the hosting company and just everything went bad. And no, it was not Bluehost, it was another hosting company. I'll tell you about that in a second, and they just failed to help me out.
Here's what I learned. I wrote down 11 things to help you when thinking about your website getting hacked. I mean, yes it's like one of the worst things that can happen, and you think, just kind of like invasive, like somebody's touching your. . . I don't even want to talk about it, it just feels gross, right? Like when somebody does that to you, why do people do that? I have no idea. They're just bored and have nothing else better to do. It's just kind of sad. Here's the number one thing I learned. I learned that it is possible. It happens. I never thought it would happen to me and I know a lot of you feel like that about things like this too, but it could happen. There's a lot of people out there doing bad things. So you definitely don't want it to happen. So that's the number one thing that I learned. It is actually possible and it could happen to you. I thought I was invincible and invisible, and I was not.
The number two thing I learned was that I also could prevent it as well. There were things I could have done to prevent it, which I learned later on. It is a preventable thing, or you can at least make it harder for people, especially those kind of silly hackers that just try to make and wreak havoc, and they are not like. . . we are at a point now that if they were a super hacker they could probably get through anything, right? There's those Black Hat conference that happens in Vegas, I think, it's just insane what they're able to do. But you could make it harder, and the harder you make it, the more of these types of people you're going to weed out when it comes to your website. It's a little scary. I’ll talk more about what's possible too.
Number three, I also learned about the importance of an email list. Now, when my site went down, I am so thankful that I had an email list, because I was still able to keep in constant contact with my audience and keep up to date and not lose them, and still provide value to them as well. It was so important for me to email my audience and tell them what was up. Also, what I did was shot a video with Caleb, because we were in San Francisco and I said, “Hey I'm going to shoot a video, put it on YouTube,” and I had a YouTube channel as well, so that was great. So my be everywhere strategy was helping me in this situation. Because I was on multiple platforms.
I did a YouTube video, I sent it to my email list, and everybody was very supportive, and just like “Hey, hang in there Pat, we're here for you.” And that was very comfortable to know as well. So, the email list is great, because even if my site were to have died and were to have gone away forever, I at least have an email list and I can set up shop somewhere else. So the email list is definitely one of the number one things that you should have. I'll be talking a lot more about email in the upcoming months here on SPI.
Number four, there are people out there who specialize in website security. I hired somebody after, and I wish I had gotten in contact with this person before, obviously. But, my guy Brian, he is amazing and he just helps make sure. . . he's a web security genius, and he just makes sure that things are safe, he puts in a lot of high level stuff, and I know that I'm quite open and honest and very out there and very exposed, so he puts in a lot of things that I don't even know what happens in order to stop hackers from coming. There's one specific thing he did that worked really well. I mean, he installed a couple plug-ins, like the limit log in attempts plug-in, which is a WordPress plug-in, and that is a way for you to limit people when they try to log into your website. It's scary, because it keeps track of how many people actually try to log into your website, and every day there are at least 100 people that try to log in to Smart Passive Income. They don't get through, but isn't that scary? 100 people around the world every single day, who's like, “I'm going to try to get on Pat's site.” That's really scary.
A couple of people on Periscope also saying WordFence. WordFence, I know, is another great plug-in, that you can use as well. There are 100 people that are all trying to log in with different things like my name, and other things. They don't know what my login is and that's good. The other thing is that most people are logging in through “admin” as the username. Which is the default one when you set up a WordPress site, so if your website username, or your WordPress username is “admin,” you better change that, because that is really scary, because that's the most common one, and people who are hacking know to use that one because a lot of people don't take the time to create these unique usernames.
In addition to that, you should also create unique passwords. Very long passwords. I use a tool called 1Password, or there's LastPass as well, but I love 1Password because I have hundreds of different websites that I have to log into and each of them have these twenty-five character passwords with numbers and letters and symbols, things I could never possibly remember. I don't want to have them written down of course, it would just take forever to log in, so I just use 1Password to help me log in, and that has helped a lot.
Another thing is, you should work with your server or your hosting company to make sure that things are secure as well, even before things happen. If things happen afterwards, you've got to get on them. Get on that chat, call their phone number, the phone number is the best way to go because not a lot of people actually use the phone. A lot of people go through live chat, a lot of people go through email, for some of the mild to medium situations that are going on. If you have a hot situation where someone is hacking your site, call them. Hopefully if they're a good hosting company they're going to help you out as well. Unfortunately, the one that I had, which was ServInt, Servint.net, for whatever reason they were not being helpful at all, and I dropped them and have since moved onto Linode.
Now, I started on BlueHost, I moved to Servint because I had just upgraded my server. Still recommend BlueHost of course, obviously for those of you. Still use it on a number of my sites as well. Servint was a good middle company. I used the VPS server, or virtual private server. That worked okay until this hacking situation, and I just was not happy with their customer service, so I dumped them and went to Linode.com, and that's been working out great too.
Safe passwords. Make sure you get in contact with the hosting company. Use the phone number if you have to and really push them hard if your site is down. Make sure that they know that this is serious. I mean, I lost $10-15,000, so you can lose a lot of money and time as a result of this as well.
Another thing that I like to do, not just with your website, a lot of sites that you might have access to, like banking sites and PayPal, DropBox, and all these other sites. As much as you can, especially email, try to engage or incorporate two step verification. Now, it is definitely an inconvenience to have to do that. Where you have to kind of give it a text message with some digits in it, and then put that into the second step, but, again, this is your stuff, your private stuff, your business, your livelihood that is there, so you want to protect that as much as possible, so these two step verifications. So what happens is when I sign into Gmail for example to access my Smart Passive Income email, it then asks me to put in my pin number, but it sends me that pin number over my phone. That way hackers, even if they get past that first barrier, they can't get past that second one, unless they have access to my phone. Which is still scary to think about, but it's definitely less likely to do that.
The two step verifications are very important, and that's probably the only thing the Apple Watch has actually been very helpful for, because I don't have to go into my phone to check, I just check my wrist when I get those verifications. It's been very helpful, and of course, just the peace of mind that comes with being secure like that. Taking that extra step goes a long way as well. I know there's a lot of people out there that are getting hacked, and these two step verifications can really help stop that.
There's also another company that I want to give a shout out to, and that's Sucuri. I don't know exactly how to pronounce this, but it's S-u-c-u-r-i. Sucuri, like “security”, but Sucuri, S-u-c-u-r-i, and I think it's Sucuri.net. I have them too, to keep track of anything. What happens is, if something happens on your site, they will automatically email you, and take control. Not take control, but they will help you out through the situation as well. They have really good website cleanup and they can find malicious code and alert you for those types of things. So sucuri.com is a great company. I use it as well.
Then, here's the final tip, and this is for those of you who have a business that is making money, I would definitely look into business insurance as well. I was lucky enough to have insurance during this time. I haven't really talked about this that much, but I did get a little bit of money back, as a result. There was this really long process that happened after I got hacked, after I got back online, where I had to share all the email correspondences with the people that were helping me come back on, all the correspondences in form, messages with Servint.net and then the other people that were helping me. But I had business insurance, and after a while they checked out the case, and they said that they'd be able to reimburse me for about $3,500 of the $10-15,000 that I lost.
Now, obviously, it's a little bit tougher because with affiliate sales, which is the bulk of my income, a lot of it comes as a result of promotions, blog posts that go out, and emails and that sort of thing. Now, was I going to run promotions and emails during that time? I don't know? It's hard to gauge, so they had to put this algorithm together, and it was just kind of crazy how long that process took. But I did get a little bit of money back, which was great. So I would definitely look into business insurance as well.
There is also another tool that my guy has used, and I believe it's called CloudFlare. Now I am not technically knowledgeable to help you through what that necessarily does or what it means, but I know that if you have a guy he can help you through that. But CloudFlare helps with the speed of the website and also with security as well, because I think if it goes down it has sort of these duplicate locations working and continued to serve the website, even if it was down in one particular area. It would always continue to serve. It is a CDN, a content delivery network, so I believe it is more used for the speed of your website and things like that. I believe it also is there to help me with security as well. It blocks logins and all that stuff. A lot of people here in the Periscope use it as well.
So, Gaynete, that's a lot of sort of basic information, but a lot of really helpful stuff I think, I mean, we could probably have. . . I actually asked Brian, my security guy, to come on the podcast, because I think that would be a great episode if he came back on and talked about this.
When it comes to insurance, someone here said, “Check with your state, and make sure to check different prices and stuff.” There's a lot of options online as well, to check, and I would recommend starting with your network, and people in this community. So, yeah, at least, the limit login attempts plugin is a good one. At least get something like Sucuri, or WordFence up, and having your good, longer thought about usernames and passwords. That is, at the least, what you should do. Of course like I said, we could probably talk about this topic in way more depth, and likely in the future I'll have some ultimate resources to help you through this as well. Things are always changing, viruses are always changing, right? And all these bacteria that learns how to be immune to the whatever is trying to fight them, and they kind of morph and turn into this other super bacteria. It's going to be in constant battle, and that's the hardest thing.
Keep pushing forward, there are always ways around, and I wish you all the best. So, Gaynete, I hope that answers your question. For everybody out there, best of luck to you as well.
Gaynete, we're going to send you an AskPat t-shirt for having your question featured here on the show. Anybody else out there who has a question that you'd like to have featured on the show, just head on over to AskPat.com. You can ask right there on that page, and thanks to the Speakpipe widget.
Again, thank you guys so much, I appreciate you. As always, I like to end with a quote, and today's quote is from Albert Einstein. He said “I am thankful for all of those that said no to me. It's because of them, I'm doing it myself.”
Cheers, take care, and thank you, and I'll see you in the next episode of AskPat tomorrow. Bye.
Try out all of Lynda.com's courses for free for seven days. Go to Lynda.com/AskPat to get started.