Your Web site is under attack, this is not a drill.
Now that the holidays are over I can finally finish this post that has been written and rewritten several times. It was first written as a cautionary tale about updating your Web site software when WordPress-based Web sites were having a particularly high level of attacks back in April of 2013. (I wrote about some of this in this blog post.) It was so bad that it was even reported in the non-technology media like Forbes. I wanted to make the point that site owners with sites built on popular CMS systems like WordPress, Drupal, Joomla and many others need to budget time or money to make sure the base software is up to date from a security standpoint. Once a vulnerability is found evey bad guy knows it and your site is at risk.
Then I realized that was just sounding like Casandra, so I wanted to explain why site owners need to keep their Web site secure. Many small businesses think that since their Web site does not handle money or keep user IDs that no one would want to break in to their site. They don't realize that it is not about them, it is not like someone wanting to steal your car. Or is it? After years of watching this battle rage on, I finally realized that they do want to steal your car—sort of. Most of the time what they want is access to your hosting so they can operate a variety of harmful schemes such as DDoS attacks or code injection. My comparison to stealing a car is almost perfect, except that they can steal your Web site and you may never know if someone is not checking on the site. Unlike when the car theif drives off with your care never to be seen again.
Malicious software robots roam the Web looking for locks that are open.
Once again, I realized that so much of this invisible to regular people and they really don't care about the details of this war on the Web. It was when I saw the results of a study of Web traffic that I finally had the thing that everyone who has a Web site must realize: as much as 5% of traffic on the Web is malicious hacking robot software. This is something I inherently knew after watching traffic to sites we manage over the last 10 years. Everyday every Web site is tested by bad Internet bots—it never stops. I have seen servers hacked this way and I have seen Web sites hijacked this way. It ends up costing you and me time and money and makes the Internet worse. Of course preventing costs time and money, but once hopes than an ounce of prevention is worth a pound of cure.