Do not get taken to the cleaners by web hosting companies with insufficient security controls that upsell you to expensive website protection services. They have a financial incentive not to protect your websites.
I host my WordPress websites with a big hosting company. One of my sites was attacked. My hosting company was quick to refer me to a “partner” that provides website security solutions. The security service and cleanup cost more than double my annual hosting cost!
Fast forward several weeks. My hosting company suspended my account after finding more than 500 infected files across a dozen websites. That expensive security service only covered one website. I obviously could not afford to pay for security services for them all, which forced me to take a closer look.
- WordPress websites are under constant attack.
- Hosting companies may not provide any server-side protection for your sites. In fact they appear to have a financial interest in providing security services through partner solutions. I learned that my hosting company owns a majority stake in the “partner” security solution. These website protection services tend to be site-specific, meaning that if you host multiple websites the cost adds up quickly. Because the sites in one hosting account typically share a single file system and the same hosting and FTP credentials, an “unprotected” website can take down your “protected” sites.
- Security best practices and FREE solutions can be used to prevent and recover from malware and hackers.
What does an infected or hacked WordPress website look like? How do you know if you are infected?
- You get a “white screen of death” (a blank page where your site should be). This is often a PHP fatal error, but it can also mean that your hosting company has suspended your account or that the site has exceeded its allocated server resources.
- You get notified by your hosting provider that you are infected. This likely includes an account suspension that takes down all of your websites, including those you may have paid extra to protect.
- You are alerted by visitors that content, links, or emails from your website appear to be malicious.
- You get locked out of your admin accounts or you are notified of unexpected account changes.
- You are notified by a malware scanning service that you purchased or installed.
How does this happen? Usually through a failure to follow security best practices. Attackers gain access through a handful of predictable methods:
- Your WordPress user and admin accounts are compromised. Weak or reused passwords are guessed, brute-forced through the login page (wp-login.php and xmlrpc.php are the usual targets), or taken from credential leaks at other sites.
- Your hosting account credentials. An attacker who compromises your hosting account gains access to every website in it.
- Your FTP accounts. FTP accounts are easily overlooked and grant file-level access to your website. Plain FTP also sends the username and password unencrypted, so use SFTP where your host offers it.
- Poorly scoped FTP accounts. These accounts often have access to all hosted files and folders rather than a single site's directory.
- Database accounts. Every database has accounts that grant access to the backend. An attacker with database access can change site configuration, harvest user data, and add or modify administrator accounts directly in the users table.
- Bad and outdated code. Failing to update WordPress, themes, and plugins is the most commonly cited cause of site compromise; attackers scan for known-vulnerable plugin versions automatically.
- Your hosting company gets hacked. It is possible that your hosting company could be compromised, granting access to multiple accounts.
Why are they doing this?
- To prove that they can.
- To host malicious code.
- To deface or cause embarrassment.
- To redirect users to malicious websites.
- To aid in ransomware, DoS, and other larger attacks.
- If you are into conspiracy theories: to encourage people to buy security products…
What does an actual infection look like and how do you identify issues?
- First look for visual signs of infection by browsing your website and testing web forms. Some infections show their spam or redirects only to search engine crawlers or to visitors arriving from search results, so also check how your site appears in a search engine.
- Access your files and sort by the last modified date. Look for files that have changed unexpectedly, but keep in mind that attackers can backdate timestamps, so an old date is not proof that a file is clean.
- Look for unusual file names: misspelled or random-looking names, copies of core file names in the wrong directory, and PHP files in folders that should hold only media, such as wp-content/uploads.
- Review malware scan results. Your hosting provider may provide a scan log if you are suspended.
- If you open an infected file, the malicious code is usually obvious: very long single-line strings, calls such as eval(base64_decode(...)), or a block of code at the top or bottom of an otherwise normal file that looks out of place.
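The checks in the list above, as an added example that is not code from the original post: a small shell script that runs them against a copy of a web root. The suspicious-code regex, the uploads path and the 30-day window are assumptions (a starting list, not a complete malware signature set), and the sample web root it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Triage a copy of a WordPress web root for three signs of infection:
# recently changed files, PHP where only media belongs, and obfuscated code.
# Added example, not code from the original post; the regex and paths are
# assumptions, not a complete signature set.

# Obfuscation helpers that appear in most injected PHP. A few legitimate
# plugins also use base64_decode, so treat hits as leads, not verdicts.
SUSPICIOUS_RE='eval *\(|base64_decode *\(|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|create_function *\(|assert *\('

# 1. Files changed within the last N days (the "sort by modified date" step).
recently_modified() {        # usage: recently_modified WEBROOT DAYS
  find "$1" -type f -mtime -"$2" | sort
}

# 2. PHP under wp-content/uploads. Uploads should hold media only, so PHP
#    there is almost always a web shell or dropper.
php_in_uploads() {           # usage: php_in_uploads WEBROOT
  find "$1/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) 2>/dev/null | sort
}

# 3. PHP files anywhere in the tree that use the obfuscation helpers.
suspicious_code() {          # usage: suspicious_code WEBROOT
  grep -rlE --include='*.php' "$SUSPICIOUS_RE" "$1" 2>/dev/null | sort
  return 0                   # "nothing found" is not an error
}

# Constructed sample web root (not a real site): a clean config, a clean theme
# file, and one dropper hidden in uploads with a backdated timestamp.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2023/11" "$root/wp-content/themes/demo"
  printf '<?php\ndefine("DB_NAME", "wp");\n' >"$root/wp-config.php"
  printf '<?php\nget_header();\n' >"$root/wp-content/themes/demo/index.php"
  printf '<?php\n@eval(base64_decode("ZWNobyAiaGkiOw=="));\n' \
    >"$root/wp-content/uploads/2023/11/wp-cahce.php"
  # Attackers often backdate files; the mtime check alone will miss this one.
  touch -t 202301010000 "$root/wp-content/uploads/2023/11/wp-cahce.php"
  echo "$root"
}

ROOT=$(make_sample_root)
echo "== files modified in the last 30 days =="; recently_modified "$ROOT" 30
echo "== PHP under wp-content/uploads ==";       php_in_uploads "$ROOT"
echo "== files using obfuscation helpers ==";    suspicious_code "$ROOT"
rm -rf "$ROOT"
```

Run it on a downloaded copy of the site from a trusted machine, or over SSH on the host. Note that the backdated dropper is found by the content and location checks but not by the modified-date check, which is why the three are used together. For WordPress core files, WP-CLI's `wp core verify-checksums` compares every core file against the official checksums and is a faster way to find modified core files than reading timestamps.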
How do you recover?
- You can pay a site protection service for a cleanup. They make it sound like a professional service but it is little more than an overrated virus cleanup (similar to what you have running on your home computer).
- You can clean up the website(s) manually.
How to perform a manual cleanup?
Start by working from a clean and protected computer. Make sure you have antivirus software running on your computer with the latest updates. Viewing infected PHP or HTML files in a text editor will not infect your computer, but do not open downloaded HTML files in a browser, and do not open or run unexpected executable, PDF, or ZIP files. Avoid working on infected websites from your work computer unless this is a site you support professionally.
First, you need to make sure the attacker cannot re-infect your website. Start by changing ALL of your passwords, using complex passwords of 15 or more characters. This includes your hosting account, FTP accounts, and website admin accounts. If your sites are down or suspended, reset the site admin accounts as soon as they are restored, and remove any administrator accounts you do not recognize. Wait to reset database accounts until you can test the sites, because the new database password has to be written into wp-config.php at the same time or the site will stop working.
Note: There are more advanced isolation methods, including firewalls and .htaccess exclusions, but resetting all accounts with strong passwords is effective, assuming you find and reset all of the accounts. Password resets close the front door; any backdoor files the attacker left behind still have to be found and removed in the steps below.
Second, identify the oldest modification date among the infected files. If you were notified by your hosting company, they will likely provide a report or list of all infected files. The earliest date tells you roughly when the site was first compromised, and therefore which backups can still be trusted.
The infection may have taken hold slowly, going back several weeks or months, and may have gone unnoticed by you and your hosting company for a long time. Your hosting company likely has some sort of threshold: once the threat from your account reaches a certain level, they notify you and potentially suspend your entire account.
Third, if possible, restore all of the files (your entire hosting account) from the last clean backup, meaning one taken before the earliest infection date. You may only be able to restore specific websites, or a backup that only partially resolves the issue. If you have no backup, the restoration fails, FTP uploads are too slow, or you cannot roll back for some other reason, then you need to do a full cleanup.
Automate the cleanup if possible. WordPress plugins like Wordfence can identify and clean up most infected files. Research premium options if needed. Run plugin-based scans on a site-by-site basis.
For your non-WordPress websites and directories you may need to clean up the files manually. If your account is suspended you will not be able to run Wordfence either. Get the list of infected files from your hosting provider, then find and delete or clean every malicious file. The host will rescan and reinstate your services.
Once your account and sites are available, re-run plugin-based scans like Wordfence. Then update all WordPress installs, themes, and plugins. If you were unable to earlier, change all admin and database account passwords now.
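The first three steps of the cleanup above, as an added example that is not code from the original post: generating a replacement password, finding the earliest modification date among the files in the host's report, and picking the newest backup taken before that date. It assumes the report is a plain text file with one infected path per line, relative to the web root, and that backups are archives named backup-YYYYMMDD.tar.gz (an optional -HHMMSS suffix is tolerated) in one directory; the infected files, report and archives it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Helpers for steps one to three of the cleanup. Added example, not code from
# the original post. Assumptions: the host's report lists one infected path per
# line relative to the web root; backups are named backup-YYYYMMDD[-HHMMSS].tar.gz.

# Step 1: a replacement password of the length the text asks for (>= 15).
gen_password() {             # usage: gen_password [LENGTH]   (default 24)
  LC_ALL=C tr -dc 'A-Za-z0-9_@%+=!' </dev/urandom | head -c "${1:-24}"
  echo
}

# Portable file mtime as epoch seconds (GNU stat first, then BSD stat).
mtime() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
# Epoch seconds to YYYY-MM-DD in local time (GNU date first, then BSD date).
epoch_to_day() { date -d "@$1" +%Y-%m-%d 2>/dev/null || date -r "$1" +%Y-%m-%d; }

# Step 2: earliest modification time among the infected files the host listed.
# Prints "EPOCH YYYY-MM-DD PATH" for the oldest one; a backup must predate it.
oldest_infected() {          # usage: oldest_infected WEBROOT REPORTFILE
  while IFS= read -r rel; do
    [ -n "$rel" ] || continue
    if [ -f "$1/$rel" ]; then
      t=$(mtime "$1/$rel")
      printf '%s %s %s\n' "$t" "$(epoch_to_day "$t")" "$rel"
    else
      echo "not found (already removed?): $rel" >&2
    fi
  done <"$2" | sort -n | head -n 1
}

# Step 3: newest backup taken strictly before that date. Prints nothing and
# returns 1 when every backup is too recent, i.e. a full manual cleanup is needed.
choose_backup() {            # usage: choose_backup BACKUPDIR YYYY-MM-DD
  cutoff=$(echo "$2" | sed 's/-//g')
  best=
  for a in "$1"/backup-*.tar.gz; do
    [ -e "$a" ] || continue
    stamp=${a##*/backup-}; stamp=${stamp%.tar.gz}; stamp=${stamp%%-*}
    case $stamp in *[!0-9]*|'') continue;; esac
    if [ "$stamp" -lt "$cutoff" ] && [ "$stamp" -gt "${best:-0}" ]; then best=$stamp; fi
  done
  [ -n "$best" ] && echo "$1/backup-$best.tar.gz"
}

# Constructed demonstration (not real data): two infected files with backdated
# timestamps, a host report listing them, and three backup archives.
root=$(mktemp -d)
mkdir -p "$root/wp-content/uploads" "$root/backups"
touch -t 202311020000 "$root/wp-content/uploads/wp-cahce.php"
touch -t 202311200000 "$root/wp-content/uploads/x1.php"
printf 'wp-content/uploads/wp-cahce.php\nwp-content/uploads/x1.php\n' >"$root/report.txt"
for d in 20231025 20231101 20231115; do touch "$root/backups/backup-$d.tar.gz"; done

echo "new hosting password: $(gen_password)"
first=$(oldest_infected "$root" "$root/report.txt")
echo "earliest infected file: $first"
echo "restore from: $(choose_backup "$root/backups" "$(echo "$first" | cut -d' ' -f2)")"
rm -rf "$root"
```

In the demonstration the earliest infected file dates from 2 November, so the 1 November archive is chosen and the 15 November one is rejected even though it is newer. A backup from the same day as the earliest infection is also rejected, because it may already contain the file.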
How do you stop them?
- Build from a secure platform. Use strong (15+ character) passwords from the start on all accounts (hosting account, FTP, database, and WordPress admin).
- Rename default administrative account names (for example, do not keep “admin” as the username).
- Set a schedule to change your hosting, FTP, and site admin account passwords regularly.
- You need a monitoring solution on every website. A malware service will identify issues and may provide cleanup tools. Wordfence is my recommended solution. They have an excellent free solution with a good premium offering.
- Avoid using your hosting directories for file sharing and file storage. Use a dedicated service like OneDrive or Google Drive instead.
- Only use trusted providers for themes and plugins.
- Remove unused themes and plugins (reduce the overall amount of related code).
- Avoid making any changes to themes or plugins that would prevent you from installing updates.
- Keep WordPress, themes, and plugins up to date.
- Implement good account hygiene. For example, limit the number of database and FTP accounts. The total number of accounts can easily grow over time, making them difficult to manage and making it easier for an attacker to hide a malicious account among them.
- Remove legacy websites that you are no longer able to maintain or update. One outdated site exposes every other site in the account.
- Automate a backup of your website and verify that you can recover from the backup.
- If your backup/recovery involves large file transfers, verify that uploads do not time out or take several hours to complete.
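The last two items above, as an added example that is not code from the original post: a shell script that archives a site into a date-stamped tarball, writes a checksum beside it, restores it into a scratch directory and compares the result with the live files, then prunes old copies. The database step assumes WP-CLI is installed and is skipped otherwise; the archive naming and 30-day retention are assumptions, and the site it backs up is constructed for the demonstration.

```shell
#!/bin/sh
# Back up a site to a date-stamped archive, prove the archive restores, and
# prune old copies. Added example, not code from the original post. The
# database dump assumes WP-CLI is installed (skipped otherwise); archive naming
# and the retention window are assumptions for illustration.

sha256_of() {                # portable SHA-256 of a file (GNU coreutils or BSD)
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Archive WEBROOT into OUTDIR/backup-YYYYMMDD-HHMMSS.tar.gz, write its SHA-256
# beside it, and dump the database next to it when WP-CLI is available.
backup_site() {              # usage: backup_site WEBROOT OUTDIR  -> prints archive path
  stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$2"
  archive="$2/backup-$stamp.tar.gz"
  if command -v wp >/dev/null 2>&1 && [ -f "$1/wp-config.php" ]; then
    wp --path="$1" db export "$2/db-$stamp.sql" >&2   # credentials come from wp-config.php
  fi
  tar -czf "$archive" -C "$(dirname "$1")" "$(basename "$1")"
  sha256_of "$archive" >"$archive.sha256"
  echo "$archive"
}

# Restore ARCHIVE into a scratch directory and compare it with WEBROOT.
# Returns 0 only if the checksum matches and every file is identical; an
# archive that has never been restored is not a backup.
verify_backup() {            # usage: verify_backup ARCHIVE WEBROOT
  [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ] || { echo "checksum mismatch: $1" >&2; return 1; }
  scratch=$(mktemp -d)
  if tar -xzf "$1" -C "$scratch" && diff -r "$scratch/$(basename "$2")" "$2" >/dev/null 2>&1; then
    rc=0
  else
    echo "restore of $1 does not match $2" >&2; rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Delete archives, checksum files and database dumps older than DAYS days.
prune_backups() {            # usage: prune_backups OUTDIR DAYS
  find "$1" -maxdepth 1 \( -name 'backup-*.tar.gz' -o -name 'backup-*.tar.gz.sha256' -o -name 'db-*.sql' \) \
    -mtime +"$2" -exec rm -f {} +
}

# Constructed demonstration site (not a real install).
site=$(mktemp -d)/site
mkdir -p "$site/wp-content/uploads"
printf '<?php\ndefine("DB_NAME", "wp");\n' >"$site/wp-config.php"
printf 'media placeholder\n' >"$site/wp-content/uploads/logo.txt"
out=$(mktemp -d)
archive=$(backup_site "$site" "$out")
verify_backup "$archive" "$site" && echo "verified: $archive"
prune_backups "$out" 30
rm -rf "$(dirname "$site")" "$out"
```

Schedule the three calls from cron on the host, or from another machine that can reach the site over SFTP, and have the job exit non-zero when verify_backup fails so that a broken backup is noticed before it is needed. The restore-and-diff step is deliberately the slow part: it is the only way to know the archive is complete, and it also tells you roughly how long a real recovery transfer will take.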