Having Us Clean Up Your Hacked WordPress Website Can Save You Money and Downtime

Getting your WordPress website hacked is bad; what makes it worse is how many security companies are then there to take advantage of you when you try to deal with that hack. Yesterday we published a post about how a web host, HostGator, and web security provider, SiteLock, had gotten someone dealing with a hacked WordPress website to pay $300 for an unnecessary security service. That was after it was decided to restart the website from scratch because of the hacking. So at that point this person had paid more than it costs to hire us to properly clean up a hacked WordPress website, and they still didn’t have a functioning website.

If they had hired us, we would have gotten the website cleaned and back running already, as we can usually have the cleanup done within a few hours of being brought in. It could get worse: as we noted recently, starting from scratch can sometimes result in you getting right back to square one, with a hacked WordPress website.

HostGator and SiteLock Use a Raft of Falsehoods to Sell Unnecessary Security Service

When it comes to the selling of web security services, it is common for them to be sold using clear falsehoods. We recently highlighted an example of that with a service called Malcare. But the breadth of the falsehoods that were used recently to get $300 out of a customer of the web host HostGator for a SiteLock service stands out.

The customer contacted HostGator support about dealing with the website not showing up as being secure despite an SSL certificate having been purchased. They weren’t sure if they were then dealing with someone from SiteLock or HostGator, which sounds a bit odd, since you wouldn’t think that you would contact your web host and be transferred to another company, but that has at least in the past been the case with web hosts, like HostGator, that are partnered with SiteLock. The conversation they then had was described to us, and it sounds in line with what we have heard in the past and seen when provided transcripts of those conversations.

They were told that the website contained malware. When they responded that this was the old website at a different web host (they were replacing everything because of the website being hacked), they were told that the malware was tied to the domain name and redeployed to the new website to find vulnerabilities. They were told that a firewall needed to be put on the website, for $300, to stop the website from being infected the way the old one was, and that the Google search results would be cleaned. As evidence for the claim of malware, they were pointed to the search results for the website, which showed pharmaceutical spam.

There are a lot of falsehoods packed in there, which include:

Google’s search results are not real time, so spam pages showing up there doesn’t necessarily mean there is anything at issue with the current state of a website, unless they are from a crawl that was just done. Spam pages are also different from malware.

Even if there were spam pages, they wouldn’t cause the website to not be listed as secure, since that isn’t impacted by them. A hack could potentially cause pages to not be secure if, say, it added code to existing pages that accesses a website over HTTP instead of HTTPS.

SiteLock couldn’t clean up Google’s results. If the website is still hacked, then cleaning that up would eventually lead to Google’s results no longer showing the spam pages. If it is clean now, then they would just need to wait for Google to refresh them.

Malware isn’t tied to a domain name. If someone is flagging the website as containing malware, that could be tied to the domain name, but that isn’t tied to it being listed as secure as far as we are aware, as that relates to something else.

If there are vulnerabilities, you would want to fix them, not put a firewall around the website, since, among other things, there isn’t evidence that firewalls like SiteLock’s would actually effectively protect against those vulnerabilities and plenty that they wouldn’t. Also, hackers are always trying to exploit vulnerabilities on websites; that has nothing to do with a domain name being tied to malware.

So almost nothing they said was true and none of it actually addressed the issue that support was being contacted about in the first place. You might think that conduct like this would have some repercussions, but right now neither journalists nor government regulators have shown an interest in it.

Cyber Ninjas, Colonial Pipeline, and Your Website’s Security

What does an election audit in Arizona and a pipeline operator have to do with the security of your website? It turns out a lot.

Cyber Ninjas

Recently an audit of the US presidential election votes in Maricopa County in the state of Arizona started. The audit has been noted for being poorly run, for violating rules meant to ensure the integrity of the process, and for involving strange things, like trying to check for the presence of bamboo in ballots.

That doesn’t sound like it should relate to the security of your website, and it shouldn’t, but it does. The reason is that the company in charge of the audit, Cyber Ninjas, is a cybersecurity company. They have no experience in doing an election audit, which is a good reason for them not to be doing one, but it is also probably a good reason they shouldn’t be doing security either.

What seems like it should be a basic element of being a professional is to stick to what you have expertise in. An architect wouldn’t agree to take on demolishing a building just because they know how to build one. When it comes to the security industry, we frequently see people involved in things they clearly shouldn’t be. In fact, very few people in the industry seem like they should be anywhere near it. Looking at Cyber Ninjas’ website, they claim to offer a very wide range of services, which might be a sign they are offering services without the expertise needed to properly handle them.

The other thing that stands out for us about Cyber Ninjas’ website is how obviously untrustworthy it looks. A lot of it is the same stuff you see repeatedly on security companies’ websites; for example, there is the obligatory stock photo of someone dressed like they are going to break into a building, sitting at a computer:

We have a hard time understanding how anyone would look at something like that and not avoid that company, but people don’t seem to feel that way. Even the name seems like it would ward people away from the company, but it doesn’t seem to.

Part of that text next to that image reads (the weird characters are in the original):

The headlines are increasingly filled with articles about hackers compromising systems and stealing data. While it often seems like they must be utilizing some dark ninja magic to accomplish their amazing feats; the reality is that most security breaches are conducted utilizing types of security vulnerabilities we’ve known how to prevent for over 10 years.

While that is mostly true, curiously, if you head over to the website’s services page, the company doesn’t seem to be focused on actually addressing that, but instead on selling people services that don’t directly address the issue and only indirectly address it in an ineffective way. One of the three things they highlight, and the one they provide the most specificity on, is ethical hacking:

From what we can tell, ethical hacking is mostly a rip-off. You end up paying a lot of money to inefficiently review things and the issues found are not resolved.

Cyber Ninjas has gotten a fair amount of coverage because of their involvement with the audit, but very little of it has come from security journalism outlets. What little there has been has been devoid of any discussion of what this says about the legitimacy of the security industry. There is probably a good reason for that, as companies like Cyber Ninjas are frequently the only sources for security journalists’ stories, despite being companies that, like Cyber Ninjas, a serious journalist should be warning about, not relying on. In line with that, security journalism is quite bad, which brings in the next part of this, a pipeline company, and gets back to a claim Cyber Ninjas made.

Colonial Pipeline

A ransomware situation involving a US pipeline operator, Colonial Pipeline, has received a lot of news coverage. There was a claimed detail that seems rather important from a wider security perspective. Colonial Pipeline wasn’t keeping their software up to date:

It is important to note that the claim about one piece of software being the “most likely culprit” is just speculation. What is important about that is that keeping software up to date is one of the most important security steps and one that often isn’t done.

While usage of outdated software that is known to be insecure is often the source of the hacks we deal with and the source of high-profile hackings, both security companies and security journalists seem rather uninterested in that being better dealt with. For security companies, that could be explained by it being bad for business. Right now they can charge a lot of money for security services that require little work and don’t actually have to work (you might have noticed that despite all the money being spent on security, security doesn’t seem to get better). The reason that security journalists do this is harder to explain.

Improving Your Website’s Security

Improving the security of websites, and security in general, is more difficult than it should be as long as the security industry and security journalists are taking actions counter to actually improving security. To improve security, your focus should be on addressing real threats with proven solutions. Keeping software up to date is a proven solution, since it avoids systems getting hacked because of vulnerabilities that have already been fixed. By comparison, while security services frequently make extraordinary claims about the results they deliver, those are almost never backed up with evidence of their effectiveness. Based on plenty of experience looking at them in different ways, that is in part because they don’t deliver the results claimed; in many cases, that becomes clear if you just look at how they are advertised.

So when looking to improve security, you should ask what is the evidence that something will improve security versus looking at unsupported claims of amazing results.

Also, if claims sound extraordinary, they probably are not true.

What is Magecart? It Isn’t a Thing.

When it comes to the security of websites, and security in general, there is a lot of focus on catchy names for things and not a lot on actual security. A great example of that is Magecart. What is Magecart? Well, it really isn’t anything. Instead, it is a term used for a whole host of different things, which makes it useful for selling security services and creating press coverage, but not for actually resolving the underlying issues.

Here is one description of Magecart from security news outlet, CSO Online:

Magecart is a consortium of malicious hacker groups who target online shopping cart systems, usually the Magento system, to steal customer payment card information.

Elsewhere, a security news outlet described it as being competing groups:

There’s no clearer indicator that the Magecart scene is getting crowded than discovering that some groups are now sabotaging each other’s code

Elsewhere it is described not as an entity, but as a type of attack:

Every day we hear about some new threat or vulnerability in technology, and the data harvesting attack known as “Magecart” is the latest threat.

Elsewhere, in a security news outlet that is part of a security company, you will find it claimed that it only impacts Magento websites:

So-called Magecart attacks utilize web injections to deploy JavaScript code on Magento websites that skims and steals payment card information from retail website customers.

But the very next paragraph mentions “high-profile targets”, which didn’t run on Magento:

Once believed to be the work of a single cybercrime gang hitting high-profile targets including Ticketmaster and British Airways, Magecart-style attacks have now evolved and have been adopted by numerous threat groups.

We could go on, but you get the point.

What You Can’t See is Ignored

To the extent that these disparate descriptions of Magecart have any common feature, it is that it involves JavaScript code that captures information, like payment details, during the checkout process on a website. That isn’t the only way that hackers can capture that information, as they could capture it on the system it is submitted to, which is often the same system serving the website where the checkout is occurring. That generally wouldn’t be possible to directly detect from the outside, which seems to explain why there is so much focus on only part of the issue.

Even what you can detect is only the end result of a hack, so while you will find lots of stories about Magecart, there is very little on how the hacks occurred. If you don’t focus on how they occurred, then you are not likely to address those issues. Not surprisingly, the hacks keep occurring. That is bad for just about everybody except the people pushing the Magecart narrative, since security companies can sell more products and services this way (which don’t resolve the issue, seeing as the hacks continue) and journalists get easy stories.

Indirect Protection at Best

For this type of attack to work, a hacker has to somehow get malicious JavaScript code to run on the checkout page. That would occur either by placing it directly on the website handling the checkout or on some other website that serves up JavaScript on the checkout page. In either case, the hacker has to gain access to systems to do that. To put that another way, the way to prevent this would be to focus on the server side, but here was the start of a recent article in a security news outlet written by an employee of a security company:

With e-commerce displaying no signs of slowing down since the start of the COVID-19 pandemic, the Magecart cyber-criminal syndicate is thriving. By evolving their web skimmers to become harder to detect and avoid, they have been successful in breaching several high-profile businesses.

After years of discovery and research by the cybersecurity industry, we are at a stage now where companies have started looking for effective protection against this serious threat. Typically, when security teams understand how web skimming attacks operate and how they take advantage of the huge security blindspot that is the client-side, they first turn to CSP (Content Security Policy).

Focusing on the client side would be, at best, an indirect way to handle this, and wouldn’t handle the situation at all if the hacker collects the data when it is submitted to the website. There is a simple reason why that person might present that as the focus: the company they work for provides client-side solutions.

Need Help Securing a Magento Website?

If you have a Magento website that is hacked, we can help you to actually get it cleaned and secured. If you need someone to handle keeping Magento up to date, which goes a long way to keeping it secure, we can take care of that for you.

You Don’t Need to Start From Scratch if Your WordPress Website is Infected with Malware

When it comes to dealing with a WordPress website that has been infected with malware, sometimes the idea of dealing with it by starting over is suggested. Not only is that not usually necessary, it can sometimes lead you back to where you started, an infected website.

In almost all instances an infected WordPress website can be cleaned up, so unless you are very unlucky and have a website that can’t be cleaned because it is so damaged, the only reason to start over would be that you can’t handle cleaning it yourself or can’t afford to hire someone to properly clean it up (which is not the same as hiring someone to clean it up, based on all the websites we are hired to re-clean after things haven’t been done properly).

A problem with going the route of starting over is that websites don’t just get hacked; something had to have gone wrong security-wise. Starting over isn’t always going to directly deal with that. So if, say, your website was hacked because of an unfixed security vulnerability in a WordPress plugin and you start over and install the same plugin on a new WordPress install, then the vulnerability can be exploited again. There are plenty of other issues like that which wouldn’t be resolved by starting over.
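One concrete check behind the point above (and behind the earlier point that keeping software up to date is a proven measure): before a plugin is reused on a rebuilt site, compare the version in its plugin header against the version in which a known vulnerability was fixed. This is an added example, not code from the original post; the plugin slugs, versions and the fixed-in table are constructed for the demonstration.

```python
"""Flag WordPress plugins still below the version that fixed a known
vulnerability. Added example, not code from the original post; the plugin
names, versions and the FIXED_IN table are constructed sample data."""
import re
import tempfile
from pathlib import Path

# WordPress identifies a plugin's main file by a comment block containing
# 'Plugin Name:' and (usually) 'Version:' lines, e.g. ' * Version: 1.2.3'.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_plugin_header(php_source: str) -> dict:
    """Return the 'Plugin Name' and 'Version' header fields found in the
    first 8 KB of a PHP file (WordPress also only reads the file start)."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):
        fields.setdefault(key, value.strip())
    return fields


def version_tuple(version: str) -> tuple:
    """Turn '5.2.10' into (5, 2, 10) so 5.2.10 sorts above 5.2.9; a plain
    string comparison would get that wrong. Non-numeric parts count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_older(installed: str, fixed_in: str) -> bool:
    """True when the installed version is below the fixed-in version."""
    a, b = version_tuple(installed), version_tuple(fixed_in)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def scan_plugins_dir(plugins_dir: Path, fixed_in: dict) -> list:
    """Walk wp-content/plugins, read each plugin's main-file header and
    return (slug, installed version, fixed-in version) for every plugin
    whose installed version is below the version that fixed its issue."""
    findings = []
    for plugin_dir in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        for php_file in sorted(plugin_dir.glob("*.php")):
            header = parse_plugin_header(php_file.read_text(errors="replace"))
            if "Plugin Name" in header and "Version" in header:
                break
        else:
            continue  # no plugin header in any top-level PHP file: skip
        needed = fixed_in.get(plugin_dir.name)
        if needed and is_older(header["Version"], needed):
            findings.append((plugin_dir.name, header["Version"], needed))
    return findings


# Constructed sample: a tiny wp-content/plugins tree with two plugins.
SAMPLE_PLUGINS = {
    "example-forms/example-forms.php":
        "<?php\n/*\nPlugin Name: Example Forms\nVersion: 2.4.1\n*/\n",
    "example-gallery/example-gallery.php":
        "<?php\n/**\n * Plugin Name: Example Gallery\n * Version: 1.10.0\n */\n",
}
# Constructed stand-in for an advisory list: slug -> version that fixed it.
FIXED_IN = {"example-forms": "2.5.0", "example-gallery": "1.9.3"}


def build_sample_tree(root: Path) -> Path:
    """Write the constructed sample plugins under root/wp-content/plugins."""
    plugins = root / "wp-content" / "plugins"
    for rel, src in SAMPLE_PLUGINS.items():
        path = plugins / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(src)
    return plugins


def run_demo() -> list:
    """Scan the constructed tree; only example-forms (2.4.1 < 2.5.0) is
    flagged, while example-gallery (1.10.0 > 1.9.3) is correctly left alone."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_plugins_dir(build_sample_tree(Path(tmp)), FIXED_IN)


if __name__ == "__main__":
    for slug, have, need in run_demo():
        print(f"{slug}: installed {have}, fixed in {need} -> update before reusing it")
```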

MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers

If you deal with security, as we do, it often isn’t hard to tell that companies are taking advantage of their customers, but most of them at least try to hide it to some degree. That isn’t the case with a provider named MalCare. Here, for example, is the interstitial we got shown on their homepage when we recently visited it:

Is your website safe? Are you sure? Get your FREE Malware scan now No Credit Card Required | No Upfront Charges Yes, Scan My Website Now No Thanks, I will let my site be hacked :(

In small text at the bottom it says, “No Thanks, I will let my site be hacked :(“. That makes no sense. A malware scan would show if a website is already hacked, it won’t actually do anything to stop a website from being hacked. Either they don’t understand what they are doing at all, or they have no problem lying to their potential customers.

Getting past that, the first message shown on their homepage was this:

The Only WordPress Security Plugin with Instant WordPress Malware Removal Our Auto-Clean Feature Cleans Your Website Without Waiting for Hours or Days!

Scrolling down a bit, you get more of the same:

Fix a Hacked Website Instantly in <60 Seconds. MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever. The Best part? Do it instantly without waiting for hours or days.

That all sounds great, but it again makes no sense if you have a basic understanding of security. Before we explain why, it’s worth noting that not only does this make no sense, but MalCare contradicts the claims being made there right on their own website. For example, while the above claims “MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever”, the pricing page touts one of the features as being “Unlimited Automatic Malware Removal”:

If they are removed forever, then you wouldn’t need “unlimited” malware removals.

Also, there is a big contradiction in that at the top of their website they highlight an “Emergency Hack Cleanup” service, where they claim the website is cleaned up within 12 hours:

If their instant cleaning service actually properly cleaned up hacked websites, why would anyone need another service that takes up to 12 hours?

That page also includes this incredible customer testimonial, which ties back to the claims MalCare makes not making sense:

I scanned a client site using MalCare and found 35 hacked files. Cleaned it up within just 2 minutes! Saves me many hours each month.

If you are spending hours each month cleaning up malware on your clients’ websites, that means those websites are being hacked repeatedly and are still not being properly secured. Who would publicly admit to that? Cleaning up those files doesn’t address the security issue that is leading to them being hacked, so it isn’t surprising that there would continue to be issues.

To properly deal with a hacked website, there are three key components:

  • Clean up the hack.
  • Get the website secured as possible (which usually involves getting Drupal, contributed modules, and themes on the website up to date).
  • Try to determine how the website was hacked and fix that.

The MalCare service doesn’t even claim to address the latter two of those, which means that the websites using the service can get hacked over and over. Hence the “unlimited” malware removals.

Based on years of real-world experience, things are likely worse than that. What we have found is that automated tools for cleaning up malware, which are actually used by many providers (contrary to how multiple providers claim to be the only ones), don’t produce great results. They miss plenty of malicious files and also produce plenty of false positives. That MalCare provides a manual service would indicate that they know this to be the case, while also claiming otherwise. What we have also found repeatedly is that security companies that don’t try to determine how websites have been hacked miss malicious files that they would otherwise have found. So automated malware removal is quick, but it isn’t good, which again is why MalCare itself provides a manual cleanup service.

MalCare Thinks Cleaning a Website Doesn’t Involve Making Sure it Works

In looking around more about MalCare we found this odd situation where the reviews of their WordPress plugins are mostly unrelated to the plugin. One of them seems rather informative as to how little you get when you pay for their manual service.

The reviewer wrote this:

I purchased the expensive pro version of this and it did not solve the issue and broke my site.

I bought with confidence because it says on their site :
“Guaranteed 100% WordPress Malware Removal. Without breaking your website.”
and
“Get 3X your money back if we cannot remove your malware.”

I have contacted them many times and they refuse to refund my money. It says get 3x your money back but you will not even get it back 1x time.
I also asked them to close my account and delete my credit card information, which they also refuse to do.

The substantive part of the response from MalCare is this:

The website was broken because of the changes that you had done to the website via FTP. This detail was mentioned & conveyed by you on the email thread. You had also mentioned that because we were not able to recover the data & make the website look like before, you’re requesting a refund.

But unfortunately, we have no control over plugin & theme data that is on the website which was lost because of the malware attack. At best, we can assist you with cleaning the site which our team has.

We cannot process a refund because our refund policy clearly states that a refund can be processed only if we are unable to clean the website. But in this case, we did clean all the malware from the site.

As a company that has been doing cleanups of hacked WordPress websites for over a decade, we have never left a website broken after a cleanup. We wouldn’t even consider doing that. If data was truly gone, then we couldn’t restore it, obviously, but we would have determined that before starting the process instead of making a promise we couldn’t keep. We also charge after the work is done, not before, which we have always felt is a better guarantee.

Numbers Never Lie

When looking at the websites of services like this one, one thing that is easy to check to see if they look legitimate is the stats they show. Not surprisingly, like the others, they don’t point to any independent testing of their services’ effectiveness, but they do claim to be compatible with 5,000+ web hosts:

MalCare in Numbers 200,000+ Sites Scanned and counting 330GB Largest site Scanned 5000+ Webhosts Compatibility 70+ Incredible NPS Score

We can safely say they couldn’t even name 5,000 web hosts, much less have they determined if they were compatible with that many.

A Good Reason Not to Advertise on Reddit

With the amount of problems with major platforms for advertising online, looking for better alternatives makes sense. Recently we have been trying out advertising on Reddit again, to see if running ads on there is a good idea now. When setting up ads with their system, one thing that seems rather significant is that by default commenting on ads is disabled. Considering that discussion is a major part of Reddit, you might wonder why that is.

While we haven’t enabled commenting to see what happens, we got somewhat of an idea of what might happen, based on a contact form submission we received. The subject of the message was “You Dumb?” and the body read:

You Dumb? Seems like it. WTF you doing advertising Magento websites on Reddit and get a drop-off link a MS FrontPage 98 website?

Bitch, please.

Beyond the childish tone of the message (though likely from someone well into adulthood, considering the reference to MS FrontPage 98), the criticism leveled doesn’t make much sense. If you want to criticize the look of our website, fine, but we were not “advertising Magento websites”, but upgrading them. That is both clear in the ad and the landing page. The look of our website shouldn’t be all that relevant, since an upgrade shouldn’t change the look of a website. We would have pointed this out to whoever sent this, but they provided a bogus email address. Are there a lot of advertisers looking to reach people that are spending time doing something like that at 10pm on a weeknight? Probably not.

We have also received multiple messages from people clicking through our advertising on Reddit looking for services that were only tangentially related to what was being advertised and not related to anything we offer. Some of these messages were also not totally coherent.

If you are running advertising looking to take advantage of people, then based on this Reddit might be a good option, but for legitimate advertisers it looks like a lot of who you could reach wouldn’t be who you are interested in reaching.

Upgrading OpenCart Doesn’t Require Migrating Products or Other Data To a New Install

A question that comes up from time to time in relation to us potentially doing upgrades of software on websites, and that recently came up in relation to an upgrade of OpenCart, is whether the data, in this case product data, needs to be migrated or moved into the upgraded version. The answer is no.

It wouldn’t make much sense to do an upgrade if you needed to restore all the data; why not just do a new install in that situation? There are some situations where moving to a new version of web software requires you to do just that, but those are referred to as migrations, not upgrades.


Dealing With a Hacked WordPress Website Without a Backup

One question that comes up from time to time when we are brought in to deal with hacked WordPress websites is whether the website can be cleaned up if there isn’t a backup. In almost all situations, the answer is yes, and in fact a backup usually isn’t all that useful for cleaning up the website.

One suggested solution for cleaning up a hacked WordPress website, or a website using other software for that matter, is to revert to a clean backup. The big problem with that is that the backup has to be clean; reverting to a backup from when the website was already hacked won’t solve the problem. Since a hack can have started well before it is noticed, simply reverting to a backup from before you were aware the website was hacked isn’t always going to do the trick. And by the time it has been figured out when the website was originally hacked, most of the work needed to clean up the website without a backup has likely already been done.

The work needed to clean up the website without a backup can also be important for determining how the website was hacked. If you don’t figure out how the website was hacked, then you can’t ensure it won’t get hacked again because of the same issue. (Surprisingly, a lot of hack cleanup providers that claim to have expertise in dealing with hacked websites don’t even try to figure out how websites have been hacked, leading to far too many of their customers’ websites getting hacked again.)

Another issue with reverting to a backup is that you need to do the reversion correctly. Done incorrectly, files that were part of the hack could still be on the website, or the website could be broken (sometimes in a way that is only realized later).

The exception to the ability to do a cleanup without a backup would be if the files or data have been deleted or are damaged beyond repair, which in almost all instances isn’t the case.

Microsoft Advertising’s Dynamic Search Ads Fail to Deliver on Claim of Reaching Relevant Searches

Yesterday, we wrote about Microsoft poorly auto-generating ad copy for customers of their search advertising system. While it appears they haven’t done basic testing, as many of the ads generated for us are incoherent, among other issues, they have started auto-applying these ads. That is part of a larger initiative by Microsoft to automate the advertising process, where even what seems like it should be a lot easier to handle than generating ad copy isn’t even close to being where it should be before being made widely available.

Another piece of that involves dynamic search ads. Microsoft describes those with the following:

Dynamic search ads provide a streamlined, low-touch way to make sure customers searching on the Microsoft Search Network find your products or services.

In marketing these, Microsoft also claims they allow you to “[a]utomatically target relevant search queries based on the content of your website” and that they “can help you find customers searching for precisely what you offer”. At least in our case, based on the ten “search queries that could trigger your ad” they show right now, that isn’t true at all.

Four of the queries shown are hosting related, despite us not being in the hosting business:

  • wordpress vimeo hosting sixt
  • web hosting wordpress plans
  • best wordpress hosting sites
  • wordpress hosting

With one of those, “wordpress vimeo hosting sixt”, we couldn’t find what that would refer to.

Another could probably be classified similarly:

  • wordpress com

Another is website builder related, despite us also not being in the website builder business:

  • best website builder

Three queries involve software that we provide services for, but someone searching for just the name is not “searching for precisely what you offer”:

  • wordpress
  • magento
  • woocommerce

Since the services we offer involve things for people already using the software, it seems unlikely someone searching just on the name of it would be looking for that.

Finally, there is a query that doesn’t seem like it would be related to something for sale:

  • wordpress login

Overall, it looks like they have combined, for the most part, common searches that are very loosely related to what we offer. Having us advertise on those things seems like it makes sense for Microsoft, since they can make more money that way, but not for us, since it would target searches that have nothing to do with our business.

The saving grace with these two automated features is that they can be disabled; that isn’t true of other parts of the search advertising that overrule what advertisers want.