Just Because a WordPress Plugin You Use Has a Vulnerability It Doesn’t Mean It Got Your Website Hacked

As we have talked about recently, there is often confusion over how websites have been hacked. One issue that comes up from time to time is the claim that a WordPress plugin that contains an unfixed minor vulnerability is the source of a hack. Here is one recent claim of that:

I would strongly urge you to remove it now. My site was hacked several times before I realized it was because of this plug in. It sucks because I was unable to find a replacement and have to do it by hand.

The vulnerability that is known to exist in that plugin would allow someone logged in to WordPress with the Contributor or Author role to cause malicious JavaScript code to be included on frontend pages on the website. (Higher-level users already have the capability to do the equivalent of that.)

Unless you have an untrusted individual with access to WordPress with the Contributor or Author role, either intentionally or because someone with that level of access had their account breached, you don’t have to worry about that. So the chances of that being exploited are slim.

It’s possible that the quoted individual had that situation, but almost no websites will, so the chance of the plugin being the cause of hacks on websites is very small.

Trying to figure out how a hacked WordPress website was really hacked is a standard part of our hack cleanup process for WordPress websites. Our hack cleanups include a free lifetime subscription to our Plugin Vulnerabilities service, which includes providing fixes for unfixed plugin vulnerabilities.

How to Change the Email Address that WPForms Lite Sends Contact Form Submissions To

As part of helping to deal with a problem where a contact form done through the WordPress plugin WPForms Lite wasn’t getting sent to the intended email address, we had to figure out how to change the email address the submissions get sent to. It isn’t the most clear process, so for those that have more trouble than us, here are the steps to take to change that:

  1. Log in to WordPress
  2. Go to the plugin’s All Forms page
  3. Click the Edit link for the relevant form
  4. Click on the Setting menu
  5. Click on the Notifications submenu
  6. Change the Send To Email Address setting to the desired email address.

Getting Help

If you need help with this type of problem or another problem with your WordPress website, we offer a support service to help.

Why a WordPress Contact Page Isn’t Emailing the Submissions

We were recently helping someone deal with an issue where they were not receiving emails for submissions to the contact page of their WordPress website. There are a multitude of different ways contact form submissions are handled and different ways that could go wrong, but there are three principal problems that lie at the heart of that to sort through if you have that problem. Let’s go through those.

The Contact Form Isn’t Working

The first problem is that the contact form isn’t working. So first make sure that when making a submission, it returns a response that the submission has been successful.

Depending on what plugin you are using to handle contact form submissions, the plugin may store a copy of the submissions. Or there may be an additional plugin you can add that will store submissions. If that is an option, that will allow you to make sure the submissions are really getting through and being processed.

Emails Are Not Being Sent

If the contact form is working, the next possible problem is that emails are not being sent. If you are receiving other emails from the website, you can rule that out. If you are not sure about that, you can use a plugin to test if emails are being sent. You can also use a plugin that logs emails being sent to confirm if emails are being sent.

Emails Are Not Being Received

If you know that emails are being sent, then the problem could be that they are not being received at the intended email address.

One way to test this is to try having the emails sent to another email address at a different email provider. That gives a good chance of seeing if there is a problem related to the email account. It could be that it trips a spam filter.

In the situation we were helping with, it turned out that the email account wasn’t receiving the submissions, but when switching to another account, the emails went through.

Getting Help

If you need help with this type of problem or another problem with your WordPress website, we offer a support service to help.

The Difference Between a Backdoor and a Vulnerability on Your Repeatedly Hacked Website

If you have a reoccurring problem with a hack of your website, there are multiple causes that could underlie it. Two of those, a backdoor and a vulnerability, are sometimes confused. Understanding the difference is important to dealing with the problem.

A backdoor is some method, placed on the website by the hacker, that gives them continuing access to the website. That often is a file on the website that the hacker can send commands to, and those commands will run. Those backdoor files can sometimes be rather complex, but other times are really simple.

A vulnerability is an existing security issue on the website that gives a hacker some access they shouldn’t have.

A key difference between these two issues is how you deal with them. If you were to restore the website back to its state before the hacking, a backdoor couldn’t exist on the website. A vulnerability will still exist if you do that.

Another key difference is who has access in each situation. With a backdoor, only one hacker would have access, unless some other hacker figures out about their backdoor. A vulnerability, by comparison, could be exploited by many hackers.

We recently had someone come to us that thought there was a backdoor on their website, but the change being made with what they thought was a backdoor allowed any hacker access. What they actually had was a vulnerability they hadn’t addressed.

If you need help with a hacked website, we can help you.

Bluehost’s New Account Management Interface Seems Rather Broken

We were recently dealing with what should be a fairly standard piece of work for us, transferring a website to a new VPS. That was made a lot more complicated by a change made recently at the web host Bluehost. They replaced their long-used account management interface. This causes a couple of problems we wanted to share in case others run into problems as well and are wondering if they are alone in that.

First, we found that some of their support documents still are written for the old interface. One of those has instructions for something that isn’t even possible with the new interface. Our client contacted their support team about that and was told that it was no longer relevant, but the document is still up over a week later.

Second, we found that the interface seems rather broken. We found features that only worked some of the time. When we were trying to make a simple change, we found that the interface wasn’t showing information that it should have been showing. It isn’t a good situation.

How to Autopost From WordPress to Bluesky

Last week, the Twitter alternative Bluesky became publicly joinable after having previously required an invite code to join. Alongside that, there has been increased interest in automatically posting new WordPress posts to Bluesky. There is a plugin to do that, though the name wouldn’t exactly suggest that. The plugin is named Neznam Atproto Share. The AT Protocol is the networking technology that underlies Bluesky.

Setup is easy. On the Writing admin page in WordPress, you enter server information, including an App Password, which can be generated on the Bluesky website.

The plugin does have a major restriction we should note. It requires at least PHP version 8.0 to install it. A lot of websites are not using that version of PHP. You can get around that by manually adding the plugin into WordPress and at least in our testing, it still seemed to work with an older version of PHP.

We have seen some complaints about problems with posting when it shouldn’t, so you should test out to make sure it works appropriately for your use case.

Moving to Squarespace Isn’t Like Migrating a Website to a New Host

We recently had someone contact us looking to move their website to Squarespace. They believed that doing that is like migrating a website to a new web host, but it is very different.

Squarespace is not a web host, but a website builder. With a web host, you would create a website based on software you install in the hosting account. You can then move that to another web host as long as their hosting system is compatible with the software. With Squarespace, your website is created in their own software. So you can’t transfer an existing website to them and you can’t transfer a Squarespace built website to another web host.

When moving your website to Squarespace, you are largely starting over. Depending on what you are moving from, you can automatically move some content over to it, but otherwise everything needs to be redone.

Malware Didn’t Get on Your Website Through a WordPress Update

When it comes to figuring out how websites have been infected with malware or otherwise hacked, people often assume something that happened around the same time as they became aware of the hack caused it. There are a couple of big problems with that. First, as the saying goes, correlation isn’t causation. Second, the start of the hacking can have been well before it is noticed.

Another problem that comes up is that people can come up with fairly improbable possible causes. We recently interacted with someone suggesting that an update to WordPress introduced malware onto their website. If that were something that was occurring, it would be big news. In their case, there wasn’t even a correlation, as they knew about the malware and were having it cleaned six days before the update.

A post we wrote recently explains the basics of trying to determine how a website was actually hacked.

WordPress Themes Can be Updated to Be Compatible With Newer Versions of PHP

We recently ran across someone who was remaining on an unsupported version of PHP because their WordPress theme wasn’t compatible with a newer version of PHP. They didn’t have to do that. WordPress themes can be updated to support newer versions of PHP. If the theme is still supported by the developer, they should be releasing updates to address that. If you are using a theme that isn’t supported by the developer anymore, someone else should be able to handle addressing incompatibilities with newer versions of PHP.

How easy or difficult it is to make the theme compatible will depend on if the theme is extensively using PHP functionality that has been removed in a newer version of PHP. You usually have plenty of warning of that situation, as the functionality will be deprecated before it is removed, so addressing any deprecation warnings will avoid having the theme break later on.

If you are unable to handle making a WordPress theme compatible with newer versions of PHP yourself, we can help you with that.

You Can’t Migrate Your WordPress Website to Squarespace, Only Move Some of the Content

We were recently contacted by someone looking to migrate a WordPress website to Squarespace. Based on that interaction, it seems that not everyone is familiar with the implications of trying to make such a move. Put simply, those two systems are not compatible. You are largely starting over if you make that move. You can move various content, but everything else has to be done again.

Here is Squarespace’s own information on what content can be imported:

You can import the following content from WordPress:

  • Attachments
  • Blog pages, blog posts, and authors
  • Categories
  • Comments
  • Individual images
  • Site pages
  • Tags

You can’t import:

  • Content from plugins
  • Gallery images
  • Image captions
  • Images saved in your Media Library, but not attached to any posts or pages, won’t import. We recommend downloading all images in your Media Library so you have them as a backup.
  • Style or CSS. To customize your Squarespace site’s design, use the Site styles panel.

The last item listed as something you can’t import is really important to note. All the styling will need to be redone. Depending on how advanced the design of the website is, that might not matter much (if you, say, only have text pages), but it also might dramatically undo the look of the content.

How you manage the website can also be dramatically different.

If you are simply having some trouble with your WordPress website, as the person we were contacted by was, it would be better to see if that can be addressed instead of making a huge change, like switching to Squarespace. We can help you with that.