Of the people that hire us to clean up their hacked website maybe close to half of them bring up the fact that they previously hired someone else to clean up the website and then it got hacked again. While that is not always the previous cleaner’s fault, it appears that a lot of it can be explained by the fact that most companies doing hack cleanups either don’t know what they even should be doing or they are intentionally cutting corners.
The first thing we always ask after the client mentions that someone had previous cleaned things up, is whether they determined how the website was hacked. The answer is almost universally that trying to do that never even came up. That is despite that being one of the three main components of a proper hack cleanup. If you don’t do that then it is entirely possible that the vulnerability may still exist on the website, leaving the website open to being hacked again. If you are lucky after getting a subpar cleanup, the vulnerability might have been fixed without it being determined first or no one tries to exploit the vulnerability again on the website and you don’t get hacked again. If you are less lucky then you quickly end up with a hacked website again.
If you don’t want to have hire multiple companies to finally get your website cleaned you should make the sure company you are hiring in the first place actually does try to determine how the website was hacked and does the other component of a proper cleanup that we see frequently is not done, securing the website, which usually mainly involves getting the software on the website up to date.
Beyond doing that there are plenty of other red flags that a company is probably one you should avoid. To give an example of that, let’s take a look at one company we ran across recently that has service promoted with a lot of red flags. WP Fix It’s WordPress Infection Malware Virus Removal service (http://wpfixit.com/product/malware-virus-removal/). Below we look at a number of those, first quoting from their marketing materials and then discussing why it should be a red flag.
A Security Plugin Won’t Safe Guard Your Website Against Future Attack
It is critical that you have security in place at all times. Our Infection Specialist will complete the highest level of protection by installing a tried and trusted security plugin which will safe guard your site against future attacks.
While you can find a multitude of review and recommendations when it comes to WordPress security plugins what you won’t find almost any of is actually testing of these plugins to see if they can actual protect against vulnerabilities. In fact other than the testing we have been doing through our Plugin Vulnerabilities service, we only have found one other instance of someone doing that type of testing. The lack of that is a reminder of the lack of seriousness when it comes to most people claiming to be interested in the security of WordPress.
What isn’t an explanation for the lack of testing is that the plugins provide such great protection that testing to see if they don’t provide protection isn’t needed. Take for example a vulnerability we just tested them against last week. Recently the security NinTechNet discovered that the plugin Delete All Comments had an arbitrary file upload vulnerability, which allows hackers to upload malicious files to website and then do almost anything they want on the website. They discovered that while doing a hack cleanup. Since the vulnerability exists in the current version of the plugin, if they hadn’t determined that, then that website would have remained vulnerable even if the software on the website was brought up to date and would have been open to being hacked again. The plugin recently had 30,000+ active installs according to wordpress.org, so there are lot of websites that are currently vulnerable and this is where a security plugin could be useful. Unfortunately in our testing none of the 15 plugins we tested stop the vulnerability from being exploited.
Through the four tests we have done so far, most of the plugins we have tested have provided no protection whatsoever. Of the few instances where there was some protection, in all but one of them we found that the protection could be easily bypassed. The one time that we didn’t find a bypass there was a major tradeoff to get the protection, only Administrators level users were allowed to upload files. On a lot of websites where there is a single WordPress account that isn’t an issue, but for other websites lower level users are blocked from uploading media files would be an unacceptable limitation.
While WP Fix Its claim doesn’t specify what the plugin they install “will safe guard your site against future attacks” is, one review of their service from September indicates that it is Sucuri Security. In our testing that plugins has not provided any protection, which isn’t really surprising since it doesn’t even look to have any features that would prevent the vast majority of hacks. So you either have a situation where WP Fix It doesn’t have any clue as to whether the plugin can do what they claim or they are lying about what it can do, neither of which seems like something that you would want in someone doing a hack cleanup.
Brute Force Attacks Are Not Happening
Brute Force Attack Prevention
A common attack point on WordPress is to hammer the wp-login.php file over and over until they get in or the server dies. Each tried attempt is a request to the server which slows things down. Our Infection Specialist will guard your site against this.
When it comes to glaringly bad information about WordPress security the false claim that there are a lot of attempts to brute force WordPress admin passwords is probably the most widespread. As we discussed back in August, the evidence provided by security companies actual shows that these attacks are not happening. If you see someone claiming that they are they are, the either don’t understand security or they are lying to you. What does occur in some instances our dictionary attacks, which involve an attacker trying to log in using common passwords. As long as you are using a strong password these are not a threat to you. Unless you are an overloaded server they also shouldn’t cause the server to die or cause a noticeable slowdown.
Security Companies Can’t Speed Up Getting Security Warnings Removed
Some infections may trigger a blacklist of your website online. This means that when people try to visit your site they are warned that the content in harmful and urges them not to proceed. We will take the needed steps to remove all these warnings right away and allow visitors to surf your site without issues.
Getting Google or someone else’s malware or hack warning removed for your website is usually a fully automated process, which is easy to request and which a security company has no control over how long it takes. Where a security company can probably best help out, if they handle a lot of these, is with understanding why the review is taking so long or the odd information being returned during that, as we have found with Google’s warning that “This site may be hacked”. Of course if they mentioned that, they would also be disclosing that the warning doesn’t always get removed “right away” as this company claims and they don’t have any ability to control that timing.
Unrelated Work Isn’t A Sign of Competency
Database Optimization & Cleanup
Your database is the sweet spot of all your saved website content and data. Over time databases can become very bloated storing tons of information that you site does not need anymore. Our Infection Specialist will optimize your entire database.
Optimizing a database has nothing to do with a hack cleanup, even if the small percentage of hacks that involve the hacker making some change to the database, so it is really odd that they would doing that during hack cleanup.
A Low Quality Cleanup
Based on all that it doesn’t look these guys have much security knowledge, so you might wonder how they can actually handle doing a cleanup. The answer it seems is that they are not actually doing much themselves, in one of their blog posts (http://wpfixit.com/remove-a-wordpress-infection/) they include steps to do a cleanup, which at the end they state “We also can do all this for you”, and they state that the actual detection of malicious code is done by the plugin Anti-Malware Security and Brute-Force Firewall. Our experience is that automated detection like this is able to spot some malicious code, but won’t get better hidden stuff, so relying on something like that isn’t going to provide the best cleanup.