You Don’t Need to Start From Scratch if Your WordPress Website is Infected with Malware

When it comes to dealing with a WordPress website that has been infected with malware, sometimes the idea of dealing with it by starting over is suggested. Not only is that not usually necessary, it can sometimes lead you back to where you started, an infected website.

In almost all instances an infected WordPress websites can be cleaned up, so unless you are very unlucky and have a website that can’t be cleaned because it so damaged, the only reason to start over would be that you can’t handle cleaning it yourself or afford to hire someone to properly clean it up (which is not the same hiring someone to clean it up, based on all the websites we are hired to re-clean after things haven’t been done properly).

A problem with going the route of staring over is that the websites don’t just get hacked, something had to have gone wrong security wise. Starting over isn’t always going to directly deal with that. So if, say, your website was hacked because of an unfixed security vulnerability in a WordPress plugin and you start over and install the plugin on a new WordPress install, then the vulnerability can be exploited again. There are plenty of other issues like that, which wouldn’t be resolved by starting over.

MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers

If you deal with security, as we do, it often isn’t hard to tell that companies are taking advantage of their customers, but most of them at least try to hide it to some degree. That isn’t the case with a provider named MalCare. Here, for example, is the interstitial we got shown on their homepage when we recently visited it:

Is your website safe? Are you sure? Get your FREE Malware scan now No Credit Card Required | No Upfront Charges Yes, Scan My Website Now No Thanks, I will let my site be hacked :(

In small text at the bottom it says, “No Thanks, I will let my site be hacked :(“. That makes no sense. A malware scan would show if a website is already hacked, it won’t actually do anything to stop a website from being hacked. Either they don’t understand what they are doing at all, or they have no problem lying to their potential customers.

Getting past that, the first message shown on their homepage was this:

 The Only WordPress Security Plugin with Instant WordPress Malware Removal Our Auto-Clean Feature Cleans Your Website Without Waiting for Hours or Days!

Scrolling down a bit, you get more of the same:

 Fix a Hacked Website Instantly in <60 Seconds. MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever. The Best part? Do it instantly without waiting for hours or days.

That all sounds great, but it again makes no sense if you have a basic understanding of security. Before we explain why, it’s worth noting that not only doesn’t this make any sense, but MalCare contradicts the claims being made there, right on their website. For example, while the above claims “MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever”, the pricing page touts one of the features being “Unlimited Automatic Malware Removal”:

If they are removed forever, then you wouldn’t need “unlimited” malware removals.

Also, there is a big contradiction in that at the top of their website they highlight an “Emergency Hack Cleanup” service, where they claim the website is cleaned up within 12 hours:

If their instant cleaning service actually properly cleaned up hacked websites, why would anyone need another service that takes up to 12 hours?

That page also includes this incredible customer testimonial, which ties back to the claims MalCare makes not making sense:

I scanned a client site using MalCare and found 35 hacked files. Cleaned it up within just 2 minutes! Saves me many hours each month.

If you are spending hours each month cleaning up malware on your clients’ websites, that means those website are being hacked repeatedly and are still not being properly secured. Who would publicly admit to that? Cleaning up those files doesn’t address the security issue that is leading to them being hacked, so it isn’t surprising that there would continue to be issues.

To properly deal with a hacked website, there are three key components:

  • Clean up the hack.
  • Get the website secured as possible (which usually involves getting Drupal, contributed modules, and themes on the website up to date).
  • Try to determine how the website was hacked and fix that.

The MalCare service doesn’t even claim to address latter two of those, which means that the websites using the service can get hacked over and over. Hence the “unlimited” malware removals.

Based on years of real world experience, things are likely worse than that. What we have found is that automated tools for cleaning up malware, which are actually used by many providers (contrary to how multiple providers claim to be the only ones), don’t produce great results. They both miss plenty of malicious files, but also produce plenty of false positives. That MalCare provides a manual service would indicate that they know this to be the case, while also claiming otherwise. What we have also found repeatedly, is that security companies that don’t try to determine how websites have been hacked miss malicious files that they would have otherwise found. So automated malware removal is quick, but it isn’t good, hence again, why MalCare itself provides a manual cleanup service.

MalCare Thinks Cleaning a Website Doesn’t Involve Making Sure it Works

In looking around more about MalCare we found this odd situation where the reviews of their WordPress plugins are mostly unrelated to the plugin. One of them seems rather informative as to how little you get when you pay for their manual service.

The reviewer wrote this:

I purchased the expensive pro version of this and it did not solve the issue and broke my site.

I bought with confidence because it says on their site :
“Guaranteed 100% WordPress Malware Removal. Without breaking your website.”
“Get 3X your money back if we cannot remove your malware.”

I have contacted them many times and they refuse to refund my money. It says get 3x your money back but you will not even get it back 1x time
I also asked them to close my account and delete my credit card informations which the also refuse to do.

The substantive part of the response from MalCare is this:

The website was broken because of the changes that you had done to the website via FTP. This detail was mentioned & conveyed by you on the email thread. You had also mentioned that because we were not able to recover the data & make the website look like before, you’re requesting a refund.

But unfortunately, we have no control over plugin & theme data that is on the website which was lost because of the malware attack. At best, we can assist you with cleaning the site which our team has.

We cannot process a refund because our refund policy clearly states that a refund can be processed only if we are unable to clean the website. But in this case, we did clean all the malware from the site.

As a company that has been doing cleanups of hacked WordPress websites for over a decade, we have never left a website broken after a cleanup. We wouldn’t even consider doing that. If data was truly gone, then we couldn’t restore it, obviously, but we would have determined that before starting the process instead of making a promise, we couldn’t keep. We also charge after the work is done, not before, which we have always felt is better a guarantee.

Numbers Never Lie

When looking at the websites of services like this one, one thing that is easy to check to see if they look legitimate is the stats they show. Not surprisingly, like the others, they don’t point to any independent testing of their services effectiveness, but they do claim to be compatible with 5,000+ web hosts:

 MalCare in Numbers 200,000+ Sites Scanned and counting 330GB Largest site Scanned 5000+ Webhosts Compatibility 70+ Incredible NPS Score

We can safely say they couldn’t even name 5,000 web hosts, much less have they determined if they were compatible with that many.

A Good Reason Not to Advertise on Reddit

With the amount of problems with major platforms for advertising online, looking for better alternatives makes sense. Recently we have been trying out advertising on Reddit again, to see if running ads on there is a good idea now. When setting up ads with their system, one thing that seems rather significant is that by default commenting on ads is disabled. Considering that discussion is a major part of Reddit, you might wonder why that is.

While we haven’t enabled commenting to see what happens, we got somewhat of an idea of what might happen, based on a contact form submission we received. The subject of the message was “You Dumb?” and the body read:

You Dumb? Seems like it. WTF you doing advertising Magento websites on Reddit and get a drop-off link a MS FrontPage 98 website?

Bitch, please.

Beyond the childish tone of the message (though likely from someone well into adulthood, considering the reference to MS FrontPage 98), the criticism leveled doesn’t make much sense. If you want to criticize the look of our website, fine, but we were not “advertising Magento websites”, but upgrading them. That is both clear in the ad and the landing page. The look of our website shouldn’t be all that relevant, since an upgrade shouldn’t change the look of a website. We would have pointed this out to whoever sent this, but they provided a bogus email address. Are there a lot of advertisers looking to reach people that are spending time doing something like that at 10pm on a weeknight? Probably not.

We have also received multiple messages from people clicking through our advertising on Reddit looking for services that were only tangentially related to what was being advertised and not related to anything we offer. Some of these messages were also not totally coherent.

If you are running advertising looking to take advantage of people, based on this, then Reddit might be a good option, but for legitimate advertisers it looks like a lot of who you could reach, wouldn’t be who you are interested in reaching.

Upgrading OpenCart Doesn’t Require Migrating Products or Other Data To a New Install

A question that comes up from time to time in relation to us potentially doing upgrades of software on websites and recently came up in relation to doing an upgrade of OpenCart, is does the data, in this situation product data, need to be migrated or moved into the upgraded version? The answer is no.

It wouldn’t make much sense to do an upgrade if you need to restore all the data, why not just do a new install in that situation? There are some situations where moving to a new version of web software, you need to do just that, but those are referred to as migrations, not upgrades.


Dealing With a Hacked WordPress Website Without a Backup

One question that comes up from time to time when we are brought in to deal with hacked WordPress websites is can the website be cleaned up if there isn’t a backup. In almost all situations, the answer is yes, and in fact a backup usually isn’t all that useful for cleaning up the website.

One suggested solution for cleaning up a hacked WordPress website, or websites using other software for that matter, is to revert to a clean backup. The big problem with that is that the backup has to be clean, reverting to a backup that from when the website was already hacked, won’t solve the problem. Since hacks can have started well before it becomes noticed, simply reverting to a backup from before you were aware the website was hacked isn’t always going to do the trick. Assuming it can be figured out when the website was originally hacked, most of the work needed to clean up the website without a backup has likely already been done.

The work needed to clean up the website without a backup can also be important for determining how the website was hacked. If you don’t figure out how the website was hacked, then you can’t insure it won’t get hacked again because of the same issue. (Surprisingly, a lot hack clean up providers that claim to have expertise in dealing with hacked websites, don’t even try to figure how websites have been hacked, leading to far too many of their customers’ websites getting hacked again.)

Another issue with reverting to a backup is that you need to do the reversion correctly. Done incorrectly files that were part of the hack could still be on the website or the website could be broken (sometimes in a way that is only realized later).

The exception to the ability to do a cleanup without a backup would be if the files or data has been deleted or is damaged beyond repair, which in almost all instances isn’t the case.

Microsoft Advertising’s Dynamic Search Ads Fail to Deliver on Claim of Reaching Relevant Searches

Yesterday, we wrote about Microsoft poorly auto-generating ad copy for customers of their search advertising system. While it appears they haven’t done basic testing, as many of the ads generated for us are incoherent, among other issues, they have started auto-apply these ads. That is part of a larger initiative by Microsoft to automate the advertising process, where even what seems like it should be a lot easier to handle than generating ad copy, isn’t even close to being where it should be before being widely available.

Another piece of that involves dynamic search ads. Microsoft describes those with the following:

Dynamic search ads provide a streamlined, low-touch way to make sure customers searching on the Microsoft Search Network find your products or services.

In marketing these, Microsoft also claims they allow you to “[a]utomatically target relevant search queries based on the content of your website” and that they “can help you find customers searching for precisely what you offer”. At least in our case, based on the ten “search queries that could trigger your ad” they show right now, that isn’t true at all.

Four of the queries shown are hosting related, despite us not being in the hosting business:

  • wordpress vimeo hosting sixt
  • web hosting wordpress plans
  • best wordpress hosting sites
  • wordpress hosting

With one of those, “wordpress vimeo hosting sixt”, we couldn’t find what that would refer to.

Another could probably be classified similarly:

  • wordpress com

Another is website builder related, despite us also not being in the website builder business:

  • best website builder

Three queries involve software that we provide services for, but someone searching for just the name is not “searching for precisely what you offer”:

  • wordpress
  • magento
  • woocommerce

Since the services we offer involve things for people already using the software, it seems unlikely someone searching just on the name of it would be looking for that.

Finally, there is a query that doesn’t seem like it would be related to something for sale:

  • wordpress login

Overall, it looks like they have combined, for the most part, common searches that are very loosely related to what we offer. Having us advertise on those things seems like it makes sense for Microsoft, since they can make more money that way, but not for us, since it would target searches that have nothing to do with our business.

The saving grace with these two automated features is that they can be disabled, that isn’t true of other parts of the search advertising that overrule what advertisers want.

Microsoft Advertising Now Generating and Automatically Running Incoherent Ads for Customers

The quality of Microsoft’s search advertising system has gone down over time, as has Google’s, as they have taken more and more control away from advertisers. At best, they greatly overestimate the ability of their system to produce good results. At worst, they are intentionally doing things to increase their revenue, knowing that they are increasing costs for their customers while producing worse results for them.

About a month ago Microsoft announced they would start automatically running ads for customers generated by Microsoft, without the approval of customers. That seems rather ill-conceived idea, as they are putting words into the mouths of their customers. But much worse, looking at ads that have been generated for us, the implementation is even more ill-conceived, as the ads are often not even coherent.

When customers go to the Microsoft Ads web interface, they might now notice a somewhat vague message about this:

We’ve created recommended ad(s) which could improve your performance. Please review these recommendations as they may be eligible to automatically apply at a later date.

From there you can see up to 50 ad suggestions. While a few of the ones currently suggested to us are decent, most are not close to that. Here is one where the ad text looks like it mixed up the words install and upgrade:

Let Us Help You Install Your PrestaShop Installation to the Latest Version.As written, it doesn’t make sense.

In another example of this, this text seems like it should refer to second best instead of second chance:

Don't Settle for Second Chance. Call Us Today to Learn More!Somehow they are messing up phrases like that.

This ad text combines an incoherent message with this odd capitalization of a word with an apostrophe in it:

If You Can't Find a Better Price, We’Ll Give You the Best Price.It would appear their system isn’t advanced enough to understand not to add capitalization there.

Sometimes the headlines and ad text don’t go together, this headline makes no sense in the context of the service being advertised or the ad text:

Don't Trust Your Mediawiki | Until You Read Our Reviews - If You’Re Looking to Upgrade Your Mediawiki Installation, We Do the Rest.The ad text of this one claims we provide an alternative to something that isn’t a thing as far as we are aware:

Our Moodle Upgrade Service Is the Most Affordable Alternative to Existing Plugins.Others advertise services we don’t offer, like this one offering to install PrestaShop:

Let Us Take the Guesswork Out of Installing Your Prestashop. Call Today!Here is the ad text for another one, which, among other issues, emphatically claims we do something, which we don’t do:

If You Can't Find a Better Price on Concrete5 Installation, We Do It!Probably the worst ad though suggests we get websites hacked:
Don't Go Scammed | We Get Them HackedIt doesn’t look like Microsoft did basic testing before rolling out these generated ads.

Despite them creating this content, they have a notice in the documenation for that says that it is the customer’s content:

Any ads or content created by Microsoft Advertising as part of this program are subject to editorial review, and will remain your “Content” as defined by your Microsoft Advertising Agreement.

The Likely Reason Malware Keeps Returning to Your WordPress Website

One question that comes up from time to time when dealing with malware infected WordPress websites is why does malware keep returning to the website. While there are multiple reasons that can occur, what we find most often with websites that keep getting infected, WordPress or otherwise, is that they haven’t actually been infected more than once. Instead, the original issue was never fully resolved.

While some malware can be difficult to fully remove, in most cases what we find is that corners were cut during the cleanup process. That isn’t just an issue with hiring someone who doesn’t have much experience with malware infected websites, as we have often been brought in to re-remove malware form websites when that is the case with supposedly reputable providers. That includes companies who are frequently promoted by journalists, despite what they are covering being itself a pretty big warning that something is a miss with the company.

To properly clean up malware on a website, there are three key components:

  • Removing the malware.
  • Getting the website secured as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was infected and fix that.

If a company’s marketing material doesn’t focus on those, then there is a good chance they are cutting corners. You might get lucky and not experience the downside of that, but if you are like lots of people hire us after having hired someone else, you end paying more and dealing with more problems than if just hired us to remove it in the first place.

It Is Hard to Believe How Poor SiteGround’s Support Documentation Is

From our experience people trust their web host to provide good advice on dealing with problems with their websites, but also from our experience, unfortunately, the advice is often useless and sometimes even harmful. Since most of that is coming from one-off exchanges with support personnel, it is hard to attribute that to a general issue with the web host. But with a recent instance involving SiteGround, the public advice they provide in their support documentation is so bad it is hard to understand how it exists in that form.

With a website we have been brought in to do some work, a problem needing to be dealt with was at least part caused by an ill-conceived action taken by the SiteGround, but in trying to resolve that our customer had tried to resolve another issue, a mixed content error. Mixed content refers to having content on a page being served over HTTP when the page itself is served over HTTPS. SiteGround provides instructions on dealing with that, on a page titled What Is Mixed Website Content Error and How to Fix It?. Under the heading “How to fix the mixed content error” they write this:

The fastest way to solve this issue is by using the functionality ‘Force HTTPS’ in the SG Optimizer plugin. It will redirect all the traffic for your website to HTTPS which should help avoid mixed content, except in some cases of remote resources still being pulled over HTTP.

Then the first step to do that is:

  1. Install the plugin by logging into the WordPress Admin > Plugins > Add New.

You can only log in to the WordPress Admin if your website is using the WordPress software, so these instructions are only relevant for WordPress websites, but that isn’t clearly noted. The first mention of WordPress is in step 1. After getting through all the instructions, they write this:

If you are not using WordPress or even after using SG Optimizer there is still mixed content on the website pages, then you can use this online tool to find which content is being served via HTTP. You would have to attempt to correct all of them to load over HTTPS manually, based on the specific elements.

Wouldn’t you want to note that the instructions are not relevant to websites not using WordPress before providing them, and not after?

It isn’t like that is something that you can only come across from their website with notice that it applies to WordPress. At the bottom of that page a related article, How to enable padlock on my site?, is listed. The totality of the information provided on that is, with a link to this page at the end:

  • Your SSL certificate is installed and valid.
  • The website is working over HTTPS.
  • There are no elements loaded over an HTTP connection (mixed content).


SiteGround Doesn’t Even Warn Their SuperCacher Caching System Can Break Website Functionality

Less than a month ago we wrote a post that mentioned a recent situation where a Zen Cart based ecommerce website was not allowing products to be added to the shopping cart in some instances, which is a big problem. The source of the problem was caching done by a web host we didn’t mention in the post. The same exact issue has come up with another website and this time we had access to the web host’s control panel, so we could better see what is going on with the web host, SiteGround, and things don’t look good.

When you go the settings page for their SuperCacher caching system, you are provided with this information about it:

SuperCacher services are developed by our server optimization experts to increase the number of hits a site can handle seamlessly and dramatically boost your website’s loading speed. There are 3 different caching options for maximum optimization of your websites. Our tests show that a website using simultaneously NGINX Direct Delivery & Dynamic caching along with Memcached can handle 100 times more hits than a regular website without any caching.

There is no warning that the feature can cause problems, like the one we have now run across twice in less than a month. Perhaps they don’t understand the implications of what they are doing, which is quite problematic considering the caching causing the problem with those websites is enabled by default.

Disabling Dynamic Caching

If that were not bad enough, while two of three types of caching provided, NGINX Direct Delivery and Memcached, can easily be disabled on the feature’s settings page, the one that is at issue here, Dynamic Caching, can’t. The tutorial for the feature, which is linked from that page, also doesn’t currently provide any information on disabling that. If you use the search function accessible on that tutorial, you also won’t find the information. There is a page on a separate part of their website, for some reason they have two different support sections, explains how to disable that using code added to the website’s .htaccess file.

Update – 4/16/2021 – SiteGround doesn’t provide a way to contact them through their website unless you are a customer (which is odd), but we tried notifying them through Twitter about the problem they are causing here. They responded, but the response wasn’t good, starting with them stating that performance is apparently more important to them than not breaking websites:

One of our primary goals is to ensure the best possible performance of all sites hosted on our servers and our caching setup plays a major role in the process.

The rest of it involved them ignoring the reality of the situation, so it doesn’t seem like they are a great option for a web host.