If you have a reoccurring problem with a hack of your website, there are multiple causes that could underly it. Two of those, a backdoor and a vulnerability, are sometimes confused. Understanding the difference is important to dealing with the problem.
A backdoor is some method for the hacker to continuing access to the website, which they place on the website. That often is a file that the hacker can send commands to on the website and those commands will run. Those backdoor files can sometimes be rather complex, but other times are really simple.
A vulnerability is an existing security issue on the website that gives a hacker some access they shouldn’t have.
A key difference between these two issues is how you deal with them. If you were to restore the website back to its state before the hacking, a backdoor couldn’t exist on the website. A vulnerability will still exist if you do that.
Another key difference is who has access in each situation. With a backdoor, only one hacker would have access, unless some other hacker figures out about their backdoor. A vulnerability, by comparison, could be exploited by many hackers.
We recently had someone come to us that thought there was a backdoor on their website, but the change being made with what they thought was a backdoor allowed any hacker access. What they actually had was a vulnerability they hadn’t addressed.
We were recently dealing with what should be a fairly standard piece of work for us, transferring a website to a new VPS. That turned out to be a lot more complicated by a change made recently at the web host Bluehost. They replaced their long used account management interface. This causes a couple of problems we wanted to share in case others run in to problems as well and are wondering if they are alone in that.
First, we found that some of their support documents still are written for the old interface. One of those has instructions for something that isn’t even possible with the new interface. Our client contacted their support team about that and was told that it was no longer relevant, but the document is still up over a week later.
Second, we found that the interface seems rather broken. We found features that only worked some of the time. When we were trying to make a simple change, we found that the interface wasn’t showing information that it should have been showing. It isn’t a good situation.
Update 9/3/24: Over at our Plugin Vulnerabilities service we did a security review of Neznam Atproto Share and found multiple security issues with the plugin. The developer so far has not addressed those.
Last week, the Twitter alternative Bluesky became publicly joinable after having previously required an invite code to join. Alongside that, there has been increased interest in automatically posting new WordPress post to Bluesky. There is a plugin to do that, though the name wouldn’t exactly suggest that. The plugin is named Neznam Atproto Share. The AT Protocol is networking technology that underlies Bluesky.
Setup is easy. On the Writing admin page in WordPress, you enter server information, including an App Password, which can be generated on the Bluesky website.
The plugin does have a major restriction we should note. It requires at least PHP version 8.0 to install it. A lot of websites are not using that version of PHP. You can get around that by manually adding the plugin in to WordPress and at least in our testing, it still seemed to work with an older version of PHP.
We have seen some complaints about problems with posting when it shouldn’t, so you should test out to make sure it works appropriately for your use case.
We recently had someone contact us looking to move their website to Squarespace. They believed that doing that is like migrating a website to a new web host, but it is very different.
Squarespace is not a web host, but a website builder. With a web host, you would create a website based on software you install in the hosting account. You can then move that to another web host as long as their hosting system is compatible with the software. With Squarespace, your website is created in their own software. So you can’t transfer an existing website to them and you can’t transfer a Squarespace built website to another web host.
When moving your website to Squarespace, you are largely starting over. Depending on what you are moving from, you can automatically move some content over to it, but otherwise everything needs to be redone.
When it comes to figuring out how websites have been infected with malware or otherwise hacked, people often assume something that happened around the same time as they became aware of the hack caused it. There are a couple of big problems with that. First, as the saying goes, correlation isn’t causation. Second, the start of the hacking can have been well before it is noticed.
Another problem that comes up is that people can come up with fairly improbable possible causes. We recently interacted with someone suggesting that an update to WordPress introduced malware on to their website. If that were something that was occurring, it would be big news. In their case, there wasn’t even a correlation, as they knew about the malware and were having cleaned six days before the update.
We recently ran across someone who was remaining on an unsupported version of PHP because their WordPress theme wasn’t compatible with a newer version of PHP. They didn’t have to do that. WordPress themes can be updated to support newer versions of PHP. If the theme is still supported by the developer, they should be releasing updates to address that. If you are using a theme that isn’t supported by the developer anymore, someone else should be able to handle addressing incompatibilities with newer versions of PHP.
How easy or difficult it is to make the theme compatible will depend on if the theme is extensively using PHP functionality that has been removed in a newer version of PHP. You usually have plenty of warning of that situation, as the functionality will be depreciated before it is removed, so addressing any depreciation warnings will avoid having the theme break later on.
If you are unable to handle making a WordPress theme compatible with newer versions of PHP yourself, we can help you with that.
We were recently contacted by someone looking to migrate a WordPress website to Squarespace. Based on that interaction, it seems that not everyone is familiar with the implications of trying to make such a move. Put simply, those two systems are not compatible. You are largely starting over if you make that move. You can move various content, but everything else has to be done again.
You can import the following content from WordPress:
Attachments
Blog pages, blog posts, and authors
Categories
Comments
Individual images
Site pages
Tags
You can’t import:
Content from plugins
Gallery images
Image captions
Images saved in your Media Library, but not attached to any posts or pages, won’t import. We recommend downloading all images in your Media Library so you have them as a backup.
Style or CSS. To customize your Squarespace site’s design, use the Site styles panel.
The last item mentioned that you can’t import, is really important to note. All the styling will need to be redone. Depending on how advanced the design of the website is, that might not matter much (if you, say, only have text pages), but it also might dramatically undo the look of the content.
How you manage the website can also be dramatically different.
If you are simply having some trouble with your WordPress website, as the person we were contacted by was, it would be better to see if that can be addressed instead of making a huge change, like switching to Squarespace. We can help you with that.
We were recently contacted by someone looking to move their website off of WordPress because of downtime the website was experiencing. WordPress websites shouldn’t have problems with downtime unless something is going wrong with the website or the web hosting it is on. The solution to that wouldn’t be to move off of WordPress, but to address the problem. So what was going on?
When we went to view the website, we found that either it was slowly loading or not loading at all. Pulling up a cached copy of the website’s homepage through the Bing search engine, we were redirected to a malicious website. Viewing the source code of the cached copy of the homepage, we found that it contained obfuscated malicious code (the same code existed on the live website). So the problem here was that the website had been hacked. The solution to that is to clean up the hack, not switch to other software that could also be hacked.
If you are having a problem with your website, get in touch with someone who can assess what is going wrong. We can help you with that. If you need a hacked WordPress website cleaned up, we can also help with that.
Earlier in the week, we were mentioning that many hack cleanup providers don’t do the essential work of trying to figure out how websites were hacked. If you hire one of them, you might get lucky, and that doesn’t matter because the hacker hit the website once and moved on, but with more persistent hackers, that isn’t going to work out. Here is a fresh example of that involving two of those providers, Sucuri and MalCare:
A WordPress site I work for hosted on WPEngine has suffered from a malware attack. The attack was noticed when a consent management pop up started appearing on the home page. WPEngine’s security team from Sucuri hasn’t been much help as they’ve scanned and “removed” the problem 5 times now. I’ve also used a premium service from MalCare which did basically what Sucuri did, scanned said “it’s fixed” and then it came back.
That person tried a lot of things to deal with this:
I have enabled a number of security features including disabling enumeration, 2FA, custom wp login url, automatic password lockout after 2 tries, changing file permissions on certain files, enabled automatic alerts on file changing or file addition, deleted non essential users, changed passwords to all current users multiple times…
What they really need is to bring someone in who will work through trying to figure out how the hacking is continuing, addressing that, and trying to figure out how it started.
If you are in need of someone who will actually do that work, we do that for WordPress websites and other types of website.
We recently tested advertising on the question-and-answer website Quora to try to show ads on relevant content there. We wanted to share our results for anyone considering whether they should give it a try.
Who Knows What is Going on With Targeting
If you want to show ads on certain content on Quora, they have several options for that. Though, their own data suggests something is very amiss. Let’s look at an example of that.
One option is to target keywords, which “Show ads near questions containing or excluding keywords.” If you set it so that ads would show up for the keyword “drupal” in the United States, their system told us that there were 1,000–2,000 p:
So a decent number of potential times to show ads.
Another option is topics, which “Show ads relevant to specific Quora topics.” When searching for topics related to Drupal, the first one listed is “Drupal (Operating System)”. Drupal is a content management system, not an operating system:
Selecting to show for that in the United States, their system told us there were <100 p
If you instead select “Drupal 8 CMS,” the number increases to 20,000–25,000 p
That doesn’t seem to make any sense, as that shouldn’t be significantly higher than when showing ads with the “drupal” keyword, as anything relevant to that topic should use that keyword.
If you instead select “Drupal 7” the number increases to 30,000–35,000 p
Again, that doesn’t make any sense.
Quora doesn’t provide any addtional information on what these topics entail to try to better understand what is going on there.
Poor Results for Keyword Targeting
We decided to go with keyword targeting, because that seems less likely to show up for a lot of irrelevant content. We started with low bids. We didn’t see many impressions or any clicks. We started raising bids. The number of impressions didn’t increase much, but we started getting a lot of recorded clicks for the limited amount of impressions.
We didn’t have many of those clicks show up in our analytics. Most of them that were showing were coming from VPN services. These VPN visitors frequently clicked on ads multiple times in short periods of time. In one case, there were five clicks from one VPN user in less than a minute and a half. Considering that we were only targeting certain geographic areas, we would want to exclude VPN users because we have no idea if they are in an area we could reasonably serve customers. Considering the likelihood of fraudulent clicks through those, we would want to exclude them anyway, but Quora doesn’t have an option for that.
There is also a lack of visibility as to what you are even showing up on. The number of impressions we got with different keywords made it seem like they might be showing up on a lot of things they shouldn’t, but we have no way of knowing.
Overall, we didn’t get even close to getting any business.
Almost No Impressions With Question Targeting
Another option we are trying is targeting specific questions relevant to what we were advertising. The interface for selecting those isn’t great. But the larger problem is that with this option, we found we had only single digit impressions in a month. So ther was very little chance of that drawing in business.
Your Result May Be Different
It might be that what we are targeting is an area where Quora produces bad results and other areas produce better results. It also might be that other options they have for targeting their audience produce better results for you.
But we would say that if you do decide to try it you should go in to it knowing that results might be bad and might be wasting your time/money.
If anyone else has experience with advertising with them, good or bad, leave a comment on your results below.
