{"id":4940,"date":"2023-09-27T09:00:39","date_gmt":"2023-09-27T15:00:39","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=4940"},"modified":"2023-09-26T13:34:23","modified_gmt":"2023-09-26T19:34:23","slug":"wordpress-security-plugins-wont-fully-disinfect-a-hacked-wordpress-website","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2023\/09\/27\/wordpress-security-plugins-wont-fully-disinfect-a-hacked-wordpress-website\/","title":{"rendered":"WordPress Security Plugins Won&#8217;t Fully Disinfect a Hacked WordPress Website"},"content":{"rendered":"<p>When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don&#8217;t properly address the situation. That leads to continuing issues that could have been addressed quickly if <a href=\"https:\/\/www.whitefirdesign.com\/services\/hacked-wordpress-website-cleanup.html\">handled by a professional like us<\/a>.<\/p>\n<p>As an example of what not to do, take a recent <a href=\"https:\/\/wordpress.org\/support\/topic\/malicious-function-not-detected-in-scans\/\">post<\/a> from the WordPress Support Forum, where someone claimed to have done a full disinfection of a website, which hadn&#8217;t worked:<\/p>\n<blockquote><p>Despite the fact that we did full disinfections, restored backup files several times, and added strong security systems plus CDNs, <strong>Google Search Console<\/strong> and <strong>McAfee<\/strong> blocked us from the site, for being malicious, for a long time.<\/p><\/blockquote>\n<p>One thing missing there is any attempt to figure out how the website was hacked. That is important for multiple reasons. One of them is that if you don&#8217;t know how the website was hacked, then you can&#8217;t be sure the issue has been addressed and won&#8217;t happen again. Another reason is that if you don&#8217;t know how the website was hacked, then you also likely don&#8217;t know when it was hacked. 
Restoring a backup file won&#8217;t clear out malicious code if the malicious code is in the backup as well.<\/p>\n<p>Another issue is that they were trying to find malicious code using several WordPress security plugins, which didn&#8217;t find it:<\/p>\n<blockquote><p>This code is invisible to the user and to monitoring systems such as <strong>Wordfence<\/strong>, <strong>iThemes S[ecurity]<\/strong>, All-In-One Security (AIOS), and <strong>Anti-Malware Security and Brute-Force Firewall<\/strong>. None have detected it.<\/p><\/blockquote>\n<p>While they are claiming the code was invisible, their description of it tells a different story:<\/p>\n<blockquote><p>A function added to the head of a theme\u2019s <strong>.js file<\/strong>, which uses a \u201c<strong>Get<\/strong>\u201d call and links to an <strong>encrypted external link<\/strong>.<\/p>\n<p>It is only shown when loading certain pages in the browser code inside (it is not always shown\u2026)<\/p><\/blockquote>\n<p>During a proper cleanup, theme files would be checked, and before even starting on a hack cleanup, a professional should have noticed that the code was being loaded on the website (even though the further code it loads would only appear in some instances). A professional would have been looking for the code before starting, as people often think that some other issue with a website is a hack, so they want to make sure a hack cleanup is needed before starting.<\/p>\n<p>Automated malware detection doesn&#8217;t work well, as it both fails to detect plenty of malicious code (as occurred here) and also flags legitimate code as being malicious.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don&#8217;t properly address the situation. That leads to continuing issues that could have been addressed quickly if handled by a professional like us. 
As an example of what not to do, take a recent &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2023\/09\/27\/wordpress-security-plugins-wont-fully-disinfect-a-hacked-wordpress-website\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;WordPress Security Plugins Won&#8217;t Fully Disinfect a Hacked WordPress Website&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14,3],"tags":[],"class_list":["post-4940","post","type-post","status-publish","format-standard","hentry","category-website-malware","category-wordpress"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/4940","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=4940"}],"version-history":[{"count":1,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/4940\/revisions"}],"predecessor-version":[{"id":4941,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/4940\/revisions\/4941"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=4940"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=4940"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=4940"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}