Why a WordPress Contact Page Isn’t Emailing the Submissions

We were recently helping someone deal with an issue where they were not receiving emails for submissions to the contact page of their WordPress website. There are a multitude of different ways contact form submissions are handled and different ways that could go wrong, but there are three principal problems to sort through if you are in that situation. Let’s go through those.

The Contact Form Isn’t Working

The first problem is that the contact form isn’t working. So first make sure that when making a submission, it returns a response that the submission has been successful.

Depending on what plugin you are using to handle contact form submissions, the plugin may store a copy of the submissions. Or there may be an additional plugin you can add that will store submissions. If that is an option, that will allow you to make sure the submissions are really getting through and being processed.

Emails Are Not Being Sent

If the contact form is working, the next possible problem is that emails are not being sent. If you are receiving other emails from the website, you can rule that out. If you are not sure about that, you can use a plugin to test if emails are being sent. You can also use a plugin that logs emails being sent to confirm if emails are being sent.

Emails Are Not Being Received

If you know that emails are being sent, then the problem could be that they are not being received at the intended email address.

One way to test this is to try having the emails sent to another email address at a different email provider. That gives a good chance of seeing if there is a problem related to the email account. It could be that it trips a spam filter.

In the situation we were helping with, it turned out that the email account wasn’t receiving the submissions, but when switching to another account, the emails went through.

Getting Help

If you need help with this type of problem or another problem with your WordPress website, we offer a support service to help.

How to Autopost From WordPress to Bluesky

Update 9/3/24: Over at our Plugin Vulnerabilities service we did a security review of Neznam Atproto Share and found multiple security issues with the plugin. The developer so far has not addressed those.

Last week, the Twitter alternative Bluesky became publicly joinable after having previously required an invite code to join. Alongside that, there has been increased interest in automatically posting new WordPress posts to Bluesky. There is a plugin to do that, though the name wouldn’t exactly suggest that. The plugin is named Neznam Atproto Share. The AT Protocol is the networking technology that underlies Bluesky.

Setup is easy. On the Writing admin page in WordPress, you enter server information, including an App Password, which can be generated on the Bluesky website.

The plugin does have a major restriction we should note. It requires at least PHP version 8.0 to install it. A lot of websites are not using that version of PHP. You can get around that by manually adding the plugin into WordPress and, at least in our testing, it still seemed to work with an older version of PHP.

We have seen some complaints about problems with posting when it shouldn’t, so you should test out to make sure it works appropriately for your use case.

Malware Didn’t Get on Your Website Through a WordPress Update

When it comes to figuring out how websites have been infected with malware or otherwise hacked, people often assume something that happened around the same time as they became aware of the hack caused it. There are a couple of big problems with that. First, as the saying goes, correlation isn’t causation. Second, the start of the hacking can have been well before it is noticed.

Another problem that comes up is that people can come up with fairly improbable possible causes. We recently interacted with someone suggesting that an update to WordPress introduced malware onto their website. If that were something that was occurring, it would be big news. In their case, there wasn’t even a correlation, as they knew about the malware and were having it cleaned six days before the update.

A post we wrote recently explains the basics of trying to determine how a website was actually hacked.

WordPress Themes Can be Updated to Be Compatible With Newer Versions of PHP

We recently ran across someone who was remaining on an unsupported version of PHP because their WordPress theme wasn’t compatible with a newer version of PHP. They didn’t have to do that. WordPress themes can be updated to support newer versions of PHP. If the theme is still supported by the developer, they should be releasing updates to address that. If you are using a theme that isn’t supported by the developer anymore, someone else should be able to handle addressing incompatibilities with newer versions of PHP.

How easy or difficult it is to make the theme compatible will depend on whether the theme is extensively using PHP functionality that has been removed in a newer version of PHP. You usually have plenty of warning of that situation, as the functionality will be deprecated before it is removed, so addressing any deprecation warnings will avoid having the theme break later on.

If you are unable to handle making a WordPress theme compatible with newer versions of PHP yourself, we can help you with that.

You Can’t Migrate Your WordPress Website to Squarespace, Only Move Some of the Content

We were recently contacted by someone looking to migrate a WordPress website to Squarespace. Based on that interaction, it seems that not everyone is familiar with the implications of trying to make such a move. Put simply, those two systems are not compatible. You are largely starting over if you make that move. You can move various content, but everything else has to be done again.

Here is Squarespace’s own information on what content can be imported:

You can import the following content from WordPress:

  • Attachments
  • Blog pages, blog posts, and authors
  • Categories
  • Comments
  • Individual images
  • Site pages
  • Tags

You can’t import:

  • Content from plugins
  • Gallery images
  • Image captions
  • Images saved in your Media Library, but not attached to any posts or pages, won’t import. We recommend downloading all images in your Media Library so you have them as a backup.
  • Style or CSS. To customize your Squarespace site’s design, use the Site styles panel.

The last item in the list of what you can’t import is really important to note. All the styling will need to be redone. Depending on how advanced the design of the website is, that might not matter much (if you, say, only have text pages), but it also might dramatically undo the look of the content.

How you manage the website can also be dramatically different.

If you are simply having some trouble with your WordPress website, as the person we were contacted by was, it would be better to see if that can be addressed instead of making a huge change, like switching to Squarespace. We can help you with that.

Your WordPress Website Might Be Hacked if It Is Loading Very Slowly or Not Loading at All

We were recently contacted by someone looking to move their website off of WordPress because of downtime the website was experiencing. WordPress websites shouldn’t have problems with downtime unless something is going wrong with the website or the web hosting it is on. The solution to that wouldn’t be to move off of WordPress, but to address the problem. So what was going on?

When we went to view the website, we found that either it was slowly loading or not loading at all. Pulling up a cached copy of the website’s homepage through the Bing search engine, we were redirected to a malicious website. Viewing the source code of the cached copy of the homepage, we found that it contained obfuscated malicious code (the same code existed on the live website). So the problem here was that the website had been hacked. The solution to that is to clean up the hack, not switch to other software that could also be hacked.

If you are having a problem with your website, get in touch with someone who can assess what is going wrong. We can help you with that. If you need a hacked WordPress website cleaned up, we can also help with that.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that we used to have come up a lot in conversations with clients was SiteLock. There have been many problems we have run across with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were now on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least they were supposed to be working on it). It shouldn’t take that long. It usually should take a few hours to do that cleanup. At least when we are cleaning up a hacked WordPress website, that is how long it takes. That is with us doing a proper cleanup, which lots of providers, including SiteLock in our past experience, don’t do, so it should take them less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

Wordfence Security Daily Malware Scans Are Not the Way to Clean Up a Malware Infection of a WordPress Website

If your WordPress website has been hacked and contains malware, a common suggestion for cleaning it up is to use the Wordfence Security plugin. There are a number of problems with that. One being that it won’t necessarily catch all the malware, as someone looking for help with the plugin recently noted:

Hello, I’m using the free version and I’m doing daily scans because my site has malware. At some point the scan did not detect some new folders that have been created in the root folder.

The folders have some random characters as a name and contain an index file and a cache folder.

The larger problem with what they were bringing up there is that if you had cleaned up the malware, there wouldn’t even be more malware to possibly detect day after day. So something has gone wrong there.

If there is malware on a WordPress website, the focus shouldn’t be on removing the malware, though it does need to be removed. It should be on how it got there, which is something that Wordfence Security can’t determine. When the plugin removes the files without determining that, it makes it harder to figure out.

Another important reason for trying to figure out how the website was infected, which we have seen over and over in years of being brought in to re-clean hacked WordPress websites, is that in doing the work to try to figure out how the website was hacked, you often find malware or other malicious code that otherwise would have been missed.

Figuring out how the malware got there in the first place, or at least stopping it from getting back in, is a basic part of a proper hack cleanup, but something that many security providers, including the developer of Wordfence Security, either don’t do or fail to accomplish.

WordPress Security Plugins Won’t Fully Disinfect a Hacked WordPress Website

When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don’t properly address the situation. That leads to continuing issues that could have been addressed quickly if handled by a professional like us.

As an example of what not to do, take a recent post from the WordPress Support Forum, where someone claimed to have done a full disinfection of a website, which hadn’t worked:

Despite the fact that we did full disinfections, restored backup files several times, and added strong security systems plus CDNs, Google Search Console and McAfee blocked us from the site, for being malicious, for a long time.

One thing missing there is trying to figure out how the website was hacked. That is important for multiple reasons. One of them being that if you don’t know how the website was hacked, then you can’t be sure the issue has been addressed and won’t happen again. Another reason is that if you don’t know how the website was hacked, then you also likely don’t know when it was hacked. Restoring a backup file won’t clear out malicious code, if the malicious code is in the backup as well.

Another issue is that they were trying to find malicious code using several WordPress security plugins, which didn’t find it:

This code is invisible to the user and to monitoring systems such as Wordfence, iThemes S[ecurity], All-In-One Security (AIOS), and Anti-Malware Security and Brute-Force Firewall. None have detected it.

While they are claiming the code was invisible, their description of it tells a different story:

A function added to the head of a theme’s .js file, which uses a “Get” call and links to an encrypted external link.

It is only shown when loading certain pages in the browser code inside (it is not always shown…)

During a proper cleanup, theme files would be checked. Even before starting on a hack cleanup, a professional should have noticed the code was being loaded on the website (even though the subsequent code it loads would only be loaded in some instances). A professional would have been looking for the code before starting, as people often think that some other issue with a website is a hack, so they want to make sure a hack cleanup is needed before starting.

Automated malware detection doesn’t work well, as it both fails to detect plenty of malicious code (as occurred here) and also flags legitimate code as being malicious.

The Cause of a WordPress Website Having User Registration Suddenly Enabled and the Default Role Being Set to Administrator

Oftentimes, when it comes to how WordPress websites have been hacked, it is hard to say without doing a proper cleanup what was the original source of the hack. But in some cases it is easy to say what was likely the cause. Take this description of what happened with a recently hacked WordPress website:

Yesterday at 23:08 I received an email from my wordpress “Admin Email Changed”: “[…]The new admin email address is ad@example.com.[…]”

Right after that, a new user registered, cryptic username “wpnew_kmyjzvfyoflv” This username had admin role!

Today in the morning when I realized, I checked, in the settings was “Anyone can register” checked and standard userrole is Administrator.

What you have there is a hacker being able to change three WordPress settings: the admin email address for the website, whether anyone can register for an account, and the default user role for new accounts. How could they do that? Either they would need the ability to directly change the content of the database used for the website or they would need to be able to change arbitrary WordPress settings.

You can rule out the first as the likely cause, as a hacker could, among other things, create a new Administrator account without going through additional steps if they have direct access to the database.

That leaves the second option. The cause of that is almost certainly going to be what is usually referred to as an option update vulnerability. That is a type of vulnerability that hackers are guaranteed to try to exploit if they know about it.

In addition to cleaning up whatever the hacker does once they have changed the WordPress settings, you need to make sure the vulnerability has been fixed to address this. That might be as simple as updating a plugin, if it has had that type of vulnerability and it has been fixed. If you don’t know what the source is and you don’t have the capability to figure that out, then it is time to bring in someone who has the capability to both review the log files for the website and review the plugins being used on the website.
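As a starting point for the log review described above, here is an added example (not from the original post) that pulls the POST requests made shortly before the "Admin Email Changed" email, along with everything else the same clients did around that time. The log lines, date, IP addresses and request paths are constructed, and the email time is assumed to be in the same timezone as the log.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample (combined log format). IPs are documentation ranges;
# the date and request paths are made up for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:22:41:10 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Mar/2024:23:07:58 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:23:08:40 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 3021 "-" "python-requests/2.31"
198.51.100.23 - - [12/Mar/2024:23:08:42 +0000] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2024:23:30:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""
# Time of the "Admin Email Changed" email (assumed to match the log's timezone).
EMAIL_TIME = datetime(2024, 3, 12, 23, 8, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse(log_text):
    """Return (time, ip, method, path, status) tuples for parsable lines."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            out.append((ts, m["ip"], m["method"], m["path"], int(m["status"])))
    return sorted(out)

def triage(log_text, email_time, margin=timedelta(minutes=10)):
    """Find POSTs that could have changed settings, then each client's activity."""
    entries = parse(log_text)
    # The email time has minute precision, so accept requests through the
    # end of that minute.
    latest = email_time + timedelta(seconds=59)
    candidates = [e for e in entries
                  if e[2] == "POST" and email_time - margin <= e[0] <= latest]
    ips = {c[1] for c in candidates}
    by_ip = {}
    for e in entries:
        if e[1] in ips and abs(e[0] - email_time) <= margin:
            by_ip.setdefault(e[1], []).append(e)
    return {"candidates": candidates, "by_ip": by_ip}

if __name__ == "__main__":
    for ts, ip, method, path, status in triage(SAMPLE_LOG, EMAIL_TIME)["candidates"]:
        print(ts.isoformat(), ip, method, path, status)
```

The paths in the candidate list are what you then match against the plugins installed on the website when reviewing them for the vulnerability.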