These Security Rules Are Not an Indication Your WordPress Website is Hacked

Recently we mentioned the importance of security companies checking to make sure that websites they are being contacted about cleaning are in fact hacked. The reason for that is that problems unrelated to a hack are often believed to be caused by one, leading to people looking for unnecessary cleanups.

In one recent situation, the person who contacted us was sure that their WordPress website was hacked because of rules (or code) in the website's web.config, which is a configuration file for websites hosted on IIS web servers. Those rules were actually there to protect the website.

As an example of what was at issue, the following rule restricts access to .php files in the WordPress uploads directory, which would prevent a hacker from running code if they were able to upload .php files through some vulnerability:

<rule name="Deny scripts from wp-content/uploads for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-content/uploads/.+\.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>

The rules may have been generated by the Plesk control panel.

Here are all the rules in question in case someone else is searching for information on this:

<rule name="Block wp-config.php for WordPress instances" enabled="true" stopProcessing="true">
	<match url="wp-config.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-includes for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-includes/.+\.php" />
	<conditions>
		<add input="{REQUEST_URI}" pattern="^/wp-includes/js/tinymce/wp-tinymce\.php$" ignoreCase="false" negate="true" />
	</conditions>
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-content/uploads for WordPress instance #6" enabled="true" stopProcessing="true">
	<match url="^wp-content/uploads/.+\.php" />
	<conditions />
	<serverVariables />
	<action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
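To see what those three rules actually do, here is an added Python script (not from the original post, Plesk, or Microsoft) that evaluates them against sample request paths. It implements only the URL Rewrite behaviour these rules rely on, which is an assumption about IIS semantics rather than a full reimplementation: an unanchored regex `match url` against the path without its leading slash, a negatable `{REQUEST_URI}` condition, and the CustomResponse action.

```python
import re
import xml.etree.ElementTree as ET

# The three rules quoted above, wrapped in a root element so they parse as one document.
RULES_XML = r"""<rules>
<rule name="Block wp-config.php for WordPress instances" enabled="true" stopProcessing="true">
  <match url="wp-config.php" />
  <conditions />
  <serverVariables />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-includes for WordPress instance #6" enabled="true" stopProcessing="true">
  <match url="^wp-includes/.+\.php" />
  <conditions>
    <add input="{REQUEST_URI}" pattern="^/wp-includes/js/tinymce/wp-tinymce\.php$" ignoreCase="false" negate="true" />
  </conditions>
  <serverVariables />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
<rule name="Deny scripts from wp-content/uploads for WordPress instance #6" enabled="true" stopProcessing="true">
  <match url="^wp-content/uploads/.+\.php" />
  <conditions />
  <serverVariables />
  <action type="CustomResponse" statusCode="403" statusReason="Forbidden" statusDescription="Forbidden" />
</rule>
</rules>"""


def _flags(element):
    """URL Rewrite regex matching is case-insensitive unless ignoreCase="false" (assumed)."""
    return re.IGNORECASE if element.get("ignoreCase", "true") == "true" else 0


def condition_holds(cond, request_uri):
    """Evaluate one <add> condition; only the {REQUEST_URI} input is supported here."""
    if cond.get("input") != "{REQUEST_URI}":
        raise NotImplementedError(cond.get("input"))
    matched = re.search(cond.get("pattern"), request_uri, _flags(cond)) is not None
    return matched != (cond.get("negate", "false") == "true")  # negate flips the result


def evaluate(rules_xml, request_uri):
    """Return (rule name, status code) for the first rule that fires, or None.

    <match url> is compared unanchored (like .NET Regex.IsMatch) against the path
    without its leading slash or query string; conditions see the full {REQUEST_URI}.
    """
    path = request_uri.split("?", 1)[0].lstrip("/")
    for rule in ET.fromstring(rules_xml).iter("rule"):
        if rule.get("enabled", "true") != "true":
            continue
        match = rule.find("match")
        if re.search(match.get("url"), path, _flags(match)) is None:
            continue
        conditions = rule.find("conditions")
        adds = conditions.findall("add") if conditions is not None else []
        if not all(condition_holds(c, request_uri) for c in adds):
            continue
        action = rule.find("action")
        if action.get("type") == "CustomResponse":
            return rule.get("name"), int(action.get("statusCode"))
        if rule.get("stopProcessing") == "true":
            break
    return None  # no rule fired: the request goes through to WordPress as normal


if __name__ == "__main__":
    for uri in ("/wp-config.php", "/wp-content/uploads/2019/03/photo.jpg",
                "/wp-content/uploads/2019/03/backdoor.php",
                "/wp-includes/version.php", "/wp-includes/js/tinymce/wp-tinymce.php"):
        print(uri, "->", evaluate(RULES_XML, uri))
```

Note that the uploads pattern is not anchored at the end, so a name like `photo.php.jpg` is blocked as well, while the wp-includes rule deliberately exempts wp-tinymce.php because older WordPress versions load it directly.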

Make Sure to Upgrade Zen Cart Before Your Web Host Changes the PHP Versions They Support

We recently have had a significant number of people coming to us for Zen Cart upgrades needed because their web hosts changed the minimum PHP version they support. Unfortunately, a lot of them have reached the point where the website is already broken due to that PHP change, so now would be a good time to assess whether you need an upgrade before you run into problems.

The lowest version of PHP still supported is 7.1 and version 1.5.5 of Zen Cart and above are designed to support that. Support for PHP 7.1 will end on December 1.

If you upgrade to the latest version of Zen Cart, 1.5.6, you have years of support built in as that is designed for PHP versions up to PHP 7.3, which is supported until December of 2021.

While the lowest supported version of PHP is currently 7.1, one of the recent situations where we were brought in involved the web host raising the minimum PHP version to 5.6, which Zen Cart 1.5.3 and above were designed for.

Making the upgrade process more difficult in some instances is that Zen Cart 1.5.6 will not run with versions of PHP lower than 5.5 (previous Zen Cart versions would run on older versions of PHP well enough to test things out before switching to a newer version).

SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites, the first thing legitimate providers would want to do when contacted is to make sure that the website they are being contacted about is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate, and the company that seems to be the farthest from legitimate is SiteLock, which has a well-earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts where the web host pushes their services and SiteLock in turn provides them a large commission for services sold through that. That type of relationship is often to the disadvantage of customers of the web hosts, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customer’s websites due to claimed malware on the website. When the customer contacted the support department they were transferred to SiteLock and told the only way to get the website back up was to pay them $70 to $100 a month (charged annually). In reality the web host only requires that the website be cleaned for them to reactivate it. In this case though the situation is much worse, since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS) due to outputting user input without escaping it, but someone would have to know both the apparently randomized name of the file and the apparently randomized additional value checked for that to even come into play.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious.

Based on our years of seeing what SiteLock is up to, it seems possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is a scam, since if they can’t correctly identify malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation, the first thing we did was to ask about the evidence provided by the web host to support the shutting down of the website. Once we saw that, we were able to explain what was going on and help get this resolved for free instead of scamming money out of someone whom others had already attempted to scam.

Get a Free Consultation From Us

If you have been contacted by SiteLock or a SiteLock-partnered web host claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked, and if it is, we will provide you with a free consultation on how you can best deal with the issue. To provide that second opinion, please send us the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

123 Reg’s Idea of Security Also Involves Leaving Websites to Get Hacked

Earlier this week we noted that GoDaddy’s idea of security involved leaving websites insecure and dealing with the aftereffects of that. They are not alone, as here is how another web host, 123 Reg, promotes a security service provided by their security partner SiteLock:

Malware is malicious code that can attack your website and cause security or performance issues.

Google has discovered that approximately 30,000 sites are affected by this malicious code every day and just 14% are protected, leaving 86% of websites vulnerable to attack. It sounds scary, but there is a way to protect your website.

SiteLock® from 123 Reg provides your website with a credible, state-of-the-art diagnostic system that scans for threats and identifies known malicious code, removing it from your website automatically. Giving you peace of mind in knowing that your site is malware free.

There are 110 million variants of malware in existence today. You can’t check your website every day in case you’ve been attacked. Let us do it for you.

Of course if SiteLock is detecting malicious code on your website then it has been affected by malicious code. Real protection would stop the malicious code from getting there in the first place.

What should also raise questions there is that if there really were “110 million variants of malware in existence today”, what are the chances that SiteLock might miss some? The answer, from an earlier post of ours, is that in reality SiteLock misses malicious code that 123 Reg is able to spot themselves.

Even if they were good at spotting malware, if code is able to get on the website then its malicious impact could already have happened by the time it gets removed. For example if the malicious code copies all of an online store’s customer details, removing the malicious code isn’t going to undo it.

If you are looking to protect your website, we recommend doing the security basics, since those will actually stop the possibility of many attacks, while services that claim to protect websites present no evidence that they are effective at all, and we frequently have people coming to us looking for one of those that works after having used a service that didn’t prevent their website from being hacked. If your website has already been hacked, then the solution is to have it properly cleaned instead of buying a security service.

SiteLock Falsely Claims That Website Hosted By Their Partner 123 Reg Is Malware Free

Over two years ago we noted that the then recently started partnership between the web host 123 Reg and the security company SiteLock was already producing the bad results that should have been expected based on SiteLock’s well-earned reputation as scammers. If the website we were contacted about earlier this week is any indication, things haven’t changed.

One of the more annoying aspects of the scam that is so much of the security industry is that after people get scammed by security companies like SiteLock that don’t even attempt to properly do the work they are being hired to do, people come to us wanting us to help them out for free since they already paid the scamming company (which we are not in the business of doing, for what should be obvious reasons). That was the case with someone who contacted us after being told by 123 Reg that their website was hacked, hiring their partner SiteLock to clean it, and having SiteLock claim to have cleaned it up. While SiteLock claimed the website was malware free, 123 Reg wouldn’t unsuspend the website due to them claiming there still was malicious code on it.

When we were contacted about the website it was suspended, so we couldn’t see what was going on with it, but when we went to check on the website a couple of days after we were initially contacted, we found that the website was no longer suspended and that clearly it still had malicious code on it since when trying to access the homepage we were redirected to a malicious website.

What this situation shows is that 123 Reg should certainly be aware that the security company they have partnered with isn’t getting things done. That they continue the partnership is a good indication that the partnership is based not on helping their customers get connected with a reputable security company, but instead is based on them getting paid to push their customers to hire SiteLock.

The most unfortunate element is that there really isn’t an apparent solution here. If people hired reputable companies like ours they could avoid this type of situation, but what we have found is that most people will ignore warnings about companies like SiteLock until after they have been scammed, and then in situations like this they want someone else to help them for free.

GoDaddy’s Idea of Security Involves Leaving Websites to Get Hacked

If it were not for seeing the great value we can provide in quickly resolving hacking situations that have gone on for weeks or months, we likely wouldn’t have anything to do with the security industry, since it is such an awful industry, which seems to be largely built around taking advantage of people. One recurring example of that is that those in the security industry promote leaving websites insecure as security, instead of telling people what would actually keep websites secure (which doesn’t involve the services they are selling). As yet another example of that, here is how GoDaddy sells people on a security service that they charge up to 29.99 a month for:

Complete protection for complete peace of mind.

Website Security powered by Sucuri is advanced protection made simple. There’s no software to install, daily security scans run automatically and if there’s ever an issue our auto removal tools can’t fix, our security experts will repair it manually – no matter how long it takes and at no additional cost to you.

By repairing the issue, they are talking about cleaning up a hack, which shouldn’t happen since the website is supposed to be protected.

Also of note, with the claims made in that quote, is that our experience from often being brought in to re-clean websites after their security division, Sucuri, fails to get the job done, is that sometimes they will keep doing incomplete cleanups and in other instances they won’t come back in and will falsely claim that a website is clean when it isn’t. In either case what they don’t do is attempt to properly clean up the websites in the first place, which would negate the need for even discussing repeated cleanups.

Your Courses Will Remain After Upgrading Moodle

One common misconception that we don’t quite understand, but that comes up often when we are contacted about possibly doing upgrades of software on websites, is a belief that after an upgrade the content of the website will not be there anymore and will need to be transferred back to it. We are not sure where that would come from, since if that were the case there wouldn’t be a reason for doing upgrades: you could cut out a step and just do a new install of the software and then do a transfer. (If an “upgrade” required that, it would actually be a migration, not an upgrade.)

Because it specifically came up recently, we wanted to make it clear to a wider audience that upgrading Moodle will not cause courses or other content to go missing and need to be restored. That being said, when we do upgrades of Moodle we first do a test of the upgrade to ensure that nothing goes wrong during the upgrade process and that everything will work with the new version of Moodle, since a real concern is that there might be an incompatibility between the new version of Moodle and, say, the hosting environment the website is hosted on.

We offer both one time Moodle upgrades and ongoing upgrades on a subscription basis.

Paying a Lower Yearly Fee for an Ongoing Website Security Service When You Have a Hacked Website is Not a Deal

When people have had their website hacked, the unfortunate reality is that there are a lot of people out there looking to take advantage of them. A lot of that involves telling people what they want to hear while knowing that you are lying to them. Based on what people say when contacting us, what a lot of people with hacked websites are looking for is a service that will protect their website from being hacked again. The reality we tell them is that while there are plenty of services that claim to do that, they don’t work (as an example of that, we often have people coming to us asking if we offer a service like that that works, after using one that didn’t prevent their website from being hacked), and in fact the providers of them don’t present any evidence that even tries to support that they do. The additional reality is that the companies behind these services usually don’t even try to do the work that could possibly make them work.

That last element is in some ways the most important when it comes to someone who already has a hacked website, since part of the work that these services don’t do to try to protect websites is also an important part of cleaning up a hacked website. Just last Friday we mentioned an example of that with a company named Sucuri, which had press coverage for something that wasn’t meaningful when the real story should have been that they were publicly admitting to cutting corners with hack cleanups by not even trying to determine how the website got hacked. If you don’t know how websites are being hacked, you are going to have a hard time even trying to protect them. That they admitted to that isn’t really surprising to us, because we have been dealing with the aftereffects of their improper cleanups and their failure to protect websites from being hacked in the first place for years.

Recently we had someone contact us while looking for a better deal on a website service after their web host GoDaddy tried to sell them a $299 a year subscription for a service provided by Sucuri, which GoDaddy owns, after they claimed their website was hacked. Paying less for a service that won’t properly deal with a hack isn’t a better deal, since at any price it isn’t going to properly resolve the situation. Instead, if your website is hacked, what needs to be done is to get it properly cleaned up. Properly cleaning up a hacked website involves three key components:

  • Cleaning up the hack.
  • Getting the website as secure as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was hacked and fix that.

Once that has been done, then doing the security basics is what is going to do a better job than these services to keep your website from being hacked again.

If you want your hacked website properly cleaned up your best bet is to hire us. On the other hand, if you want to get ripped off, then check out the other companies out there, since a lot of them would love to take advantage of you.

Security Journalists Should Be Focused on Sucuri Failing to Properly Clean up Hacked Websites Instead of Non-Notable Malicious Code

When it comes to the poor state of web security, what is badly needed is security journalism that exposes what the many unscrupulous security companies are up to and how they take advantage of their customers. Instead, what we have found is that journalists act more as the marketing department for those companies.

One security company that applies to is Sucuri, a company whose hacked website cleanups we are frequently brought in to redo after they have not even attempted to do them properly. One of the things we have often found that they haven’t done is try to determine how the website was hacked. That is a problem for the cleanup, since you need to know how the website was hacked to ensure that the vulnerability has been fixed, and because we have found that Sucuri is often missing parts of the hack code that could have been spotted if they had done the work needed to try to determine how the website was hacked. But the larger issue with this company not doing that is that their main service is supposed to protect websites from being hacked in the first place, which, in all likelihood, is going to be difficult if you don’t know how they are being hacked.

Sucuri’s own marketing speaks to the fact that they don’t seem focused on actually protecting websites, as on their home page they tout a number of stats about the service, not one of which is related to the effectiveness of protecting websites:

The number of cleanups might be an indication of their failure to do that, if many of those are cleanups of existing customers’ websites (assuming the stats are even true).

You don’t have to take our word that Sucuri doesn’t try to determine how websites are hacked. A recent article on the security news website Threatpost, Stealthy Malware Disguises Itself as a WordPress License Key, mentions that in passing, when it should be the focus of the story. Instead the focus of the story is in itself not newsworthy, as it reports on Sucuri describing a dime-a-dozen situation where malicious code has been added to the functions.php file of a WordPress theme. What might be newsworthy is how that code got there, but Sucuri didn’t even attempt to determine that:

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

Getting access to the logs would have been a basic part of the work of a proper cleanup and shouldn’t be difficult.

How this person would know how this type of hack generally happens if they are not doing the work to determine that seems like an obvious question to ask them, but it would appear that Threatpost wasn’t interested in digging deeper into an employee of this company admitting to cutting corners in the work they are doing. (You also have to wonder why someone is called a “security analyst” if they don’t actually do security analysis.) One explanation for the lack of critical coverage of the security industry, in this instance and in general, by Threatpost is that it appears to itself be owned by a security company.

Is the “Insecure content blocked: the page is trying to load scripts from unauthenticated sources.” message related to malware or another hack?

We recently had someone contact us looking for a cleanup of a hacked website due to the Chrome web browser displaying the message “Insecure content blocked: the page is trying to load scripts from unauthenticated sources.” when visiting their website, which they thought was caused by malware on the website. It was good that they contacted us and not one of the many unscrupulous security companies out there, as instead of taking people’s money before even knowing if our service is really needed, we actually make sure the website is hacked first (when there is a real hack, we don’t charge until the work on the cleanup is completed).

In this case the website wasn’t hacked, instead it was simply a case where some of the URLs for content on the page were using HTTP URLs even when pages of the website were requested over HTTPS, which creates a minor security issue, hence the warning.

What is important to note though is that this type of situation could be caused by malware, as it could be a situation where a hacker has added HTML code to the website’s pages that causes requests for malicious content over HTTP even when the pages are served over HTTPS. So if you start seeing the warning without having changed anything on the website, a hack could be a cause of the message.
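One way to tell the two causes apart is to list the plain-HTTP subresources on the HTTPS page and see which hosts they point at. The Python script below is an added example, not from the original post; the page HTML and the third-party hostname in it are constructed, and it assumes the site's own hostname is known, so that HTTP URLs on the site itself (the misconfiguration case described above) can be separated from URLs on unfamiliar hosts, which are what to look at when injected code is suspected.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Subresource attributes per tag. Scripts, stylesheets and frames are "active" mixed
# content, which browsers block outright (hence Chrome's message); images and media
# are "passive" and are loaded with a warning.
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    """Collect subresources requested over plain HTTP from an HTTPS page."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE:
            kind, attr = "active", ACTIVE[tag]
            # Only stylesheet links are fetched as active content; ignore e.g. rel="canonical".
            if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                return
        elif tag in PASSIVE:
            kind, attr = "passive", PASSIVE[tag]
        else:
            return
        url = attrs.get(attr) or ""
        parts = urlsplit(url)
        if parts.scheme != "http":  # https:, scheme-relative (//host/...) and relative URLs are fine
            return
        self.findings.append({
            "tag": tag, "kind": kind, "url": url,
            # A plain-HTTP URL on the site's own host is usually a misconfiguration;
            # one on an unfamiliar host is what to investigate for injected code.
            "offsite": (parts.hostname or "").lower() != self.site_host,
        })


def find_mixed_content(html, site_host):
    parser = MixedContentFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


def offsite_active_urls(findings):
    """The subset that most warrants a look when a hack is suspected."""
    return [f["url"] for f in findings if f["kind"] == "active" and f["offsite"]]


# Constructed sample page; the third-party host is a placeholder, not a real domain.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/demo/style.css">
<link rel="canonical" href="http://www.example.com/">
<script src="https://www.example.com/wp-includes/js/jquery/jquery.js"></script>
<script src="http://static.third-party.example/loader.js"></script>
</head><body>
<img src="http://www.example.com/wp-content/uploads/logo.png">
<img src="//www.example.com/wp-content/uploads/banner.png">
<a href="http://www.example.com/about/">About</a>
</body></html>"""

if __name__ == "__main__":
    for finding in find_mixed_content(SAMPLE_HTML, "www.example.com"):
        print(finding)
```

Run it against the saved HTML of the page that triggers the warning; an empty result from offsite_active_urls() points towards a misconfiguration rather than a hack, but a hacked page can also reference HTTP resources on the site's own host, so the full findings list is still worth reading.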

The important takeaway from this is that you want to make sure to confirm that your website is hacked before hiring someone to clean it. If a company is interested in taking your money before even confirming it is hacked, they probably don’t have your best interest at heart, which, based on our years of experience being brought in to deal with the results of others improperly handling hacked websites, could lead you to have even more problems than the initial hack.