Recently I got a notification that a site was temporarily disabled because it had malware on it. Now that the issue is resolved, I believe it to be a false positive and overreaction from the hosting company. It also came on the night that I met a cleanup expert who works for Wordfence, the popular WordPress security plug-in. That meeting came in handy as I noticed scans on some of my sites weren’t completing successfully. My new Wordfence contact helped me find the appropriate settings to allow scans to complete and I wanted to share them with you.
Each of my own sites is hosted at SiteGround and some were recently migrated from other hosting. Even though the SiteGround hosting is far more robust than the previous hosting, I found that Wordfence scans on my sites were hanging up well before the scan was completed.
Let’s first look at the order of a Wordfence scan. Items go from left to right during a scan and the first three are only available for those with the premium version of Wordfence. My scans were hanging up in the middle of the File Changes stage and therefore never got to the Malware Scan. This was very frustrating as it left open the possibility for malware to go undetected.
Many of the things I needed to change were found on the Wordfence | All Options page. Once on that page, scroll down to the Scan Options section. While my sites were not set to do a High Sensitivity scan, it was recommended I not choose this option. All of the available General Options were checked, except for the last three. The boxes not checked are Scan files outside your WordPress installation, Scan images, binary and other files as if they were executable and Enable HIGH SENSITIVITY scanning.
In my own attempts to find a solution, I had tried a much higher Maximum execution time (100) based on a tutorial I’d read. My contact suggested setting this at 15. Probably the biggest thing changed was in the Advanced Scan Options. Each time a scan fails, the file on which it fails is added to the Exclude files list. Mine had grown fairly long and everything on that list was cleared. In its place, a few file types were added. While the file types can include malware, none can be executed directly so they are very low risk. The exact entry for those file types is listed below.
Once these changes were made (and the Save Changes button clicked), the scan ran successfully. Knowing that any problems will be detected quickly helps a Web geek sleep much better at night. Should you have Wordfence scan problems, I hope these suggested changes will help you find a way to get the scan running successfully again.
If you have a Web site, security is extremely important. The bad guys are trying to hack it, no matter how big your site. Having a few layers of security in place is an absolute must.
Just over a week ago was WordCamp Phoenix and one of the speakers was Aaron Campbell who is one of the core developers for security in WordPress. He provided a lot of great information and he stressed that you absolutely must have strong passwords that are different on every single site. No matter how good your memory, you will never remember them all. I’ve always relied on Roboform as our method of creating and remembering passwords. I checked with Aaron and he said it is a great option.
Just a few days before that, I was at the GoDaddy Pro Summit and one of the speakers was Tony Perez of Sucuri. To say Tony is very animated when talking about security would be an understatement. I just felt more secure listening to him. Or did I feel more worried about security on my sites? Hmmm, I’ll need to think more about that. Sucuri provides a service to help you protect sites and is something you may want to consider for your sites.
Each time we hear about a Web site being attacked, the owner of the hacked site doesn’t understand why their site was targeted. The short answer is that the bad guys are rarely looking to attack a specific site. Instead they are looking for sites that are vulnerable. Let’s go over some of the specifics that can make your site vulnerable and ways you can protect it.
For a minute, pretend you are an enterprising hacker and you want to make the most money possible. If you are going to attack sites, wouldn’t it make sense to go after the most popular platform on the Web? WordPress powers 28% of all sites (as of this writing) which is far more than any other platform. Because of this, it is targeted regularly.
What Needs Updated
There are three major components to the WordPress ecosystem that can be vulnerable. First is the core WordPress installation. Next are themes installed in WordPress. Every site must have at least one theme and it is common to have 2-5 installed. The third are plugins that are added to a WordPress site. Typically sites will have 10-25 plugins installed. All of these components provide a way for bad guys to compromise your site. Let’s look at each component separately.
In a given year, the core WordPress is updated 5-10 times. Updates address known security issues, fix bugs and add new features. For site security, the most important reason to install an update quickly is to make sure the security issues are patched. When you purchase hosting for a WordPress site, it may include automatic installation of the core WordPress files. It also may not. We’ve seen sites that haven’t had the core WordPress updated in several years and those sites are huge targets for hackers.
For those of you who have hosting plans that automatically update the core WordPress, you can at least breathe easy on that component. Most site owners probably don’t even know if the updates are automatic so this is something worth investigating. If your site isn’t updated automatically, you need to develop a plan to check for updates and get them installed in a timely manner.
Do You Have a Good Theme?
It is possible that a theme never has updates released. While this may seem like a good thing since you don’t have to install the update, it typically means the theme becomes more vulnerable over time. Let’s pretend you use XYZ Theme (this is a fictional name) and it hasn’t been updated in a year. In total, we’ll say this theme is installed on 10,000 sites. When the hackers find an issue with that theme, they know they can attack a large number of sites very quickly. They aren’t targeting your site, they are targeting all sites with that theme.
Other themes are updated almost every week. While this can mean you have more updates to install, it also means the developers are making sure it is as safe as possible. This is one of many reasons we like Elegant Themes. Plus they are likely adding new features! The key is that someone must log in to the back end of your site and install those updates in a timely manner. This is not a feature often included as part of your site hosting. So if you aren’t doing it, is someone else doing it for you?
Since most sites have a small number of themes installed, it is important to make sure they are all updated. Even the themes not active can be vulnerable. Maybe some of them should be deleted. Even then, the best plan is to make sure they are all updated regularly.
Plugins Provide Power and Vulnerability
Plugins make it very easy to add features to your site, even by adding a layer of security. But each plugin also provides one more component that can be vulnerable. You want a form on your site for visitors to contact you, right? So let’s pretend your site uses ABC Form Builder (again, a fictional name). It is a really popular plugin with 500,000 installs. And because it allows anyone to enter information, it is especially vulnerable if the developer has missed something. When you don’t update it for six months, the hackers will gladly come infect your site with malware.
Since most sites have at least ten plugins and these plugins are regularly updated, you have to really stay on top of it. On a given site, it is quite common to have at least five plugin updates in a given week. If any of them aren’t installed, the bad guys may have a way to attack your site.
We’re not aware of any hosting plan that includes plugin updates. Maybe your Web developer has included this in the plan they sell to you. What we’ve seen is that most site owners simply don’t install updates. It is those same site owners who don’t understand why their site was hacked. Are you installing plugin updates? Is someone else installing them for you?
The Basic Level of Protection
At the very least, every WordPress site must have a plan in place to install updates to the three components we’ve discussed. Even if this is only done once a week, it could take 10-15 minutes to log in to the site and get everything updated. Over a month’s time, that could add up to as much as an hour. Will you take the time to do it? Do you want to pay your Web site developer for an hour of their time to do it?
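As an added example (not part of the original article), the weekly check described above can be scripted instead of clicked through. It assumes WP-CLI is installed on the host, which the article does not mention; the function names and sample rows are constructed for illustration, using the article's fictional plugin and theme names.

```shell
#!/bin/sh
# Audits the CSV inventory that WP-CLI prints (run from the WordPress root):
#   wp plugin list --fields=name,status,update,version --format=csv
#   wp theme list  --fields=name,status,update,version --format=csv
# Core is checked separately with: wp core check-update

# Print "name version" for every row whose update column is "available".
pending_updates() {
    awk -F, 'NR > 1 && $3 == "available" { print $1, $4 }'
}

# Print names of installed-but-inactive items; their code is still on disk.
inactive_items() {
    awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Constructed sample rows, not output from a real site.
SAMPLE_PLUGINS='name,status,update,version
abc-form-builder,active,available,2.1.0
example-cache,active,none,1.4.2
old-gallery,inactive,available,0.9.1'

SAMPLE_THEMES='name,status,update,version
xyz-theme,active,none,3.0.0
leftover-theme,inactive,available,1.2.0'

# Report on one component type; returns 1 when any update is pending.
audit() {
    kind=$1 csv=$2
    pending=$(printf '%s\n' "$csv" | pending_updates)
    idle=$(printf '%s\n' "$csv" | inactive_items)
    [ -n "$idle" ] && printf '%s installed but inactive (update or delete): %s\n' \
        "$kind" "$(echo $idle)"
    if [ -n "$pending" ]; then
        printf '%s with pending updates:\n%s\n' "$kind" "$pending"
        return 1
    fi
    return 0
}

# Demo run over the constructed samples; a cron job would pipe real wp output in.
status=0
audit plugin "$SAMPLE_PLUGINS" || status=1
audit theme "$SAMPLE_THEMES" || status=1
echo "audit status: $status"
```

A non-zero status is the signal to schedule the update session; the inactive list covers the point made earlier that themes not in use still need updating or deleting.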
This is exactly why we developed our WordPress Maintenance Service. Even our Bronze plan does more than simply keep these components updated. Instead of just doing it weekly, updates are installed more often to make sure security patches are in place quickly. So do you want to take an hour or more to do it? Do you want to pay for an hour of your developer’s time? Or do you want it done for a fraction of the cost on an even more regular basis?
What Happens When My Site Gets Hacked?
Each hack is different. Some hacks don’t seem to have any noticeable change to a site. Other hacks will take a site completely offline. Would not having a Web site for a few days hurt you? Some hacks install malware which infects visitors to your site and causes Google to label you as a bad site and remove you from search engine rankings. Would it hurt you if your visitors are mad at you and your site no longer appears safe to Google? Getting that label removed and regaining your Google ranking can take quite a bit of time.
We’ve also seen hacks where legitimate blog posts are deleted and a number of spammy posts were added. Would it hurt you if the posts you created were gone forever? Would your visitors trust you if your site had a bunch of spammy posts?
Instead of asking yourself why anyone would want to hack your site, you should just assume it is being attacked every single day. Why? Quite simply, it is being attacked. Installing updates regularly is the first line of protection. More can be done by making sure your site is backed up. Should it get hacked, the backup could save you. Active security protection can also be put in place to repel the attacks. This additional protection is part of our Silver WordPress Maintenance plan.
As I write this, I think of an appliance commercial from long ago with the tagline “you can pay me now or you can pay me later.” If you want to do the maintenance yourself, go for it. It’s just most of you aren’t doing it. I’d rather you invest in a maintenance plan to keep your site working well. If not, the cost to recover your site after a hack is probably going to be a lot higher. Add to that any lost revenue from being without a working site for a period of time.