No one enjoys reading about WordPress malware and security.
And if you’re like I was, you skip over many security tips and warnings because you’ve never had major issues.
Don’t be like me…
Please.
In addition to the plugin tech issues I was having with setting up my self-hosted course site, I was also very concerned about malware along the way.
And it didn’t help that several of you shared your membership hacking or malware nightmare stories with me.
I must say…
That was always something that made me nervous about hosting my courses. I just couldn’t get the “what-if-my-site-gets-infected-or-hacked” question out of my head.
I’ve already had several site malware issues over the years.
Fortunately I got the problem fixed last year after much frustration, and I want to share what I learned.
Keep in mind, I’m on a $200/month dedicated hosting account. I have a firewall and tried almost every “great” WordPress security plugin anyone recommends.
And my site was STILL compromised over and over again.
If you host (or plan to host) your own products and customer data, please don’t ignore this.
How Malware Impacts WordPress
Malware is a malicious file that can be inserted into your site through vulnerable/bad code (a WordPress plugin or theme).
Through that malware file, hackers are able to do all sorts of things such as send emails out from your server (and get your site IP address banned by email providers and Google), make changes to certain pages, etc.
That’s why you should limit how many plugins and themes you install and always make sure you update them.
Malware is difficult to avoid completely if you use WordPress plugins and themes because WordPress runs on PHP, which can create a vulnerable environment for malware.
However, you can help prevent it, and I’ll discuss that below.
I don’t say this to scare you away from WordPress (I could never imagine using anything else), but you need to be informed about what can happen.
My Opinion of WordPress Scanning Plugins
I know there are a lot of recommendations for free and low-cost security and malware scanning plugins for WordPress.
They do help to a certain degree, but if you have an e-commerce site and collect or pass customer information, you need something more reliable.
The free recommendations countless bloggers have made were not good enough to keep my site safe and clean.
I even had a premium version of Wordfence installed ($39/yr), and it overlooked a malware file that was installed right inside the main WordPress admin directory.
What’s crazy is I actually found the file myself!
You better believe I cancelled that service in a hurry.
I questioned their support about why this obvious file was not found during a scan. They sent me a response with all these settings changes I needed to make.
Okay fine. But the fact that the file was located right inside the main WordPress admin directory and the plugin missed it with the default settings really bothered me.
Sucuri To The Rescue!
I bit the bullet and signed up with Sucuri (no affiliation) last year. My host actually suggested it.
They’ve been featured in all the reputable tech magazines and blogs for years, but their price always scared me away.
However, I knew that if I was going to ever sell directly from WordPress, I had to get my site issues under control.
Up until that time, I had an ongoing issue with my entire server crashing.
It was so bad, I had to pay an extra $15/month monitoring fee to auto-notify tech support and bring my site back up when it crashed.
No one could tell me what was going on. I bought several of these one-time malware scanning packages, and many of them said my site was clean.
My host continued to scan my server for malware, and I kept getting the “all clear” message.
Yeah right.
When I signed up with Sucuri the service immediately found a very old, buried malware file (probably from a plugin) outside the WordPress directories.
That was the culprit.
None of the other WordPress security plugins ever found it.
Hosting Companies Are NOT Security Pros
I have a friend who is a server tech and he told me that most of these hosting companies are not malware and security specialists.
The support staff are made up of server admins who are very well versed in topics such as Linux, SQL, file management, but not Internet security and malware.
They typically use very generic firewall scripts/software and their support staff is not trained to handle sophisticated hacking and malware issues.
They are often reactive instead of proactive when it comes to online exploits and security.
Now, of course there are exceptions.
Companies like WP Engine (no affiliation) are a little more advanced when it comes to that.
So a managed host that handles the security part for you may be better at the security piece. WP Engine doesn’t even let you install security plugins because they want to handle it for you.
But you’re going to usually pay more for that kind of host.
Honestly, I’ve used roughly 10 different hosts in my 19-year online journey, and have had malware issues with almost every host.
But that’s because it’s not the hosting company.
It’s the software we’re using as website owners (WordPress, forum scripts, plugins, etc).
I was with Hostgator (EIG) during one of my early outages and their solution was to buy more RAM to prevent crashing instead of fixing the root of the problem.
See what I mean? Hosting companies are not malware/security experts!!
By the way, I like to spread my sites around with regards to hosting so if something happens to one server, not all my sites are affected. Currently I use Website Palace (GoDaddy), Liquid Web (dedicated and VPS only) and NameCheap. As many of you know I stay away from EIG-owned companies.
Since using Sucuri for over a year, my malware crashing problem has completely disappeared (knock on wood).
It scans my site hourly and did find one malware file last year, but it was discovered and cleaned within 1 hour.
I will certainly keep paying for them even though I’m not going to be hosting my own courses.
Don’t Skimp on Security if You Collect Sensitive Customer Data
If you are collecting, passing (taking orders through PayPal, Stripe, etc.) and storing customer data, pleeeeeease look into top-notch security for your site and customers.
I know this stuff is boring, intimidating and you always think these things happen to someone else or more popular sites.
But here’s the deal. It doesn’t matter how popular or unpopular your site is…
Your site is a target.
Unfortunately because WordPress, Joomla, Drupal and most popular CMSs run on PHP, hacking and malware are always going to be a threat.
Here’s the biggest problem…
WordPress sites use the same file/folder structure so it’s easy for hackers to find sites that use vulnerable/exploited themes and plugins.
They use sophisticated scripts that can scan the Web and locate vulnerable sites in seconds.
And just like many of you, I trusted the free scanning plugins too. You think they are working fine…
That is…
Until your site gets infected and it’s not fully cleaned!
I hear people say all the time that certain free plugins or scanners are great! But you don’t really find out how great they are until you have a major problem that won’t go away.
Sometimes they appear to work well simply because you haven’t had a major issue yet.
Sucuri passed the test because I’ve had malware, and it’s found and cleaned it instantly. Their support is also lightning fast and thorough.
(It ought to be for the price, right?)
It’s certainly not cheap due to the fact you have to pay yearly, but worth it. Sometimes you have to put a price on peace of mind.
Again, I have no affiliation with them at all.
I am a genuinely happy customer who got tired of malware issues with no help from WordPress plugins or hosting support.
There’s no way I’d ever host my products or customer data without something like this guarding my site.
It’s a Two-Step Process
Remember there are two parts to this: prevention and cleaning.
You can prevent malicious activity by doing the following:
- Use a firewall to block “bad” traffic (Cloudflare and Sucuri have excellent ones)
- Use strong passwords (lowercase, uppercase, symbols AND numbers). Ditch those passwords with your kids’ names and ages.
- Keep themes and plugins up to date
- Delete old plugins and themes you aren’t using
- Don’t install plugins that haven’t been updated in 2+ years
Cleaning is a separate issue because if all the malicious files aren’t removed, you will continue to have problems.
That was my issue.
Hackers often hide multiple malware files within your site. (They’re called backdoor files.) So if you don’t get rid of them all, they can keep coming back and doing harm.
The scanners might find some files, but not all of them.
Sucuri has been the only reliable solution I’ve found for CLEANING my site THOROUGHLY after a malware injection.
But keep in mind, Sucuri or any malware scanner/cleaner is not going to necessarily help with prevention if you have other vulnerability issues such as weak passwords, poorly coded or outdated plugins, themes, no firewall, etc.
What Do You Use?
I realize Sucuri is not cheap, so I welcome you to share what services you use that have fixed problems you’ve had.
Perhaps you know of something that is less expensive, but has worked well for you.
And I’d especially like to hear from those who’ve had something major happen, and it’s been solved for a long period of time.
That’s how you know something is truly working.
I am not saying that free plugins and scanners don’t work. I believe they do to an extent, and could be fine for a standard WordPress site that is not hosting customer data or collecting payment info.
But if you are hosting or passing sensitive customer data, you should consider a premium solution where the company actually specializes in Internet security.
Why?
Because hackers are always coming up with new ways to do harm, so you need the support of a company that stays up on the latest and is proactive instead of reactive like a lot of web hosts.
Protecting your data and your customer’s data should be a top priority.
Rammis Khan says
Hi Lisa,
I’d never considered that my blog would be exposed to malware – I’m glad that you brought it to my attention. Yes – I definitely want to save time and protect it before it’s too late. I appreciate all of the resources that you shared!
izzi says
I am a newbie in the blogging field. I had a site on which I worked, but due to spammy comments (which I approved) a hacker redirected it to their own site. I will definitely work on it. Thanks for sharing the information.
Kashif Hussain says
Hi, Lisa awesome post.
I recently started a blog, and I have a problem in my admin panel. I am receiving a lot of spammy comments. How should I deal with those comments, which are more than 10000+ daily?
Waiting for the solution, please help me. Thanks.
Ravi says
Hi Lisa,
I know you hate EIG owned hosting sites. I changed my hosting from Hostgator to Dreamhost after reading your post about that.
I currently cannot afford LiquidWeb, so I went to DreamHost shared hosting. Is DreamHost fine? My site is going to get 10k views daily. I will have to buy a VPS/dedicated server in the coming months. Until then, is it okay to go with DreamHost shared hosting?
I know DreamHost offers DreamPress too besides dedicated and vps’s. Could you share if you know stories related to DreamHost?
Sincerely,
Ravi
Lisa Irby says
I think Dreamhost should be fine for your site.
GLU says
When users visit a website, Google will alert web users that the site contains malicious code, phishing, … through a tool called “Google Safe Browsing” (Safe Browsing). This is a plugin that is installed by default on browsers such as Firefox, Google Chrome or Cocoa. Whenever users use these browsers to access the Internet, they will be automatically checked to see if they are included in Safe Browsing’s blacklist. Instantly the browser will display a warning and block the user from accessing that address.
Steps to check and troubleshoot errors
– Use the anti-virus software (copyrighted) to scan the virus on the computer, and review the entire source code infected with malicious code support tools.
– Check for changed files in the near time when Google warns you most.
– Review index *, Default *, .htaccess and most .js files on the host. Remove all iframe-containing malicious code, which usually contains the following attributes: position: absolute; Margin-top: -1000000px; …
– Change the entire password of existing accounts with a more complex password.
These are the ways that I often apply to treat the security issues for a client’s website. We look forward to hearing from you
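The manual checks listed in the comment above (files changed recently, then index*, Default*, .htaccess and .js files containing off-screen iframes) can be scripted. The Python below is an added example, not code from the original post or its commenters; the sample site tree, its file names and the example.invalid URL are constructed, and the pattern flags any iframe with a large negative top/left offset, which is slightly broader than the two style attributes the comment names.

```python
"""Triage helper for a web root: recent changes and off-screen iframes."""
import os
import re
import tempfile
import time
from pathlib import Path

# File names the comment says to review: index*, Default*, .htaccess, *.js
REVIEW_NAME = re.compile(r"^(index\..*|default\..*|\.htaccess|.*\.js)$", re.I)
# Any opening <iframe ...> tag, including one written out from a JS string
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# Inline style that pushes the frame far off-screen, e.g. margin-top: -1000000px
OFFSCREEN = re.compile(r"(?:margin-)?(?:top|left)\s*:\s*-\d{3,}\s*px", re.I)


def _files(root):
    """Yield (absolute path, posix-style relative path) for every file."""
    for folder, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(folder, name)
            yield full, os.path.relpath(full, root).replace(os.sep, "/")


def recently_changed(root, since_epoch):
    """Return relative paths of files modified at or after since_epoch."""
    return sorted(rel for full, rel in _files(root)
                  if os.stat(full).st_mtime >= since_epoch)


def hidden_iframes(root):
    """Return (relative path, line number) of off-screen iframes in review files."""
    hits = []
    for full, rel in _files(root):
        if not REVIEW_NAME.match(os.path.basename(full)):
            continue
        text = Path(full).read_text(encoding="utf-8", errors="replace")
        for tag in IFRAME_TAG.finditer(text):
            if OFFSCREEN.search(tag.group(0)):
                hits.append((rel, text.count("\n", 0, tag.start()) + 1))
    return sorted(hits)


def build_sample_site(root, now):
    """Write a small constructed site; only two of its files look recent."""
    files = {
        "index.php": "<?php\n// constructed clean front page\n",
        ".htaccess": "# constructed sample\nRewriteEngine On\n",
        "wp-content/themes/demo/footer.js":
            "var year = 2017;\n"
            "document.write('<iframe src=\"http://example.invalid/\" "
            "style=\"position: absolute; Margin-top: -1000000px;\">"
            "</iframe>');\n",
        # A visible, legitimate embed that must not be flagged
        "wp-content/themes/demo/video.js":
            "document.write('<iframe src=\"/player.html\" width=\"560\">"
            "</iframe>');\n",
        # Constructed stand-in for an unexpected file in the admin directory
        "wp-admin/cache-old.php": "<?php // constructed placeholder\n",
    }
    recent = {"wp-content/themes/demo/footer.js", "wp-admin/cache-old.php"}
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")
        stamp = now - 3600 if rel in recent else now - 90 * 86400
        os.utime(path, (stamp, stamp))


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp, now)
        print("changed in last 7 days:", recently_changed(tmp, now - 7 * 86400))
        print("off-screen iframes:", hidden_iframes(tmp))
```

Modification times can be reset by whoever wrote a file, so an empty "recently changed" list does not by itself mean the site is clean.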
Asad Hanif says
Hi Lisa,
I’d never considered that my blog would be exposed to malware – I’m glad that you brought it to my attention. Yes – I definitely want to save time and protect it before it’s too late. I appreciate all of the resources that you shared!
David says
I agree with you about keeping an eye out for malicious code as the number of hacked websites is increasing. If you are using wp as the source code for your website then you can try using plugins like itheme security or word defendence to reduce the risk of hacking.
Steven says
Brilliant post, we also work with Sucuri over at https://www.newtlabs.co.uk they’re good for their monitoring of our clients sites as they also do server side scanning, their firewall is good and whenever we need help with malware cleanup it’s good to know that they are there!
Ashley says
I definitely found this post helpful as a newbie blogger! Focusing this month on researching .
Thanks for the tips!
Great post
Jayant Gosain says
Thanks for sharing this with us. One of my friend’s website was affected by a Malware and there were some explicit content showing on the website. Then he contacted with the Hosting provider but happened nothing. After real hard efforts, he managed to find the code.
This piece of advice is really helpful for everyone working in Internet world.
Thanks once again
sabung ayam filipina says
lol, I’m always building articles on WordPress and now I’m reading this article, I just realized WordPress can cause malware on our computer
John says
Google recently updated their safe browsing policy. The changes are outlined on their security blog, but the major change is that Google will start penalizing sites with deceptive download buttons and other third-party embedded social engineering content. This could potentially affect your site if it contains download button advertisements that are deemed deceptive.
I think this is a good change overall, but webmasters have to be diligent and monitor everything that hits their site via anything 3rd party.
Sajin Sahadevan says
Hi Lisa!
Never knew WordPress addons can cause lot of malware. I used to write blogs (2 Websites) that was on WordPress, however now moved to SharePoint Wiki Sites.
These security features you mentioned on this blog is really informative and glad I can take a heads up before moving into WordPress back. And yeah, watch for silly addons though!
Nicely written!
Regards,
Saj
Sue says
So Bluehost just sent me the email: “Your account has been deactivated due to the detection of malware.”
All of my sites (7) are down. They tell me to call them and choose ext. 5 which puts me through to a live person and a hard sell on Sitelock for a minimum of $400. They basically tell me there is no other way to clean the malware and Bluehost won’t reactivate my account until it’s cleaned.
If this isn’t a scam, I don’t know what is. And I’m prepaid through 2018 for a hosting “deal” with them. It may be worth leaving them anyway. Ugh!
Lisa Irby says
Whatever you do don’t sign up with Sitelock. And what horrible service by Bluehost. Wow!! They won’t even help you scan and clean it?? Most hosts have a basic scanner. Terrible support.
Sue says
So I’m looking to move at least 2 of my more profitable sites from Bluehost to another non-EIG company. I’m not able to afford Liquid Web or WP Engine, but would hosting at Website Palace combined with Sucuri’s Website Security package be a good alternative?
Lisa Irby says
Sure Sue! Siteground is also another good host. Anything but EIG!! And if you go with Website Palace please let me know if you have any questions along the way.
azisurrehman says
ya it happened with me too. Thanks for sharing your advice.
DNN says
The sad part is, these kinds of malicious people who hack blogs and websites are everywhere. Just pray for them that someday they’ll come into their right mind and be honest people and help others by turning heel who’ve been adversely affected by Malware.
Martin says
I just dealt with malware on one of my websites, this is a serious issue. I am glad I found it quickly. The article and comments had nice information to consider. I have not been to your website in over a year, it looks good. Thanks Lisa.
Otis says
Truly scary stuff Lisa.
But see, I’m just a small time dude trying to get his blog off the ground. I just didn’t think a fledgling blog like mine really factored in the mix. This is one helluva wake up call!
Don’t get me wrong – I’m definitely happy to have the info. But it is disheartening. I get the feeling that no matter what precautions one takes, the hackers/phishers/malware scripts simply adapt.
With that said though, Sucuri looks like it’ll be part of my ensemble going forward.
Thank you for this.
Raghu Rao says
Hi Lisa,
I am pretty to blogging and WordPress. This post is an eye opener, I never really thought there was a chance for such grave security complications on WordPress. I will certainly check both CloudFlare and Sucuri. Thanks for the recommendations.
cindy says
Hi Ms. Lisa…
I better take heed, as of late I’ve been working on my WP site AND all of a sudden I’m starting to see this icon of the letter “i” in a circle next to my url … when I click it, it says my site isn’t safe so don’t give your info….well I do collect names and emails and have some ecom stuff….So because I’m new to this malware stuff…which is interesting that the Google article made mention of malware – didn’t even know what it was …. What I thought it might be is – all of a sudden I’m seeing this only after having a Fiverr gig done on my website with that person being in Nigeria. I wonder if they can mess your site up …so I guess I better get with it, because the last thing I want is something to happen to my site..Thanks for this valuable information.
Enstine Muki says
Hey Lisa,
Thanks for sharing your experience with us.
Happy I’m back to blogging. For over half a year, I have been off, not reading and not commenting. So you see I have a lot to catch up.
Few weeks ago, I recommended Sucuri to someone. This post strengthens my recommendation
BTW Lisa, I just spotted an affiliate marketing post on your blog “Convert More Affiliate Sales With These Credibility Boosting Tactics” I will be reading just after this comment. But I wonder you mentioned and recommend 2 powerful services on this post but didn’t use an affiliate link.
This is surely going to generate a lot of sales for them. Ain’t you interested in those commissions or are you rewarded otherwise?
Hope you are having a wonderful week.
Lisa Irby says
Yeah I didn’t want an affiliation to cloud the recommendation in this case. Sometimes affiliate links can make things seem less genuine so I purposely left them off.
david nguyen says
Thank you for your great post. I’m a new blogger. I’m using free services for my site security. In the future, I will try Sucuri.
Mukesh Mali says
Such an interesting post, Lisa. Thanks for taking the time to craft it!
David Vu says
Thanks for sharing. I am using only Wordfence Security, akismet, iThemes Security. What do you think? is it enough?
Marco Spadafora says
Great blog. I am just starting my Internet Marketing journey and I will sure be taking care of security now that I have read your article. Never really gave security that much thought. Thank you for bringing this up!
Nate Davis says
Lisa sorry about your problems with the membership site and the plugin, but if you would like I can set you up on cloud base membership site for free for three months, and I do mean no cost to you. If you like it we can talk if you don’t I’ll delete it no harm no foul, if you would like to see mine I can send you a password to check it out.
N.D.
P.S.
I’m willing to bet you will be impress with the figures
Lisa Irby says
Thank you so much, Nate! I’m going to stick with what I’m doing for now. I’m so focused on POD at the moment that I want to ride this wave while it’s picking up steam. But I am so grateful and appreciative of your offer. Thank you.
Brian says
Such an interesting post, Lisa. Thanks for taking the time to craft it!
I had a few questions for you.
1) When did the hack happen to you, roughly?
2) With Sucuri, do you just use their firewall system, or do you also use the Sucuri plugin too? And do you configure the plugin’s or their firewall settings (on their website/your Sucuri dashboard) in any specific manner to further increase your website security, or have you simply set up the firewall and that’s it?
3) On a lighter note, are your cartoon images from the Bitmoji app?
Thanks,
Brian
Lisa Irby says
Hey Brian!
Yes, it is the Bitmoji app. LOL I thought I’d add some spice to a boring topic. Ha ha!
I honestly don’t know when the hack happened. I believe there were multiple ones. We’re talking years ago. Hard to know when it started. It’s been too long.
My firewall is configured through Sucuri’s dashboard. I don’t have any Sucuri plugins. It’s all done server side.
David says
The only WordPress security problem I ever ran into is people tryin’ to login to my Admin site.
I then changed the url of the login page and it worked.
Hope I never have to be worried about any problem
Nice article though. Thanks
Erik Edwards says
You should use some simple plug-in like ChangeURLlogin or some security plug-in like Jetpack or iThemes Security. It works for me
Kim George says
Heyy there Lisa girl!
Now this is a fantastic post on the importance of WordPress Security. I absolutely LOVE wordpress…BUTTTT I hate that hackers are always trolling trying to hack them.
I use Siteground to host my websites coupled with the All-In-One Firewall and Security plugin and haven’t had any issues with Malware (knock on wood).
Glad you are shedding some light on this topic though. Peeps need to know that they should not take wordpress security lightly….
Lisa Irby says
Hey Kim! Thank you chica.
I have heard great things about your host over the years. So it’s good you’re not with EIG!
Linda W says
This is amazing. The exact same thing happened to me over a year ago on my church’s website. One day I went to it and it had disappeared. I lost valuable pictures and information that I had not backed up. The price is a bit hefty but it will give me peace of mind. I have not put the site back up again because of fear. Thanks for the info.
Ileane says
Love the Bitmojis Lisa! They are so cute.
I think security issues is the biggest downside to using WordPress. We need to constantly update our themes, plugins and run the latest version of WordPress. There is NO such thing as “set it and forget it”. A friend of mine was using a really old version of WordPress simply because she was afraid that it would “break” her blog if she updated. I begged with her to update but she would not budge. Well, of course, as you can imagine — the very next day her site was hacked and it took weeks for her host (and a few WordPress gurus) to get her site back online.
What have you heard about using SiteLock on WordPress blogs?
Lisa Irby says
So true Ileane. I used SiteLock on Website Babble and I was not impressed. Someone else mentioned not liking them in an earlier comment. And their support was not helpful either. Way overpriced for what they do.
Knut Pettersen says
Hi
Just a note from Norway. I’m a programmer and developer and have hosted my own webserver for nearly 20 years, and have been programming since old Basic in the beginning of the 80’s. On all my laptops, desktops and servers we use Malwarebytes Anti Malware premium version (Paid).
Whether it fits WP I don’t know, but I have never experienced malware after installing this program.
On the server we also use the following rules: long and difficult passwords, rename the admin account, only open the folders that the website uses (we go through every folder and check access and users), remove email (use an external email provider and download it to your desktop/laptop) and very careful validation of all input forms (this is important to avoid code injection)!
And always take regular backups of your program/database files and website files.
All this takes some time, but it pays off against attacks from malware.
Lisa Irby says
Hi Knut,
I have had the premium Malwarebytes version and Norton on my computer for years now, so I keep that pretty clean. I also use very long difficult passwords.
I have no doubt the malware was from a plugin or script, which of course, has nothing to do with the other things I mentioned above. If the code is bad, malware can get in.
Have you had issues with plugin installation after renaming your admin folder? I’d love to do that but worried about installing other scripts that name that path in the code. How has that been for you?
Knut Pettersen says
Hi Lisa
Since you are working on a WP folder tree, don’t rename folders.
Then you get trouble with plugins because of the default path ++ and also with other things internal to the WP software.
I have used WP a little, but since I use big SQL databases, WP is not an option.
It is the admin user account I rename, and like someone said before, there is constantly someone who tries to log on as an admin.
If you have access to the event viewer you will see this. These are robots that try to crack the password for admin.
I’m not sure about WP but I think there are tools to prevent this if it is irritating. My webserver is IIS and there are tools to avoid it, and surely the same with Apache.
For installing plugin or script, the name of admin doesn’t matter, it is the folder.
Most of the script I use I wrote my self, or I use Javascript.
The path to the database or other folders are in extern files. So I just load that files on every websites.
And for security always check script/plugin before you install them, and update them when there is new versions and delete them when you don’t need them.
And of course follow the things I mentioned in my last post.
But since I use my own server, database and have written nearly all code my self, I can control the most of it.
My way to work is different from all who use some Open source software like WP, drupal, joomla +++, but the security problem are often the same.
I have been on “the dark side” before when I was younger and I know what we looking for.
But still I’m programming manually in textpad:)
Lisa Irby says
Oh I NEVER use admin. Yes that’s a golden rule of WordPress. I thought you meant you re-named the wp-admin folder and as I said that will cause path problems. OK thanks for the clarification.
Rob Cubbon says
Lisa, as always you’ve written about a really important subject with refreshing honesty and great practical info. I’ve had a terrible problem with Malware on my site recently. I’m moving to WPengine and I’ll not try any serious e-commerce through WordPress at the moment. It’s too much of a target.
Lisa Irby says
Yeah I hear ya, Rob! WP Engine is definitely a good managed host from what I’ve read.
I’m so glad I made the decision not to host my products myself as well. Sure, there is control and benefits to doing so but I don’t think they outweigh the risks and tech issues anymore.
There are just too many other great, 3rd party options that give you the same self-hosting control and benefits.
Iris Johnson says
Lisa,
Thanks, for sharing this great information! I’ve been dealing with hacked sites for several years and I literally threw my hands up a couple of months ago out of frustration… giving up on my attacked sites!!!
I know I will have to start over… moving my files AND sites to another hosting company (currently back with HostGator) UGH!!! I am so sick of them offering fewer and fewer services and help. And I’m tired of their partner, SiteLock, trying to extort money from me to clean my sites!
I would like to thank all of y’all who shared helpful information and sources providing some sense of security and protection against hackers and malware. It has given me some hope that I may be able to resurrect and secure my sites without being constantly bombarded with these malware issues.
Who are your top three recommendations for hosting companies for those of us with WordPress sites using shared servers?
Lisa Irby says
You’re welcome Iris. Trust me, I know how frustrating it can be. I had to deal with this for YEARS with no help so I feel your pain.
I hear a lot of great things about Siteground. They are shared. The other 2 I hear the most great things about are not shared (Liquid Web and WP Engine). But maybe someone else can share other shared suggestions.
It’s hard to recommend without having experience with the others but Siteground is one I hear good things about consistently.
Kim Harris says
Lisa,
Thank you for this insight! I have been watching your videos for some time now. I just keep a low profile.
You do such good work and I’d recommend you in a heartbeat! You speak well. Plus, what you say makes a lot of since, and you’re HONEST! I can’t say this about many.
But, I’ll say it about you! I wish I had the funds to take your COMPLETE course. If I did, I would! All bloggers need to go through training from you. In the near future, I’ll write a post about you!
Keep up the good work Lisa, and have a great day! ~Kim
Kim Harris says
“Sense”
Lisa Irby says
Wow! What an endorsement!!! Thank you Kim. You are so kind to say that.
Kim Harris says
You’re welcome Lisa. You deserve it!
Alex says
I had similar big fight with virus on my site for over a year! In the end of the day virus infected my core files and database in random tables. It was devastating feeling. All these fancy wordpress protection plugins was useless in my case.
I beat it by exporting posts to xml and copying media files to an absolutely new WordPress installation. Had to set up all plugins and settings almost from scratch (not a lot of them as you know are exportable), but it was worth the time spent – the website seems fine now (allegedly, lol).
Lisa Irby says
Allegedly! Love it. Yes, I guess we have to take the good with the bad when it comes to owning a website huh? Glad you got it fixed.
Ebizer says
I am using Wordfence besides Norton Security, and it seems they are both functioning well regarding my website security. What do you think?
Lisa Irby says
I also have Norton for my computer and it’s important to mention this because you should also make sure your computer is free of viruses and malware because that can impact your online stuff as well.
As I said in the post, I was not happy with Wordfence, but many people love them.
Sarah says
Interesting article.
On some of my sites, I use the iThemes security plugin. What I like about it is that it provides an easy way to move the wp-admin page that you (and bots) use to log in to another address. If the bots can’t find the login page, they can’t brute force their way into the site. So far, so good.
(and to be super-security conscious, I’m not linking to any site with my comment, because I’ve revealed the security plugin I use on some sites!)
Lisa Irby says
Now THAT is a great idea about moving the page.
I’ve even considered moving the entire wp-admin folder but then I realized that might not be good when it comes to installing plugins since the path would change. But some people do actually change the name of the wp-admin folder to something else.
Ronnie Kellner says
I have a woocommerce site hosted on Bluehost (EIG) shudder. Yes, we have been compromised. It’s hard enough changing hosts but I think for ecommerce sites maybe big commerce or shopify might be the answer. What do you think?
Lisa Irby says
Bluehost? Ugh. LOL
Yes, it is intimidating changing hosts but it’s really not that bad. As long as you move to another host that has cpanel they can literally port your site over with zero downtime.
They put your site on a test server so you can make sure your blog, etc. is working. Once you confirm, you simply change your domain nameservers over to the new host and BOOM you are live. When I moved 2 Create a Website to dedicated I had to do this and I had no downtime.
The trick is when you move from cpanel to another type of hosting environment. Now that can be tricky. But as long as the hosting companies use the same kind of environment, it’s really not that bad. And I had a huge forum attached to one of my sites and it moved over with no problem.
Lisa Irby says
Oh and I don’t really have much experience with Shopify but I do know they are one of the top ecommerce platforms right now and they have a WordPress plugin which makes integration easy.
Tony Rovere says
Something similar happened to me 18 months ago. I started getting malware warnings and it took months to rectify.
I tried Sucuri and it wasn’t enough. The hacker still kept getting in. Then I switched security companies and they couldn’t stop the hack.
I eventually had to port my website to another hosting company, hired a developer to move it and now have Wordfence on the case.
The amazing part is that I still, to this day, average around 800 attempted break-ins a week according to my Wordfence stats. Yes, you read that right. 800!
But luckily 99.999% of these attempted hacks use “admin” as the username (that’s been changed) and my “web guy” set it up where it would be a herculean effort to get in now.
Cost me a bundle, but it was worth it.
Lisa Irby says
Yep, I believe it. I get those admin attempts all the time too.
Limited Login Attempts and other plugins can help with those, but I also find those overrated because they block by IP address. Hackers are smarter than that. They use proxies to create a different IP and try with that one. So it’s a very complex issue and always ongoing.
Glad you got your site fixed. Do you mind mentioning who you used? I think it’s good for others to share in case someone wants to check that company out. Thanks for sharing that.
Tony Rovere says
It wasn’t a company.
I found a local guy who was in a networking group I go to recommend him. The name was Chris Fidis and his email is pegabytes [at ] aol.com. Very good on the technical end of things and really was a life saver.
I would have had to start over without him.
Lisa Irby says
Awesome! Thanks for sharing.
Chris Fidis says
Lisa,
It would be my pleasure to help anyone on this blog post having security issues with word press sites and their hosting companies.
I read a customer’s feedback and I am humbled.
Please if you like I am reachable at pegabytes@aol.com.
they can also call my google voice number at 516 308 2291
http://www.syntelsys.com is the website to visit and reach me.
I have also been profiled recently in long island newsday
with the recent ransomware attacks.
Stay in touch if i can help any of your readers.