No one enjoys reading about WordPress malware and security.
And if you’re like I was, you skip over many security tips and warnings because you’ve never had major issues.
Don’t be like me…
In addition to the plugin tech issues I was having with setting up my self-hosted course site, I was also very concerned about malware along the way.
And it didn’t help that several of you shared your membership hacking or malware nightmare stories with me.
I must say…
That was always something that made me nervous about hosting my courses. I just couldn’t get the “what-if-my-site-gets-infected-or-hacked” question out of my head.
I’ve already had several site malware issues over the years.
Fortunately I got the problem fixed last year after much frustration, and I want to share what I learned.
Keep in mind, I’m on a $200/month dedicated hosting account. I have a firewall and tried almost every “great” WordPress security plugin anyone recommends.
And my site was STILL compromised over and over again.
If you host (or plan to host) your own products and customer data, please don’t ignore this.
How Malware Impacts WordPress
Malware is a malicious file that can be inserted into your site through vulnerable/bad code (a WordPress plugin or theme).
Through that malware file, hackers are able to do all sorts of things such as send emails out from your server (and get your site IP address banned by email providers and Google), make changes to certain pages, etc.
That’s why you should limit how many plugins and themes you install and always make sure you update them.
Malware is difficult to avoid completely if you use WordPress plugins and themes because WordPress runs on PHP, which can create a vulnerable environment for malware.
However, you can help prevent it, and I’ll discuss that below.
I don’t say this to scare you away from WordPress (I could never imagine using anything else), but you need to be informed about what can happen.
My Opinion of WordPress Scanning Plugins
I know there are a lot of recommendations for free and low-cost security and malware scanning plugins for WordPress.
They do help to a certain degree, but if you have an e-commerce site and collect or pass customer information, you need something more reliable.
The free recommendations countless bloggers have made were not good enough to keep my site safe and clean.
I even had a premium version of Wordfence installed ($39/yr), and it overlooked a malware file that was installed right inside the main WordPress admin directory.
What’s crazy is I actually found the file myself!
You better believe I cancelled that service in a hurry.
I questioned their support about why this obvious file was not found during a scan. They sent me a response with all these settings changes I needed to make.
Okay fine. But the fact that the file was located right inside the main WordPress admin directory and the plugin missed it with the default settings really bothered me.
Sucuri To The Rescue!
I bit the bullet and signed up with Sucuri (no affiliation) last year. My host actually suggested it.
They’ve been featured in all the reputable tech magazines and blogs for years, but their price always scared me away.
However, I knew that if I was going to ever sell directly from WordPress, I had to get my site issues under control.
Up until that time, I had an ongoing issue with my entire server crashing. 🙁
It was so bad, I had to pay an extra $15/month monitoring fee to auto-notify tech support and bring my site back up when it crashed.
No one could tell me what was going on. I bought several of these one-time malware scanning packages, and many of them said my site was clean.
My host continued to scan my server for malware, and I kept getting the “all clear” message.
When I signed up with Sucuri the service immediately found a very old, buried malware file (probably from a plugin) outside the WordPress directories.
That was the culprit.
None of the other WordPress security plugins ever found it.
Hosting Companies Are NOT Security Pros
I have a friend who is a server tech and he told me that most of these hosting companies are not malware and security specialists.
The support staff are made up of server admins who are very well versed in topics such as Linux, SQL and file management, but not in Internet security and malware.
They typically use very generic firewall scripts/software and their support staff is not trained to handle sophisticated hacking and malware issues.
They are often reactive instead of proactive when it comes to online exploits and security.
Now, of course there are exceptions.
Companies like WP Engine (no affiliation) are a little more advanced when it comes to that.
So a managed host that handles security for you may be a better option. WP Engine doesn’t even let you install security plugins because they want to handle it for you.
But you’re going to usually pay more for that kind of host.
Honestly, I’ve used roughly 10 different hosts in my 19-year online journey, and have had malware issues with almost every host.
But that’s because it’s not the hosting company.
It’s the software we’re using as website owners (WordPress, forum scripts, plugins, etc).
I was with Hostgator (EIG) during one of my early outages and their solution was to buy more RAM to prevent crashing instead of fixing the root of the problem.
See what I mean? Hosting companies are not malware/security experts!!
By the way, I like to spread my sites around with regards to hosting so if something happens to one server, not all my sites are affected. Currently I use Website Palace (GoDaddy), Liquid Web (dedicated and VPS only) and NameCheap. As many of you know I stay away from EIG-owned companies.
Since using Sucuri for over a year, my malware crashing problem has completely disappeared (knock on wood).
It scans my site hourly and did find one malware file last year, but it was discovered and cleaned within 1 hour.
I will certainly keep paying for them even though I’m not going to be hosting my own courses.
Don’t Skimp on Security if You Collect Sensitive Customer Data
If you are collecting, passing (taking orders through PayPal, Stripe, etc.) and storing customer data, pleeeeeease look into top-notch security for your site and customers.
I know this stuff is boring, intimidating and you always think these things happen to someone else or more popular sites.
But here’s the deal. It doesn’t matter how popular or unpopular your site is…
Your site is a target.
Unfortunately, because WordPress, Joomla, Drupal and most popular CMSs run on PHP, hacking and malware are always going to be a threat.
Here’s the biggest problem…
WordPress sites use the same file/folder structure, so it’s easy for hackers to find sites that use vulnerable/exploited themes and plugins.
They use sophisticated scripts that can scan the Web and locate vulnerable sites in seconds.
And just like many of you, I trusted the free scanning plugins too. You think they are working fine…
Until your site gets infected and it’s not fully cleaned! 🙁
I hear people say all the time that certain free plugins or scanners are great! But you don’t really find out how great they are until you have a major problem that won’t go away.
Sometimes they appear to work well simply because you haven’t had a major issue yet.
Sucuri passed the test because I’ve had malware, and it found and cleaned it instantly. Their support is also lightning fast and thorough.
(It ought to be for the price, right?) 😉
It’s certainly not cheap, especially since you have to pay yearly, but it’s worth it. Sometimes you have to put a price on peace of mind.
Again, I have no affiliation with them at all.
I am a genuinely happy customer who got tired of malware issues with no help from WordPress plugins or hosting support.
There’s no way I’d ever host my products or customer data without something like this guarding my site.
It’s a Two-Step Process
Remember there are two parts to this: prevention and cleaning.
You can prevent malicious activity by doing the following:
- Use a firewall to block “bad” traffic (Cloudflare and Sucuri have excellent ones)
- Use strong passwords (lowercase, uppercase, symbols AND numbers). Ditch those passwords with your kids’ names and ages.
- Keep themes and plugins up to date
- Delete old plugins and themes you aren’t using
- Don’t install plugins that haven’t been updated in 2+ years
Cleaning is a separate issue because if all the malicious files aren’t removed, you will continue to have problems.
That was my issue.
Hackers often hide multiple malware files within your site. (They’re called backdoor files.) So if you don’t get rid of them all, they can keep coming back and doing harm.
The scanners might find some files, but not all of them.
Sucuri has been the only reliable solution I’ve found for CLEANING my site THOROUGHLY after a malware injection.
But keep in mind, Sucuri or any malware scanner/cleaner is not necessarily going to help with prevention if you have other vulnerability issues such as weak passwords, poorly coded or outdated plugins and themes, or no firewall.
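One practical way to catch the “extra” backdoor files the post describes is to keep a baseline of every file on the site and compare against it after each scan or clean-up, so anything added, changed or removed since the last known-good state stands out. The script below is an added example written for this post, not Sucuri’s or Wordfence’s code. It hashes every file under a site root, diffs two snapshots, and separately flags PHP files under wp-content/uploads (a media folder that should never hold executable code). The site layout, file contents and version string in the demo are constructed for the example.

```python
"""Added example: file-integrity baseline for a WordPress install.

Usage on a real site (paths are assumptions for the example):
  python integrity.py baseline /var/www/html manifest.json   # after a known-good clean-up
  python integrity.py check    /var/www/html manifest.json   # later, or on a schedule
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Media directory that should contain no executable PHP at all.
UPLOADS_DIR = Path("wp-content") / "uploads"
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Files present only now, only before, or whose contents changed."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def php_in_uploads(manifest: dict) -> list:
    """Executable PHP under the uploads tree is a classic place to hide a backdoor."""
    prefix = UPLOADS_DIR.as_posix() + "/"
    return sorted(k for k in manifest
                  if k.startswith(prefix) and k.lower().endswith(PHP_SUFFIXES))


def demo() -> dict:
    """Construct a toy site, snapshot it, plant three changes, return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample files (not real WordPress sources).
        for rel, body in {
            "wp-admin/index.php": "<?php require_once 'admin.php';\n",
            "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
            "wp-content/uploads/2023/photo.jpg": "JPEGDATA",
        }.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        baseline = build_manifest(root)

        # Simulated drift after the snapshot (constructed placeholders, not malware).
        (root / "wp-admin/index.php").write_text("<?php require_once 'admin.php'; // changed\n")
        (root / "wp-content/uploads/2023/unexpected.php").write_text("<?php // placeholder\n")
        (root / "wp-includes/version.php").unlink()

        current = build_manifest(root)
        report = compare(baseline, current)
        report["php_in_uploads"] = php_in_uploads(current)
        return report


if __name__ == "__main__":
    if len(sys.argv) == 4 and sys.argv[1] == "baseline":
        Path(sys.argv[3]).write_text(json.dumps(build_manifest(Path(sys.argv[2])), indent=1))
    elif len(sys.argv) == 4 and sys.argv[1] == "check":
        saved = json.loads(Path(sys.argv[3]).read_text())
        now = build_manifest(Path(sys.argv[2]))
        result = compare(saved, now)
        result["php_in_uploads"] = php_in_uploads(now)
        print(json.dumps(result, indent=1))
    else:
        print(json.dumps(demo(), indent=1))
```

Store the manifest somewhere the web server cannot write to; a baseline that an attacker can edit proves nothing. The “modified” list will also include legitimate core and plugin updates, so rebuild the baseline right after each update you performed yourself, and treat anything else in that list, and anything at all under “php_in_uploads”, as something to investigate.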
What Do You Use?
I realize Sucuri is not cheap, so I welcome you to share what services you use that have fixed problems you’ve had.
Perhaps you know of something that is less expensive, but has worked well for you.
And I’d especially like to hear from those who’ve had something major happen, and it’s stayed solved for a long period of time.
That’s how you know something is truly working.
I am not saying that free plugins and scanners don’t work. I believe they do to an extent, and could be fine for a standard WordPress site that is not hosting customer data or collecting payment info.
But if you are hosting or passing sensitive customer data, you should consider a premium solution where the company actually specializes in Internet security.
Hackers are always coming up with new ways to do harm, so you need the support of a company that stays up on the latest and is proactive instead of reactive like a lot of web hosts.
Protecting your data and your customers’ data should be a top priority.