A couple of weeks ago, I wrote about my website hosting move from HostGator to A2 Hosting. Much has happened since then and I’m doing a follow-up blog article about my experiences.
The day after my article was published, there was a very polite comment on my blog from Bryan Muthig, CEO/Founder of A2. He apologized for my bad experience and wanted to find out the complete story. To give a short synopsis, if you haven’t read my previous article, two days after I moved my sites to A2, I got a couple of emails from A2 saying I had malware in my files. They identified the files and asked me to get them cleaned up within 24 hours or they would quarantine the files.
Bryan also sent me an email, reaching out to see if we could work together to discover if their system had a false positive in finding malware, or if my files really did contain malware. I had already deleted all my files and closed my account with them at that time. I still had my sites up over at HostGator. I was happy to work with him. I sent him one of the emails that contained the list of the infected files. They were able to look in their deleted items on the server and determined it WAS malware. Many of the infected files were from within the theme and plugin folders for a site I’d been hosting for a family member.
My Site DID Have Malware
When I looked in the User section of this site in the back-end of WordPress, I saw 8 ‘new’ Admin accounts – named admin, root and variations of admin. Of course, this is very bad and a clear indication security had been breached. I immediately deleted all the accounts and changed the password. There was another site I was hosting for a friend and she had the same kind of thing in her User accounts. Those were deleted too. I found similar admin accounts on my site too. I had overlooked them since I’d recently started using the Postmatic plugin – with that, you import all the newsletter subscribers from your mail program so the plugin can send out posts. Since there were a number of email addresses in there, I didn’t notice the few admin accounts buried among them.
Then, using helpful suggestions from Bryan, I started to get the sites fixed. The best thing would be to find a backup that didn’t have the malware in it. So that started a week or so of using both BackupBuddy and the Duplicator plugin to restore the various backups I had for these 2 sites. After the sites were restored, I first checked the User area and if the rogue admin accounts were in there, I’d delete the site and try another backup! I must say, I got rather adept at deleting and restoring sites – using both BackupBuddy and Duplicator.
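The check described above (look at the User list, flag administrator accounts you did not create) is easy to script, which helps when you are restoring one backup after another. The following is an added example, not code from the original post or from any plugin it mentions. It runs the same SQL a WordPress site uses for its wp_users / wp_usermeta tables against an in-memory SQLite copy so it can be exercised offline; the sample accounts, the `KNOWN_ADMINS` allow-list and the `wp_` table prefix are assumptions for the demo. WordPress stores roles in the `wp_capabilities` meta row as a PHP-serialized array, which is why the script parses that value rather than trusting a substring match.

```python
"""Audit WordPress user tables for administrator accounts that are not on an
allow-list. Added example (not the post's own code). The query below is the
one you would run on the real MySQL database; WP-CLI's
`wp user list --role=administrator` gives the same list on a live site."""
import re
import sqlite3

# Assumption for this example: the administrator logins you know you created.
KNOWN_ADMINS = {"site_owner"}

# Constructed sample rows (not real accounts). Three admins created seconds
# apart in the middle of the night is the pattern worth noticing.
SAMPLE_USERS = [
    (1, "site_owner", "owner@example.com", "2015-04-02 10:00:00"),
    (2, "newsletter_reader", "reader@example.com", "2015-09-01 08:00:00"),
    (3, "admin", "admin@example.com", "2015-10-14 03:12:44"),
    (4, "root", "root@example.com", "2015-10-14 03:12:45"),
    (5, "admin1", "a1@example.com", "2015-10-14 03:12:46"),
    (6, "old_editor", "ed@example.com", "2014-01-01 00:00:00"),
]
# wp_capabilities is a PHP-serialized array of role => bool.
SAMPLE_USERMETA = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (5, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    # A revoked role (b:0) must not be counted as administrator.
    (6, "wp_capabilities", 'a:1:{s:13:"administrator";b:0;}'),
]

# Matches one `s:<len>:"<role>";b:<0|1>;` entry of the serialized array.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def parse_roles(serialized):
    """Return the set of roles whose flag is true in a wp_capabilities value."""
    return {role for role, flag in ROLE_RE.findall(serialized) if flag == "1"}


def list_users_with_caps(conn, prefix="wp_"):
    """Join each user to its capabilities row. The prefix is a trusted
    configuration value (the site's $table_prefix), never user input."""
    sql = (
        f"SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value "
        f"FROM {prefix}users AS u "
        f"JOIN {prefix}usermeta AS m ON m.user_id = u.ID "
        f"WHERE m.meta_key = '{prefix}capabilities' "
        f"ORDER BY u.user_registered"
    )
    return conn.execute(sql).fetchall()


def find_unexpected_admins(conn, known_admins, prefix="wp_"):
    """Return (login, email, registered) for admins not on the allow-list,
    oldest registration first."""
    flagged = []
    for _id, login, email, registered, caps in list_users_with_caps(conn, prefix):
        if "administrator" in parse_roles(caps) and login not in known_admins:
            flagged.append((login, email, registered))
    return flagged


def build_sample_db():
    """Create the two tables with the constructed rows in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, "
                 "user_email TEXT, user_registered TEXT)")
    conn.execute("CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, "
                 "meta_value TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return conn


if __name__ == "__main__":
    for login, email, registered in find_unexpected_admins(build_sample_db(), KNOWN_ADMINS):
        print(f"UNEXPECTED ADMIN: {login:<12} {email:<22} registered {registered}")
```

Running this against each restored backup in turn tells you immediately whether that backup predates the rogue accounts; the registration timestamps of the flagged accounts also give a lower bound on when the site was compromised, which narrows down which backups are worth trying.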
I finally found one backup from April that fixed the problems of my brother-in-law’s site (luckily, his site is static). I had a backup from August for my friend’s site, but it was infected even back then. So for her site and mine, I installed (one at a time), these security plugins:
They all have a lot of the same features, but some had features others didn’t have – that’s why I ran all of them (but not at the same time). These plugins could find changed theme and plugin files and revert them back to the original (yay). I could look at logs and see who had logged in and could trace IPs back to their source. I could block IPs, block certain countries and set up times when no one could log in. I could limit logins and so much more. After running scans and implementing fixes, things are looking back to normal.
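The most useful capability mentioned above, finding theme and plugin files that were changed, comes down to comparing a known-good copy of the files with what is on the server now. As an added example (not the post's own code and not taken from any of the plugins), the script below records a SHA-256 manifest of a directory tree, such as wp-content/plugins from a clean backup, and diffs it against the live tree, reporting files that were edited, added or removed. The sample plugin files are constructed inside a temporary directory so the demo runs offline; the plugin name and contents are assumptions.

```python
"""Detect changed, added and removed files under a WordPress content
directory by diffing SHA-256 manifests. Added example, not the post's code."""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Return added, removed and modified paths, each as a sorted list.
    'added' is the interesting bucket for a compromise: a file that exists
    in no clean copy of the plugin has no business being there."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root, rel, text):
    """Helper for the demo: write a text file, creating parent directories."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Constructed scenario: a clean plugin tree, then a tampered copy of it."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as live:
        files = {
            "example-plugin/example-plugin.php": "<?php // constructed sample plugin\n",
            "example-plugin/includes/helpers.php": "<?php function ex_help() {}\n",
            "example-plugin/readme.txt": "Example plugin\n",
        }
        for rel, text in files.items():
            _write(clean, rel, text)
            _write(live, rel, text)
        baseline = build_manifest(clean)
        # Two changes an integrity scan should surface: one file edited in
        # place and one file that does not belong to the plugin at all.
        _write(live, "example-plugin/includes/helpers.php",
               "<?php function ex_help() {} /* edited */\n")
        _write(live, "example-plugin/includes/cache.php",
               "<?php // constructed unexpected file\n")
        return diff_manifests(baseline, build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind.upper():<9} {path}")
```

In practice you would save `build_manifest()` output as JSON right after a clean install or restore and re-run the diff on a schedule; for WordPress core and for plugins published on WordPress.org, WP-CLI's `wp core verify-checksums` and `wp plugin verify-checksums --all` do the same comparison against the official checksums, so you do not even need a local baseline for those files.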
How Did This Happen?
The first rule of WordPress is to update, update, update. I did that to my own site regularly since I blog weekly. I’d update my themes and plugins as notified. However, after I set up my brother-in-law’s site, I forgot about it and never added it to my list of websites that I update for clients. So it just sat there, unattended for months and I’m thinking that was the weakness that allowed it to become infected. Since the other two sites were on the same account, they also got infected.
There are other things everyone should do with a WordPress website. This article from WPBeginner has some good tips.
Lessons Learned/Silver Lining for Protecting WordPress Sites
- I now have the other two sites set up with iThemes Sync. This great service keeps track of updates that need to be made, sends me an email to let me know what needs to be done, and lets me do the updates from their dashboard. Check them out. You can get 10 sites on their maintenance plan for free.
- Many people don’t recommend sharing and hosting other people’s sites along with your own on one account. Although this is permitted with many hosts, the behavior and practices of the other people on your account could adversely affect your account.
- Since I was logging in nearly daily to my cPanel account, I grew very familiar with the file structure and what was what. I’ve built quite a few sites, many of them using the subdomain feature on my account. Because of that, there were lots of orphan folders for things I hadn’t used in some time. I had deleted quite a few folders, but after having to move and re-install these 3 sites so many times, I finally had the confidence and knowledge to get rid of unnecessary folders. Now everything is clean and up to date.
- I’ve been a BackupBuddy user for a number of years, but until now, I’ve rarely had to use it and when I did, it was a time-consuming process (for me). I had to refresh my memory on the steps, how to access my root directory and making sure my database was ready. Since I’ve done it so many times now, I can restore a site in five to ten minutes.
I appreciate Bryan Muthig and the many emails we exchanged, and appreciate his expertise and his offer to have his people scan my sites. HostGator had NOT been scanning for malware (they just recently started doing it again). A2 does it and has tools to do many of the things the plugins mentioned above do. So that is good to know and something they should promote more in these days of higher-than-ever WordPress attacks.
Hopefully, this will get people thinking of stray WordPress installations still on their account or sites that have been dormant for a while. This is not a pleasant experience to go through. But unfortunately, most people do learn the hard way. A big shout-out of appreciation to Bryan Muthig over at A2 Hosting for taking the time and effort to help a formerly dissatisfied customer get through this difficult time.