Site Security: An Example (Nightmare) of Why You Shouldn’t Ignore It
Editor’s note: While I am glad to have May More on the blog today, I hate that it’s to share her own personal sex blog nightmare. Not all (very few, actually) hosting or security companies have our best interests at heart, and without enough information or knowledge, site owners receive little help or unnecessarily spend hundreds of dollars. Learn from May’s experience and remember that it can happen to any of us.
I started my blog – Sex Matters – in 2016 but only wrote a handful of posts between then and mid 2017. I was tentative and also recovering from a leg injury.
The first time my site became infected.
When my site was about ten months old I received an email from my hosts informing me that a routine scan had discovered a couple of infected files in my database. Their advice: Take out a plan with SiteLock.
Here is an excerpt from the email…
During a routine scan, the security team at (my hosts) discovered infected files in your “ifsexmatterscouk” account… You can view a list of the infected files in the stats directory of your account… Please make sure to check any file backup(s) you have for a clean copy of the infected files. If you have clean copies, you can upload those. If not, get the infected files cleaned or removed… However, if you don’t feel comfortable removing the infected files yourself, or would like to talk to a security expert, we recommend that you contact our preferred partner, SiteLock.
Shortly after, another email arrived warning me that my site would be taken offline if I didn’t act.
I am not rich but often I have time.
Time on my hands
I used my time to look into what had happened and unearthed a mountain of online information, from other bloggers, that SiteLock were not worth the money. Many alleged the company lied about the corrupted files or perhaps even infected the database with malware themselves. Then touted for your custom. Nothing more than an online protection racket. Now I was more determined than ever to sort the problem myself.
- Checking the scan, I was able to pinpoint that only two files had been tampered with.
- Looking at backups and information from valid sources online, I could tell which lines of code were bad and deleted them.
I have worn many hats in my life, one of them as an analyst programmer. I contacted my hosts and asked them to re-scan. They did and all was fine.
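An added example, not part of the original post: a way to compare the files named in a host's scan report against a clean backup and list the lines that exist only in the live copy. The function names, file names and sample contents are assumptions constructed for illustration.

```python
import difflib
import hashlib
import tempfile
from pathlib import Path

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def compare_to_backup(live_root, backup_root, flagged):
    """Return {relative_path: (status, lines present only in the live copy)}."""
    report = {}
    for rel in flagged:
        live, clean = Path(live_root, rel), Path(backup_root, rel)
        if not live.exists():
            report[rel] = ("missing", [])
        elif not clean.exists():
            # Nothing to compare against: the file was added after the backup.
            report[rel] = ("no-backup", [])
        elif digest(live) == digest(clean):
            report[rel] = ("identical", [])
        else:
            old = clean.read_text(errors="replace").splitlines()
            new = live.read_text(errors="replace").splitlines()
            ops = difflib.SequenceMatcher(None, old, new, autojunk=False).get_opcodes()
            added = [line for tag, _, _, j1, j2 in ops
                     if tag in ("insert", "replace") for line in new[j1:j2]]
            report[rel] = ("modified", added)
    return report

def demo():
    # Constructed sample tree; file names and contents are placeholders.
    clean = "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
    tampered = "<?php\n/* CONSTRUCTED INJECTED LINE */\nrequire __DIR__ . '/wp-blog-header.php';\n"
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        live.mkdir(); backup.mkdir()
        (backup / "index.php").write_text(clean)
        (live / "index.php").write_text(tampered)
        (backup / "wp-load.php").write_text(clean)
        (live / "wp-load.php").write_text(clean)
        (live / "extra.php").write_text(tampered)
        return compare_to_backup(live, backup, ["index.php", "wp-load.php", "extra.php"])

if __name__ == "__main__":
    for name, (status, added) in demo().items():
        print(f"{name}: {status}")
        for line in added:
            print(f"    only in live copy: {line}")
```

A "no-backup" result means the file cannot be judged by comparison at all, so it needs a separate look rather than a line-by-line clean-up.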
Sex Matters continued on its merry way.
The second corruption
I got the site an SSL certificate and last year opened a sub-domain for other projects I wanted to be involved with under the name of May More. Unfortunately I couldn’t afford a certificate for the second site.
About four months ago I once again received an email almost identical to the one above. It appeared now my sub domain had been targeted. I checked the scan report and saw that Sex Matters was perfectly clean. Then I did something stupid. I ignored the email. I was busy and wanted to write, not check code. And anyway I thought – it is only my second site – I will fix it when I have a bit of time.
But I didn’t. However, being as my main site – Sex Matters – is precious to me, I downloaded the Wordfence plugin for security and ran a high sensitivity scan. This confirmed the scan report from my hosts and indicated that even though the projects site had numerous infected files, Sex Matters was completely OK – phew. I knew I should deal with the issues as the problem had got larger so… I put it off until tomorrow.
Tomorrow never came.
Both sites taken offline
The next thing I knew – at the beginning of May 2019 – both my sites were offline. When I attempted to sign into my admin, a screen said there were serious malware problems with the site, and I needed to contact my hosts urgently. Others who tried to view my site as readers saw a tamer screen.
But, as mentioned above, I had two different scans showing Sex Matters was clear. So why was it offline?
I immediately panicked. Having put up a sponsored post earlier that day I didn’t want to appear unprofessional. I started to sweat and tried to get through to my hosts but could not even sign-in to them.
Finally I managed to open an online chat…
- Without typing a thing I was put directly through to SiteLock. The first question they asked was my site name. Still only concerned with Sex Matters I didn’t even mention my projects site. But they did. “Is there another site you care about?” – were their actual words. Then I understood, somehow they already knew why I was there and which site had issues. I told them my projects site name. They replied, “We can clear that up for you,” and started naming prices.
- I explained that I would not be paying them to do anything and said I wished to be put through to my hosts. But instead they cut me off.
- Eventually I managed to sign into my hosts’ site, started a chat and asked why Sex Matters was down. They claimed that even though my main site did not contain any malware (so a third clarification), because my sub domain did, they could not let Sex Matters online either.
- Knowing there were too many bad files for me to deal with myself, impetuously, I told them to delete the sub domain. Due to the malware I would need to go into my database and do that myself. Of course if I was unsure, SiteLock would sort the whole thing out for me.
- More than once I mentioned that I was paying them to be my hosts on the assumption that they would help me to solve this kind of problem. This fell on deaf ears. I ended the chat.
- Once in my database, I deleted the projects site completely. I attempted to copy a backup file but my computer is old without extra space, so in my haste I gave up on that.
- Back online to my hosts, I told them what I had done and that I wanted Sex Matters up and accessible ASAP. They explained they would need to scan first. It didn’t take long before they came back and said a file in Sex Matters was corrupt also! How could that be? Only an hour before I had three separate assurances that it was OK. Smelling fishy.
- I was fuming. Nearly in tears. It appeared this was some kind of “inside job,” because I had refused to take out a SiteLock plan. I checked the scan they had just done for the corrupted file name. Finding out on the internet what the code should look like, I hurriedly deleted the added bit. It did feel like a stab in the dark, and I do not recommend you try this unless you know exactly what you are doing, but at that point I was almost past caring.
- Luckily I did it right. They scanned again and all was fine. Sex Matters was clean and up and running.
Who is this Security company?
Then I began to investigate who SiteLock are…
- The actual owners of SiteLock are board members of the Endurance International group. This company owns many host companies, including mine.
- Because of this connection, certain web hosts have to collaborate with SiteLock. Of course the host company then get a cut of any SiteLock services sold. It does not sound very ethical to me.
- I needed to go through all the dead-links on Sex Matters. The links to my projects site. I used the Broken link checker.
- Occasionally when I came across a link that didn’t exist, the plugin would offer me one from the online archive library. This is a valuable resource and I suggest you take a look at it. It’s helped me gain access to many posts I thought were lost.
- Missy also discovered that she was still able to see some of my posts from the WordPress reader and copied out the narrative for me. This is something to consider if you have lost any work.
My advice is
- Make sure you are familiar with your site’s database.
- Have a good security plugin like Wordfence as well as something that backs up your site (Editor’s note: UpDraft is a good one to use — h/t to DomSigns for that tip)
- Keep all themes and plugins updated as outdated scripts can cause a problem too.
- If you get an email similar to the one above, do not ignore it.
Editor’s note: When in doubt, hire someone who understands these things and can help you. Michael Knight (aka DomSigns) is the person I recommend. Whoever you hire, they should be knowledgeable and easy to work with.