Maybe I’m Paranoid, But ...

About ten days ago a certain well-known shared hosting provider sent an email saying they were adding SiteLock to the hosting account for free. I didn’t think much of it, as those offers come and go.

But then a couple days later, my husband got a Google manual penalty on one of our sites — turned out there was some spam/malware we didn’t know about. When I checked, all our sites with this host had the same issue. Interestingly, the sites that were hosted with other providers didn’t.

My alter ego Paranoid Sharon believes the host was hacked but didn’t tell anyone. Otherwise, how could this appear on all the sites in a shared hosting environment? After all, I use WordPress, have Sucuri and Wordfence installed on all of them, and keep all the installations up to date.

So my next move was to try to find and remove the offending files and folders, which was harder than it looked. First of all, I used Exploit Scanner to check the original site we were told about for bad files and folders. Then I logged into cPanel and manually removed anything suspect. I also deleted one plugin that seemed to be one of the main weak points.

Then I started looking for help elsewhere. I know that there are people who will remove malware for you, but I wasn’t prepared to spend hundreds of dollars on sites whose fate we’re still deciding on. (We went through a domain buying phase, set up some experimental sites for different aspects of our business and are currently decommissioning most of them.)

GOTMLS to the Rescue

That’s when I found GOTMLS Anti-Malware Security and Brute-Force Firewall — a regularly updated infection cleaning plugin. You have to register for free (from within the dashboard) and update the malware definitions, but it doesn’t take too long.

I installed it on all the sites and started running scans. Some took longer than others (there’s a counter that tells you how long you will have to wait), but the upshot was that on all the sites on this host (even the one I’d already started cleaning) there were still backdoors and malware. Luckily, this plugin helped with the cleaning process.

There was one setback, when I accidentally on purpose tried to clean some files before the scan had finished running (don’t do it!) and borked one of the sites. That meant going back to cPanel to manually upload a theme, delete the borked theme and get everything working again.

All in all, it took a couple of days from the first notification to having clean sites. I also installed the plugin in the sites hosted elsewhere and they were clean. From now on, I’ll be running scans regularly.

And because I’m paranoid, I’ll be looking to change from the popular host to one that’s hopefully less vulnerable ASAP. Have you had any hacking horror stories?