Just a random observation for all you folks using security plugins to monitor your website.
Website security is a lot more than running a “plugin” and hoping for the best. Most of the well-known security plugins will do fine in catching the obvious malware. But keep in mind that malware is only a symptom. The underlying cause “cannot be fixed” by plugins. You’ll still need to have someone do a thorough security review to catch the real culprits/entry points.
Tangentially, a client called me and mentioned that he’s recently cleaned his website, but wanted a second opinion.
He’d done some manual cleanup on his own and as far as he could tell all was fine. He likewise used a couple of popular website security plugins and each one gave him a clean bill of health.
Upon further review, it became pretty clear that his site had been compromised through one of the six administrator accounts he’d set up previously. And while he had done wonderfully well in removing the malware files within his website, and while the security plugins said all was well, the human element had been missed.
Turns out that the hacker had likewise edited the footer text using his WordPress theme’s “Footer Settings” configuration page. And because the domain names added into the footer text had not been yet flagged as malicious in Google search or otherwise, the robots could not tell the difference between the good or bad links.
The moral of this story is that human eyeballs remain an essential part of fully securing a website account.
Running automation and hoping for the best has its shortcomings…
Enjoy!
If you reading this post, I suspect you’ve either been introduced to or met the WordPress user “wp.service.controller”