website security

The Freemius Wake-Up Call Why Your WordPress Plumbing Matters

Posted on 05.23.26 | Jim Walker | Leave a Comment

I spend a lot of mornings staring at ruined WordPress databases over my first cup of coffee. You get used to seeing the obvious break-ins. A weak admin password. An abandoned slider plugin. But the Freemius SDK issue caught my eye because the threat was hiding in “the walls.”

It was buried in the plumbing. The recent vulnerability proved that shared third-party code carries shared risk. It forces us to look past the visible plugins and inspect the foundation.

Key Takeaways

The Freemius vulnerability proved that shared third-party code carries shared risk. The bug was a reflected XSS issue. It gave attackers a way to abuse an admin workflow. The fix is version 2.5.10 or higher. The best part? Updating just one of your Freemius-powered plugins usually upgrades the SDK for the whole site. Update your code. Press the button.

What Is Freemius, Anyway?

Imagine a store manager living inside your software. That is Freemius. Developers hate building checkout systems and licensing engines from scratch. They plug in the Freemius SDK to handle the heavy lifting.

It is incredibly efficient. It also builds a massive shared dependency across the WordPress ecosystem. When a common library catches a cold, everybody sneezes. The ripple effect hits thousands of sites instantly.

Plain-English Translation: You trust the plugin developer. You also have to trust the invisible third-party code they bundled into the zip file.

The Risk: What Almost Happened?

Security researchers flagged a reflected cross-site scripting vulnerability. We call it XSS. An attacker could craft a malicious link and wait for an administrator to click it. Once clicked, the script executes inside the admin browser.

People hear “XSS” and brush it off. They think it is a minor bug. That is a mistake. In the right place, one wrong click hands the keys to the kingdom over to a stranger. Game over.

Why This Matters: A lot of site owners ignore XSS warnings. Do not be one of them. It is the first falling domino.

Luckily, the developers caught this early. They used coordinated disclosure. Nobody saw widespread attacks in the wild. That is exactly how security is supposed to work.

The Bigger Lesson: WordPress Is a Supply Chain

Your website is a supply chain. I wish more people understood this.

You install five plugins. You think you added five isolated tools. You actually installed dozens of shared libraries and background scripts. Your attack surface grows quietly.

Shared code is great for developers. It prevents duplicate work. But you must respect the reality of the situation. One cracked pipe floods the whole neighborhood.

My Advice: The Hack Repair Checklist

1. Check Your Active SDK Version

Find the Freemius page. Verify you are running version 2.5.10 or higher. That is the safe zone.

2. Update at Least One Freemius-Powered Plugin

Here is the magic. You do not always have to update everything at once to fix the SDK. Upgrading a single plugin often pulls the newest Freemius code into the entire environment.

Jim’s Pro Tip: Look at your dashboard. If several Freemius-powered plugins are installed and only one has an update available, start there. It patches the whole neighborhood.

3. Do Not Click Weird Links While Logged In

The delivery method is usually human error. A weird support email arrives. It tells you to click urgently. You are logged into wp-admin. Stop. Take five seconds. Close the tab.

4. Audit Your Plugins

Delete unused code. Deactivating a plugin is not enough. Less code means fewer hiding spots for bugs.

5. Treat Updates Like Maintenance, Not Decoration

Patches only work if you install them. I clean up hacked sites every week because someone was afraid to click “Update”. Don’t be that person.

Important Note: A patched SDK is great. It does not fix other bugs in your theme. Keep everything updated. A patched shared library does not erase other problems those products may still have.

Sidebar: The 30-Second Security Audit

Don’t guess if you’re safe. Enter your domain to generate a direct link to your audit page, then verify your version status below.

Enter your website domain:

Generated Audit URL:
Go to Dashboard Status ↗
Once on that dashboard page, look for Active SDK version and enter it here:

✓ You are protected! Your site is running version 2.5.10 or higher.

⚠ Action Needed: Your version is vulnerable. Please run your plugin updates immediately to patch the “neighborhood.”

Frequently Asked Questions

Is my site currently being hacked? +

There are no reports of widespread real-world exploitation. The fix was released before hackers figured out how to use it on a large scale. However, the risk remains until you update.

I don’t see a “Freemius” page. Am I safe? +

Not necessarily. Some plugins hide the Freemius menu. Ensure all your plugins are updated to their latest versions. If any one of them uses the new SDK, your whole site benefits.

Why does one update fix other plugins? +

Freemius detects the newest version of itself available on your site. It uses that version for all plugins. It is like a smart plumbing system that automatically upgrades the pipes for the whole house when you renovate one room.

The Bottom Line

The Freemius scare is a perfect wake-up call. The worst security threats hide in the code you never look at.

The developers did their job. They patched it fast. Now the responsibility is yours. The fix only helps if you actually install it.

Keep your site clean. Do the maintenance. Sleep well at night.

If you need help auditing outdated plugins, cleaning up a hacked WordPress site, or figuring out whether your current setup is creating hidden risk, see HackRepair.com. We work with site owners who want practical help. No jargon. No finger-pointing.

[ A flaw in the Freemius WordPress SDK was a reminder that security problems often bypass the front door. Here is what happened, why version 2.5.10 matters, and how to check your site. ]

Why Is My Church or Non-Profit Website a Target for Hackers?

Posted on 04.22.25 | Jim Walker | Leave a Comment

I’m asked these questions quite often: “Why was my church’s website hacked?” And, “Why would a hacker want to hack my little non-profit WordPress website?”

First of all, if your non-profit-related website has been compromised, try not to take it personally. In my experience at HackRepair.com having worked on thousands of hacked websites over the years, I can tell you that it’s almost never personal.

In this article, I’ll cover the basics of website account security and describe how you can greatly increase the security of your non-profit’s website today. Topics are:

Why do website hackers hack websites?
So how do website hackers break into a website’s account?
Why is segregated website hosting important?
I update my website password often. Isn’t that enough?
What should I look for if my website has been compromised?
What is a backdoor script?
What are some common website hacking related terms?
How can I help prevent my website from being hacked?

Why do website hackers hack websites?

Well, believe it or not, hacking websites is big money according to security researchers. Some hackers make more than $80,000 a month.

Church and non-profit websites are often targeted by hackers for a variety of reasons. Some of those reasons are:

Non-profits are more often maintained by part-time volunteers with limited WordPress expertise.
Well maintained religious-based websites have better-than-average domain authority, credibility, and readership, which is especially appealing to black-hat SEO hackers.
Non-profit websites’ donation forms are appealing targets for harvesting credit cards.

So how do website hackers break into a website’s account?

You may think your website is secure because your web designer is reputable and experienced. In my own experience over the past decade over 80% of all the compromised websites I’ve helped clean and secure after being hacked were the result of hackers taking advantage of exploits through either:

1. Outdated plugins.
2. Outdated themes.
3. Or poor “key control.”

The majority of exploited website accounts I’ve encountered were then compromised in one of two ways:

1. The hacker either injected files into the website account.
2. Or the hacker injected text or code into posts or web pages.

And once hackers have a foothold into a website’s account they rarely give it up easily, often hiding their back-door scripts in various placed throughout the hosting account. I’ll cover back-door scripts a bit later.

Why is segregated website hosting important?

There’s a common misunderstanding among website owners about the dangers of hosting multiple websites within a single shared account.

Many people have fallen prey to unlimited shared hosting account services. While on the surface it seems like an unlimited shared hosting account is an efficient and low-cost way to host multiple websites within a single website account. In actuality, this type of service is akin to renting office space where all of the internal office doors share the same front door key.

If you are hosting multiple WordPress websites within a shared hosting account, your risk of being compromised is exponentially greater than a website hosting account with a single WordPress installation.

For this reason, segregating each website into its own separate hosting account is an important long-term website security strategy.

I update my website password often. Isn’t that enough?

Now back to my earlier note about poor “key control.” Non-profit organizations, in particular, are susceptible to password “leakage.” Because the roles of volunteers within a non-profit organization may change regularly, both real-world physical security and website password security can be a challenge.

For instance, a single segregated website account may have dozens of sub-passwords, each being a potential entry point for hackers. If you are working to improve your organization’s password management I recommend locating and periodically updating each of the below passwords at least every few months:

1. 1. Your web hosting company’s “billing” login password.
  2. Your web hosting company’s website control panel (cPanel, Plesk, et al.).
  3. All FTP passwords within your website’s hosting account control panel.
  4. All WordPress administrative user account passwords.
  5. Your organizations social media accounts as well (Twitter, Facebook, et al.).

While reviewing a client’s list of WordPress user accounts, look at what I stumbled upon:

What should I look for if my website has been compromised?

Example list of hacker files littered throughout a compromised website. — Click to View

A website hacker’s modus operandi is injecting malicious code or text into files or web pages. This injected code can do any number of things, like redirecting site visitors to other websites; advertising text or links; or harvesting visitor data.

Today’s websites can be a mix of thousands of files. That’s a lot of hiding places to consider when reviewing a compromised website account. And nearly all of these files, from text files to PHP files and even images, may harbor malicious code.

Hacker files or code injections most often fall into one of three categories:

1. Backdoor PHP scripts.
2. Malicious text or code injected into legitimate files or databases.
3. Or a combination of backdoor and malicious text or code injections.

When reviewing a recently hacked website I always start by sorting the directories and files within a website by date. With code injections, it’s often possible to quickly identify compromised files by viewing the text within the most recently changed files.

Theme files like the 404.php, functions.php, and header.php are commonly exploited files, example below:

**What is a backdoor script?**

Backdoor scripts are files or code injected into legitimate files that give hackers access to add or edit files or databases within a website hosting account.

Once in place within a website, these files or code injections may allow hackers unrestricted access to an account until they’re removed.

And with all of the places a hacker may hide malicious code within a website, you can’t assume anything when it comes to locating and removing backdoor scripts within a website’s account. Every file and directory must be carefully reviewed for signs of malicious content.

In the case of WordPress, even the latest malware monitoring security plugins often miss or misidentify these files. Written by financially-motivated black-hat hackers, backdoor scripts often require a bit more effort to identify than running an off-the-shelf malware scanner. Human eyeballs haven’t yet been automated out of this job (at least not yet).

Below is an example of hacker code injected into a legitimate WordPress file, which allows the hacker to pass commands along to another file added by the hacker:

What are some common website hacking related terms?

Since you are reading this article, I suspect you are hoping to better educate yourself about website security. Below are a few of the commonly used terms associated with the website hacking “business”:

Phishing is the fraudulent practice of masquerading as a reputable company in order to trick you into revealing confidential information.

SEO spam, also known as spamdexing or injected backlinks, is an attempt to manipulate search engines by including links or content within a legitimate website to help increase the search engine position of another website.

Black-hat SEO hackers inject SEO spam within legitimate websites to improve the search engine position of less legitimate websites.

Harvesting credit cards may be possible by injecting code into a payment page in order to “sniff” credit card information while information is being entered.

Badware or drive-by downloads refer to the unintentional download of malicious code into a computer or mobile device. The scary part is that a click or other action may not be required to inject the malicious code into the device.

DDoS attacks or “distributed denial of service” attacks may involve surreptitiously using the processing power of a number of unsuspecting websites against another website in order to interrupt the services of a specific target website.

Ransomware is a form of virtual blackmail, where malicious software is employed to lock data until a ransom fee is paid.

Malware is a term used to describe malicious code that may cause harm to a website, it’s reputation, or devices connecting to a given website.

Website defacing most often refers to someone changing the content on a website with malicious intent.

A quick Google search on any of these phrases will bring up hundreds, if not thousands, of stories describing the criminal behavior relating to each of these website security-related terms.

How can I help prevent my website from being hacked?

Below are four actions you can take today that will greatly improve the security of your website account and decrease the likelihood your website will be compromised by hackers tomorrow.

Backups. Maintain a weekly automated backup of your website to a cloud service account like AWS, Google Drive or Dropbox.
While you may not be able to monitor your website every minute of every day, a solid backup program will help turn a potential disaster into a one-click-to-recover insurance policy. For WordPress, try one of these plugins: UpdraftPlus, BackupBuddy or JetPack Backups.
Updates. With content management systems like WordPress, the regular updating of your website’s plugins, themes, and WordPress are required steps in improving the security of your website and hosting account.
Monitoring. If your website was built with WordPress, there are a number of well-regarded security plugins to choose from. WordPress security plugins are not foolproof but they may help reduce the impact of bad bots and automated intrusion attempts by monitoring and notifying you of bad behavior on your website as it happens.
Management. And lastly, use a secure password management system to save passwords. This is a great way to reduce our very human tendency to use the same password for every website we password protect.

Have questions?

If you have comments, suggestions or questions, Jim Walker may be reached at [email protected].

“A thing done well is rarely done alone.”
And many thanks to the following good folks who helped in proofreading and editorial review: Joyce Walker; Mike Dudas @tvcnet; Mark Glover @servingwithamission; and others.

Jim Walker, Website Security Professional
I am a website security professional, with HackRepair.com, where I’ve been helping non-profits and businesses recover from compromised website situations and have been helping to secure websites against hackers for over 20 years.

How to Effectively Remove the McAfee SiteAdvisor Blocklist in Google Chrome

Posted on 05.08.24 | Jim Walker | Leave a Comment

McAfee SiteAdvisor and McAfee WebAdvisor are two names for the same service. Originally known as SiteAdvisor, the service underwent a rebranding in 2017 and is now referred to as McAfee WebAdvisor. To dispel any confusion, this article will focus on the process of removing blocklist warnings from both fundamentally identical services. I’ll use the service names McAfee SiteAdvisor and McAfee WebAdvisor interchangeably throughout this article, as many of McAfee’s internal links still use the original name. I know, it’s 2024… Right!

What is McAfee SiteAdvisor?

It functions as a web browser-based security tool, providing users with safety ratings for a multitude of websites in Google Chrome. We’ll delve deeper into the specifics of this service in the “Understanding McAfee SiteAdvisor and McAfee WebAdvisor” section below.

Why is it important to know how to submit a removal request to McAfee SiteAdvisor?

There could be instances where a website is inaccurately flagged and blocked, or a competitor might submit false reports intending to tarnish a website’s reputation. This can cause significant inconvenience to both the website owner and its visitors, to say the least. In this article, I aim to provide a comprehensive guide on effectively removing a McAfee SiteAdvisor blocklist warning and implementing measures to secure your WordPress website against potential future blocklisting.

Understanding McAfee SiteAdvisor and McAfee WebAdvisor

McAfee SiteAdvisor, also known as McAfee WebAdvisor, is a product from McAfee that, according to their website, “keeps you safe on the internet by alerting you about potentially harmful websites and downloads.”

When you perform a search on a search engine like Google, McAfee WebAdvisor adds small icons next to each search result, indicating the safety rating of the corresponding website. A green tick represents a safe website, a yellow exclamation mark indicates a potentially risky site and a red cross signifies a dangerous site that’s best avoided. Likewise, if you visit a website that McAfee WebAdvisor deems risky, you may see a warning screen appear like the one at the right.

Interestingly, at one point in time, you could download the McAfee WebAdvisor extension from the Google Chrome Web Store, but the extension has since been removed and is no longer available in the Chrome Web Store. Instead, you are now asked to install the McAfee WebAdvisor software from the McAfee website.

The Impact of Being on the Blocklist

Being on their blocklist can significantly impact your website’s reputation and traffic. Visitors who use McAfee SiteAdvisor will see a popup warning message when they try to access your site, which may deter them from proceeding further. This can lead to a decrease in website traffic, user engagement, and potentially, revenue.

Steps to Remove McAfee SiteAdvisor Blocklist Warning

Step 1: Identify the Issue

The first step in removing the McAfee SiteAdvisor blocklist warning is to identify why your website was flagged.

Visit the sitelookup.mcafee.com website and enter your website address into the search box. Choose the McAfee SiteAdvisor option, as shown in the below image, and then submit your review request. A “Minimal Risk” response means your website has not been reported to McAfee SiteAdvisor.

Step 2: Rectify the Issue

Once you’ve identified that your website has been marked as malicious, the next step is to rectify it. This could involve removing malware, fixing vulnerabilities, or addressing other security concerns. It’s recommended to work with a professional cybersecurity expert to ensure all issues are thoroughly addressed. I can help with that.

Step 3: Request a Review

After rectifying the issue, you can request a review from McAfee SiteAdvisor by following step #1 again and entering your request for review.

Once you have secured your website and submitted your removal request, they will review your website and remove the blocklist warning. Removal requests are typically responded to on the same day.

Step 4: Monitor Your Website

Even after the blocklist warning in Google Chrome is removed, it’s important to continuously monitor your website for potential security threats. Regular monitoring can help you identify and address issues before they escalate and lead to another blocklisting. For more on monitoring, see my other article, “The Blacklist Blues: How a Bad Reputation Can Ruin Your Business and How to Deal with Being Blacklisted“.

Securing Your WordPress Website

In addition to removing the McAfee SiteAdvisor blocklist warning, it’s crucial to secure your WordPress website to prevent future blocklisting. Here are some steps you can take:

Secure Hosting Environment

Your hosting environment plays a key role in your WordPress website’s security. Choose a reputable hosting provider that offers built-in security features, such as SSL certificates, firewalls, and regular backups, like TVCNet.com. Additionally, ensure that your hosting provider uses the latest versions of PHP, MySQL, and other server software, as outdated software can have vulnerabilities that hackers can exploit.

WordPress Configuration

Proper WordPress configuration is essential for security. Here are some steps you can take:

Update Regularly: WordPress regularly releases updates that fix bugs and security vulnerabilities. Ensure your WordPress core, themes, and plugins are always up-to-date.
Use Strong Passwords: Use strong, unique usernames and passwords for your WordPress admin account. Avoid common usernames like “admin” and use a password manager to generate and store complex passwords.

Secure Themes and Plugins

Themes and plugins can introduce vulnerabilities into your WordPress website. Only use themes and plugins from reputable sources, and keep them updated to the latest version. Remove any unused themes or plugins to reduce potential entry points for hackers.

User Management

Limit the number of users who have admin access to your WordPress website. Use the principle of least privilege, i.e., give users only the permissions they need to perform their tasks. Regularly review user accounts and remove any that are no longer needed.

Implement Security Measures

Implement additional security measures such as two-factor authentication, limiting login attempts, and using security plugins that can monitor your website for malware and other threats.

Conclusion

Being on the McAfee SiteAdvisor blocklist can have significant implications for your website. However, by identifying and rectifying the issue, and requesting a review from McAfee, you can have the blocklist warning removed within a matter of days. Furthermore, by securing your WordPress website, you can prevent future blocklisting and ensure a safe and secure browsing experience for your website visitors. Regular monitoring of your website can also help prevent future blocklisting. By following these steps, you can ensure a safe and secure browsing experience for your website visitors.

Hello, I’m Jim Walker, The Hack Repair Guy – a veteran website security expert with over 20 years of experience in website hosting, security, and cleaning up hacked websites. As a trusted advisor to website owners and businesses worldwide, I provide website cleanup, management and protection services, and educational resources, to safeguard their online presence. My hands-on approach and expertise have helped thousands of clients recover from hacked websites and rebuild their online presence. I’m dedicated to making a positive impact in the website security industry, providing peace of mind and a secure online presence for everyone I work with. You can trust me, The Hack Repair Guy, to keep your website safe and secure. Please feel free to call or email me if you have any questions regarding website hosting or website security. I’m here to help!

___

I hope you’ve appreciated this article. Before you move on, I wanted to ask if you would consider buying me a cup of coffee as a thank you. It takes a good bit of time to put together helpful articles, not to mention the energy required to write when I’m not focused on helping people with their hacked websites or security concerns. Thank you for caring!