Call for Free Consultation Today: (619) 479-6637     Hack Repair Testimonials Read more five star service reviews?

Website Malware andHack Repair Services

"We Fix Hacked Websites"

Web Hosting Security in 2021 – Who’s Responsible Today?

| | Leave a Comment

Jim Walker The Hack Repair GuyI’ve been reading a number of rather aggressively toned discussions against various web hosts in forums over the past few months.

 

I would like to take a bit of your time today to address some of the statements made against shared hosting companies and their responsibilities in resolving WordPress-related malware issues.


My background.
In case you don’t know what I do, I have over 15 years of experience in managing the security of web servers and cleaning hacked websites—I’m not just making this stuff up. I’ve lived this reality in real-time for over two decades.


To start…
Malware scanners are full of errors. One man’s malware may be another’s legitimate code.

Malware scanners are only as good as they are maintained and developed.

I see errors in malware reporting and in automated malware reports nearly every day.


Who’s responsible?
Before you say, “The host is responsible and they’re responsible for hackers hacking my site,” think again.

Callback to this later:
Reducing client support tickets is the highest goal of any successful hosting company


SiteGround (and other shared hosts)
With SiteGround, for example, they have industry-standard malware scanners and firewalls in place. And zero-day exploits are real.

No host or scanner can guard against what they don’t know

 
A few examples of recent plugin and theme exploits being actively exploited in the wild.
Suffice it to say, if the legitimate code within your theme is exploitable, your web host can do very little to prevent exploitation of those publicly accessible theme files/scripts:

Exploitable in early 2021:


WordPress security?
That said, these past few months, there have been many more exploits discovered within a number of very popular plugins and themes.

So before you say, “My host sucks because they can’t stop hackers from hacking my exploitable theme” that’s simply a false assessment. And if you think that a host quarantining your themes files/scripts will solve the problem, then you are misunderstanding the concept of quarantine.


Quarantine that Sh**!
When I (your host) quarantine your hacked theme script/file, I am REMOVING the file from your account—pushing it off to a safe directory.

That means that I (your host) will likely bring your website down in the process by removing a file/script that your theme requires.


“Hosting company, you need to delete hacker scripting in my website files now!”
Another false belief. If you’ve attempted to use a security plugin to clean up a website and found it actually made the situation worst, then you know that one man’s malware may be another’s legitimate code.

And hackers are not always nice about how they insert their code into files—meaning that removing the “bad” code may actually further break the website (which was previously running without error).


The callback…
What is the goal of a successful hosting company?

Reducing client support tickets

 

And since quarantining every hacked file located on the server may result in unintentionally breaking client’s websites by removing files, what would you do if you were running said hosting company?

  1. Remove “all” hacked files knowing it may break websites and dramatically increase support tickets (increasing perceived downtime and lost business as clients move out in anger over you, the host, breaking their website)?

  2. Do your best to implement strong firewalls, malware scanning, and customer notification as soon as malware is located?


Paying more for website security (not a commercial—just a statement)?
Yes, there are a few hosts that do implement methods to reduce code injection into WordPress websites along with other security safeguards. If you don’t mind paying a lot more than $20 per month and you’re okay with certain hosting restrictions necessarily to implement those safeguards, then you always have pricier hosting options to choose from as well.

This discussion is about shared hosting, in the $5 to $20ish USD/month range.

Yes, you can always pay more for more security. But do you need to? (an article for the future)

 

#wordpress #malware #hackrepair #websitesecurity #sharedhosting

Website Security in The New Year 2021 – Are You A Cat Herder?

| | Leave a Comment

As we all head into the new year, if you implement the below strategies you’ll greatly reduce the likelihood your account will be compromised in 2021.

Are You A Cat Herder?

1. Segregation*
2. Monitoring
3. Regular updates
4. Backups

  • If you choose to not segregate your WordPress installations to separate accounts the risk your hosting account will be compromised will be exponentially greater this year.

 

 

Are you still “herding cats” like it was 2006?

 

As an expert cat herder, I can help you with your cat herding problem today.

 

#wordpress #infection #hackrepair #websitesecurity

Website Security Heads Up for May!

| | Leave a Comment

Website Security Heads Up for May

The pandemic has dramatically impacted the status of vulnerabilities for all of the major content management systems, like Joomla, Magento, and WordPress.

Hackers stuck at home with nothing to do but “code” have been wreaking havoc on the community of website management scripts, especially WordPress.

Luckily plugin and theme developers have likewise been “available” and most of the exploits listed below have patches in place now.

Sadly, the patches came too late for many. There has been a steady increase in privilege escalation hacks (where hackers gain access to lower-level user roles such as “Subscriber” to do their evil deeds).

Suffice it to say there is enough evidence to demonstrate that allowing subscribers to subscribe without any management oversight and not doing a reasonable amount of due diligence before installing a new plugin is a long term receipt for disaster.

 

Below is a shortlist of WordPress related plugins and theme whose code have been exploited in some way during the month of May (list credit to the WPScan Team).

Plugins:

Add-on SweetAlert Contact Form 7 < 1.0.8 – Authenticated Stored Cross-Site Scripting (XSS)

Advanced Order Export For WooCommerce < 3.1.4 – Authenticated Cross-Site Scripting (XSS)

Ajax Load More < 5.3.2 – Authenticated SQL Injection

bbPress < 2.6.5 – Authenticated Stored Cross-Site Scripting via the forums list table

bbPress < 2.6.5 – Unauthenticated Privilege Escalation when New User Registration enabled

bbPress 2.6-2.6.5 – Authenticated Privilege Escalation via the Super Moderator feature

Chopslider <= 3.4 – Unauthenticated Blind SQL Injection

Drag and Drop Multiple File Upload for Contact Form 7 < 1.3.3.3 – Unauthenticated File Upload Bypass

Easy Testimonials < 3.6 – Authenticated Stored Cross-Site Scripting (XSS)

Elementor < 2.9.8 – SVG Sanitizer Bypass leading to Authenticated Stored XSS

Elementor Pro < 2.9.4 – Authenticated Arbitrary File Upload

Final Tiles Gallery < 3.4.19 – Authenticated Stored Cross-Site Scripting (XSS)

Form Maker by 10Web <= 1.13.35 – Authenticated SQL Injection

Iframe < 4.5 – Authenticated Stored Cross Site Scripting (XSS)

Login/Signup Popup < 1.5 – Authenticated Stored Cross-Site Scripting (XSS)

MapPress Maps < 2.54.6 – Improper Capability Checks in AJAX Calls

Multi Scheduler <= 1.0.0 – Arbitrary Record Deletion via CSRF

Official MailerLite Sign Up Forms < 1.4.4 – Unauthenticated SQL Injection

Official MailerLite Sign Up Forms < 1.4.5 – Multiple CSRF Issues

Page Builder by SiteOrigin < 2.10.16 – CSRF to Reflected Cross-Site Scripting (XSS)

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – CSRF leading to XSS

Page Builder: PageLayer – Drag and Drop website builder < 1.1.2 – Unprotected AJAX’s leading to XSS

Paid Memberships Pro < 2.3.3 – Authenticated SQL Injection

Photo Gallery by 10Web < 1.5.55 – Unauthenticated SQL Injection

Site Kit by Google < 1.8.0 – Privilege Escalation to gain Search Console Access

Team Members < 5.0.4 – Authenticated Stored Cross-Site Scripting (XSS)

ThirstyAffiliates < 3.9.3 – Authenticated Stored XSS

Ultimate Addons for Elementor < 1.24.2 – Registration Bypass

Visual Composer < 27.0 – Multiple Authenticated Cross-Site Scripting Issues

WooCommerce < 4.1.0 – Unescaped Metadata when Duplicating Products

WP Frontend Profile < 1.2.2 – CSRF Check Incorrectly Implemented

WP Product Review < 3.7.6 – Unauthenticated Stored Cross-Site Scripting (XSS)

WTI Like Post <= 1.4.5 – Authenticated Stored Cross-Site Scripting (XSS)


Theme:

Avada < 6.2.3 – Missing Permission Checks leading to Arbitrary Post Creation, Edition, Deletion and Stored XSS

 
Be sure to double-check whether your site is using any of the above plugins. And if so, please consider updating them soonest.

 
* Yes, HackGuard.com service client’s plugins have all been fully updated to the latest version respectively.

Enjoy!

 

Recent Posts

 

Buy Jim a cup of coffee?

 

WordPress Hacker Insurance and Support

Concerned about WordPress security and would like someone to watch your back? If this sounds like you then you are in the right place.  Taking a vacation, or maybe your web designer has wandered away?  Why worry about dark side of the Internet. Let HackRepair.com worry for you. It's what we Read More

Latest HackRepair Tweets