So I had a long run of some very problematic website issues…vicious infiltrations on client-owned things that I managed. They followed me from host to host, and took me months of work to finally eradicate (they are clean, and have been for weeks now). It was a pretty bad nightmare, though.
The Pain
It all stemmed from one of my clients loading in a shitty plugin, after he had set up a user account with the password of “password” (I am not kidding) – and this plugin, with even that brief access, created a gateway that quickly leaked out into other unrelated sites co-hosted on the server. The plugin concerned me from the get-go, but it was a crucial part of the guy’s build, and I was trying to be accommodating: big mistake on my part. Rules are not all meant to be broken.
The way the poison worked was that it would create a couple of files in a WP install – files that you would not ever see in normal WP dashboard management, but only thru FTP. Then, it would infect any site on the server it could exploit – in my case, it leaked out to maybe 5-6 of them in various ways…no consistency I could ever find.
The hidden files would then start creating folders of “files” that are triggered to render from “normal” web operations. Self-propagating keyword-based ugliness. So an otherwise standard header request would instead get rerouted (in a millisecond) to a bad folder, with a spammy hateful page – inadvertently hosted by ME! I could find the folders and delete them, but they would regenerate at unbelievable speeds unless I found the root of it all.
It destroyed my account, and at Web Hosting Buzz, they shut down my account repeatedly, hurting all of the sites I had that were NOT compromised, only because it was a standard response they did. I then learned Web Hosting Buzz had changed my server, so I was working on an old one for over a week – and my live one was even more compromised than the one I kept cleaning.
That was the final straw for me – Web Hosting Buzz was sliding for months, and now they were just infuriating me.
I dealt with their helpdesk a LOT, and they cleared me multiple times – often only to shut me down again in a couple of days for exactly the same thing they said I had just completely fixed. I was losing my mind, and spending DAYS on this issue that became weeks; deleting files became half of every workday, and I was exhausted.
The Fix
The way I finally found it was by rebuilding from scratch each site that I had in this account (about 45 of them)…it was long, arduous work, but it was the only true way I could make it stop. All new user accounts and passwords, universally. Deletion of all old files/accounts.
It was easy for me to clean out the infected sites and make them whole – it just needed new WP installs, free from the vulnerabilities and exploits in Web Hosting Buzz.
I ended up moving my hosting for this account to Dreamhost, based on prior experience and some suggestions/support from some friends with many more sites than I have. The cost was reasonable, the support looked fine, the interface was actually refreshingly clean, simple and easy to manage.
When I got to the truly bad site, I saw almost immediately that the problem came directly from ONE plugin – which I removed, kicked into the yard and went postal on for a while (at least in my head I did). I told the client that he could NEVER use that thing again – and I built him a new framework with trustworthy plugins.
So far, it has been weeks, and not a single incident on the new stuff – my nightmare seems like it is finally over.
The Advice
So to avoid this kind of crap, the simplest thing is to limit your plugins to only trusted ones (no duh, right?). It is something I got lax on, and I paid the price for sure…had to give away a lot of time to make it right with the poor folks who suffered thru no fault of their own.
Stick to frameworks that have MANY reviews, current updates, and transparency – there were red flags all over the bad plugin I fought with here, but being Mr. Nice Guy got in my way of killing it faster. It was also very insidious, and threw me in the wrong direction a lot…it did not create only one page, it varied its assault to keep trying to stay hidden…so no rules would prevent it enough. It was like a zombie.
Know what the files are for the latest WordPress install – compare them to the files in your installs…the bad guys are getting smarter at creeping in without you seeing them. Keep it updated and secure.
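One way to do that comparison, as an added example (not code from this post): a Python script that hashes every file in a live install, dotfiles included, and checks it against an unpacked clean download of the same WordPress version. The names `SITE_FILES`, `compare_install` and `build_sample`, and the sample tree it builds, are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Files a stock download never contains but a working site does (assumption).
SITE_FILES = {"wp-config.php", ".htaccess"}

def tree(root):
    """Map relative path -> SHA-256 for every file under root, dotfiles included."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def compare_install(clean_dir, live_dir):
    """Compare a live install against an unpacked clean copy of the same version."""
    clean, live = tree(clean_dir), tree(live_dir)
    report = {"modified": [], "unexpected": [], "php_in_uploads": []}
    for rel, digest in sorted(live.items()):
        if rel.startswith("wp-content/uploads/") and rel.lower().endswith((".php", ".phtml")):
            report["php_in_uploads"].append(rel)   # uploads should hold media, not code
        elif rel in clean:
            if clean[rel] != digest:
                report["modified"].append(rel)     # core file altered after install
        elif rel not in SITE_FILES and not rel.startswith("wp-content/"):
            report["unexpected"].append(rel)       # extra file outside wp-content
    report["missing"] = sorted(set(clean) - set(live))
    return report

def build_sample(base):
    """Constructed sample data: a tiny clean tree and a live tree with planted changes."""
    files = {
        "clean/index.php": "<?php // stock",
        "clean/wp-includes/version.php": "<?php // stock",
        "live/index.php": "<?php // stock",
        "live/wp-includes/version.php": "<?php // altered",
        "live/wp-config.php": "<?php // site config",
        "live/.cache.php": "<?php // not part of core",
        "live/wp-content/uploads/2020/img.php": "<?php // code in uploads",
        "live/wp-content/plugins/ok/ok.php": "<?php // plugin",
    }
    for rel, body in files.items():
        path = Path(base, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(base, "clean"), Path(base, "live")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for kind, paths in compare_install(*build_sample(tmp)).items():
            print(f"{kind}: {paths}")
```

Plugin and theme files under `wp-content/` are not compared here and need their own clean reference copies. If WP-CLI is available on the host, `wp core verify-checksums` performs the core-file part of this check against the official checksums.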
Use smart passwords, and even isolate sites if you need to (VPS, firewalls, hide the login page location) – there are some pretty simple ways to prevent them from getting in, since most of what they do is automated.
And above all, know that a cheap web hosting option rarely is worth it – I learned it the hard way, but am wiser for it now.