I have not been busy with my blog in the last couple of months because of other pressing priorities (that lasted longer than I expected).
I’m wondering if any of you used the MailPoet Newsletter plugin to collect subscribers info on your WP blog?
For those of you who did, here is a word of advice: EVEN IF you kept it up-to-date, you should immediately check your site for malware. I’ve used Anti-Malware and Sucuri plugins (both free on WordPress.org) and found malware in all of my WP installs that had the MailPoet Newsletter plugin installed…
Insidious, invisible, bad news.
The thing is there was a vulnerability that was found only in June and by the time they issued the updates, most sites were already infected. Except all sites were still running smoothly in the front-end. Late in July, they realized that and sent another update (the first one was not enough) and THEN told us to check our sites with anti-malware. So even if you had kept everything up-to-date (like I had) your sites could be infected without you knowing it because the front-end was still working fine.
If you’re lucky, it’ll be a very easy operation. I’ve been lucky. On my own sites, there were a few intrusions, all easily removed. On one of my clients’ site however, things were different. The client had given an administrator account to a supposed expert (!), and that site has been hit so badly I had to have my own hosting provider (I’m a hosting reseller) check the site thoroughly and they still found malware code after running checks & cleaning up with plugins (Anti-Malware plugin has been updated with that data afterwards). I _strongly_ suspect my client’s so-called expert’s password was too weak and opened the door because it’s the only site that was so badly hit.
I’m a hosting reseller and site developer, and I always ask my clients, in the contracts I have with them, to use secure passwords:
- more than 8 characters
- a mix of small and capital letters, figures and symbols
- NO word that can be found in a dictionary (even in a foreign language – robots access ALL dictionaries)
This may not make the sites impenetrable, but looking at my other sites where passwords are secure, it certainly proved useful this time.
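One way to turn the three contract rules above into a check you can run on a proposed password. This is an added example, not code from the post; the word list is a constructed stand-in for the real (and foreign-language) dictionaries cracking tools carry, and the leet-style substitution step is an assumption beyond the post's wording.

```python
import string

# Constructed stand-in for real word lists (the post notes that "robots
# access ALL dictionaries", so a real check loads full lists in every
# language your users are likely to pick words from).
DICTIONARY = {
    "password", "admin", "welcome", "newsletter", "wordpress",
    "bonjour", "secret", "soleil", "letmein",
}

SYMBOLS = set(string.punctuation)

# Common substitutions ("P@ssw0rd") are undone before the dictionary
# check, because cracking tools apply exactly these rewrites themselves.
LEET = str.maketrans("@$0134!5", "asoleais")


def password_problems(password, dictionary=DICTIONARY, min_len=9):
    """Return the list of policy rules the password breaks (empty = OK).

    Rules follow the post's wording: more than 8 characters, a mix of
    small and capital letters, figures and symbols, and no dictionary
    word anywhere inside the password.
    """
    problems = []
    if len(password) < min_len:
        problems.append("too short (need more than 8 characters)")
    if not any(c.islower() for c in password):
        problems.append("no small letter")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in password):
        problems.append("no figure")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    normalised = password.lower().translate(LEET)
    # Embedded words count too: "Bonjour2014!" is still built on "bonjour".
    for word in sorted(dictionary):
        if len(word) >= 4 and word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("Xk7#vQ2!pL9m", "P@ssw0rd123!", "Bonjour2014!", "Ab1!"):
        print(candidate, "->", password_problems(candidate) or "OK")
```

A password that passes this check can still be weak (it may be reused from another site), so treat it as a floor, not a guarantee.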
Don’t trust what you see
The other lesson for me here was that I couldn’t trust what I was seeing. All my sites kept running smoothly. NOTHING was visible on the front-end (visiting the site). Which means my sites (and hosting space) were most likely used to do spam or launch various attacks on other sites or maybe simply used as a space resource.
The bad thing about this, besides the fact it makes you an accomplice to bad stuff going on on the Web, is that you might end up with your site blacklisted and you will likely lose your ranking on Google. Why? Because if your site is infected, Google will pick up on it and until your site is cleaned up, forget ranking…
Bottom line lessons for me
- Keep everything up-to-date
- Don’t trust the fact that your site seems ok when you visit it.
- Install malware-checking plugins
- Install a plugin that will let you know when WordPress, your theme or your plugins need updating, so you don’t have to go check every day (I installed WP-Updates-Notifier – again free in wordpress.org)
- Make sure you and all your users have secure passwords
- Pray that life be good to you
I was keeping everything up-to-date and I had secure passwords, and I had faith in Life being good to me, but I neglected the other points. It cost me a full week of work, when I didn’t really have time for that at all. I hope this post will spare you a bit of that.