The Nightmare!

Hi everyone!

I have not been busy with my blog in the last couple of months because of other pressing priorities (that lasted longer than I expected).

I’m wondering if any of you used the MailPoet Newsletter plugin to collect subscribers info on your WP blog?

For those of you who did, here is a word of advice: EVEN IF you kept it up-to-date, you should immediately check your site for malware. I’ve used Anti-Malware and Sucuri plugins (both free on and found malware in all of my WP installs that had the MailPoet Newsletter plugin installed…

Insidious, invisible, bad news.

The thing is there was a vulnerability that was found only in June and by the time they issued the updates, most sites were already infected. Except all sites were still running smoothly in the front-end. Late in July, they realized that and sent another update (the first one was not enough) and THEN told us to check our sites with anti-malware. So even if you had kept everything up-to-date (like I had) your sites could be infected without you knowing it because the front-end was still working fine.

If you’re lucky, it’ll be a very easy operation. I’ve been lucky. On my own sites, there were a few intrusions, all easily removed. On one of my clients’ sites, however, things were different. The client had given an administrator account to a supposed expert (!), and that site has been hit so badly I had to have my own hosting provider (I’m a hosting reseller) check the site thoroughly and they still found malware code after running checks & cleaning up with plugins (the Anti-Malware plugin has been updated with that data afterwards). I _strongly_ suspect my client’s so-called expert’s password was too weak and opened the door because it’s the only site that was so badly hit.

Secure passwords

I’m a hosting reseller and site developer, and I always ask my clients, in the contracts I have with them, to use secure passwords:

  • more than 8 characters
  • a mix of small and capital letters, figures and symbols
  • NO word that can be found in a dictionary (even in a foreign language – robots access ALL dictionaries)

This may not make the sites impenetrable, but looking at my other sites where passwords are secure, it certainly proved useful this time.

Don’t trust what you see

The other lesson for me here was that I couldn’t trust what I was seeing. All my sites kept running smoothly. NOTHING was visible on the front-end (visiting the site). Which means my sites (and hosting space) were most likely used to do spam or launch various attacks on other sites or maybe simply used as a space resource.

Losing ranking

The bad thing about this, besides the fact it makes you an accomplice to bad stuff going on on the Web, is that you might end up with your site blacklisted and you will likely lose your ranking on Google. Why? Because if your site is infected, Google will pick up on it and until your site is cleaned up, forget ranking…

Bottom line lessons for me

  1. Keep everything up-to-date
  2. Don’t trust the fact that your site seems ok when you visit it.
  3. Install malware-checking plugins
  4. Install a plugin that will let you know when WordPress, your theme or your plugins need updating, so you don’t have to go check every day (I installed WP-Updates-Notifier – again free in
  5. Make sure you and all your users have secure passwords
  6. Pray that life be good to you 🙂

I was keeping everything up-to-date and I had secure passwords, and I had faith in Life being good to me, but I neglected the other points. It cost me a full week of work, when I didn’t really have time for that at all. I hope this post will spare you a bit of that.




6 Responses to The Nightmare!

  1. Catherine says:

    Thanks Marie. I haven’t used that plug-in, thankfully. I do have Sucuri installed and have done a check on my blogs, but I don’t think I would know how to remove malware even if I found it!

    • Marie Di says:

      Hi Catherine,
      Anti-Malware, when it finds hacks, cleans them up itself (you just have to click a button). I have not yet used Sucuri to check and clean the site, only as protection, but I would think it would do the same – clean up once the malware is found.
      Good for you if you never found any 🙂

  2. Hi Marie,

    Thank you so much for this valuable information. I have used anti-malware plugs for a while, and I am sure that I would have been in trouble at some point or another without it.

    However, great advice on the passwords, and I need to police this more seriously.

    Thanks again.

    Dave H

  3. Sandy Tan says:

    Thanks for this post Marie. Would like to ask if there is any trusted anti-malware plugin to recommend? Thanks again 🙂

  4. Marie Di says:

    I’m no expert at this. I went through the repository of plugins and I chose two, which I named in my post: “Anti-Malware” and “Sucuri” plugins, both on Good luck!
