Do not neglect WordPress security

Day 15: #WP20 From Blogs to Blocks

An important lesson that I learned during launching a client’s website was to never neglect WordPress security.

Security might not be a priority for the client but when a site gets hacked or infected with malware on launch, it can destroy your reputation as a professional in the eyes of your client.

I am not going to name the website project here, but a few years back I worked on a WordPress website project for a POS company. Everything went well for most of the project. The project had come to me through a friend: he had first contacted another designer, who abandoned the project midway, so he contacted me about it. The money was good, so I got involved.

I didn’t have even the faintest idea that this would turn out to be such a nightmare down the road.

Within a few hours of the project being transferred to the client's own website, I got several calls from my friend, who was now managing the project.

He was worried and said that the CEO of the company was angry and would take us to court, as the website was infected with some malware and they kept seeing popups on it.

I thought that could not be happening, as I had installed security plugins on the website and they had raised no alarms or issued any warnings.

But the company sent us screenshots and a video showing the popups.

I checked the website in incognito mode, and lo and behold there were those weird popups all over the website.

Later, I learned that the malware was designed so as not to be visible to logged-in users. It built a list of the IP addresses from which admin accounts logged in and kept track of them. The malware was active for every visitor except those with admin rights (clever).
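The cloaking described above means the admin's own browser is the worst place to look for the infection. A practical check is to fetch the same page twice, once as an anonymous visitor (no cookies, ideally from a different network) and once from the admin's session, and diff what the two renderings load. The script below is an added example, not code from the original post; it takes two HTML documents you have already fetched and reports the script tags served only to the anonymous visitor. Both HTML samples are constructed for the example and are not captures from the site in the story.

```python
"""Spot cloaked injections by diffing two renderings of the same page.

Added example, not code from the original post. It assumes you have
already fetched the page twice: once as an anonymous visitor (e.g. with
curl from outside the office, no cookies) and once from the admin's own
browser or IP. The two HTML documents below are constructed samples.
"""
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.scripts = set()
        self._in_script = False
        self._inline = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.add(("src", src))
            else:
                self._in_script = True
                self._inline = []

    def handle_data(self, data):
        if self._in_script:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._inline).strip()
            if body:
                self.scripts.add(("inline", body))


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def cloaked_scripts(anonymous_html, admin_html):
    """Return scripts the anonymous visitor gets that the admin does not.

    Anything in this set was served only to non-admin visitors, which is
    exactly the cloaking pattern the post describes.
    """
    return collect_scripts(anonymous_html) - collect_scripts(admin_html)


# Constructed samples: the admin view is clean, the anonymous view carries
# an extra external script and an inline popup loader. The hostname is a
# placeholder (example.invalid), not a real indicator.
ADMIN_VIEW = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
</head><body><h1>POS Company</h1></body></html>"""

ANON_VIEW = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="//example.invalid/popup.js"></script>
</head><body><h1>POS Company</h1>
<script>window.open('//example.invalid/offer');</script>
</body></html>"""

if __name__ == "__main__":
    for kind, value in sorted(cloaked_scripts(ANON_VIEW, ADMIN_VIEW)):
        print(f"served only to anonymous visitors ({kind}): {value}")
```

Run it against real captures by replacing the two constants with the fetched HTML; an empty result from a genuinely external, cookie-less fetch is the evidence that the admin's clean view can be trusted.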

I was confused and enraged.

How could this be happening?

It is the worst nightmare for any web designer, developer or other professional: a website that presents issues at launch.

Now, I had to quickly do something about the problem.


My first step was to identify the issue.

I checked the website files and found that there was a strange duplicate copy of each file in each directory.
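Duplicate copies of every file are the kind of indicator that is easy to miss by eye in a large WordPress tree but trivial to find by hashing. The script below is an added example, not code from the original post: it walks a site root, hashes every file, reports files in the same directory whose contents are byte-identical under different names, and compares the tree against a baseline of expected hashes (the same idea as WP-CLI's `wp core verify-checksums` for core files, extended here to anything you choose to baseline). The sample site is constructed in a temporary directory; its file names and contents are invented for the example.

```python
"""Find look-alike copies and unexpected files in a WordPress tree.

Added example, not code from the original post. The sample tree built by
build_sample_site() is constructed for the demonstration.
"""
import hashlib
import os
import tempfile
from collections import defaultdict


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map each file's path relative to root (with '/' separators) to its SHA-256."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            hashes[rel] = sha256_of(full)
    return hashes


def duplicate_groups(hashes):
    """Per directory, group files whose contents are byte-identical.

    Returns {directory: [sorted name lists sharing one hash], ...},
    keeping only groups with more than one member. A copy of every file
    next to the original, as in the post, shows up here immediately.
    """
    by_dir = defaultdict(lambda: defaultdict(list))
    for rel, digest in hashes.items():
        directory, name = os.path.split(rel)
        by_dir[directory][digest].append(name)
    groups = {}
    for directory, buckets in by_dir.items():
        dups = [sorted(names) for names in buckets.values() if len(names) > 1]
        if dups:
            groups[directory] = sorted(dups)
    return groups


def baseline_violations(hashes, baseline):
    """Files absent from the baseline or whose hash differs from it."""
    return sorted(rel for rel, d in hashes.items() if baseline.get(rel) != d)


def build_sample_site(root):
    """Constructed WordPress-like tree: clean files plus planted extras."""
    clean = {
        "index.php": b"<?php require 'wp-blog-header.php';",
        "wp-blog-header.php": b"<?php // clean header",
        "wp-content/themes/shop/functions.php": b"<?php // theme functions",
    }
    planted = {
        # same bytes as the original under a new name
        "index.php.bak": clean["index.php"],
        "wp-content/themes/shop/functions.php.bak": clean["wp-content/themes/shop/functions.php"],
        # a file the theme never shipped
        "wp-content/themes/shop/wp-cache.php": b"<?php /* not part of the theme */",
    }
    for rel, data in {**clean, **planted}.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    # The baseline is the hash of each clean file only.
    return {rel: hashlib.sha256(data).hexdigest() for rel, data in clean.items()}


def scan_sample():
    """Build the sample site, scan it, and return (duplicates, violations)."""
    with tempfile.TemporaryDirectory() as root:
        baseline = build_sample_site(root)
        hashes = hash_tree(root)
        return duplicate_groups(hashes), baseline_violations(hashes, baseline)


if __name__ == "__main__":
    dups, bad = scan_sample()
    for directory, groups in dups.items():
        for names in groups:
            print(f"{directory or '.'}: identical content in {names}")
    for rel in bad:
        print(f"not in baseline or modified: {rel}")
```

On a real site, point `hash_tree()` at the document root and build the baseline from a fresh download of the same WordPress, theme and plugin versions; everything the scan reports is then either a legitimate local change or something to investigate.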

I searched Google for the malware and found some helpful information.

I worked all night that day and managed to send the clients a clean install.

But I had to return the money. All of it.

It was like a bad dream for me.


The thing I learned from this fiasco was to not neglect security. I don't know how the site files got infected with the malware. I suspected that the theme being used may have been infected, as it was not a theme from a popular author, or maybe some other site's files were infected and the malware migrated to this website too.

I had to clean out the entire hosting too after this malware infection. In fact, I bought whole new hosting.

The problem may have been that the security plugin was installed at the end of the website development rather than at the beginning. Maybe that gave the malware a chance to slip under the radar.

Whatever the reason may have been, I highly encourage each and every client of mine to not neglect WordPress security ever. I take special steps to harden the WordPress installations of my clients now and a security plugin is the first thing I install on any new website that I work on.

Do the same. I promise you that it will only save you in the long run.
