Amanda Wright founded Little Bird Web Services in London in 2009. At the start, they offered a huge range of services: graphic, branding and web design, email marketing, Flash development, SEO and web accessibility work. After a few years, Amanda homed in on what the company did best and wanted to offer, and decided to specialize in building and maintaining WordPress websites for small and medium-sized enterprises (SMEs), including nonprofits, local government and the public sector.
The company's focus is twofold: provide quality consultancy and web development, while also providing dedicated site maintenance for its WordPress clientele. Recently, they have expanded the site maintenance and consultancy offerings to non-clients.
We wanted to take on the remediation of WordPress sites that have real problems, such as being years out of date, having security or performance issues, or being so badly written that they are too bloated to run on a server without crashing it.
One particular client was running a large WordPress site on a standard shared Linux hosting account at TSOHost. Originally the site, and its SSL certificate, had been set up on an old server that didn't support SNI, so the site's HTTPS traffic was relayed through the host's own infrastructure and every request was logged as coming from an IP on the host's internal network rather than from the visitor. That left the server logs useless for attributing requests to a source address. Parts of the site had gone three years without WordPress core or plugin updates.
Amanda's initial assessment came as no surprise: the site had been infected with persistent SEO-spam malware. She spotted a file that, although it had a "wp-" prefix, was not part of a WordPress install and therefore should not have been in the site's document root. Her team regularly scanned the site with a third-party tool. The tool always identified the WordPress core files that had been altered to require the malware file, but could not identify the malware files themselves.
I used the free Sucuri site scanner to get confirmation of what kind of malware was running.
Although Amanda's team removed the malware manually, audited the site for security, hardened the install, changed passwords and updated WordPress core and the plugins, within 24 hours the malware returned, this time in the wp-includes folder rather than in the originally altered files.
Some of the plugins were orphans and needed to be replaced, so this took time. For the next couple of weeks we removed the same malware every 24 to 36 hours.
Additionally, Amanda and her team did a mass password change for all of the site's users, regenerated the authentication keys and salts, and changed the database credentials as well, which in her experience usually ends a WordPress infection. This time it didn't, and that was when she knew they would not be able to keep the malware out on their own.
Because the attacker's point of entry, the attack vector, could not be determined, Amanda sought out the Sucuri Firewall Pro package. It seemed the right fit for the client's ultimate goal of migrating the site to VPS hosting, and it provides a proactive layer of protection in front of the site rather than another round of clean-up behind it.
We spoke to a Sucuri support person before purchasing the product, and they gave some really good general advice about more ways we could harden our server security, as well as advising on the right product level for our site, helping us choose Pro; we had been considering Business. Within 3 minutes we received an email saying the scanner had found and removed the malware.
The problem wasn't just the repeatedly altered core files and their payload file, but the backdoor that allowed the reinsertion. Aside from the embarrassment to the client from links to pharmaceutical sites, Google downranked the client's site. As a result, they received a number of angry calls and negative social media comments, not to mention the overall impact on their reputation.
Working with the Sucuri customer support team, we got Server Side Scanning and the Firewall activated a couple of days later... The Sucuri support was very helpful in pinpointing the problem with the host server: the old server didn't support SNI, meaning that all traffic on the site was logged as coming from an IP on the host's internal network.
To date, the site is clear of malware and no longer links to online pharmacies in its search results. The site's service users are also no longer receiving spam.
The client was impressed with the speed with which the problem was cleared and has confidence that the site is protected. From my perspective, the Sucuri Antivirus and Sucuri Firewall are two more products that I can offer my clients who want their website secured.