WordPress Hosting + Site Repair
Summary – If your wordpress site goes down make sure that your webhost has not altered your hosting. I did and maybe still do, have some malware on some sites. However, my core issue was a PhP update that took my sites down.
Advice – Don’t throw money at the problem until you know what it is! Change all your passwords. Read the posting for my story and links to other posts that offer reliable help.
Process of Detection and Repair
My site went down and several of my other sites were affected. I contacted my webhost, Bluehost, immediately. I noticed a major reorganization and new graphic symbolism on their site after sign in. The control panel (cpanel) that I use to control any issues is now under “Advanced” at the bottom of the sidebar. The hosting now opens by default on a page for WordPress management.
Call One – First I asked if my site had been moved by Bluehost. Previously, I had issues when a reorganization moved my hosting to another server location. I also pointed out the redesigned site and asked if there were major upgrades. I was told that Bluehost had not done anything to affect my hosting.
I was informed that I had malware on my site and that a Sitelock scan could identify the issues. I was surprised because when Sitelock was introduced to me, I was told it was a constant scan to identify any malware issues on my sites. If anything was found, I would receive an email.
Now that I have a problem, the Bluehost support told me that the free version is limited. They can run a scan on request, but I would be responsible for removing the malware myself. She offered to email me the scan when it was complete. The tech was not sure if there was a real time scan at all. there was a sales pitch for the paid version.
I will have to investigate Sitelock, “We secure websites by automatically finding and fixing threats”. So far, they are not inspiring confidence. It makes no sense for me to have to request a scan if they are “automatically finding” and the “fixing” is only in the paid version. I had a false sense of security because Bluehost told me I had Sitelock on my sites.
The scan would be an important tool. but I was still investigating the issues. I wasn’t sure that was the whole story as the sites were affected differently.
Repair One – Changed my hosting password. Noted that all the html pages were loading, but only the WordPress was affected.
Call Two – I contacted Bluehost support again with questions. This support individual apologized and told me that the scan could be found on my hosted files. Support technicians are not allowed to email clients. Good to know. I found the scan using file manager from the cpanel. This individual advised me to download affected files to my computer and repair them.
No way would I ever do that. I am always careful with downloads and it is not advisable to download possibly inflected files to your computer.
REPAIR Two – A Under the Advanced>cPanel>File Manager
Oh good it is still there. I found the Sitelock report and opened it, copied the text and pasted it into a text editor on my computer. The report is not in the folder public html so should not be affected. Even so, I am careful.
I saw a lot of PhP errors, but only a few traces of html malware. The ones I knew I could repair were code in html. I found them by using the power of the cPanel File Manager to search the online site for the offending code. I copied the code from the report into search and hit enter. Then I opened the affected file in the File Manager, removed the code and resaved.
Most of these files had been untouched for years according to the date listed. None of the repairs I completed fixed my sites.
REPAIR Two – B Check the internet for help – > The Medium
A super great post on the Medium. They advise having something like Sitelock but say:
A good security plugin would identify and alert you, in real-time, of all the changes made to your website.
That’s what I thought was happening, but it did not work as advertised.
The Medium article advises to check core wordpress files. They give some methods, but I have Jetpack installed on all my wordpress sites. Jetpack is a plugin made by wordpress and they have a good article with advice on my problem.
Another option is to completely reinstall WordPress to ensure all core files are clean. You can do that via Dashboard > Updates, by clicking ‘Re-install now.’ It sounds scary, but this will only replace the files at the very core of WordPress and will not remove or replace any of your content, media, themes, or plugins.
If you are a member of wordpress.com, you can access your sites and scan them from your account. My site checked out with no malware in core files.
My wordpress core files are good.
Call Three – Late at night, I reached a technician who really knew PhP. She Knew that Bluehost had updated to PhP 8.0 Then she investigated and found my sites were still using older versions. She updated the PhP connection and my site works.
I still have some sites that were not repaired.
Repair Three – I am now changing the admin passwords on all my sites and checking some that I maintain, but do not visit regularly.
A representative of Sitelock contacted me by email and by phone about my malware issues. He told me my personal site has malware that is “phoning home” and causing reinfection, so I need to purchase monitoring and cleaning.
It seems that any good technician could find the beacon that is contacting the infecting site and remove it.
I am not impressed by their lack of attention while using the free version and their slogan of “automatically finding and fixing issues”. My long experience shows that automatic is not the best. Why should I pay them so much for pressing “scan”, then “repair”?
I was amazed when he informed me that Jetpack and Akismet (now a part of Jetpack) may host malware. Certainly any file on a website can contain malware, but infecting these would be very tricky. As these plugins are made and supported directly by WordPress, it seems unlikely they would be the source of an infection.
WordPress is constantly monitored by the best in the biz and I trust them. It seems more likely that a plug-in or theme would be the source.
I do not think I will be employing Sitelock as my core problem was PhP related. They saw the scan and most of the issues were PhP not a html infection. They did not suggest that there could be am issue with PhP compatibility. They just talked about signing up and the cost of plans.
They seem a lot more interested in signing up clients than fighting malware.
I did have malware on my site, but I am in the process of changing all my passwords and removing the unused themes and plugins. The individual who phoned me did not even recommend that I do that when it is Step One!
There will be another post as I continue to follow the steps outlined in the article in the Medium and on the Jetpack site.