Wordpress website was removed by hosting company

hello everyone,

I’m little bit perplex and like some 3d opinion.
An unlimited hosting company removed a client’s website saying some malicious code was inserted. As solution to put it back they asked client to removed old wordpress version, install new one, change ftp, mysql passwords. This is all I know. So, doesnt sound as big problem for me and I didnt request for details because client never payed a dime for this pretty big and very complex website and comfortable used it for two years, and now wants me to repair everything for free again.

Now what I’m concerned about. This is my first “hacked” website (I made around 20) and I dont want this happen again, or do my possible to prevent it. I must say, I advise my clients to go to shared hosting and I update their wordpress versions regularly. For this client, it was different, as he was cheap, he stayed with big unlimited hoster and never updated his wordpress version. Could the problem be there?

I strongly appreciate your opinion, thank you, guys!

I don’t use WordPress, but I believe old versions are vulnerable to hacking. One of the reasons for updates is to fix vulnerabilities. Sites can, of course be hacked in other ways, too. (I had a couple of static HTML sites hacked, so I can sympathise with the hassle this causes.)

The hosting company seems to have given good advice on recovering from this, but you might also find this detailed post helpful: http://www.sitepoint.com/forums/showthread.php?634630-Resources-on-web-application-security&p=5324870&viewfull=1#post5324870

I don’t use Wordpress either but it is a constant target, it’s worth checking a site like http://www.cvedetails.com/product/4096/Wordpress-Wordpress.html?vendor_id=2337 for new vulnerabilities and make sure you have a system in place to make sure your clients site are regularly updated.

As far as the hosting company removing the site, I don’t blame them, especially if the vulnerability could have affected other sites on the same server. They probably say something about their removal policy in their terms?

At the end of the day no system is foolproof but the three that get touted a lot (Wordpress, Drupal, Joomla) all have a long history of having many vulnerabilities. That’s the risk you take when you use one of these…

“Big” hosting companies are ousting WordPress installs more than is made public so expect to see more of this in the future. Support departments just don’t have the bandwidth/staff to fix everyone’s WordPress installs for free once they’re hacked. And, too many WP novices are doing WordPress setups without installing the appropriate security.

Small hosting companies have gone the other direction and charged their WP hosting clients monthly maintenance fees for $20-$100/month to go in every week to keep the plugins and WP version up-to-date. The other problem that comes into play is customization. It’s hard for a hosting company to just activate the “auto-updating” features because plugin updates can conflict with customizations. Then they have another problem on their hands…restoring the custom features/design that were added prior to the updating.

So, there you have the two opposing problems. Present that to your client and then offer to fix the problem and then charge a monthly maintenance fee that you feel is fair to keep the site clean from malicious code.

Always have sections in your development contract that state what maintenance and warranty is included and over what period. Have exclusions based on hosting choices if necessary, and to make it doubly clear, state what maintenance tasks are NOT included.

It’s particularly important with wordpress - there can be a large overhead of maintenance of the core, themes and plugins. What happens if the host switches to a newer php version? What about when a new version of internet explorer comes out and breaks stuff? All needs to be contractually covered unless you want to end up spending a lot of time doing unpaid work.

I won’t use WP unless a client requires it. If that’s the case, I require the client to check DAILY for WP updates (with follow through, if required - I also demand that any extensions be updated, too). As stated above, the reason is that WP installs are hacked VERY often because their webmasters do not perform this very necessary task.

WP installs, when hacked, can be used to send massive amounts of SPAM (not to mention defacing the associated website) and, if not completely deleted and all but the ORIGINAL admin’s access removed from any database restoration, it’ll be hacked again (via installed back doors) almost immediately.

I’ve seen some WP users say that there are WP extensions which offer increased security but I have my doubts that they would protect the underlying code when an attack vector is discovered.

I’m not saying that other CMS’s are any better. WP is the most popular and, therefore, is the most used (and, therefore, the most targeted).