Normally when a potential client brings you a site that has been hacked, you do everything you can to get it cleaned thoroughly. That includes updating WordPress, the plugins, and the theme to their latest versions, since new releases often contain fixes for recently discovered security issues.
But what do you do if that client says there is custom code in WordPress or in the plugins, code the site needs, which updating WordPress and the plugins would overwrite? They are worried that updating WordPress, the plugins, and the theme will break something the site depends on.
The WordPress blog of a friend of mine has been hacked. It’s his fault because the core and a lot of plugins are out of date, but he customized a lot of code and now he doesn’t want to update and manage (pay for…) the maintenance on the customization. I’ve reverted back the posts into pages, restored original revisions, changed all the passwords. I’ve installed a WP security plugin. Now the site is apparently back to normal condition, but I’m not allowed to update the core nor the plugins, so it’s not a safe condition. What other things can I do to prevent this kind of attack again?
What Exactly Are the Changes For?
Site owners have little ability to predict whether a change they want, which may be a big change visually, will take a slight tweak or a major change in the code. Developers have that expertise, not people whose businesses are something other than website development.
Most of the time, the changes made to WordPress or plugins are small changes from a developer’s point of view. No matter how the change looks on screen, in code it is usually a very small change. Developers know that big changes are better done by writing a plugin specifically for this site’s needs. Developers with the skills to make large changes to a WordPress site know how to write a plugin, and know the problems that come with patching someone else’s plugin or WordPress core.
Good developers know WordPress well enough to know what small changes will produce the results; good non-WordPress developers might be able to make a change but in a way that is incompatible with WordPress updates; bad developers make changes not knowing what WordPress updates will do to their changes.
Said another way, only amateurs make direct changes to plugins written by someone else and updated by someone else. (That is of course different from submitting fixes or improvements to the author of the plugin, hoping they will be incorporated into future releases.)
The changes are likely to be inserting code for some external script, or changing the HTML of something: small, targeted, specific changes. There are always better places to make these changes than in the WordPress core files.
These probably seem “major” to the site owner, bringing some obvious visible changes to the site. But these would not be major changes for an experienced developer. These changes very likely can be brought into a simple plugin, or into a child theme’s CSS. Or maybe WordPress now has features that handle the information directly, no modifications needed. Examples would be incorporating YouTube videos, or Google Analytics code.
Find out what the customized code is, and you might discover that there are simple ways of accomplishing the same thing while keeping your plugins and WordPress itself updated.
While you are identifying the changes made to your site’s code, also have a programmer assess whether there are security risks in that code. Any form handling must be coded to prevent SQL injection. Any file uploads must be carefully screened so that malware cannot be uploaded: on most hosting accounts any PHP file placed under the web root will run when requested, so if hackers manage to install a single file they can take over everything on your site. (Upload only into the default uploads folder, and have security blocking execution of all files in that folder; allow only image and audio files, and still validate those as genuine image and audio files.)
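As an added illustration, not code from the original post, here is a minimal site-specific plugin that puts those three points into practice: it blocks execution in the uploads folder, allow-lists upload types to images and audio, and handles a form with a nonce check and a prepared statement. It assumes Apache 2.4 with .htaccess overrides enabled and a hypothetical subscribers table; all `example_*` names are invented for this illustration.

```php
<?php
/* Plugin Name: Example Site Hardening (illustration only)
   Description: Site-specific code in its own plugin so core, theme and other plugins update freely. */

// 1. Block execution of anything in the uploads folder (Apache 2.4, assumes .htaccess
//    overrides are enabled; on nginx use an equivalent "location" rule). Runs once on activation.
function example_protect_uploads_dir() {
    $dir   = wp_upload_dir()['basedir'];
    $rules = "<FilesMatch \"\\.(php|phtml|php[0-9]|phar)$\">\n    Require all denied\n</FilesMatch>\n";
    if ( ! file_exists( $dir . '/.htaccess' ) ) { // do not clobber an admin's existing rules
        file_put_contents( $dir . '/.htaccess', $rules );
    }
}
register_activation_hook( __FILE__, 'example_protect_uploads_dir' );

// 2. Allow-list upload types: images and audio only, as recommended above ($mimes is replaced, not merged).
add_filter( 'upload_mimes', function ( $mimes ) {
    return array(
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'mp3|m4a|m4b'  => 'audio/mpeg',
        'ogg|oga'      => 'audio/ogg',
    );
} );

// 3. Front-end form handler: nonce check, sanitization, prepared statement.
//    Assumes a hypothetical table {$wpdb->prefix}example_subscribers (email, created) created elsewhere.
add_action( 'admin_post_nopriv_example_subscribe', 'example_handle_subscribe' );
add_action( 'admin_post_example_subscribe', 'example_handle_subscribe' );
function example_handle_subscribe() {
    global $wpdb;
    $nonce = isset( $_POST['example_nonce'] ) ? $_POST['example_nonce'] : '';
    if ( ! wp_verify_nonce( $nonce, 'example_subscribe' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }
    $email = sanitize_email( wp_unslash( isset( $_POST['email'] ) ? $_POST['email'] : '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }
    // User input is bound as a %s parameter, never concatenated into the SQL string.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}example_subscribers (email, created) VALUES (%s, %s)",
        $email,
        current_time( 'mysql' )
    ) );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
```

The form that posts to this handler needs a hidden field produced by `wp_nonce_field( 'example_subscribe', 'example_nonce' )` and an `action` field set to `example_subscribe`, submitted to `admin-post.php`.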
Should You Update?
What is the cost to their business of losing the custom code?
What is the cost to their business of the site being hacked again, perhaps very soon? How is their reputation affected? How is their “reputation” with the search engines affected?
If the changes were for important business information being displayed, move the changes into a properly written plugin.
The costs of getting hacked almost certainly outweigh the costs of re-doing the changes the right way. Update early, at least weekly.
What order do you perform updates in? Update your plugins, then your theme, then WordPress. There could be changes in the plugins to make them compatible with upcoming changes in WordPress, so update WordPress after the other updates. And, update WordPress now.
What if there have not been any updates in a very long time? It is probably best to update a few minor versions at a time, so that any changes to the database are more likely to be applied correctly. (Plugins, themes, core, in that order, a few months’ worth of releases at a time.)
Do They Really Need to Re-Think Their Site?
Have they clearly identified the specific people they want to talk to, so they can write as if to a single person, addressing exactly what that person is looking for?
Do they know what problems that specific person is hungry to solve, that they can take care of?
The old site is very likely not focused on the right person, or even worse is talking to “everyone” (which winds up meaning “no one”). The old site likely takes no account of what search engines look for, which is current, relevant content matching exactly what their users are searching for.
The old site likely doesn’t work well with mobile devices, which might be the biggest group of visitors that might become customers or clients.
Is it time to redo the site, to fit what they want to accomplish with their potential clients via their website?
What questions should the site answer for people? What is important to their visitors, that they really want to see on the site? What actions do they want visitors to the site to take? How can the site best have people interacting with them?
Even if only briefly, find out what they want with their site, before updating it.
Maybe the way to stop the malware is to quarantine the entire site and copy the text content into the redesigned site.
Ongoing WordPress Maintenance
I do WordPress maintenance for small businesses. I know how to keep sites working well. Maybe it will make sense for you to have me take care of your site for you, so you focus on what to say to your visitors.
Don’t get hacked, especially not again. I’ll keep your site safe.