Hi, I’ve been getting the same bunch of exe files uploaded to the root of my server for the past few weeks. I installed WordFence and also bought an expensive “Sitelock” service / firewall for $50 a month! Sadly my site is not making any money yet so this is a huge expense. I’m at my wits end and hope you can help. Thank you!
Hopefully this isn’t about your site…
There are many indications your site has been hacked. Seeing many unknown files is a clear sign. Seeing a warning from your web browser or Google Analytics is definitely something to take seriously. Seeing pages of your site listed in search engines containing content you didn’t write, is another common way of finding out your site is hacked.
I would say you do not need both WordFence and Sitelock, especially since your site is not making money yet. Use WordFence, and many sites can use the free version unless you see a paid feature you really want.
It is important to go through all the WordFence settings, to make sure that you have the most secure settings that will work on your hosting account. (Change a few settings, make sure everything works on your hosting account, then make more setting changes.)
The WordFence application firewall is especially useful for blocking malware from spreading. For example, an image slider plugin that has a security vulnerability might allow a hacker to upload malware instead of an image; but the firewall would likely stop it from running, so there would be no damage to your website. (It would likely alert you to any attempts to run that file, and recommend you delete it.)
Is the Site Still Hacked?
How confident are you that you have found the source of the “bunch of exe files” and removed it? Almost nobody should attempt cleaning a hacked site themselves. It truly requires an expert. Hire WordFence to clean your site, using the money you have been paying to SiteLock. (I have nothing against SiteLock, but most sites will be adequately protected with WordFence, especially if you are using a good hosting company.)
There are sites that offer “site scans”. However, these are not thorough assessments of every part of your hosting account. WordFence and Sucuri offer them, and they say clearly their free scans are not thorough.
For example, some hackers install scripts that “stay asleep” for a while, to avoid detection, and only act when the hacker has work for them to do. Said another way, your site could have been hacked months before you noticed anything wrong, or a site check noticed anything.
When the WordFence Application Firewall is installed on your site (different than scanning from outside your site), it can check every file for problems and every action your site takes, and every incoming request to your site. If the firewall reports your site is clean, you have much more certainty it is accurate.
How to Prevent Many Hacking Attempts
You should also look at removing plugins you do not need, and look at removing plugins that do not have excellent reviews in the WordPress plugin repository. Replace any plugins that have not had any updates recently. (Same rules apply for themes.) Do not simply deactivate them, you should delete them from all your WordPress installations. (Never have WordPress installations “lying around”, you must keep every installation of all your software updated.)
The hacker could have gotten in through insecure plugins. Don’t install plugins that haven’t been thoroughly vetted by the WordPress repository, and by your most technical friends/colleagues (or better still, your WordPress Meetup). Keep all plugins updated, and WordPress updated — many of those updates include security patches.
The hacker could have logged in as You, and installed malware. It is much easier than you think, for hackers to guess your password, unless you have a computer-generated password. Use a password keeper such as LastPass, have it store and fill in your login information on all sites you visit (and use it to store all other important data, e.g. your WiFi password, router administration login, credit card information, software licencse, etc.) Have your password keeper generate the longest password each site will accept (up to maybe 50 characters). No using the same password on different sites. See my Strong Passwords for WordPress for why you really need to use a password keeper, and how to make a hard-to-guess but easy-to-remember and easy-to-type password for your password keeper’s master password. (I also use a very good password for access to my computer.)
Another way hackers could get your login information is by your not using SSL. You must have SSL on every website. Why do you need SSL? Because without it, anyone with WiFi sniffing software can see the plain-text information sent by your WordPress forms, including your login form. When SSL certificates were expensive and hard to install, the rule was you needed SSL if you were doing anything ecommerce; now SSL certificates are available (on all the good hosting companies) for free and installation is “click a button”.
The hacker could have gotten in through your hosting company not having adequate security; now is a good time to assess whether you can evaluate hosting companies for WordPress security (most people can not). Many popular hosting companies have inadequate security.
What Hosting Company to Use?
The Arizona WordPress Meetup has many people who set up and maintain sites for clients, and they have identified very few hosting companies that are worth using for your website. I use SiteGround.
SiteGround is probably about the same cost as your current hosting company, if you picked your hosting company by price (most people do). But SiteGround provides excellent technical support and excellent website security.
On SiteGround and other excellent hosting companies, SSL certificates are free; unlike GoDaddy which charges more for SSL for a year than for hosting.
As a website developer, SiteGround provides many tools to make my job easier.
Could You Do It Yourself?
If you can’t hire WordFence to clean your site, if your site is a small enough number of pages, make a copy of Just the Text and Just the Images of your site, of every page. Then have your hosting company Wipe your entire site completely clean, every file, the entire database, every configuration setting.
Then install WordPress fresh, then WordFence right away, then only the plugins you need, then the default WordPress TwentyTwenty theme (or Astra theme) and Elementor page builder, and then remake all your posts.
That is the only way to have any certainty the hack is removed, if you’re going to “do it yourself”.
Leave a Reply