Once you've had a manual malware clean completed by a SiteLock Security Analyst, it's critical that you review the email in full immediately. There are typically follow-up steps that need to be performed to keep the site functional and malware-free.

Removing the malware is only half of the battle. After the malware has been cleaned, the original vulnerability that allowed malware to enter your account in the first place still needs to be resolved. Failing to complete follow-up steps will result in a likely malware re-infection.

While SiteLock cannot provide the specific attack vector the malware used, your SiteLock Security Analyst will check for common malware entry points and make recommendations based on the findings.

By working together, we can keep your website secure against most malware attacks!

> Update CMS & Related Files

Content Management Systems (CMS) like WordPress, Joomla, and Drupal make it easy to manage websites, but they can also introduce vulnerabilities if they're not properly maintained. It is critical to keep your CMS updated regularly to ensure your website is secure against newly-discovered attacks.

--- Why CMS Updates Are Crucial

CMS platforms are constantly evolving to improve features, fix bugs, and most importantly, patch security vulnerabilities. Hackers often exploit known vulnerabilities in outdated CMS versions, plugins, or themes to gain unauthorized access, deface sites, or inject malicious code.

Failure to update your CMS puts your site at risk of being compromised through:

• Exploited vulnerabilities: Outdated software is one of the most common ways hackers infiltrate websites.
• Insecure plugins and themes: Even if the CMS core files are updated, outdated plugins or themes with vulnerabilities can lead to attacks.
• Reduced performance: Besides security, updates often enhance the performance of your website, ensuring it runs smoothly and efficiently.

--- Best Practice:

1. Enable Automatic Updates (When Possible)
   Many CMS platforms offer automatic updates for minor security patches. Enabling this feature ensures that your site gets updated as soon as security fixes are released, reducing the risk of exposure to known vulnerabilities. For major updates, you may prefer manual updates to ensure compatibility with plugins and themes, but security patches should be automatic whenever possible.
   
2. Regularly Check for Updates
   Even if automatic updates are enabled for minor releases, it's important to regularly check for new updates for your CMS, plugins, and themes. Major updates often include critical security fixes that automatic updates may not handle.
3. Backup Your Website Before Updating
   Always create a full backup of your site before performing updates. If an update breaks your site or causes a conflict, you can restore it to its previous state without losing data.
4. Store backups off-site
   Keep backups on a separate server or cloud storage to ensure they are safe if something goes wrong with the main server.
5. Monitor Plugins and Themes for Updates
   While CMS core updates are essential, don’t forget about the plugins and themes that power your site’s functionality and design. These components can also have vulnerabilities, and outdated versions are frequently targeted by attackers.
6. Set a schedule
   Allocate time weekly or monthly to check for updates.
7. Test updates
   Before applying major updates, test them on a staging environment to ensure compatibility and prevent potential issues.
8. Remove unused plugins/themes
   Deactivate and delete any plugins or themes you no longer use. Unmaintained code presents a security risk.
   
9. Use reputable plugins/themes
   Choose well-reviewed and regularly updated plugins or themes. Always download from trusted sources such as official repositories.

> Uninstall File Manager Plugins

A File Manager Plugin essentially adds convenience at the cost of security. By default, most hosts provide cPanel or a similar experience that has a secure file manager built in. Furthermore, hosts typically provide FTP access to allow users to create FTP connections to the site using a secure FTP Client like FileZilla.

Adding a File Manager plugin adds this powerful functionality to upload, download, modify, or delete files directly to the website level. Additionally, these File Manager plugins often have permissions to see files outside of just the website files.

What does this mean?

This means that if one of your website admins has a bad password, or clicks a bad link/email, the user may become compromised. The presence of a website-level file manager means this attacker now has direct access to the files for not just this website, but any other website hosted in the same account.

• Security Risks: File manager plugins often have vulnerabilities that hackers can exploit to gain unauthorized access to your site. These plugins provide direct access to your site's file system, making it easier for attackers to upload malicious files.
• Excessive Permissions: These plugins typically require higher permissions to manage files, which increases the potential for misuse, especially if they are not properly configured or if a vulnerability is discovered.
• Redundant Functionality: Most hosting platforms offer secure file management through services like FTP or SSH, which are more secure and controlled. File manager plugins can be redundant and unnecessary when you have these safer alternatives.
• Increased Attack Surface: The more plugins you have, the larger your site's attack surface. By removing unnecessary plugins, especially those with direct access to critical files, you reduce the chances of security breaches.

Best Practice:

For security and performance reasons, it's safer to manage your website files using your hosting account control panel or via FTP, SFTP, or SSH instead of relying on file manager plugins.

> Remove Backups from the Hosting Account

One of the most common ways to create a temporary backup is simply duplicating a directory full of files. This allows you to make changes, then fall back to the duplicated directory if there are issues. This may be a decent temporary approach, but oftentimes, website admins then leave the duplicated folder on the server. The thought process is, if they need to do a restore down the road, the directory backup will exist.

Unfortunately, this logic leads to many malware attacks. The duplicated directory still has executable code; just because there is not a live domain pointed to this duplicated folder, does not mean that an attacker can't use a temporary domain or IP to access the outdated code in the duplicated directory.

This duplicated folder ends up with the following issues:

• In the event of a malware attack on the live website, malware replicates through the file directory, infecting these improperly-stored duplicate directories, rendering them useless as backups, as they contain the same malware as the live website.
• In some cases, the improperly-stored duplicate directory may be the source of the malware. This is, after all, a directory full of outdated code sitting in the same location as the live, production website. This duplicate directory could lead to your live website becoming compromised.

Furthermore, these duplicated directories make remediating malware on your live website a real nightmare. Your SMART File Scanner may be scanning and removing the same malware from your website daily. This is a good sign that you have malware outside of the website root (often in improperly-stored, duplicate directories).

Best Practice:

The best practice is to backup frequently, and make sure those backups are stored in a location other than your web server. This ensures that, in the event of a malware attack that damages your website, you have reliable backups that have not been impacted.

The "low tech" solution is to create backups manually and store them in a secure folder on your computer. This is a manual process, so a consistent schedule is key.

Additionally, there are many website backup solutions available - from plugins to full service backup solutions like the SiteLock Backup.

Update Website Passwords

One of the most widely-known security tips is strong passwords, and for good reason. One compromised admin user can lead to devastating impacts on your website. It's critical that you do not reuse passwords. Third-party applications are compromised frequently, and data stolen from these third-party applications can end up in data dumps on the dark web.

These data dumps typically contain email address and password information for that compromised application. If you have used the same email address and password combo in other locations, all of those locations are at risk of compromise until the reused credentials have been updated.

This also opens you up to fake ransomware emails, where an attacker sends an email to your email address and provides your password as "proof" that they have access to your data. In a real ransomware attack, the attacker will encrypt your data and offer the key for a fee. These emails are a low effort way to leverage a compromised email and password into profit.

If you would like to check your email address against known data breaches, HaveIBeenPwned is a great resource: https://haveibeenpwned.com/

Website Password Best Practices:

• Use Strong, Unique Passwords
  • Length: Passwords should be at least 12-16 characters long.
  • Complexity: Include a mix of uppercase and lowercase letters, numbers, and special characters.
  • Avoid Predictability: Don’t use easily guessed information like names, birthdays, or common phrases.
  • Unique for Each Account: Avoid reusing passwords across different accounts. Each account, especially administrative ones, should have a unique password.
• Enable Two-Factor Authentication (2FA)
  • Add an extra layer of security by requiring a second factor, such as a text message code or app-generated token, in addition to the password.
• Regularly Review Website Users
  • Auditing your website admins, as well as the other roles that have elevated permissions, regularly is a great way to make sure you only have access provided to users who need them. A user may need temporary admin access to make a change, but unless that user is going to be making frequent changes, the access should only be provided for as long as access is needed. This is the principle of least privilege, and it's a great way to control access for your website.
• Regularly Change and Update Passwords
  • Periodically update passwords, especially for high-privilege accounts (like admin or server access). If there is any suspicious of a compromise, or following a malware clean, it's strongly recommended to update passwords.

> Install CAPTCHAs

Using CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) on your website forms is an effective way to enhance security and improve user experience. Here’s why incorporating CAPTCHAs is beneficial:

Prevent Spam and Bot Attacks

• CAPTCHAs are designed to differentiate between human users and automated bots. By requiring users to complete a CAPTCHA challenge (like identifying objects in images or typing distorted text), you can block bots from submitting forms, reducing spam and automated attacks.

Protect Against Abuse

• Forms on your website can be exploited for various types of abuse, including:
  • Comment Spam: Automated bots can flood your comment sections with irrelevant or harmful content.
  • Form Submission Flooding: Bots can overwhelm your server with a large number of form submissions, leading to potential outages or performance issues. CAPTCHAs help mitigate these risks by ensuring that only human users can submit forms.

Reduce Fake Account Creation

• CAPTCHAs can prevent bots from creating fake user accounts on your website. This is especially important for sites that offer user registration or require login credentials, as fake accounts can skew analytics, misuse resources, or cause security issues.

Enhance Security

• CAPTCHAs add an additional layer of security by verifying that interactions with your website are coming from real users rather than automated systems. This can help protect against credential stuffing attacks and other automated security threats.

Best Practice

Incorporating CAPTCHAs into your website forms is a proactive measure to protect your site from spam, abuse, and automated attacks while ensuring that interactions come from genuine users. Balancing security and user experience is key, so choose a CAPTCHA solution that fits your site’s needs and provides a smooth experience for legitimate users.