What to do if your website home page now say’s ‘The Site Ahead Contains Malware’

If you get to a website and you see the warning “Site Ahead Contains Malware”, you need to act fast.

If it’s not your site, you need to turn around because there could be malware on the website you are trying to access.

If the site ahead happens to be your own site, you need to act fast to fix the situation. This message indicates that your website is either infected with malware and/or has been hacked. Google crawls websites regularly to add new or updated content to the search index. These crawlers also can detect if your site has a malware infection.

If Google or other search crawlers find malware on your site, they immediately flag your site and display this warning to protect users from accessing the web site. This warning has detrimental effects on SEO, site traffic, and your credibility. It can also lead to your web host suspending your hosting account.

Why did your WordPress website get hacked?

Websites get hacked for the following reasons:

  • economic gain
  • drive-by downloads – malware injections
  • black hat SEO
  • system resources
  • hacktivism

How did your WordPress website get hacked?

Malware can infect your site in a number of ways:

  1. Plugins – An infection could have come through the plugins installed on your website. This can happen for several different reasons – a) old plugins without recent updates are prone to vulnerabilities; b) pirate software is free but often contains malware; c) you may have installed a plugin from an untrusted source.
  2. Your Computer Might Have Malware – Often when a computer is infected with malware, uploading a file to a website can lead to a website infected with malware.
  3. Brute-force attacks by hackers – Hackers can use a brute-force attack to guess your username and password and break into your website.

What do you do if your site now say’s “The Site Ahead Contains Malware”?

It’s important that you act fast. You will have to remove the malware from the website and then submit your website to Google for review. Google’s safe browsing policies that you need to follow before you submit your site for review are:

  • You need to log into Google Search Console and prove you are the owner of your website.
  • You need to make sure that your website is clean and free of any malware infections or backdoors.
  • You need to fix the vulnerability that led to the hack. We recommend installing the premium version of Wordfence.
  • If your host has suspended you for malware, you need to contact them and request they remove the suspension. Your website needs to be back online prior to submitting it to Google for review.
  • Call Connect4 Consulting at 202-236-2968 so we can help you with these steps.

How do you prevent “The Site Ahead Contains Malware” from happening again in the future?

If you’ve ever had the misfortune of finding yourself in this situation, it is imperative that you do everything possible to prevent it from happening again. To do that, implement the following procedures:

  • Make sure someone is actively managing the hosting of your website. That means you need to make sure that all plugins and WordPress are updated as soon as updates are available. You can’t just rely on hosting alone.
  • Install Wordfence or Wordfence Premium to protect your website.
  • Update WordPress regularly.
  • Only use trusted themes and plugins – stay away from free plugins or themes – particularly if there have been no updates in the last 3 months or more.
  • Remove inactive themes and plugins – the more elements you have on your website, the greater the opportunities a hacker has to break into your website.
  • Update website passwords, remove inactive users, limit login attempts, install an SSL Certificate.




Why Websites Get Hacked

I spend a fair amount of time working on new websites as well as fixing websites that have been hacked and this question always comes up:

Why would anyone ever hack my website? I’m just a small business owner.

Depending on who you are, websites get hacked for different reasons, but there are a few specific explanations.

Automation is key

Websites attacks that target small businesses and smaller websites are fully automated. The benefits of automated attacks provide hackers the following benefits:

  • Mass exposure
  • Reduction in overhead
  • Tools for everyone regardless of skill
  • Dramatically increases the odds of success (for the hacker)

The majority of these attacks are automated and follow a specific sequence:

  1. Reconnaissance
  2. Identification
  3. Exploitation
  4. Sustainment

While thinking about how these attacks occur, it’s important to address the two types of attacks: attacks of opportunity and targeted attacks.

Attack of Opportunity

Almost all small business website attacks are attacks of opportunity. This means that it’s not one individual or group that is trying to hack into your specific website, but rather a coincidence. Something about your site was caught in the trailing net as they crawl the internet looking for hacking opportunities. It could have been something simple like having a known plugin installed, or maybe displaying the version of a platform (displaying the fact that you’re using an outdated version of WordPress, for example).

According to Sucuri, a website security company, it takes about 40 days for a new website with no content or audience to be identified and added to a bot crawler. Once added, the attacks can begin immediately without any real rhyme or reason. It can be any website; the only commonality is that they are all connected to the internet.

These web crawlers then begin to look for identifying markers. Is the website running WordPress, Joomla, Drupal? If so, is the website running any software with known vulnerabilities or bugs in the code? If the answer is yes, the site will be marked for the next phase of attack, exploitation.

The sequence of events can happen in a matter of minutes, days, or months. It’s not a singular event; it’s ongoing and occurs continuously as the bot crawlers are scanning for vulnerabilities. Once your website is on the list, it will just keep on trying until it succeeds. This is why it is so critical to have someone actively managing your website and – at a bare minimum – updating software.

Targeted Attack

Targeted attacks are often reserved for big businesses, but not always. Think of the NBC hack in 2013 or the Forbes hack in 2014. There are many examples of these attacks lately but it’s obvious why there’s an uptick in this trend. Even though it requires much greater hacking skill, the payoff to the hacker can be huge. A very common type of targeted attack is called a Denial of Service attack in which the attacker works to bring down the availability of your site by overloading it with traffic.

Hacking Motivations & Drivers

Now that you have a better understanding of how these attacks happen, let me unpack some reasons why websites get hacked.

Economic Gains

The most obvious reason why websites get hacked is for economic gain. These are attempts to make money by your audience, either by getting them to click on something or download something.

Drive-by Downloads

A drive-by download is the act of injecting your website with malware and hoping to infect as many website visitors as possible. Think of someone visiting your website and then calling you because they installed a fake piece of software that you supposedly recommended on your website. Then their bank accounts were drained. Scary and very real and devastating.

Black Hat SEO

The other type of strategy are black hat SEO campaigns. These are not as devastating, but can be more lucrative for the hackers. This is the game of abusing your audience by redirecting them to pages that generate affiliate revenue.

System Resources

The business of farming system resources is a huge motivator for hacking groups. Botnets are nothing more than interconnected systems across the internet; these can be desktops, tablets, and even servers and they can be tethered together to perform tasks like Denial of Service attacks simultaneously. These attacks that target your system resources are dangerous because they can happen completely behind the scenes without you knowing what’s going on until you get a notice from your host – or worse, a huge bill – exceeding bandwidth.


The point of these website attacks often comes down to awareness and frequently consists of a hacker defacing your homepage. This form of attack can be combined with others, but more often than not they are somewhat benign and create more embarrassment to the site owner rather than affecting their site visitors.

Pure Boredom

Unfortunately boredom seems to come into play and often there is no real reason why websites get hacked.

Conclusion – Your Best Defense is Knowledge

It is easy to be overwhelmed by all of this, but we believe that your best defense is knowledge and if there’s any real take-away here, it is that you should

  1. hire someone to manage and maintain your website
  2. update whenever updates are available

Remember, security is not about the elimination of risk. Security is risk reduction. Take what you know and use it to lower your chances of getting hacked.

WordFence Security Update

We are seeing exploits in the wild appear within the last week for the following WordPress themes and plugins. If you are running any of these themes or plugins, check if there is a recent security update and install the update, or remove the item from your system if there is no security update. If you’re unsure, contact the theme/plugin developer or vendor.

  • Cubed Themes version 1.0 to 1.2. Remote file upload vulnerability. Distributed by themeprofessor.com. Exploit released on 9 November 2013.
  • Army Knife Theme, unspecified version. CSRF File Upload vulnerability. Theme is distributed by freelancewp.com. Exploit released 9 November 2013.
  • Charcoal Theme. CSRF File upload vulnerability. Distributed by the official WordPress repository. The theme hasn’t been updated for several years, so we recommend deleting all files from your system.
  • WP Realty Plugin may contain an email sender vulnerability. Please contact vendor for clarification. We’re seeing exploits that claim to exploit this hole. Plugin is distributed by wprealty.org.
  • The following themes distributed by orange-themes.com appear to contain a remote file upload vulnerability and we’re seeing exploits appear in the wild, all published around November 12, 2013: Rockstar Theme, Reganto Theme, Ray of Light Theme, Radial Theme, Oxygen Theme, Bulteno Theme, Bordeaux Theme. Please contact the vendor to find out of your theme is applicable and what action to take.
  • Amplus Theme version 3.x.x contains a CSRF file upload vulnerability. We’re unclear who the vendor is, but it appears to be Themeforest.
  • Make a Statement Theme version 1.x.x (also known as MaS ) contains a CSRF file upload vulnerability. Exploit distributed November 17, 2013. Vendor is themes.mas.gambit.ph.
  • Dimension Theme, unspecified version, contains a CSRF file upload vulnerability. Theme is distributed by ThemeForest. Exploit appeared November 17th, 2013.
  • Euclid Version 1 Theme contains a CSRF File Upload Vulnerability. Exploit appeared today. Theme is distributed by FreelanceWP.com.
  • Project 10 Theme, Version 1.0. Remote file upload vulnerability. Distributed by ThemeForest. Exploit appeared today.

Please remember: Deactivating a theme or plugin with a security hole does not make it safe. You need to remove all files from your system to remove the security hole in a theme or plugin. If your theme or plugin is listed here, don’t panic. First contact your theme or plugin author or vendor. Work with them to determine if your particular version contains the vulnerability we’ve publicized and get their advice on what action to take. If they are not contactable after a reasonable amount of time, work with your hosting provider or site developer to determine if you have a vulnerability and what action to take.

Source: www.wordfence.com


Security Holes in Two WordPress Plugins – WordPress Poll and Social Articles

There is a SQL injection vulnerability in WordPress Poll. Please upgrade to WordPress Poll version 35.0 immediately which was released a few days ago and fixes this security hole. We are currently seeing exploits for this vulnerability in the wild.

The Social Articles plugin appears to have an arbitrary file upload vulnerability in the current version which is 1.4. The vulnerability is in the upload-handler.php script included with the plugin. The exploit for this security hole is already in the wild. A fix has not been released yet so we recommend that you disable and delete the plugin until a fix is released.

Computer Viruses to Watch Out for: Cryptolocker and Ransomcrypt

Cryptolocker and Ransomcrypt – New, Serious Threats

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally lock computer screens while Ransomcrypt Trojans encrypt (and locks) individual files. Both threats are motivated by monetary gains that cybercriminals make from extorting money from victims.

Recently, a new threat detected by Symantec as Trojan.Ransomcrypt.F (AKA Cryptolocker) has been growing in the wild. Trojan.Ransomcrypt.F encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms which make it almost impossible to decrypt the files without the cryptographic key.

What is particularly scary about this new threat is that it is working. People whose data is being held ransom are paying up and there is a legitimate concern for copycats since this has proven to be a successful scam.

The screenshot below is what pops up if your computer is infected.


How to avoid the cryptolocker and ransomcrypt virus

According to reports from security firms, CryptoLocker is most often spread through booby-trapped email attachments, but the malware also can be deployed by hacked and malicious Web sites by exploiting outdated browser plugins.

Fortunately, there are a couple of simple and free tools that system administrators and regular home users can use to minimize the threat from CryptoLocker malware. A team of coders and administrators from enterprise consulting firm thirdtier.net have released the CryptoLocker Prevention Kit – a comprehensive set of group policies that can be used to block CryptoLocker infections across a  domain. The set of instructions that accompanies this free toolkit is comprehensive and well documented, and the group policies appear to be quite effective.

Individual Windows users should check out CryptoPrevent, a tiny utility from John Nicholas Shaw, CEO and developer of Foolish IT, a computer consultancy based in Outer Banks, N.C. Shaw said he created the tool to mimic the actions of the CryptoLocker Prevention Kit, but for home users. So far, he said, the CryptoPrevent installer and its portable version have seen tens of thousands of downloads.

CryptoLocker might be the best advertisement yet for cloud data storage systems. 

For further reading on cryptolocker see:

BleepingComputer discussion thread.

Malwarebytes: Cryptolocker Ransomware: What you need to know.

Naked Security (Sophos): Destructive malware Cryptolocker on the loose.


Reddit thread: Proper care and feeding of your Cryptolocker

Makeuseof.com: Cryptolocker is the nastiest malware ever and here’s what you can do

Ars Technica: You’re infected — if you want to see your data again, pay us $300 in Bitcoins


Secure your Website with Wordfence Plugin

The First Step in Securing Your Website – Install Wordfence

I’m going to start blogging about my list of go-to plugins. Plugins can sometimes be the weak link in a website, particularly when a site relies on too many plugins and no one makes it their duty to update plugins or find ways to hardcode around relying on them.

That said, some plugins are worth their weight in gold. And that’s particularly the case when you stumble across a free plugin.

Wordfence is the leading cyber security solution for WordPress

With wordfence, you can block a hacker even if they’re changing IP addresses by banning their network, their range of IP addresses, or even their entire country. If your site has been hacked, you can use source code verification tools to determine what has been changed and help repair hacked files, even if you don’t have backups. Wordfence combines data on the newest hacks and their sources and uses the data to block the newest distributed attacks. On top of all of that, wordfence has a regular blog and email post publicizing weak plugins and themes.

Download Wordfence or ask your wordpress administrator about it as soon as possible. It could be lifesaving. Or, at least website saving.

Website Security: Steps to Protect Your Site From Being Hacked

Recently a client of mine contacted me because his site looked like this:

Screenshot of a Hacked Website

Screenshot of a Hacked Website

78% of malware cases are attributed to outdated core applications, plugins or modules. That means an outdated version of wordpress, an outdated version of a theme, or an outdated version of a plugin.

Seven Steps to Prevent Your Website From Being Hacked

  1. Backup your site regularly to a location that is different from your website host.
  2. Update plugins, theme, and WordPress version whenever there is an update. Do not let versions lapse. Updates frequently exist because someone has discovered a security vulnerability.
  3. Remove themes and plugins that are not in use. Inactive themes and plugins can be used to access your website. Remove anything that is not pertinent to your site.
  4. Replace plugins that are more than 2 years old and have never been updated.
  5. Use strong usernames and passwords – a non english word with uppercase, lowercase letters, numbers and special characters.
  6. Change your nickname so it’s not your username. Otherwise you are giving hackers half the puzzle.
  7. Use a malware/security service like sucuri to protect your site.

What to do if your site is hacked?

  1. Keep a deep watch – hackers usually don’t hurry to mess with your site. They do everything slowly. If you think your site has been hacked, watch everything very closely.
  2. Hope that you have that backup in hand.
  3. Contact your web host – try to contact your web host immediately regarding the unnatural activity. Maybe they can help you or mayb they know something about it.
  4. Change your FTP/SSH login passwords – immediately change the FTP and SSH login passwords. And this time, choose completely different and stronger passwords.
  5. Change “admin” username. Do not use “admin” as your username. 99% of attacks take place with this username.
  6. Change password. The hackers know your password. So – change the passwords of all the admin accounts asap. Change the database password as well.
  7. Forced Logout. All users (and hackers) stay logged in until the cookies are expired. Because cookies will be valid even after the password is changed, you need to force everyone to logout. Go to – https://api.wordpress.org/secret-key/1.1/salt/ generate a new secrete key. Add the whole code in your wp-config.php file. If similar code already exists there, just replace it. This will invalidate all the set login cookies.
  8. Update WordPress version. If you’re using an older version of WordPress you really need to update it. This might be how hackers hacked you in the first place.
  9. If the above things don’t fix the situation, there is only one option and that is to create a fresh wordpress installation.

The real lesson here is relatively simple and goes back to that old Boy Scout mantra –

Be Prepared. Have a recent backup of your site. Know how to restore it or who to call in an emergency. Keep your website, content management system, and plugins up to date. Keep all of your username and login information someplace secure because you will need this for your website host and your domain name in an emergency.