We’re failing at answering malware and hacked site questions in Facebook groups that are dedicated to helping people learn and troubleshoot WordPress. When it comes to malware and cleaning up websites, when I see someone post about it in a WordPress help group on Facebook, I cringe. Why? Because I know what type of dumb answers are going to be shared, and they aren’t always a completely true or thorough answer.
How we are failing at helping people learn about hacked sites and malware in WordPress
Some of the answers are usually:
- Use this plugin or that plugin.
- Make the host clean it for free.
- Statement: Malware is so easy to remove. It’s always so obvious.
- Use this malware cleanup service or that service.
- Do a scan and remove the files that come up.
There’s more that I’ve seen on different WordPress support groups over on Facebook, but generally, a lot of them are somewhat similar to this list.
Use this plugin or that plugin
A malware plugin or security plugin is not always going to pick up all malware. Even ClamAV and other outside scanners don’t pick up every type of possible infection.
Make the host clean it for free
The web host is not responsible if you use bad passwords (for the host, FTP/sFTP, database, WordPress), don’t update your site (WordPress core, outside scripts, plugins, themes), or don’t have working, clean backups (which would save you more headaches from cleaning, both time and money). YOU ARE RESPONSIBLE FOR YOUR WEBSITE. They won’t clean it for free unless it’s actually part of an add-on security service you previously purchased. Frankly, it’s even in most web hosts’ terms of service that you should be keeping any running scripts up-to-date too. That’s why some web hosts suspend your site until it is cleaned.
Statement: Malware is so easy to remove. It’s always so obvious.
FALSE! FALSE! FALSE! Because there are cases where malware and website virus scanners do not pick up everything, some things are not so obvious. I’ve seen some really badly infected sites over the years, even multiple types of infections, and I’ve cleaned a few thousand sites in the past decade and a half. Some I’ve had to hunt down manually. Some sites were so hacked that no files and a database was left. Some sites, ALL of it was gone, and the website owner didn’t have a single backup (even with the host).
This type of statement usually comes from someone arrogant and knowledgeable enough in malware cleanup and security, but usually not advanced enough. People who know better and have seen the worst of what can happen don’t say this type of thing.
Use this malware cleanup service or that service.
Great! But what if the person wants to try it themselves first? Why not nudge them in the direction of a tutorial first? THEN you can suggest a service. I like making money, but I’d rather at least give them the option of trying it out and also the option of choosing a service. Be helpful before selling something. They will choose what will work for them, and frankly, a tutorial may give them an idea of whether they really want to tackle cleaning up and re-securing their website.
Do a scan and remove the files that come up.
Okay? Sure. That’s all?
NO, IT IS NOT THAT SIMPLE. This type of answer helps no one. It doesn’t even address putting a security method in place, or other important things. It doesn’t address redoing all passwords, or even a backup plan. This is an incomplete answer. In this case, don’t even answer if you can’t be bothered to provide a proper sequence of steps for removing malware and securing the site, as well as other preventative security tips.
How can we add more value to the WordPress malware support questions?
Let’s be more helpful and thoughtful. The majority of users join WordPress support groups to get help, network, share knowledge, and, in some groups, even make money or promote their brand. The problem is that incomplete answers don’t really help anyone. It’s like throwing a lifesaver to a drowning person, but not doing anything to help lead them back to safety.
One of the pain points in the WordPress community is getting newbies help, whether just sharing a link to a proper tutorial resource, or giving them directions. It only takes moments, and believe me, from experience, they’ll appreciate it. If you’re burnt out, sit back and let someone else do it.
However, for those in the community who know security and know where some really great basic tutorials are, I’ve got a challenge for you. If you see a thread with malware and hacked-site questions, and the majority of the comments are incomplete answers on thoroughly cleaning an infected site, jump in and send them in the right direction. Don’t be afraid to point out that while some of the answers are right, they are not going to completely help them.
If you have done this, fantastic! It brings me joy to see that a new WordPress user has been helped.