Hacking update, and new WordPress security policy

Mon, 11 Mar 2019

If you do not have a WordPress website hosted with Virtual Creations, you can ignore this message entirely.

If you DO have a WordPress website (specifically WordPress), and it's hosted on our servers, then this message contains IMPORTANT information about your continued service with Virtual Creations.  Please read this entire message carefully.

If you're not sure what type of website you have, please reply to this email and ask, and we'll tell you.


The important points from this email are as follows...
  • In the last two weeks, as many as 60 WordPress websites on one of the Virtual Creations servers were compromised by hackers
  • The hackers got in via vulnerabilities within WordPress (mostly out-of-date or abandoned plugins), and NOT via any vulnerability in the server itself
  • We cleaned up all the hacked websites and fixed the vulnerabilities at great expense.  We have decided NOT to pass these expenses on to you, the website owner
  • We are implementing a more stringent policy about compromised or vulnerable WordPress websites.  Any such cleaning/fixing that we perform in future will be a chargeable job.


About two weeks ago (approx. February 22nd), hackers began targeting WordPress websites on our server.  They were successfully able to compromise up to 60 websites (which should give you some idea of just how vulnerable WordPress is as a platform).  This was a planned and coordinated attack, from more than one hacker (or group of hackers).  It seems to have been planned for some time.  They inserted malware (malicious software) onto most of these websites, such as phishing websites, spam-bots, etc.  Many of the compromised websites were reported to Google, who immediately blacklisted the sites, meaning that anyone attempting to visit such a site (in the Chrome browser, and some other browsers) would see a big red WARNING page instead of the actual website.  This blacklisting was correct behaviour by Google, in response to a very real danger to other web consumers.


In every instance that we could detect, the hackers gained unauthorised access by exploiting vulnerable WordPress PLUGINS.  Specifically, the following plugins were identified as dangerous:
  • StatPress Reloaded
  • Viper's Video Quicktags
  • My Page Order
  • Facebook Fan Box
Some of those plugins had inadvertent vulnerabilities in them, while at least one was deliberately malicious.  It's fairly easy for a hacker to determine whether a WordPress website is running any of those plugins, and then it's not too difficult for an experienced hacker to use the vulnerabilities to take control of the website, and possibly even the entire hosting account that the website sits in.
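A way to check every WordPress install under a hosting root for the four plugins named above, by reading each plugin's "Plugin Name:" header rather than trusting its folder name. This is an added example, not the script used in the clean-up; the account names, folder names and the cPanel-style public_html layout are constructed for illustration.

```python
import re
from pathlib import Path

# Plugin names as listed in the notice, lower-cased for comparison.
FLAGGED = {"statpress reloaded", "viper's video quicktags",
           "my page order", "facebook fan box"}
# Same shape as the header line WordPress itself looks for in a plugin's main file.
HEADER = re.compile(rb"^[ \t/*#@]*Plugin Name:(.*)$", re.I | re.M)

def plugin_name(php_file):
    """Return the 'Plugin Name:' header value, or None if the file has none."""
    with open(php_file, "rb") as fh:
        head = fh.read(8192)                 # WordPress only reads the first 8 KB
    m = HEADER.search(head)
    if not m:
        return None
    name = m.group(1).decode("utf-8", "replace").strip()
    return name.replace("\u2019", "'")       # treat curly and straight apostrophes alike

def audit(root):
    """Return [(site path relative to root, plugin name)] for every flagged plugin."""
    hits = []
    for plugins_dir in sorted(Path(root).rglob("wp-content/plugins")):
        site = plugins_dir.parent.parent.relative_to(root).as_posix()
        # A plugin's main file sits in plugins/ itself or one directory below it.
        candidates = sorted(plugins_dir.glob("*.php")) + sorted(plugins_dir.glob("*/*.php"))
        for php in candidates:
            name = plugin_name(php)
            if name and name.lower() in FLAGGED:
                hits.append((site, name))
    return hits

def build_sample_tree(root):
    """Constructed sample data: two made-up hosting accounts under root."""
    base = "public_html/wp-content/plugins/"
    samples = {
        "alice/" + base + "statpress-reloaded/statpress.php":
            "<?php\n/*\nPlugin Name: StatPress Reloaded\n*/\n",
        "alice/" + base + "hello.php": "<?php\n/*\nPlugin Name: Hello Dolly\n*/\n",
        "bob/" + base + "vvq/vvq.php":
            "<?php\n/**\n * Plugin Name: Viper\u2019s Video Quicktags\n */\n",
        "bob/" + base + "vvq/inc.php": "<?php // helper file, no header\n",
    }
    for rel, text in samples.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for site, name in audit(tmp):
            print(f"{site}: {name}")
```

The check reports plugins present on disk whether or not they are activated in WordPress, so it also catches a copy that was reinstalled after being deleted.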

At no time did hackers gain access to the entire server.  They compromised many websites, and some hosting accounts, but not the server as a whole.

You may wonder how they got in if your website contained security plugins, such as WordFence.  Such plugins can alert you about out-of-date or abandoned plugins, or if someone logs in as an administrator - but usually such warnings are either configured not to be sent, or never read, or ignored.  And these security plugins can't detect all possible avenues for attack, nor every instance of a hostile takeover.  Sometimes the first thing the hacker does is simply remove those plugins.


We (Virtual Creations) became aware of the issue very quickly.  In response, we paid a security consultant to investigate.  The consultant identified the vulnerable plugins for us.  Then we asked them to do the following, for each website...
  • Restore the website from a recent backup, one that had not yet been compromised
  • Remove the vulnerable plugins.  They were simply deleted
  • Change the WordPress admin password(s), and sometimes the hosting account (cPanel) password
  • Scan the website for any remaining malware, and remove it if any was found
  • Install security plugins, such as WordFence and Sucuri, if they were not already installed on the website
This took a couple of hours per website.  Big job!

This work, along with fielding numerous calls and emails from you (our clients) about why your website is not working, took hundreds of man-hours and cost us thousands of dollars.  For various reasons, we decided not to pass these costs on to you, the website owners.  Not this time.  Next time we will have a different policy (see below).


Hopefully very little.  As far as we're aware, all websites are back online.  Some possible repercussions are...
  • Some recent changes to your website may have been lost.  This is one of the side-effects of restoring a website from a backup.  We recommend that you check your website for any changes that you've made recently - you may need to make them again.
  • If your website was running any of those (now deleted) plugins, then the legitimate functionality of those plugins will have been lost when the plugins were deleted.  You may need to find alternative plugins to recreate that functionality.  Do NOT simply reinstall those same plugins!
  • You may now not be able to log into your website using your regular WordPress admin username.  If this is the case, then please use the "lost password" facility built into WordPress to reset your password.  If this doesn't help, then please email us and we'll send you the current password.


The bottom line is:  Issues like this are always the responsibility of the website OWNER - not the website developer, and certainly not the hosting provider.

When determining responsibility, it's a good analogy to think of your website as a "house".  Someone built the house for you (the web developer).  In this analogy, it's not possible for you to own "land" for the house - that "land" must be rented from a "landlord" - i.e. your hosting provider (which in this instance is us - Virtual Creations).  You own the house, we rent you the land to put it on.  Make sense?

In this analogy, the hackers are like thieves trying to get into your house.  In all likelihood you have dutifully locked all the doors and windows, but the hackers have discovered a vulnerability in the type of windows in the house (allowing them to be possibly removed or dismantled), or the air-conditioning ducts, or some such, and used them to get into your house and do naughty things.  These vulnerabilities were unknown at the time that the house was built, of course.

As your hosting provider (your digital landlord), we are in no way responsible for vulnerabilities in the HOUSE.  Our responsibilities extend only as far as the LAND (and to ensuring that your house maintains a reliable connection to the grid - the rest of the Internet).

If we also are the people that DEVELOPED your website (built the house) for you, then we have further responsibilities:  It is our responsibility to inform you about what a horribly vulnerable platform WordPress is, in general.  WordPress has many benefits:  It's FREE, and hugely flexible, and has thousands of highly useful plugins - all of which make it the number one choice for developing websites worldwide.  But a huge hidden drawback of WordPress is that it's easily hacked.  Thousands of WordPress websites worldwide are hacked daily (last week it was your turn!).  Whoever developed your website should have informed you about this risk.  If that was us (Virtual Creations), then it's likely that we did NOT inform you (we have never had a policy for doing so), and that's on us - we should have done so.  Apologies for NOT doing so.  That's the main reason that we decided to clean up this mess this time, free of charge.

So here is the warning that we should have given you before we developed your website (if it was us):

Owning a WordPress website is an ongoing headache.  It's vitally important to keep it up-to-date on a regular basis (weekly, or even more often).  Even if you do, it can still get hacked.  It's generally a good idea to install security plugins like WordFence.  Even if you do, it can still get hacked.  All you can do is LOWER the risk, but the risk never goes away entirely.

We have, for many years, offered a service to do all of this for you.  Details below...


Truth be told, this new policy is not new.  It's been around for several years (see here:  https://www.virtualcreations.com.au/dbpage.php?pg=view&dbase=news&id=70&tmplt=*Normal.htm).  But now it is slightly refined, and will be strictly enforced...
  1. Any WordPress website found on our server to be compromised will have its entire hosting account (website(s) and/or emails) immediately suspended.  This also applies to any hosting account found to be sending out spam emails.
  2. We will contact you and advise you of the suspension
  3. Unsuspending the hosting account will cost $60 (plus GST for Australian clients).  If you are, at the time, taking advantage of the service we offer to keep your WordPress website up-to-date (see below), this fee will be waived.
  4. Unsuspending can only happen when a website developer (or anyone capable) has been engaged to clean the website, and they are ready to do so.  We will not unsuspend the hosting account until they are ready to start work on cleaning the website.
  5. If you or the website developer ask us to restore the website from a recent backup, the fee for this will be $40 (plus GST for Australian clients)
  6. If you do not have a website developer to call on to perform this work, then we (Virtual Creations) can do it for you.  This work will be charged at $120 per hour (plus GST for Australian clients).  It will likely take about an hour, perhaps two.
I understand that this policy may seem unduly harsh, or overly expensive.  For these reasons, you may decide that you no longer want your website hosted with us.  That would be a reasonable and understandable decision, which we will fully respect, and we will assist you in any way we can in getting your website transferred to another provider.  We will offer you a pro-rata refund of your hosting charges and your WordPress security charges (if you pay them).


You may be aware of the service we offer whereby we regularly (about once a week) log into your WordPress website and ensure everything is up-to-date:  Plugins, themes, and WordPress itself.  The service also includes running regular security scans (malware, etc).  We have offered this service for years, and many clients already take advantage of this service.  It simply relieves the burden of you having to do that yourself.

This costs $50 per year (plus GST for Australian clients).

This service will dramatically reduce the risk that your website will be compromised.  But a small risk will always remain.  Even if we are regularly performing these security services for you, your website may still be hacked.  And if it is, our policy (above) will still apply.  The service simply reduces the risk.


Thank you for reading this far.  I hope everything is clear.  If you have any questions, please don't hesitate to contact us.