Troubleshooting Question

WP Vulnerability

APD Toronto
APD Toronto asked
on
38 Views
Last Modified: 2020-11-11
Hi Experts,

I have been advised that one of my website (www.iwscc.ca) is "at risk of being hacked" and was given the following link: https://wpsec.com/scan/?id=13e63ff19365e5de24974c2a583148a8

To view the report, I was prompted to open an account, then I'm prompted for 19 Euros per month.

Is the site indeed vulnerable? How can I get a report and correct? Is WPSec credible?

Terry Woods, Web Developer, specialising in WordPress
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
Not sure about its credibility (is the person that sent it to you trusted?), but I'd recommend installing the free Wordfence plugin and running a scan with that instead. It's very likely that any vulnerability would be detected, without having to purchase a report.
Terry Woods, Web Developer, specialising in WordPress
CERTIFIED EXPERT
Most Valuable Expert 2011

Commented:
Wordfence can also add a firewall to the site that can help block hacking attempts, though if you want to block vulnerabilities that are less than 30 days old, you need to pay for the premium version of the plugin. The free version is still very much worthwhile.
Dr. Klahn, Principal Software Engineer
CERTIFIED EXPERT

Commented:
Whenever somebody you don't know says "You have a security problem" and demands money to fix it, you're being scammed.  No ifs, ands or buts.  Reputable companies don't base their business on terrorizing clients.
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Your site has several items to fix.

1) Upgrade WordPress to latest level. The WordPress core version you're running is a bit old + several security fixes have been released.

And this is the least of your site problems.

2) Worst problem. You're running Visual Composer, one of the most hacked excuses for code ever written. More hacked than cPanel.

3) If you're truly concerned about security, you'll keep WordPress core + theme + all plugins updated every day.

And...

Never install code, like Visual Composer, which has a long history of hacks.

Note: Any new project I take on running hackable code, like Visual Composer, I lock down the site so no hacks can escalate to file changes, then remove Visual Composer from the site, which can be a very long process because VC uses shortcodes.
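Two of the points above can be checked without any paid service. The following Python script is an added example, not code from this thread, from WordPress or from Visual Composer: it audits a wp-config.php for the DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS constants (real WordPress constants that block editing, installing and updating plugin and theme files from the dashboard, which is the "no hacks can escalate to file changes" lockdown), and it inventories [vc_...] shortcodes in post content so you can size the Visual Composer removal job. The config text and posts are constructed samples; on a real site you would read wp-config.php from disk and pull post_content from the wp_posts table.

```python
"""Added example (not from the thread): audit wp-config.php for the file-change
lockdown constants and inventory Visual Composer shortcodes in post content."""
import re
from collections import Counter

# Real WordPress constants. DISALLOW_FILE_EDIT removes the theme/plugin editor
# from wp-admin; DISALLOW_FILE_MODS additionally blocks plugin/theme installs
# and updates from the dashboard, so a stolen admin login cannot push PHP to disk
# through the UI.
LOCKDOWN_CONSTANTS = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Matches define('NAME', true/false) in any spacing or case.
DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)


def audit_wp_config(config_text: str) -> dict:
    """Return {constant: True | False | None}; None means it is not defined at all."""
    found = {name.upper(): value.lower() == "true"
             for name, value in DEFINE_RE.findall(config_text)}
    return {c: found.get(c) for c in LOCKDOWN_CONSTANTS}


def missing_lockdown(config_text: str) -> list:
    """Constants that are absent or set to false, i.e. what still needs adding."""
    return [c for c, enabled in audit_wp_config(config_text).items() if not enabled]


# Opening Visual Composer shortcodes only ([vc_row], [vc_column ...]);
# closing tags like [/vc_row] are deliberately not counted.
SHORTCODE_RE = re.compile(r"\[(vc_[a-z_]+)")


def vc_shortcode_inventory(posts):
    """posts: iterable of (post_id, post_content).
    Returns (shortcodes per post, overall Counter by shortcode name)."""
    per_post = {}
    overall = Counter()
    for post_id, content in posts:
        tags = SHORTCODE_RE.findall(content)
        per_post[post_id] = len(tags)
        overall.update(tags)
    return per_post, overall


# Constructed sample config: the editor is explicitly left enabled and
# DISALLOW_FILE_MODS is never defined.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wp');
define('DISALLOW_FILE_EDIT', false);
/* That's all, stop editing! Happy publishing. */
"""

# Constructed sample posts, the kind of markup a VC-built page carries.
SAMPLE_POSTS = [
    (1, "[vc_row][vc_column][vc_column_text]Welcome[/vc_column_text][/vc_column][/vc_row]"),
    (2, "Plain post, no page-builder markup."),
    (3, "[vc_row][vc_column width='1/2'][vc_single_image image='12'][/vc_column][/vc_row]"),
]

if __name__ == "__main__":
    print("lockdown constants still missing:", missing_lockdown(SAMPLE_CONFIG))
    per_post, overall = vc_shortcode_inventory(SAMPLE_POSTS)
    print("posts needing rebuild:", [pid for pid, n in per_post.items() if n])
    print("shortcode usage:", dict(overall))
```

Two caveats on the lockdown half: DISALLOW_FILE_MODS also switches off WordPress's automatic background updates, so once it is set you need another update path (WP-CLI, or a deployment step) or the "keep everything updated every day" advice silently stops happening; and the audit only sees define() calls in the text it is given, so a constant set from an included file would be reported as missing.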
David Favor, Fractional CTO
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
As Dr. Klahn mentioned, anyone saying "You have a security problem. We can fix it for a nominal fee" is certainly nefarious.

Which suggests another concern I'd have for your site.

Many of these fly by night "site fix services" have the following business model.

1) Find a site that can easily be hacked.

2) Send a message like the one you mentioned above.

3) If you pay them to keep your site clean, great, no further action.

4) If you don't pay them + they know how to hack your site, many will hack your site, then....

5) You get a new email sequence with pricing much higher to "Now your site is hacked bad + we can fix it!"

Which is super easy, because they initiated the hack.

Big Tip: Anytime you get a message like this, imagine your site can be hacked + do your own site scans + fix every backdoor you can find.
APD Toronto, Software Developer

Author

Commented:
Hi, a couple of follow-up questions...

1- How can you tell which version I'm running and that I'm running Visual Composer?

2- I inherited this website, and never used Visual Composer before. If I remove it, will I lose all of the formatting? I assume yes, as I see shortcodes starting with [vc_....] all over.

3- To compare, how would you say the security for www.aces-project.com is?

4- For iwscc, I keep getting "An automated WordPress update has failed to complete - please attempt the update again now." - but it keeps failing. For aces, I don't get this.

5- Both sites are giving me "PHP Update Required", and both are on PHP 7.0.33, but as soon as I set either site to 7.2.34, both sites crash (Error 500), front- and back-ends.

6- Are the results given by WP through Tools > Security a sufficient guide?
APD Toronto, Software Developer

Author

Commented:
For ACEs I am able to do a successful scan with Wordfence, but for IWSCC I keep getting Scan Failed, referring me to

https://www.wordfence.com/help/scan/troubleshooting/?utm_source=plugin&utm_medium=pluginUI&utm_campaign=docsIcon#if-your-scans-arent-starting

From the list, the only point I'm uncertain of is "Check the database's tables"; here is my log php_error.log

Under Wordfence, I've also noticed