Key Takeaways

  • Update Plugins and Themes to Prevent Malware Infections. Outdated software is the main cause of malware infections. Keeping plugins and themes up to date is crucial for site security.

  • Scan and Clean Infected Sites Promptly. Contact support for deep-level malware scans and cleaning on the WP Engine platform. Quick action is essential to prevent further damage.

  • Utilize Reliable Malware Detection Services. Services like Sucuri offer full scans for malware detection. Providing evidence of malware helps expedite the scanning process.

  • Change Admin Passwords and Run Anti-Virus Scans Post-Cleanup. After a malware cleanup, change all admin passwords and ensure all software is up to date. Running anti-virus scans is recommended for added security.

Learn what WP Engine recommends to help keep your site secure, and what steps you should take if you suspect your site is infected.

At WP Engine we take security very seriously. We continue to build security measures to ensure our customers are protected against a variety of attack vectors. However, security is a hand-in-hand partnership with our customers. One large aspect is ensuring our platform, servers, and WordPress® versions are up to date and secure. Since we leave plugin and theme updates to your discretion, the security of these aspects remains in our customers’ hands.


Security at WP Engine

WP Engine has tools and custom processes for vulnerability scanning, both externally and internally. We also partner with well-regarded security firms for auditing and remediation. Reports are processed internally and remedied as fast as possible with assistance from these firms. Any security announcements are reported on our public status blog, but only after we’ve made the necessary changes to reduce any chance of exposure.

For more information about WP Engine’s security environment, see our guide.


Update Plugins and Themes

Outdated software is the number one cause of malware infections on sites. Most often, if a vulnerability is discovered within a plugin or theme, the developer patches it and releases an update fairly quickly. If the update is never performed, your site will remain at risk from these vulnerabilities.

As such, it’s very important to keep your site’s plugins and themes up to date to ensure they are secure. If a widely-used plugin is discovered to contain vulnerabilities, we will notify our customers via email containing the known affected plugin(s), version(s) and which version(s) contain the security update.

If you aren’t able to manage future plugin and theme updates on your own, WP Engine offers an automated update service. This service includes automatic rollbacks if updates cause issues. Learn more about Smart Plugin Manager here.


Scan and Clean

If your site becomes infected with malware while on the WP Engine platform, you can contact Support through your User Portal. We will then follow our internal security procedures to perform a deep-level scan and malware cleaning of your site, and report back to you with our results. Keep in mind that a security scan and cleaning can take up to 24 hours to complete and may require changes to your website. Our processes include creating a backup checkpoint prior to cleaning, should anything break.

When reaching out for assistance triaging a potential security issue, please include any screenshots, logs, or areas where the issue can be replicated. Being able to replicate the issue in these ways helps us resolve it far more quickly.

For malware detection, use services known for their reliability, such as Sucuri, for full scans. Evidence of malware or specific replication steps may be needed for escalated scanning requests.

After a malware cleanup, take these preventive steps:

  • Change all admin passwords (SFTP, wp-admin, User Portal, etc.)
  • Ensure all software (plugins, themes, WordPress core) is up to date
  • Run an anti-virus scan on your workstation

Scope of Support

We understand there are many concerns that come up if one of your sites becomes infected by malware – however, if you have no specific indication that a site has been infected by malware, we will not be able to submit it for a deep level scan and cleaning.

Some examples of free security scan services:

There are also a variety of security plugins that include malware scanning functionality:

If a site is migrated to our platform and you are already aware that it has been infected, we would not be able to submit the site for a deep-level scan or clean, since the infection did not happen on our platform. Instead, you can install security plugins to help detect and clean malware, or engage a third-party service to scan and clean the site. Sucuri, a web leader in security, has a free website check tool, and they also provide deep-level scans and cleaning through their other services.

