Wordfence Site Cleaning Customer Reviews

In June last year we officially launched the Wordfence site cleaning service. Our senior analysts Brad and Colette had worked hard to put the processes in place we needed to provide an excellent site cleaning service to our customers that was fast, effective and safe. Since then the site cleaning team and the level of service has evolved tremendously. Today I want to share some of that progress with you.

When we started offering site cleaning in June of last year, the team was still relatively small. Today the site cleaning team at Wordfence has grown to 15 people who all work together in concert to ensure that you receive the very best in customer service and a fast response time. The team does a great job of ensuring your site is up and running and back in the search results as quickly as possible while preserving the integrity and security of your data.

Managing growth while providing a ‘boutique’ site cleaning service

We may have grown to a team of 15 people, but I still consider us a ‘boutique’ operation because we pride ourselves on providing each customer with the best service possible.

We currently clean between 100 and 200 hacked sites per week. This is a very comfortable number for us because it is enough volume to give us excellent visibility into the kinds of hacks that the WordPress platform is experiencing on the ground at any moment in time, which assists with our research. With a team of 15 and that kind of volume, we are still able to give our customers individual attention and excellent customer service.

One of the ways we have optimized our processes to ensure you get the best service is to create a “site cleaning coordinator” role within our organization. We recently brought Jonathan on board who is our full-time site cleaning coordinator. His job is to ensure that customer response times are fast and that customer satisfaction stays high.

If a customer needs help understanding our process, what the team needs to do their job, or if they have any other issues that are blocking their site cleaning, Jonathan jumps in, gets that unblocked and helps get the cleaning moving forward.

Priced at $149 and lower, we provide the best value in the industry

One of the things I am most proud of is that our team has been working since launch to lower the price of our site cleaning service for our customers while actually increasing the value each customer receives. As we have grown, our internal efficiency has improved and we have been able to pass those cost savings on to our customers.

This has allowed us to lower the price of cleanings from $179 when we launched to just $149 for a site cleaning today. This is an incredible value when you consider that you get a Wordfence Premium license free with your site cleaning, a $99 value. That means that you are only paying an extra $50 for the site cleaning service, which is by far the best value in the industry.

We also offer awesome bulk discounts. Right now to clean 10 hacked sites it will cost you just $644. What you may not realize is that you get 10 Wordfence Premium API keys for free with those 10 site cleanings. If you had to buy those 10 API keys from us they would cost $429.10.  That means it costs you just an extra $214.90 to clean 10 sites – or just $21.49 per site. That is by far the best value in our industry.

The reason we decided to go into the site cleaning business is because we wanted the ability to analyze recently hacked sites so that we could better understand how to protect our customers. I went into some detail in our original launch post, explaining why we launched our site cleaning business and how it helps our Wordfence customers.

We are able to take the forensic data from each site cleaning and use it to improve our products. The synergy between our product development and the forensic data we get from the security analysts that clean hacked sites is another reason our costs and pricing have remained low while our service levels have stayed incredibly high.

Let’s hear from a few of our customers

Below I have shared some of the recent feedback the site cleaning team received from our customers. Thank you very much to each of our customers who has sent us their kind feedback. The team very much appreciates it and we are constantly sharing the positive feedback we receive on ‘Slack’, our internal chat system.

I recently contacted Wordfence to take advantage of their website ‘cleaning’ service after a really annoying hack.

Kathy at Wordfence was AMAZING! So patient and without going into details of what exactly she did a) – for security reasons and b) – because I didn’t understand it! I feel much happier with the way my sites have been cleaned. Hell they even load faster now too!

As part of the clean I received a full 4 page guide of what I would need to do after the hack to keep myself safe in future.

Kathy seriously went above and beyond what she needed to do and helped me out so much.

In the nicest possible way, I hope I don’t have to contact Wordfence again, but if you need to, I can totally recommend them.

— Wendy [Blog post]

Helene is a PhD researcher at a global think tank that researches geopolitical risk. It was our pleasure to help their organization recover from a hacked website.

I am so happy with the service you provide, the value and the personal assistance.

— Julie

Thanks for making it easy and fast!

— Annie

I am very satisfied with the quality of your work on my site and all the help you have given me. I am very happy with your services.
Many thanks.

— Emmanuel

David is an author who writes for the Huffington Post, Daily Beast and other publications. It was our pleasure to work with him.

THANK YOU SO MUCH for your professionalism, customer support and for taking care of my issues. I will spread the word. 🙂

It helps to have Wordfence under my dashboard to stay on top of it too. You are a true security analyst angel! 🙂

Thank you again Kathy! I greatly appreciate all of your help.

— Tracy

WOW. I commend you guys for your assistance.

— Derrick

Danke für die Erklärung –hervorragender Service! [Translation: “Thank you for the explanation -Excellent service!”]

— Volker

Thank you, Marco.

I’ve informed my client about the link potentially being infected and have removed it from the article. I’ll keep an eye on the backup buddy files.

Thanks again for your speedy help on this. Cheers!

— Olga

Shemeka is a keynote speaker, trainer and educational advocate. It was our pleasure to work with her.

Thanks for all the help! It’s very much appreciated. 🙂

— Jennifer

Thanks for your help and follow up, you guys provide a great service.

— Ross

Hi Marco

Thanks for checking in – I’ve had no more scary alerts from scans, hurrah!

Fingers crossed that’s it!

Thanks for all your help with this,

— Amy

Awesome, thank you Giles!

Things all seem to be back to normal. I’ve read your report and will quickly work on all the recommendations.

Very much appreciated. Thanks for getting the website back up and running so quickly.

I have a number of other websites I manage……if anything ever happens again, it’s nice knowing I can trust Wordfence services.

Rachel is a blogger who writes about books, lifestyle and parenting. It was our pleasure to work with her.

Dear Paolo,

Many thanks for your prompt assistance with this issue.

Excellent service.

Kind regards

— Dan


We would love to hear from you

Whether you are selling a product or service online, writing about technology, involved in advocacy, blogging for fun or sharing important ideas, a website is just a means of communication and it should not get in the way of the conversation you are having with your audience. A hack definitely should not interfere with that important communication.

Our site cleaning team loves working with our customers and there is a real sense of satisfaction when we are able to get a customer’s website back up and running and help secure them long term.

If you need our world-class security analysts to help you recover from a hacked website, we would love to hear from you. You can click here to find out more about the Wordfence site cleaning service.

The post Wordfence Site Cleaning Customer Reviews appeared first on Wordfence.


Analysis: Methods and Monetization of a Botnet Attacking WordPress

At Wordfence we see a huge range of infection types every day as we help our customers repair hacked websites. We also find new kinds of malware as we analyze the forensic data we gather from a range of sources. Our normal day involves turning that forensic data into firewall rules and scan signatures which we deploy to your Wordfence firewall and malware scan via our Threat Defense Feed.

Those rules and signatures are then used by Wordfence to protect your site against the newest attacks. Our Premium customers receive those rules in real-time and our free customers have a 30 day delay.

Occasionally, as we examine our forensic data and turn it into threat intelligence, we run across interesting behaviors both in human attackers and the bots they control. Recently our analysts took a closer look at a botnet that is using stolen WordPress usernames and passwords to compromise WordPress sites and generate an income from the hacked sites.

In this post we go into some detail about how this botnet works and how its owners make money. We have given this botnet the codename “ChickenKiev” or CK for short.

Botnet Profile: ChickenKiev

About the botnet: Vital Statistics

  • Number of attack bots: 83
  • Location: 35 bots in Ukraine, 10 in the USA, 8 in the UK, plus several other countries
  • Networks: Most bots are on:, and
  • Time active: At least 2 months, starting 24 November, until present
  • Responsible for: A large number of hack attempts and compromised websites

How the CK Botnet Works

The owner of the CK botnet is feeding CK stolen WordPress administrator credentials, which the botnet uses to sign into WordPress websites and perform its malicious activity. The credentials are probably acquired through brute force attacks; the attacker may have performed those attacks themselves or may have acquired a database of compromised credentials from someone else.

At the start of its attack, CK logs into WordPress websites and uses the WordPress theme or plugin upload tools to install fake themes or plugins containing malicious code. Once it has the base malicious payload installed, CK installs additional backdoors and code that uses the website for malicious purposes.

The access log below shows a typical series of requests where CK is doing its initial infection of the website. This is a real access log from a website that was infected by CK which we repaired. We have redacted sensitive information to protect our site cleaning customer’s privacy.

As you can see, this bot, which is part of the CK botnet, visits wp-login.php and signs in exactly as a legitimate user would. It then visits the plugin installation page in the WordPress administrative console and uploads a plugin that is made to look like the popular bbPress forum software. Note that the genuine bbPress plugin lives in a directory named bbpress; the underscore in bb_press is itself a tell.

At this point, infection by CK is complete. The bb_press.php code contains a backdoor that gives the attacker controlling CK full and continuous access to the hacked website, whether or not the stolen password is later changed.
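The log itself is redacted in the post, so here is an added example, not from the original article, that turns the same login, upload, backdoor sequence into a detection rule and runs it over constructed Apache-style access log lines. It assumes the endpoints WordPress actually uses for that flow (a successful wp-login.php POST answers with a 302, plugin and theme uploads go through wp-admin/update.php?action=upload-plugin or action=upload-theme) and a 15-minute correlation window; the IP addresses and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as written by Apache and nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# WordPress endpoints involved in the sequence the post describes.
LOGIN = '/wp-login.php'
UPLOAD_ACTIONS = ('action=upload-plugin', 'action=upload-theme')  # wp-admin/update.php
# A PHP file requested directly under a plugin or theme directory.
PAYLOAD_RE = re.compile(r'^/wp-content/(plugins|themes)/[^/]+/.+\.php')

# Constructed sample log (not the redacted log from the post). 198.51.100.7 follows
# the CK pattern; 203.0.113.9 is an ordinary editor publishing a post.
SAMPLE_LOG = """\
198.51.100.7 - - [24/Nov/2016:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2314 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2016:03:12:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2016:03:12:05 +0000] "GET /wp-admin/plugin-install.php?tab=upload HTTP/1.1" 200 17820 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2016:03:12:09 +0000] "POST /wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 11030 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Nov/2016:03:12:14 +0000] "GET /wp-content/plugins/bb_press/wp-ajax.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Nov/2016:08:40:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Nov/2016:08:40:20 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
203.0.113.9 - - [24/Nov/2016:08:45:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])


def find_ck_style_infections(log_text, window=timedelta(minutes=15)):
    """One finding per client that logs in, uploads a plugin or theme, and then
    requests a PHP file inside wp-content, all within `window` of the login."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev[0]].append(ev[1:])
    findings = []
    for ip, events in by_ip.items():
        events.sort()
        for i, (t_login, method, path, status) in enumerate(events):
            # A successful wp-login.php POST redirects (302) into wp-admin; a failed one returns 200.
            if not (method == 'POST' and path.startswith(LOGIN) and status == 302):
                continue
            tail = [e for e in events[i + 1:] if e[0] - t_login <= window]
            upload = next((e for e in tail if e[1] == 'POST'
                           and any(a in e[2] for a in UPLOAD_ACTIONS)), None)
            if upload is None:
                continue
            payload = next((e for e in tail if e[0] >= upload[0] and PAYLOAD_RE.match(e[2])), None)
            findings.append({
                'ip': ip,
                'login': t_login.isoformat(),
                'upload': upload[2],
                'payload': payload[2] if payload else None,
            })
            break  # one finding per client is enough for triage
    return findings


if __name__ == '__main__':
    for f in find_ck_style_infections(SAMPLE_LOG):
        print(f"{f['ip']} logged in at {f['login']}, uploaded via {f['upload']}, first hit {f['payload']}")
```

Run it against a real access log by passing the file contents to find_ck_style_infections(). Direct requests to PHP files under wp-content are normal for some plugins, so the rule keys on the combination of a fresh login, an upload and a request to a new plugin or theme file from the same client; a match still needs a human look at the uploaded directory.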

What CK Installs on Hacked WordPress Sites

In addition to the fake BB Press plugin shown in the log above, we have seen CK also install the following fake plugins or themes:

  • /wp-content/plugins/wp-db-ajax-made
  • /wp-content/plugins/Akismet3
  • /wp-content/themes/sketch

CK uses a well known PHP web shell as its backdoor: WSO (“Web Shell by oRb”). It stores the shell in a file called wp-ajax.php, a name chosen to resemble the legitimate WordPress core file wp-admin/admin-ajax.php. There is no wp-ajax.php in WordPress core, so any file with that name is suspect.

The backdoor is installed in fake theme and plugin directories and is also inserted by CK into real plugin and theme directories. Here are some of the locations we have found CK’s backdoor. Most of these locations use the filename wp-ajax.php. In some cases a different filename is used.

  • /wp-content/plugins/wp-db-ajax-made1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made/wp-ajax.php
  • /wp-content/plugins/ml-slider/wp-ajax.php
  • /wp-content/plugins/siteorigin-panels/wp-ajax.php
  • /wp-content/plugins/Akismet3/wp-ajax.php
  • /wp-content/plugins/accesspress-twitter-auto-post/wp-ajax.php
  • /wp-content/plugins/advanced-custom-fields/wp-ajax.php
  • /wp-content/plugins/ajax-thumbnail-rebuild/wp-ajax.php
  • /wp-content/plugins/bb_press/wp-ajax.php
  • /wp-content/plugins/bb_press1/wp-ajax.php
  • /wp-content/plugins/bb_press2/wp-ajax.php
  • /wp-content/plugins/oa-social-login/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-1/wp-ajax.php
  • /wp-content/plugins/wp-db-ajax-made-2/wp-ajax.php
  • /wp-content/themes/sketch/404.php
  • /wp-content/themes/twentyeleven/wp-ajax.php
  • /wp-content/themes/twentyfourteen/author.php
  • /wp-content/themes/twentyfourteen/wp-ajax.php
  • /wp-content/themes/twentyten/wp-ajax.php
  • /wp-content/themes/twentythirteen/wp-ajax.php
  • /wp-content/themes/twentytwelve/author.php

How CK’s Operators Profit from Hacking Your Site

Once CK has infected your site, we have seen the operators engage in a range of malicious activity. One of the ways these operators profit is by injecting their own Google ad banners into your site’s header files.

This causes your website to serve Google ads associated with the CK operator’s Google account. They profit from your website serving Google ads.

The CK operators inject their own Google ad code into your site header by using the WSO shell they installed. They can use the shell to execute any PHP code on your website. To install their ads, they execute the following code via their shell: (We have redacted sensitive content)

The code above searches for files called header.php or header-homepage.php, locates the closing tag in each of them and inserts the Google ad banner code immediately before that closing tag.

This causes your site to serve their own Google ads, allowing them to profit from the traffic that is visiting your website.
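The list of backdoor locations above and the header.php ad injection both reduce to checks a site owner can script. The following is an added example, not Wordfence’s scanner and not code from the post, that walks a wp-content directory and reports the fake directory names from the list (with the numeric suffixes CK appends), any file named wp-ajax.php, strings commonly found in WSO shell variants (an assumption; tune them to a sample you actually recover), and a Google AdSense loader placed directly before a closing tag in header.php or header-homepage.php (also an assumption about what the redacted injection looked like). The sample tree it builds is constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Fake plugin/theme directory names from the post. CK reuses them with numeric
# suffixes (bb_press1, bb_press2, wp-db-ajax-made-2), hence the optional suffix.
FAKE_DIR_RE = re.compile(r'^(bb_press|wp-db-ajax-made|Akismet3|sketch)(-?\d+)?$')
# wp-ajax.php is not a WordPress core file name; CK uses it for the WSO backdoor.
BACKDOOR_NAMES = {'wp-ajax.php'}
# Assumed content markers: strings present in common WSO variants (not from the post).
WSO_MARKERS = (b'WSO_VERSION', b'FilesMan', b'wsoLogin')
# Theme files the post says the operators modify.
HEADER_NAMES = {'header.php', 'header-homepage.php'}
# Assumed: the AdSense loader host; matches a script tag sitting right before </head> or </body>.
AD_RE = re.compile(rb'<script[^>]*googlesyndication\.com[^>]*>.*?</script>\s*</(?:head|body)>',
                   re.I | re.S)


def scan_wp_content(root):
    """Return sorted (indicator, relative path) pairs for a wp-content directory."""
    root = Path(root)
    findings = []
    for sub in ('plugins', 'themes'):
        base = root / sub
        if base.is_dir():
            for d in base.iterdir():
                if d.is_dir() and FAKE_DIR_RE.match(d.name):
                    findings.append(('fake-directory', d.relative_to(root).as_posix()))
    for path in root.rglob('*.php'):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.name in BACKDOOR_NAMES:
            findings.append(('backdoor-filename', rel))
        if any(marker in data for marker in WSO_MARKERS):
            findings.append(('wso-marker', rel))
        if path.name in HEADER_NAMES and AD_RE.search(data):
            findings.append(('injected-ad', rel))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed wp-content tree: one clean plugin, two CK-style artefacts and a
    theme whose header.php has an injected ad loader just before </head>."""
    base = Path(base)
    files = {
        'plugins/akismet/akismet.php':
            b"<?php /* constructed stand-in for a legitimate plugin */\n",
        'plugins/bb_press1/wp-ajax.php':
            b"<?php define('WSO_VERSION', '2.5'); /* constructed stand-in, not a real shell */\n",
        'plugins/ml-slider/wp-ajax.php':
            b"<?php /* constructed stand-in: flagged by file name, not content */\n",
        'themes/twentyfourteen/header.php':
            b'<html><head><title>t</title>\n'
            b'<script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script>\n'
            b'</head><body>\n',
        'themes/twentyfourteen/index.php':
            b"<?php get_header(); ?>\n",
    }
    for rel, content in files.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return base


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_wp_content(build_sample_tree(tmp))


if __name__ == '__main__':
    for indicator, rel in demo():
        print(f'{indicator:18} {rel}')
```

Point scan_wp_content() at a real wp-content directory. A directory-name hit is a triage hint, not proof: a legitimate theme or plugin can share a name with the fake one, so compare the directory against a fresh copy from wordpress.org before deleting it. A file named wp-ajax.php, by contrast, has no legitimate reason to exist anywhere under wp-content.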

We have seen CK’s operators engage in other malicious activity, like installing additional administrative code to help them control hacked sites and installing code that redirects a hacked website’s traffic to other websites that they control.

How to Protect Yourself from CK

CK’s owners need WordPress administrator logins to be able to install their malicious code. To get them, they need to engage in brute force attacks or find another way to steal an administrator username and password.

Here are a few things you can do to keep your admin account safe:

  • Enable Wordfence on your website. It provides excellent brute force protection in the free and paid version.
  • If you are a Premium Wordfence user, enable two factor authentication, also called cellphone sign-in.
  • Ensure you use a long and complex password. 12 characters or more with a random combination of letters, numbers and symbols. Include upper and lower-case letters.
  • Make sure the Wordfence Firewall is enabled to block exploits that can compromise your admin account.
  • Don’t use the same password on other WordPress websites or accounts. If one of your sites is hacked this can result in the others getting hacked too.

The Wordfence malware scan detects all of the indicators of compromise that CK leaves behind. If you are worried that you may have been hacked, simply run a Wordfence scan to check your site status. Wordfence also does an excellent job of preventing any compromise from happening in the first place.

What to do if you have been hacked

At Wordfence we have an excellent team of security analysts who respond to incidents many times every day. If you have been hacked, our team can determine why, close any security holes, clean the hack and get you back up and running within a very short time.

Our site cleaning service includes blacklist removal, a 1 year Wordfence Premium license and we provide an in-depth report to help you understand what happened and how to prevent a hack in future.

Wordfence site cleaning is also very reasonably priced at $149 with no surprise fees and we provide excellent customer service.

Stay Safe

I’d like to encourage you to share this post with the community to create awareness and help other site administrators avoid a hack. If you have any questions or comments, please post them below and as always I’ll be around to reply when needed. Have a great week and stay safe!

Mark Maunder – Wordfence Founder/CEO.

Credits: Thanks to Senior Wordfence Security Analyst Brad Haas for doing the forensic analysis in this post. Additional thanks to members of our site cleaning team for their help. Thanks to Dan Moen for editing. 



5 Things to be Aware of When Buying WordPress Security

If you are new to WordPress or reevaluating your security strategy, you are probably overwhelmed by the choice in today’s market. The reality is that there are only a handful of tools that truly protect your WordPress website from a hack and help you detect an incident. With all of the claims that vendors are making, it can be tough to choose the most effective product to protect your investment and your customer data.

To help you in your decision making, I’m going to call out 5 things in this post that you need to be aware of before you choose a security plugin, a cloud solution or something that runs in the hosting environment that your hosting provider is selling.

1. Not all security products include a firewall

Many of the best known security plugins for WordPress don’t actually include a firewall. To understand this, it’s important to understand what a firewall actually is. The firewall in Wordfence is known as a Web Application Firewall or ‘WAF’.

For a WAF to be effective, it needs to fulfill a few basic requirements:

  1. It needs to block a wide range of attacks based on its ability to recognize website requests as attacks. Types of attacks include SQL injection, remote code execution, cross-site scripting and cross-site request forgery.
  2. The WAF needs to have a rule-set that is continuously updated. These rules are used to recognize attacks and block them. They can’t be updated only when the software is upgraded. They need to be updated constantly via a ‘feed’.
  3. The WAF needs to analyze ALL requests, not just requests that hit a particular application. In other words, if you have installed a WordPress WAF, it must block requests that try to directly access a script in a WordPress subdirectory along with requests that hit WordPress itself.
  4. The WAF needs to be very high performance. It will be inspecting every request that hits your site and it’s very important it doesn’t slow your site down at all.

Wordfence fulfills all these requirements. It has a comprehensive rule-set that blocks a wide range of attacks and is continuously updated via our Threat Defense Feed. The Wordfence WAF inspects every request made to a PHP application on your website: whether it’s a WordPress request or a direct attack on a script like Timthumb, Wordfence will see it, analyze it and block it if necessary. Wordfence is also extremely high performance: our rule-set is built on core PHP functionality that executes very fast, we pre-filter rules so that only the relevant ones run, and the rule-set itself is highly optimized.

Many popular security plugins for WordPress don’t include a WAF, or firewall. They include features like brute-force protection, file change detection, backups, strong password enforcement and so called system ‘tweaks’. But they don’t include the most basic security component of them all: An effective web application firewall.

When purchasing a security product, make sure it actually includes a firewall.

2. Cloud firewalls can be bypassed and don’t have identity data

Because cloud firewalls execute on remote servers out on the Internet, it’s possible for an attacker to go around them and attack your site directly, for example by sending requests straight to the origin server’s IP address if that server has not been restricted to accept traffic only from the cloud provider. We’ve written about this in some detail.

Because cloud firewalls execute remotely, they don’t have access to your WordPress API and database. That means they don’t know basic things like: “Is a user signed into your website or not?” They don’t have this data so they can’t use it in their decision making about who to allow and who to block.

If you don’t even know whether a request is coming from a site administrator or an attacker, how can you provide effective protection? We’ve written about the cloud WAF user identity problem in some detail.

Cloud firewalls also use a rule-set that is generic. Their rules are designed for all websites. That means they don’t specialize in a specific platform. The result is that they can allow through some of the best known and most basic attacks on a platform like WordPress.

Wordfence is designed specifically for WordPress, it knows and uses user identity to make its decisions and it’s not possible to go around the Wordfence web application firewall because it runs directly on your WordPress website.


3. Some malware scans don’t check very much

When choosing a malware scanner for WordPress, it’s important to choose one that does a deep thorough scan of your site. Malware authors have become very creative in how and where they hide malware once they’ve compromised your website. Without a deep scan, your site may be infected and you won’t be aware of it.

iThemes Security, the second most popular security plugin for WordPress, uses Sucuri Sitecheck to perform a malware scan. You have to pay for iThemes Pro to gain access to this feature, which currently costs $48 per year.

Once you’ve paid for iThemes Security and have access to the malware scan feature, you can launch a scan. A Sucuri scan using iThemes Security on my test WordPress site only performed 22 page requests. All the checks are remote, so no source code is inspected.

After doing this scan, this is what my logfile looks like:

[Image: web server access log after the iThemes Security / Sucuri SiteCheck scan]

As you can see, it didn’t do very much.

Below we show what a typical free Wordfence scan looks like (it’s in reverse chronological order). We analyze the source code of over 4,000 files on the same site and perform a host of other checks.

[Image: Wordfence scan activity log]


When choosing a malware scanner, make sure you pick one that performs a comprehensive scan of your website and doesn’t just do a cursory check. Malware can be hard to find and well hidden. Wordfence performs a deep and comprehensive scan of your site every time it runs.

4. Malware scanning takes a team, forensic work and processes

Have you wondered why our Wordfence site cleaning service is so reasonably priced, even though you get your own Wordfence analyst working closely with you to fix your hacked site?

It’s because your hacked website is an amazing source of forensic data for us. We take the footprints that a hacker left behind and add that to our malware scan.

To provide an effective malware scan, you need to perform hands-on forensic analysis of the latest attacks as they happen. That’s what our site cleaning team does.

Then you need to take that attack data and run it through a process to turn it into threat intelligence and distribute it, in real-time to a great malware scanner. That is what our Threat Defense Feed is. The TDF describes our process of gathering, analyzing and distributing threat intelligence to the Wordfence malware scanner and firewall.

I’m not currently aware of a single WordPress specific malware scanner that combines a high performance scan engine with a team and process like Wordfence does.

5. Watch out for ‘automated’ malware removal

Some companies offer an ‘automated’ fix if they detect malware on your website. When we first heard about this we viewed the concept with deep skepticism. If malware is detected on a website, it has been compromised. The definition of a ‘compromised’ site is that someone unauthorized has gained access to the site.

Incident response is a complex field. We have certified forensic investigators on our team who have developed our site cleaning process. To get an idea of how a typical incident response process works, you can reference NIST publication 800-61 “Computer Security Incident Handling Guide” [PDF].

NIST divides the incident response life cycle into four phases. The first, Preparation, happens before any incident; the three that follow an incident are:

  1. Detection and Analysis: This includes analyzing attack vectors, documenting the incident, prioritization and notification.
  2. Containment, Eradication and Recovery: This includes gathering and preserving evidence, identifying what has been attacked and where the attacker has a foothold, removing those footholds and restoring systems to normal operation.
  3. Post-Incident Activity: In this phase forensic data is analyzed, evidence is retained and the data is used to prevent future incidents.

There are several different approaches to incident response and you can visit OWASP to learn more about how they tackle the problem.

If a site is compromised, an automated fix would leave out many of these steps. For example, it would not be able to determine how an attacker gained access and so the site may be repeatedly hacked.

We currently recommend that you avoid products that claim an automated fix is possible for a compromised website. Instead we suggest that you use a security analyst trained in incident response to help fix your hacked website. One of our human analysts would be glad to assist you.



An Interview with a Wordfence Senior Security Analyst

Colette Chamberland is one of our two Senior Security Analysts who mentor and guide the rest of our team of analysts. She works closely with our site cleaning team to maintain our forensic investigation processes that ensure we deliver excellent and timely service to our customers while ensuring their data and credentials stay secure and their site is recovered and back in production as quickly as possible.

Colette is a Certified Ethical Hacker (CEH) and a Computer Hacking Forensic Investigator (CHFI). She brings many years of experience in forensic work and site remediation to the team and has worked for several notable companies and organizations prior to Wordfence including NASA.

The Wordfence Forensic Team produces much of the data that we use to improve our detection capability in Wordfence and our firewall rules. We rely on them not only to get our customer websites back up and running as fast as possible after an incident, but to produce research on an ongoing basis that informs our products and helps improve security for the whole WordPress community via the Wordfence Threat Defense Feed.

Tell us about your background, how did you become a WordPress security expert?

I started off developing nTier client/server applications and websites in the mid 90s and security was always more of a hobby for me.  It wasn’t until after the early 2000s that people started getting concerned with the concept of computer and cyber security. This shift gave me a chance to turn something that I loved doing into a career. I’m the type of person though that doesn’t like the label “expert” – I feel there is always something more to learn and know. No one can ever truly be an expert in WordPress security. I know enough to know that I don’t know everything, and probably never will. There are always new ways to attack and defend and you have to continually be in learning mode.

Describe the emotional state of a typical site owner who has been hacked.

As you would expect, most site owners are frightened, scared and sometimes a bit panicky when they find out their site has been compromised and infected. They don’t think that attackers target their business or site because it’s so small.  What they don’t know is that attackers don’t just go after the big guys like Target, Home Depot and big banks – they often use the little guys as an intermediary to carry out a large scale attack. No one is safe, everyone is a target.

What makes cleaning up a hacked website difficult? Why do people turn to experts for help?

In order to be able to identify what’s bad in a site, you have to understand the technology it’s built with and what attackers commonly use to hide their malicious activity. This often involves reading code, reverse engineering obfuscated payloads, reviewing log files and sometimes even reenacting the attack using the same vector as the attacker. This is far beyond the capabilities of most website owners. They usually hire a developer and designer to create their site and once that is done, they no longer have a relationship with them and no one on staff with the technical expertise required.

What makes your job rewarding?

Knowing that my knowledge can help someone get out of a tough spot and keep their business going.

With all of the advances in website security, why are hacks still happening?

I think the biggest misconception that people have about security is that once something is “secure” it’s no longer hackable. Nothing could be further from the truth. There is no guarantee in security. Security is about mitigating your risk and improving your security posture. It’s not a matter of “if” I will be hacked, it’s a matter of “when”.

To determine what to protect, you have to decide if the cost to recover is more than the cost to secure it in the first place.  I think that’s why Wordfence makes so much sense for business owners. The cost of a compromised site far exceeds the cost of Wordfence Premium.

Attacks still happen because new methods are uncovered almost every day. Once you stop one type of attack, another surfaces. The only way to completely secure your site is to take it offline – but then what good does that do you?

What trends are you seeing with infected websites lately?

The biggest trend lately has been ransomware. Attackers inject code into unsuspecting sites that redirect users to malicious sites with payloads that are then downloaded based on what they have running on their system that is outdated. Then their system gets encrypted and requires them to pay a ransom to the attackers to get their data back. This really underlines the importance of good backups.

What advice would you give to site owners who want to improve security?

I think it’s been said many times but bears repeating: Make sure you have a good host, put preventative measures in place, like Wordfence and make sure you keep your site, plugins, themes, etc. up to date. Also, don’t forget the back-end that you rarely see and forget about entirely – your hosting account and your FTP/SSH credentials. All of these passwords should be changed on a regular basis, just like your underwear. Another “biggest issue” I see with most site owners is log retention & review. Many never look at their logs; they rely on things like Google Analytics because they are only concerned about their traffic, but they should also be reviewing their logs regularly for signs of potential issues, malicious activity and threats.


We’d like to thank Colette for taking the time out of her busy schedule to participate in this interview. If you would like to apply to join the Wordfence team, visit our careers page; we’d love to hear from you. If you would like to learn more about WordPress or web security and how to spot vulnerabilities or perform your own forensic investigations into website intrusions, visit our Learning Center where you can find knowledge that we’ve shared about website security and secure application development.

If you have been hacked, visit this page to learn about how our team can help clean your site and get you back up and running.
