Flywheel Malware Cleanup Policy

At Flywheel, we prioritize security above all else. We are constantly enhancing our security measures to safeguard our customers against numerous threats. A crucial part of this is keeping our platform, servers, and WordPress versions secure and up to date.

While we handle the updates for these core components, plugin and theme updates are managed by our customers at the site level, making them responsible for the security of these elements.

From time to time, sites may become infected with malware, though we’re here to help!

---

How to request a scan

If you suspect your site has been hacked or infected with malware while hosted on the Flywheel platform, you can open up a chat with Support via the Flywheel Dashboard to request an in-depth scan.

Simply log into the Flywheel Dashboard, open a chat from the bottom right hand corner of your browser, select “Support Chat”, “I need technical support” and then “Malware Scan”. From there, our chat bot will ask you a series of questions relating to your site before a ticket is automatically created and sent to our Happiness Engineers to initiate the scan.

Once the scan is complete, our team will reach out via ticket. Click here to view your open tickets, or check your email inbox for updates.

---

What if my site has Malware?

If our scans detect the presence of malware, there are a few required steps that we will ask you to take before we can begin the malware removal process.

1. Review all administrators on the site. Remove any that are no longer needed and update all remaining legitimate administrator’s passwords to something as secure as possible. We request that all administrators have their passwords updated as compromised users are a popular entry point for malware, especially if that username and/or password is being used elsewhere on the internet. For the most common methods on how to do so, please check out the Reset Your WordPress Password article.
2. Review the list of plugins and themes installed on the site, and if any are no longer in use or are sitting in a deactivated state, delete them. Inactive plugins with security issues in their code could still put your site at risk since at the end of the day the code still resides on the server until deleted.
3. Run all available plugin and theme updates. We suggest creating an up-to-date backup first to be on the safe side. Keeping plugins and themes updated ensures they’re running the latest version, patching any security issues that could be used to introduce malware to the site.

The two most common ways that sites become infected with malware are through insecure passwords and outdated plugins or themes. By completing the above steps proactively, you’ll help us clean up your site faster and safeguard it against reinfection. Flywheel offers Managed Plugin Updates at $8/month per site if you would like our team to take that off your plate! You can learn more about the Managed Plugin Updates Add-on.

Keep in mind that a security scan and cleaning may take 24-48 hours to complete and may require changes to your website. To protect the integrity of the server and IP address, we may also disable mail services on the site as infected sites will typically send a high volume of spam emails.

---

Can you clean my site without the required updates being made?

Before we can clean a site, we require all plugins and themes to be updated and all administrator passwords to be changed. These steps are crucial in ensuring that the site remains secure and does not become reinfected after the cleanup process.

Keeping software up-to-date addresses known vulnerabilities, while changing passwords protects against unauthorized access. This comprehensive approach is essential for maintaining the long-term security and integrity of your site.

---

I can’t get into my site to make the updates

If you’re not able to log into your site in order to complete the required updates, our team can take a preliminary look into the site to remove any malicious code that may be preventing you from logging into the site. Once we’ve unlocked wp-admin access, we’ll notify you and request that you update all plugins, themes and passwords before we continue the malware removal process.

If you encounter a ‘deceptive site ahead’ warning or similar in your browser, you may be able to bypass this warning to access your site and make the necessary updates.

---

Can you scan all of the sites in my plan for malware?

We understand there are many concerns that come up if one of your sites becomes infected by malware – however, if you have no specific indication that a site has been infected by malware, we will not be able to submit it for a deep-level scan and cleaning.

If you’re hoping to routinely scan your sites for Malware, we’d recommend installing a security plugin such as Wordfence which will examines all files on your WordPress site looking for malicious code, backdoors, and shells that hackers have installed. Keep in mind that this plugin may flag files relating to the WordPress core when sites are hosted on Flywheel. Be rest assured that these core files will always be false-posiitves.

---

All of my content has disappeared due to the infection

If your site has been compromised and all of its data—such as plugins, themes, posts, and media—has been wiped, you can attempt to restore it from an earlier backup when the content was still intact – after restoring, we would recommend updating all plugins, themes and passwords on the site to prevent reinfection.

Please note that we only keep backups for the past 30 days. If the infection occurred more than 30 days ago, there is a possibility that we may not be able to recover the lost data.

---

How can I proactively protect my site against Malware?

Along with keeping all plugins and themes up to date, we would also recommend using a strong and unique password for each site you create.

Additional preventative steps to keep your site secure include:

• Add a captcha plugin on any forms. Implementing a Captcha plugin on your website’s forms is essential for preventing automated bots from submitting spam or malicious entries. Captchas add an extra layer of verification, ensuring that only human users can interact with your forms, which reduces the risk of exploitation through form submissions.
• Hide the default WP Admin login page. Changing the default WordPress admin login URL can significantly enhance your site’s security. By hiding or renaming the login page, you make it more difficult for attackers to locate the entry point for attempting brute force attacks. This simple step can deter unauthorized access attempts and protect your admin area. The WPS Hide Login plugin is an easy way to change the default WP Admin path.
• Install a recommended security plugin on your site. Installing a robust security plugin such as Wordfence can provide comprehensive protection for your WordPress site. Security plugins offer features like firewall protection, malware scanning, and real-time threat defense. Wordfence, for instance, continuously monitors your site for suspicious activity, helps block malicious traffic, and provides alerts about potential security issues, ensuring your site remains secure from various threats.

---

Need help?

If you have any questions our Happiness Engineers are here to help!