Website security is a lot more than running a “plugin” and hoping for the best. Most of the well-known security plugins will do fine in catching the obvious malware. But keep in mind that malware is only a symptom. The underlying cause “cannot be fixed” by plugins. You’ll still need to have someone do a thorough security review to catch the real culprits and their entry points.

One time, a client called me and mentioned that he’s recently cleaned his website, but wanted a second opinion.

He has done some manual cleanup on his own and as far as he could tell, it was all fine. He has used a couple of security plugins you’ve heard and discussed in the security blogs/groups and each one gave him a clean bill of health.

Upon further review, it became pretty clear that his site was compromised through one of the six administrator accounts he’d set up previously. And while he did wonderfully well in removing the malware files within his website, and while the security plugins said all was well, the human element had been missed.

Turns out that the hacker had likewise edited the footer text using his theme’s “Footer Settings” configuration page. And because the domain names in the footer text had not been yet flagged as malicious in Google or otherwise, the robots couldn’t’ tell the difference between the bad links or the good links.

The moral of the story is that human intervention remains an essential part of fully securing a website account. Running an automation system and hoping for the best has its shortcomings and so hiring an IT Security Personnel is still the best decision we could make to avoid such great disaster.