Wordfence Forensic Team and Site Cleaning Officially Launches

This entry was posted in Wordfence, WordPress Security on June 1, 2016 by Mark Maunder

Today we are proud to officially announce the formation of the Wordfence Forensic Team and the launch of our site cleaning services. I’d like to take a moment to explain why we went into this business, the unique approach that Wordfence takes to repairing hacked sites and conducting forensic analysis and investigation, and why this is great for Wordfence customers.

What is Wordfence Site Cleaning?

If you have a hacked WordPress website, we have a team of highly trained forensic investigators that are ready to help. The service is simple: We’re charging $179 to rapidly get your website clean and back into production. This includes:

  • Cleaning the infection.
  • Investigating how the attackers gained entry.
  • Removing any malicious code, links or other content in your posts, pages, comments and source code.
  • Providing an in-depth report of the infection removal and investigation.
  • Providing a detailed checklist to protect your site from future attacks.
  • Your site cleaning includes a 1 year Wordfence Premium license to keep you safe, worth $99.

Meet the Team

One thing I’ve learned as a CEO is that we can best serve our customers by building a team of people who are world-class at what they do. We went out and found the best forensic investigators we could and added them to the core of our team. We started by bringing on board two senior experts in the field:

Colette Chamberland is one of our two Senior Security Analysts and is a Certified Hacking Forensic Investigator (CHFI) and Certified Ethical Hacker (CEH). She has over 5 years of hands-on forensic investigation experience. You’ll also recognize her name as the person who discovered one of the possible entry points in the Panama Papers breach. She brings a wealth of experience, leadership and knowledge and uses it to effectively lead and mentor our team.

Brad Haas is our second Senior Security Analyst and joined us from STRATCOM (United States Strategic Command). He is an ISC2 CISSP, GIAC Certified Incident Handler (GCIH) and GIAC Certified Forensic Analyst (GCFA). Brad has over 7 years of forensic investigation experience and provides strong process and technical leadership in forensic investigations for our team along with a hands-on approach.

Brad and Colette have been working hard at optimizing our site cleaning processes, policies and procedures to ensure the confidentiality and integrity of customer data and to get our customers' sites back online and available as soon as possible.

Our site cleaning team is now seven highly trained investigators and we continue to bring in more team members as quickly as we can. To recruit, evaluate and train site cleaners quickly and effectively, we decided to turn the challenge into a software problem. We have created a job application system that automatically creates an ‘infected’ virtual machine that our forensic investigator applicants need to clean as the very first step in their job application process. We then take our applicants who have scored well through a rapid evaluation process and if they are accepted into the team, we include excellent training and mentorship from our senior analysts. If you think you might be a good fit for the team we welcome you to apply.

Why does Wordfence Clean Hacked Sites?

Our business is to protect WordPress websites from hackers. That means we need to block known and unknown attacks using the Wordfence Firewall. It also means we need to be very good at detecting if a site has been compromised using Wordfence Scan. To be good at both of these things, we need to know how sites are compromised and what indicators of compromise (IOCs) or footprints a hacker leaves behind.

The best way for us to get this data is to investigate sites that have recently been hacked. Internally we have a sophisticated process that turns the data we gather from hacked sites into what we refer to as our Threat Defense Feed or TDF. The TDF includes the firewall and scan rules that are the product of our forensic investigation efforts. This flows out to the Wordfence plugin in real-time, continually updating our scan and firewall capability to provide you the best protection available.

What this means is that when you install Wordfence, you have a growing team of forensic investigators working hard to continually update Wordfence with the newest attacks that are occurring on the ground and to protect you from those attacks. The information gained from each hacked site we investigate is used to protect all of our customers from getting hacked using the same method. Furthermore, any footprints an attacker leaves behind are used to improve our scan capability so that we can provide an early warning should the worst case scenario occur.

Early breach detection and blocking attacks on WordPress websites is what we do. With our forensic investigators constantly increasing the intelligence of Wordfence via the TDF, you have a system that provides the best WordPress protection available.

Giving Back to the Community

Most firewalls for WordPress are expensive. With Wordfence, you get the Threat Defense Feed if you’re a free or a paid customer. The only difference is that our Premium customers receive real-time updates while our free community customers are delayed by 30 days.

As our forensic investigators analyze breaches and we build more intelligence into the TDF, that data flows out to all Wordfence users eventually and does an excellent job of keeping the WordPress community safer. When you choose to have your hacked website cleaned by the Wordfence team, know that the data from your site cleaning ultimately ends up helping to protect the WordPress community.

Excellence in Customer Service

I’m constantly surprised by how much positive feedback our customer service representatives and forensic team receive. Today is our official launch but we have actually been cleaning hacked WordPress sites since April 4th.

Part of our focus at Wordfence, whether we’re providing support for our software or for forensic services, is to provide excellent customer service. Since we soft-launched our site cleaning service I’ve seen many customers who have gone from being frustrated about a hacked site to being overjoyed at how quickly and effectively our team has turned their site around.

We knew that to provide the best service available for site cleaning, we would have to find the best people – and I’m very proud of our team’s technical ability along with their ability to serve and communicate with our customers and turn an unpleasant situation into a happy customer along with data that helps protect the broader community.

Let’s Make WordPress and our Community Safer Together

If you’ve been hacked, contact us immediately by visiting this page and our team will get right on it. We look forward to working with you to get your site repaired quickly and also ensuring that the rest of our community is protected from attacks that are similar to the one you experienced.

28 Comments on "Wordfence Forensic Team and Site Cleaning Officially Launches"

Veronica June 1, 2016 at 9:28 am

This sounds great, would the rate be the same for folks who already have Wordfence Premium installed? Thanks

mark June 1, 2016 at 9:38 am

Hi Veronica. It's $120 (instead of $179) for existing Wordfence premium customers. So yes, if you're existing premium, we just remove the price of the premium key we would normally include and give you a big discount for site cleaning.

TonyW June 1, 2016 at 9:30 am

I cannot thank you enough for the services you are providing for small businesses like me that are trying to start a business online. Before Wordfence I was totally overwhelmed trying to keep up with all the potential issues on my sites... Much thanks for the new service you and team are now offering!

Andrew Brown June 1, 2016 at 9:35 am

Wordfence has been a lifesaver. In an ideal world, this service would never be needed because people would have Wordfence installed on all their sites. I learned about it the hard way, with sites getting hacked multiple times. Now I am a happy client. Good luck with the new service, I am sure it will bring you many more satisfied customers.

Keep up the great work!

mark June 1, 2016 at 9:38 am

Thanks Andrew!

AKS June 1, 2016 at 9:42 am

I have already been hacked and hence have a couple of questions about this service, which I am definitely considering:

(1) I am also proposing to migrate to a new server, since I suspect that the hosting I have may attract miscreants. Hence, am I better off using your service after I have moved to the new server/company, or does it really make no difference?

(2) I probably have hacks on other domains too, but only one primary site/business I am focusing on right now. If I use your service to repair that one key site, is that site effectively immune from the problems on other domains on the server (or, if not, can it be firewalled off by server support)? Or do I really have to do every single WP site on every domain?

Dan Moen June 1, 2016 at 10:03 am

Hi AKS,
1. If you are worried that your current hosting service might represent a security risk then you are probably better off migrating to the new one before retaining our services.
2. If you have multiple infected sites running on the same server they either need to all be cleaned or the clean site should be moved to a separate server or instance. You'll need to work out the details of the latter with your hosting provider.

Brenda Kolasa June 1, 2016 at 9:43 am

Hi there, many times, a site will get hacked, and we have to re-install a backup because the design files are altered or ruined. Does this cost include backup restores?

Dan Moen June 1, 2016 at 10:10 am

Hi Brenda, we ask that you restore your backup prior to retaining our services. In many cases your hosting provider may help you with that.

Ron Geenen June 1, 2016 at 9:58 am

As a person of 80 years I have a non-business WordPress website. But the updates from Wordfence which I receive on a weekly basis scare me sometimes. Certain countries, who have nothing to do with the information on my site, are still trying to access even my admin.
Wordfence is a life saver. And when in need, I will happily and definitely pay you for your help.
Thank you for the protection.

Jimmy June 1, 2016 at 10:52 am

Great service from you guys.

Can a site not hacked benefit from this service?

Dan Moen June 1, 2016 at 12:43 pm

Hi Jimmy, this service is not useful if your site hasn't been compromised. You might want to check out our learning center, https://wordfence.com/learn, if you are interested in improving the security of your website.

D. Weiss June 1, 2016 at 11:25 am

I would also like to add my "kudos" to the Wordfence team!

Before installing Wordfence over a year ago, we had been hacked before; it took a couple of months to get back online because we basically had to start from scratch since the backups our web hosting service was providing were basically useless. We now use a plug-in to back up our site ourselves and store the archive locally rather than on our web hosting service. When we came back online after the hack, we immediately installed Wordfence and shortly thereafter upgraded to the premium API on our site. Best move we ever made.

On our development sites we use the free version of Wordfence, but on our production site we use the Premium API.

I can tell you right now there have been attempts on our site on almost a daily basis since mid-May from countries such as China, Germany, U.K., Russia, France, Ukraine, Vietnam, Turkey, Norway, Netherlands, Lithuania. None have been able to get through because the first time an attempt is made from a country outside the US, we block the country via the Country Blocking capability, which is available with the Premium API. First time they attempt I permanently block that IP and then turn on blocking for that country. If the attempted attack comes from within the U.S. we permanently block the IP. To be honest US attack attempts have been few.

We would never again consider putting up a WordPress site without installing Wordfence!

Whether production or development site, the first thing we do is install Wordfence as soon as we move the site from our local development server to our web hosting service.

Barbara Quick June 1, 2016 at 11:44 am

I appreciate what a great asset your company is to us, even if we are using just the free version of Wordfence!

Henry June 1, 2016 at 1:12 pm

You guys are Awesome....Keep up the great work

Bart van der Mark June 1, 2016 at 1:19 pm

Great new service! I am really very happy with my premium membership and I hope I will never have to use your cleaning service ;-)

Michael June 1, 2016 at 1:38 pm

Hi

First of all congratulations - You seem to have gathered a team with skills that are second to none in the WordPress space.
One question. The description says the price is for unlimited pages on one WordPress site. What about WordPress multisite installation? Same price?

greetings

Mike

Dan Moen June 1, 2016 at 1:54 pm

Hi Mike, in the case of a multi-site installation we charge separately for each site that needs to be cleaned.

Michael June 2, 2016 at 3:07 am

Hi Dan

Thanks for getting back on my question.
but how do you define "site that needs to be cleaned"?
If, for example, I have a multisite install with 100 sites. I have plugin a and plugin b. Plugin A is activated on only one site, plugin b on all sites. plugin a has a vulnerability and someone breaks it and changes files on plugin b to build himself a backdoor.
Now all my 100 sites are affected and "need to be cleaned" which gives me a bill of $17900.
But actually because of the nature of WP multisite, plugin b is installed only once and has to be cleaned only once, so if one site out of the multisite install is cleaned, the whole installation is cleaned (apart from the uploads directory).

So the difference between cleaning a multisite install and a single site install is the uploads directory which can be considerably larger than on a single site. But then again this doesn't have to be the case. You state "unlimited" pages on a single site which means that in fact the size of the uploads directory and the number of post entries in the DB do not matter for your pricing. Cleaning a multisite install of several small sites will be considerably less work than cleaning up a single wordpress install if it is a big site with many posts.
I understand that you would want to make a difference in pricing with multisite, but from a security point of view, if one site is compromised, you definitely need to at least examine the whole installation folder (which would then include *all* of my sites); this would render your server unaffordable. If you need to scale your pricing to adapt to the higher workload that a bigger install brings with it, I think it would be a fairer approach to charge based on the number of plugins and themes installed and the number of items in the uploads folder / number of posts as this is what determines the amount of work, not the actual number of sites that are running on a multisite install...

just my 2cents

Mike

Dan Moen June 2, 2016 at 9:04 am

Hi Mike, great question. It really comes down to how many WordPress installs you have. If you have 100 sites running on the same WordPress install that would be 1 site cleaning. If you have 100 WordPress installs running on the same instance or server that would be 100 site cleanings. I hope that answers your question.

Michael June 2, 2016 at 11:26 am

Hi Dan

Thanks for your answer - this is very good news!
Yes I am referring to sites in a single WordPress installation as per the Multisite feature (http://codex.wordpress.org/Glossary#Multisite).
Being a Wordfence premium customer I am really glad that even in the improbable case that I will get hacked, Wordfence will not let me down.
Great service!

Mike

Nurul Afsar June 1, 2016 at 10:41 pm

I appreciate your hard work. I have always wanted to see a trusted organization to help us clean our sites. Glad you got our back.

CB Bowman June 1, 2016 at 10:50 pm

Finally!! Just what I've been waiting for, something that is truly affordable to help small businesses, for something we so badly need. I am also delighted to see the discount for those of us who are Wordfence supporters!
Thank you Guys.
PS Does your service include checking a site for corroded files that may have happened prior to installing Wordfence? Files that have no visible evidence of immediate damage?

Dan Moen June 2, 2016 at 9:14 am

Hi CB, our site cleaning service is comprehensive, it doesn't matter when Wordfence was installed or whether it was installed at all. And the team is great at finding infected files, even if you are seeing no visible evidence of infection.

Michael June 1, 2016 at 11:02 pm

If there are multiple addon domains in one hosting account, often all websites will be compromised in that one hosting account.

Is this service per website domain or per cpanel account?

Dan Moen June 2, 2016 at 9:09 am

Hi Michael, the answer to your question depends on how you have the websites deployed. If they all have their own WordPress installations we would bill separately for each of them. If they are all running on the same WordPress installation we would view that as a single site cleaning.

Devin June 5, 2017 at 11:26 am

Our business website was hacked with randomly injected links selling “MLB Jerseys” and other sports related items. This had to be automated. This occurred many times over three weeks or so. We used GoDaddy’s site restore to recover. This repeated two more times… ugh.

Then we discovered WF. Since purchasing two keys and setting this up – no more hacks. We went to “plaid speed” :-) and turned up most WF settings to be aggressive (country blocking, firewall, “fake admin” login attempts etc). We also set up a free Gravity Scan and this has given us tons of info to follow up on. So a big thanks to the WF team!

Now the question came up “Why were we hacked”. Since we are a WF paid customer, we get a discount on the forensic service. Great. I see no need to attempt to see why we were hacked three weeks ago. If we ever get hacked again my management team wants to know how fast you can perform your analysis.

So WF team, if we get hacked again … how long will it take you to perform your analysis and then restore our website? They do want a hard number.
Devin

Andie La-Rosa June 6, 2017 at 7:49 am

Hi Devin,

Thanks so much for the kind words! You're very welcome and you're absolutely right: Wordfence adds a powerful multilayer of intelligent website security, but sites can still be compromised for any number of reasons outside of Wordfence's control. Glad the situation is under control for now, but if in the future you ever do need the services of the Site Security Team (SST), depending on their queue size, they usually start cleaning and analyzing your site within 24 hours of receiving access credentials and payment. Turnaround time is usually pretty quick, and sites, once started, usually take between 2-6 hours to clean depending on the size of the site and complexity of the compromise. If you'd like to learn more about the service, we have a great deal more information here. Hope that helps!
