Firstly, as we have previously blogged about, keeping your website up to date can really help improve your website’s SEO ranking. Fresh content is more likely to rank higher in search engine results than static or outdated content. In addition to this, new website content updates can actually encourage visitors to come back and also generate more organic traffic to your website.
Secondly, and probably more importantly, it is essential for website security.
We were recently contacted by a business, through the Fasthosts Solutions Partner programme, as they had been the target of a hack! All six language versions of their website had been compromised with a severe malware installation. Fasthosts had to suspend their website completely so as not to infect their servers and, potentially, other clients’ websites.
Regular updates patch security vulnerabilities, maintain site compatibility, and fix bugs before they compromise your data. Hackers use vulnerabilities such as outdated software and unused or abandoned plugins to gain access. Running an outdated PHP version exposes your site to unpatched security vulnerabilities, allowing hackers to easily inject malicious code, steal sensitive data, or even take full control of your server. Additionally, it can trigger a severe drop in performance and compatibility errors with modern plugins, causing your website to break and possibly stop working. The websites in question had not had software and plugin updates carried out for some time.
We collaborated with a third party and together we removed the malware, cleaned the website, updated all necessary software and plugins, and then informed Fasthosts so that they could check and reinstall the service. This was all done within two days and this is what we found:
The infection was extensive:
• 146 malicious files planted across the site — hidden “backdoors” that let the attacker run commands remotely, self-installing droppers, and disguised web shells (including malware hidden inside what looked like image files).
• 16 fake “plugins” with random names, silently activated, used to maintain control.
• A hidden administrator account the attacker created and concealed from the normal user list, so they kept access even if passwords were changed.
• Code injected into the website’s theme that recreated that hidden admin on every page load and ran a black-hat SEO spam operation (injecting hidden links into the site’s pages, which is damaging for Google rankings and reputation).
• The site was running an outdated version of WordPress with several abandoned, vulnerable plugins.
In short: there was a full site compromise with persistent backdoors, a hidden admin account and SEO spam.
This is how we fixed things:
We rebuilt the site clean rather than just deleting the visible malware (a disinfected hack can’t be trusted):
• Replaced WordPress core with the current secure version and reinstalled every plugin fresh from the official source.
• Removed all malware — backdoors, web shells, fake plugins and droppers — and verified the site is clean.
• Cleaned the custom theme, stripping out the injected hidden-admin code and the SEO-spam injector while keeping the site’s design intact.
• Cleaned the databases: removed the hidden admin accounts and the malicious plugin entries, and confirmed the site’s real content and legitimate users were untouched.
• Hardened the site — new security keys (which log out any attacker sessions), disabled in-dashboard file editing, blocked code execution in the uploads folder, and tightened access rules.
• Fixed two pre-existing issues found along the way: some images weren’t displaying (a settings/URL issue, now resolved) and a couple of plugins were crashing pages on the newer PHP version (which was patched).
• Built a staging copy so everything could be reviewed and approved before going live.
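A few of the points above can be checked on any WordPress install. The following is an added example, not the tooling used in this clean-up: it reports whether in-dashboard file editing is still enabled and flags scripts, or images containing PHP, in the uploads folder. The function names and the sample files are hypothetical and constructed for illustration; wp-config.php, wp-content/uploads and DISALLOW_FILE_EDIT are WordPress defaults.

```python
import re
import tempfile
from pathlib import Path

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".ico", ".webp"}
PHP_EXT = {".php", ".phtml", ".phar"}
# Matches an active (not commented-out) define('DISALLOW_FILE_EDIT', true);
FILE_EDIT_RE = re.compile(
    r"^\s*define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)",
    re.I | re.M,
)


def audit_wordpress(root):
    """Return sorted (finding, relative_path) tuples for a WordPress tree."""
    root = Path(root)
    findings = []
    config = root / "wp-config.php"
    text = config.read_text(errors="replace") if config.is_file() else ""
    if not FILE_EDIT_RE.search(text):
        findings.append(("file-editing-enabled", "wp-config.php"))
    uploads = root / "wp-content" / "uploads"
    files = [p for p in uploads.rglob("*") if p.is_file()] if uploads.is_dir() else []
    for path in files:
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in PHP_EXT:
            # Uploads should hold media only; any script here is suspect.
            findings.append(("php-in-uploads", rel))
        elif ext in IMAGE_EXT and b"<?php" in path.read_bytes().lower():
            # Image extension, but a PHP opening tag in the content.
            findings.append(("php-inside-image", rel))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: one clean image, one disguised, one script."""
    up = Path(root) / "wp-content" / "uploads" / "2024"
    up.mkdir(parents=True)
    (Path(root) / "wp-config.php").write_text("<?php\n// define('DISALLOW_FILE_EDIT', true);\n")
    (up / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (up / "banner.jpg").write_bytes(b"\xff\xd8\xff\xe0<?php echo 'constructed'; ?>")
    (up / "cache.php").write_text("<?php // constructed placeholder\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for finding, rel in audit_wordpress(tmp):
            print(f"{finding:22} {rel}")
```

A clean result here only covers these three checks; it does not confirm that the web server itself refuses to execute code in the uploads folder, and it is no substitute for the full rebuild described above.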
We helped the client change all of their login passwords, database passwords and hosting control panel passwords, and we gave them some further instructions to implement themselves. We also installed a security plugin that monitors login attempts and scans for malware. On this occasion we opted for Wordfence. This is a comprehensive, endpoint-based security plugin designed to protect WordPress websites from hackers, malware, and brute-force attacks.
We managed to save their websites on this occasion, but it cost them a larger one-off fee. Regular software maintenance could have prevented this. It can also ensure the website’s speed and performance are not affected, as well as keeping everything safe. We offer regular monthly maintenance packages, including archived backups, from just £20 per month, giving you peace of mind that everything is up to date and in safe hands.
IF YOUR WEBSITE NEEDS REGULAR MAINTENANCE OR HAS BEEN HACKED WE CAN HELP.
