
So recently a 0-day exploit was discovered in WP plugin Kaswara Modern WP Bakery Page (https://zdnet.com/article/...).

A customer's shared hosting space was taken down (about 6 websites) after this vulnerability had been exploited and although we removed the malicious code & changed credentials, the hosting company demands we update ALL WordPress plugins to latest AND provide them a virus scan report of our local PC before putting the webspace back online??? WTF???

That just strikes me as outrageous. Thoughts?

Comments
  • 3
    Wow, such bullshit. Run
  • 9
    So you did have an infection on the website.

    Depending on what the malware did, e.g. sending spam emails, that would get the IP on various blacklists so that nobody, in particular not the other customers on that shared hosting server, can send emails anymore. That's some justification for the hosting company to be strict.

    Outdated plugins are the largest attack vector in WordPress installations. While this zero day could not have been prevented by timely updates, that is no argument to keep the other plugins potentially vulnerable.

    The virus scan is funny, but if it's a general procedure, that addresses infections coming from a regular login from a compromised PC. In particular because cheap shared hosting usually targets hobbyists.

    Btw., that Zdnet zero day article is from September 2020. There is no way to call that "recent".
  • 3
    "Shared hosting" is a bit of a silly solution for anything vaguely serious in 2021 IMHO - as above, bear in mind vulnerabilities in your own site can potentially affect a bunch of others as a result. If it's vaguely serious, grab a separate VM and run it on that, then at least you've got full control.

    I don't find their demands that bad though. Given the appalling security track record of WordPress plugins (how this plugin model is even still vaguely tolerated for production sites I don't know) it should be standard bloody practice to be updating them all as soon as you possibly can. The local virus scan is more odd and doesn't really show too much, but it's also trivial to do, so just attach it and let them get on with it.
  • 1
    @Fast-Nop @AlmondSauce

    The malware injected code in the index.php & wp-settings.php files which redirected to a malicious website (already flagged as such & prohibited access by built-in browser security)

    I understand the reasoning you gave in your comments, but I find it too demanding that each step's completion be proven to them, and that if they request minor plugin updates (e.g. 5.4.1 -> 5.4.2), the burden of proof that this solves anything lies with them, especially when they take down your whole stack without prior notification, indefinitely.

    Sidenote, if the decision were mine, I wouldn't have used WP, & I already advised the client in October 2020 (without knowing of this breach) to migrate to sth. else than shared hosting, but that costs time and money ofc.
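The comment above describes a redirect injected into WordPress core files (index.php, wp-settings.php). The following is an added example, not code from anyone in this thread: a small defender-side check that compares a core file against a known-good hash and flags lines carrying typical redirect/obfuscation indicators. The clean index.php is reconstructed from the stock WordPress file; the "injected" copy is a constructed sample.

```python
import hashlib
import re

# Stock WordPress index.php: only a define and a require, nothing else executes here.
CLEAN_INDEX_PHP = """<?php
/**
 * Front to the WordPress application.
 */
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

# Constructed sample of a tampered copy: a redirect prepended before the stock code.
INJECTED_INDEX_PHP = """<?php
if (!isset($_COOKIE['seen'])) { header('Location: http://malicious.example/'); exit; }
define( 'WP_USE_THEMES', true );
require __DIR__ . '/wp-blog-header.php';
"""

# Indicators that never belong in a stock core bootstrap file.
SUSPICIOUS = re.compile(
    r"header\s*\(\s*['\"]Location|eval\s*\(|base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(",
    re.IGNORECASE,
)


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def check_core_file(content: str, baseline_hash: str) -> dict:
    """Report whether the file deviates from its baseline hash, plus any lines
    matching redirect/obfuscation indicators (1-based line numbers)."""
    findings = [
        (lineno, line.strip())
        for lineno, line in enumerate(content.splitlines(), start=1)
        if SUSPICIOUS.search(line)
    ]
    return {"modified": sha256(content) != baseline_hash, "findings": findings}


if __name__ == "__main__":
    baseline = sha256(CLEAN_INDEX_PHP)
    for name, body in (("clean", CLEAN_INDEX_PHP), ("injected", INJECTED_INDEX_PHP)):
        print(name, check_core_file(body, baseline))
```

On a real install the baseline comparison is what `wp core verify-checksums` (WP-CLI) does against the official core checksums; the indicator scan is the extra step for files that were legitimately modified or are not covered by core checksums.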
  • 6
    @webketje The breach was months ago, and if that customer got hacked now, it means that he doesn't care about updates at all.

    It's totally reasonable to force him to first update his stuff so that he doesn't run into the next hack due to a long fixed vulnerability. And no, the burden of proof doesn't lie with them because your customer has already fucked up.

    It's also reasonable to take the stack offline to avoid damage to the visitors and avoid the shared hosting server itself being flagged on such blacklists, e.g. when Google detects that dangerous site. That damage would be pretty long-term and for all on that server.

    Actually, your customer should re-think his approach because he is overwhelmed with keeping a WP installation afloat himself. He should contract someone (e.g. you) for site maintenance.
  • 2
    @Fast-Nop haha yeah was long overdue, the last time I was in contact with him before Oct. 2020 was in 2015.
  • 1
    Thoughts? Yeah, fuck using WordPress.
  • 3
    Refuse clients with WordPress installations. "We don't do that here". Saves you a ton of security headaches.
  • 2
    As long as it's nuanced to security updates then it's ok; you can't force people to update modules that potentially or flat out break the site. As @Fast-Nop mentioned, you were infected and they acted accordingly.
  • 1
    @hjk101 Actually the hoster can and should because it's not his job to review each of the potentially dozens of plugins which versions have which security holes and shit. That was the job of the customer before the hack, which he failed to do.

    The customer fucked up, and now he has to update everything, that's the time efficient reaction for the hoster. They don't have to care whether some shit plugin breaks something.

    If the customer wants a security review, he can do that himself, or pay the hoster to do that, or pay a contractor. The customer has to learn that other people won't work for him for free.

    And if that customer cancels the hosting contract and leaves - good riddance. These are the customers nobody needs because they cause more trouble than income.