16 Jan 2025

How Not to Defend Yourself Against the Latest WordPress Malware Attack

Yesterday, as part of an odd series of stories about a malware campaign claimed to be connected to WordPress, the news outlet Make Use Of, which is included in Google News, ran a story titled “How to Defend Yourself Against the Latest WordPress Malware Attack.” It was an odd title since the original source of the claims about this has admitted they don’t know how the malware is getting on the websites. The story started this way:

As one of the most popular website builders in the world, WordPress has yet again become a target for malware. Though security researchers are still trying to work out how certain sites became infected, there are ways to check if your WordPress site is one of the victims, and to defend against any imminent attacks.

The rest of the story doesn’t address the obvious contradiction between not knowing how the attacker got malware on the websites and defending against it.

What won’t work is to use the security service c/side, which is the source of the claims here. That isn’t what they would tell you. At the top of their post about this, they wrote this (emphasis theirs), “One of our users was affected. c/side caught and stopped the attack.” Near the end they wrote this (emphasis theirs again), “The infected user ran the free tier version of c/side. You can install c/side to protect your site in minutes to this and similar attacks.” So they were using the service and it didn’t work, but it will protect you?

Any time a WordPress website is hacked, the critical question is how it was hacked. Trying to figure that out is a basic part of properly addressing a hacked website. If you don’t figure that out, then the website could be hacked again. If it is a wider unaddressed issue, then figuring that out could help to prevent other websites from being hacked. Figuring that out is not a positive for security providers who profit off of websites being hacked instead of improving security, which might help to explain why they so often don’t try to figure that out.

Trying to figure out how the website was hacked involves reviewing the log files and other information on the website. That didn’t happen here, as c/side simply looked for common denominators: “It’s still unclear how the scripts entered the sites. So far, we haven’t identified a common denominator, and our investigation is ongoing.”

Despite having no idea how the hack happened, they then gave out advice to protect against it. Journalists then repeated that advice despite the obvious problem with it. What no one suggested is getting someone to do a proper cleanup of the websites and figure out how they were hacked.

Considering how popular WordPress is, it is entirely possible the cause of the hack had nothing to do with WordPress.
