• Resolved isaac2k2

    (@isaac2k2)


    I recently discovered that all my websites hosted on a shared hosting platform had been compromised, with some whitespace and characters added at the top of the index.php file. See the injected lines in the link below. I am concerned that your plugin did not prevent that file from being injected with malicious code.

    https://prnt.sc/l7WdMpDzuWdc

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Support Laura – WPMU DEV Support

    (@wpmudev-support8)

    Hi @isaac2k2

    I hope you’re well today!

    I understand your concerns and I’m really sorry to hear that this happened to you.

    However, there are some important things to mention:

    1. To be effective, Defender not only needs to be installed and configured, but you also need to run periodic (the more often the better) malware scans and act accordingly.

    If such an infection came through some sort of existing vulnerability within the site itself (be it WordPress core or some plugin), then even if Defender reports it, you need to decide what to do next – remove the file or repair it, ignore the reported issue or (in some cases) perform a cleanup if one is needed.

    The actual injection “as it happens” can in many cases be stopped/prevented, but this requires a real WAF (Web Application Firewall) which sits outside the site – meaning at least a server-level solution or, better yet, a “gateway” type solution that acts before a given request even hits the actual server.

    This isn’t due to a “flaw” in Defender but rather the fact that – same as any other security plugin – it’s a plugin, which means it works “inside the targeted website”.

    Also, even if you run regular scans, Defender will not automatically decide what to do with identified issues and will not do anything “on its own” – that’s why it’s utterly important to run regular scans and keep an eye on those reports.

    2. There are also many ways that wouldn’t be detected: some as-yet-unknown (as in – not yet publicly reported) vulnerabilities may not be reported but, more importantly, it may not really have anything to do with the site directly at all. For example – it may be some insecurity in file-system-level access to files (like a vulnerable (S)FTP service on the server, or passwords that have already leaked) or even too “loose” file/folder permissions.

    Since you are on a shared server, it’s also quite possible that the infection simply “crawled” from another site (sometimes there are “abandoned” or “forgotten” sites installed on the same account, or live/staging sites that are not kept protected and updated) or even came via some specific vulnerability of the particular host.

    My point here is that a security plugin (such as Defender or any other, for that matter) is always only a part of the defense line, is always limited by the fact that it works inside the attacked site (imagine “fighting the attacker who didn’t get into your house yet but is already on the property” vs “heavily guarding the entire property with outside security systems and security guards”), often requires action from the site admin and cannot take care of some other security aspects that are beyond its reach (like server/environment-level aspects).

    ----

    Just by looking at the injected code, it’s quite difficult to say how the infection came in, I’m afraid, but getting back to Defender itself – did you run malware scans regularly?

    What did the most recent scan report (can you share scan results) and if it did report anything – what was the action taken (if any)?

    I’m asking because this may help find out why/how the infection happened.

    Also, would you mind sharing insights into your current Defender configuration so we can check whether it is correctly configured?

    To do so, simply go to the “Defender -> Settings -> Configs” page and click on the “Save New” button. In the popup, give this config a name (e.g. “current config”) and click Save.

    You will see it on the list, so just click on the “down arrow” next to it, take a screenshot of the summary it shows and share the image with us (it doesn’t contain any “fragile” data). Based on this we may later ask additional questions about the configuration – which may help in tightening Defender settings for security.

    Kind regards,
    Adam
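Added example, not part of this thread or of the Defender plugin: a small stand-alone scan an admin could run between plugin scans on a copy of the site tree. It flags the symptom the original post describes (code injected ahead of the real front controller and pushed out of view with a long run of whitespace), PHP files whose content differs from a recorded baseline hash, and world-writable files or folders, which covers the "loose permissions" point in the reply above. The site tree, file contents, baseline and the injected prologue are all constructed inside the script for demonstration; the pattern list is a deliberately short illustration, not a malware signature set.

```python
"""Added example (not the thread's or the Defender plugin's code).

Scans a WordPress-style directory for three conditions discussed in the
thread: injected code at the top of PHP files hidden behind whitespace
padding, PHP files whose hash no longer matches a baseline, and
world-writable files or directories.  The sample site tree built in
build_sample_site() is constructed for this demonstration only.
"""
import hashlib
import os
import re
import stat
import tempfile
from pathlib import Path

# Short illustrative list of calls that commonly appear in injected PHP
# prologues.  Constructed for the example; a real scanner uses far more.
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

# A run of whitespace this long inside PHP source is almost never legitimate;
# it is the trick used to scroll injected code off the screen in an editor.
PADDING_RUN = re.compile(rb"\s{200,}")


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def check_php_content(path: Path) -> list:
    """Return human-readable findings about a PHP file's leading content."""
    data = path.read_bytes()
    findings = []
    first_tag = data.find(b"<?php")
    if first_tag == -1:
        return ["no <?php tag found"]
    # Anything other than whitespace before the first open tag is suspicious
    # for a file such as index.php that should start with PHP.
    if data[:first_tag].strip():
        findings.append("non-whitespace content before first <?php")
    m = PADDING_RUN.search(data)
    if m:
        findings.append(f"whitespace padding run of {len(m.group(0))} bytes")
    if SUSPICIOUS.search(data[:4096]):
        findings.append("eval/decode call in first 4 KiB")
    return findings


def check_permissions(path: Path) -> list:
    """Flag world-writable files and directories (the 'loose permissions' case)."""
    return ["world-writable"] if path.stat().st_mode & stat.S_IWOTH else []


def scan_tree(root: Path, baseline: dict) -> dict:
    """Scan every entry under root; return {relative_path: [findings]}."""
    report = {}
    for path in sorted(root.rglob("*")):
        rel = str(path.relative_to(root))
        findings = check_permissions(path)
        if path.is_file() and path.suffix == ".php":
            findings += check_php_content(path)
            expected = baseline.get(rel)
            if expected is not None and sha256_of(path) != expected:
                findings.append("hash differs from baseline")
        if findings:
            report[rel] = findings
    return report


# Constructed sample contents: a minimal clean front controller, and the same
# file with an injected prologue followed by 400 spaces of padding.
CLEAN_INDEX = (b"<?php\n/** Front controller (sample) */\n"
               b"define('WP_USE_THEMES', true);\n"
               b"require __DIR__ . '/wp-blog-header.php';\n")
INJECTED_INDEX = b"<?php eval(base64_decode('Li4u')); ?>" + b" " * 400 + CLEAN_INDEX


def build_sample_site() -> tuple:
    """Create a temporary site tree, record a clean baseline, then simulate
    the compromise described in the thread.  Returns (root, baseline)."""
    root = Path(tempfile.mkdtemp(prefix="wpscan_"))
    (root / "index.php").write_bytes(CLEAN_INDEX)
    (root / "wp-config.php").write_bytes(b"<?php\ndefine('DB_NAME', 'example');\n")
    (root / "uploads").mkdir()
    for p in root.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)  # sane starting permissions
    baseline = {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*.php")}
    # Simulate the incident: injected index.php plus a world-writable folder.
    (root / "index.php").write_bytes(INJECTED_INDEX)
    os.chmod(root / "uploads", 0o777)
    return root, baseline


if __name__ == "__main__":
    site, base = build_sample_site()
    for rel, found in scan_tree(site, base).items():
        print(f"{rel}: {', '.join(found)}")
```

The baseline dictionary is the part worth keeping for real: record hashes of the PHP tree right after a clean install or update, store them off the server, and diff against them on a schedule. A plugin running inside the site cannot do this trustworthily once the site is compromised, which is the limitation the reply describes.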

    Plugin Support Nithin – WPMU DEV Support

    (@wpmudevsupport11)

    Hi @isaac2k2,

    Since we haven’t heard from you for a while, I’ll mark this thread as resolved for now. Please feel free to re-open the thread if you need further assistance.

    Regards,
    Nithin


The topic ‘Entire Shared Hosting Compromised’ is closed to new replies.