We would like to introduce a case in which a malware infection led to a lawsuit, filed by a client who asked us to investigate the state of the infection.
Why did a malware infection of a WordPress site lead to a lawsuit?
The client was a company that operated multiple WordPress sites and had contracted with another company to maintain the WordPress sites.
*When we asked **** Corporation to investigate the cause of the problem and take countermeasures, **** Corporation (hereinafter referred to as “the defendant”) claimed that “there was no problem with the website itself because an online scan provided by ***** (a well-known virus scanning software company) did not find anything wrong with it. Therefore, there is no problem with the website itself, so it is not our responsibility,” and no measures were taken.
As a result, our company’s credibility was severely damaged and sales decreased significantly.
Because of the above circumstances, we consulted a lawyer and decided to file a lawsuit, which is still pending.
(*The contents are excerpts; company names that could be identified and the timing of the lawsuit have been withheld.)
We were asked to investigate and report on whether any malware was found on the site, and as a result, we found several pieces of malware.
Afterwards, the defendant, a web production company, claimed that the malware infection stemmed from a period when the malware was stored on a virtual server built on a PC using XAMPP.
*WordPress malware infections occur when a vulnerability is exploited over the Internet and malware code is then transmitted, so it is unlikely that the infection could have occurred on a local XAMPP installation.
There is a limit to the malware an online scan can detect.
The page display of a WordPress site is the result of the execution of a complex program. For this reason, online scanning, which detects malware from the HTML code of the displayed results, cannot detect malware that has infected the program source code.
In addition, malware that infects websites is an extremely new field, and even well-known virus scanning companies have low detection rates for WordPress malware scans.
For this reason, even when you are told
>Online scans have been performed, but no abnormalities were found.
the reality of malware infection of WordPress sites is that you cannot rest assured that there is nothing wrong with your site.
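The gap between an online scan and a source-code scan, as an added example (not code from the plug-in or from the case described here): a constructed theme file whose PHP never reaches the browser is checked once as rendered HTML and once as source. The rule sets, function names and sample file are assumptions made for illustration, and the embedded string decodes to a harmless `echo '';`.

```python
import re

# Assumed heuristic rules for this example; not any vendor's real signatures.
# Source-level rules look at the PHP code stored on the server.
SOURCE_RULES = {
    "eval-of-decoded-data": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}
# HTML-level rules are all an online scan can apply: it only sees markup.
HTML_RULES = {
    "hidden-iframe": re.compile(
        r"<iframe[^>]+(display\s*:\s*none|width=[\"']?0)", re.I),
    "inline-script-eval": re.compile(r"<script[^>]*>[^<]*\beval\s*\(", re.I),
}

# Constructed sample: a theme footer with an injected PHP line.
# 'ZWNobyAnJzs=' is base64 for the harmless statement: echo '';
SAMPLE_FOOTER_PHP = """<footer><p>Example Site</p></footer>
<?php eval(base64_decode('ZWNobyAnJzs=')); ?>
</body></html>
"""

def scan(text, rules):
    """Return the sorted names of all rules that match the text."""
    return sorted(name for name, rx in rules.items() if rx.search(text))

def rendered_view(source):
    """Approximate the page a browser (or online scanner) receives.

    PHP blocks run on the server and are never sent to the client. Here the
    injected code prints nothing, so removing the blocks models the output.
    """
    return re.sub(r"<\?php.*?\?>", "", source, flags=re.S)

def compare(source):
    """Findings of an HTML-only scan versus a source-code scan."""
    return {
        "online_scan": scan(rendered_view(source), HTML_RULES),
        "source_scan": scan(source, SOURCE_RULES),
    }

if __name__ == "__main__":
    for kind, findings in compare(SAMPLE_FOOTER_PHP).items():
        print(f"{kind}: {findings or 'no abnormalities found'}")
```

A clean result from the HTML-only pass says nothing about the PHP files themselves, which is why the investigation has to read the files on the server.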
Please use the [Free] WordPress:Malware Scan & Security Plug-in [Malware and Virus Detection and Removal], which can comprehensively scan your WordPress site for malware from the source code.
To prevent WordPress malware infections from leading to lawsuits
In this client’s case, the maintenance contract for the WordPress site would not have led to a lawsuit if the company had clearly defined the scope of the maintenance contract. Also, the client may have been at fault in assuming that there was no malware infection just because no malware was detected in the online scan.
Website operators (owners) need to be concerned about security measures even if they have a website maintenance contract (web production companies often lack this knowledge and skill). When symptoms of malware infection appear, the site may no longer be found in searches or may become impossible to browse, or visitors may be redirected to a different site, which may cause a loss of trust in the company.