In our dealing with the continued poor state of web security, which seems to be a microcosm of the poor state of security in general, what we see is that there are many different pieces that all come together to get to the current situation. The really terrible shape of the security industry probably couldn’t exist without the public helping them out in numerous ways. One of those ways is that you have a lot of people that don’t really seem to be paying much attention before handing over money to unscrupulous security companies.
We recently had someone contact us looking for help with a hacked website. They hadn’t provided any details as to how they thought the website was hacked and considering that many people come to us that think a website has been hacked when it hasn’t, we first went to look at the website to see if we noticed any issues. We noticed one issue and we then responded asking if that was what was at issue or if there something more. They responded that they already were a paying customer and had sent several message to support that they hoped we would address. Neither of those things sounded like us, especially since we charge after we have completed a cleanup, not before. It turned out that they had confused us with another company named Sucuri.
What was odder about that was that the person said they had seen Sucuri mentioned on our website and decided to give them a try. Considering that we have repeatedly written about problems caused by Sucuri, particularly involving hack cleanups, it doesn’t seem they could have been paying almost any attention to what we had written about that company.
That ties in to understanding something else that they mentioned, which is that Sucuri told them they provide a 30 day money back guarantee. They didn’t look into the details on that, which they should have.
We were curious to see what Sucuri’s refund policy actually was and found that they are inconsistent in what they claiming to provide. More importantly there are some huge caveats, so the guarantee would be of no value in a lot of cases.
On the homepage they advertise it this way:
You have 30 days to request a refund according to our Terms of Service.
Looking at the terms of service they first state:
You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.
Based on that if you sign up for their service and request a cleanup you can’t get a refund, so if they don’t properly clean things up (as they won’t) you are left paying for something that wasn’t done right.
In listing their various levels of service they make a big point of response time, so it seems pretty likely that they expect that many of their customers are coming to them looking for a cleanup:
So it seems like their refund offer would probably be immediately null for many of their customers. It also seems like if they were interested in be honest with their potential customers they would be upfront about that limitation, instead of burying that important limitation in a long legal document.
Later in the terms of service page they say something different:
If at any time during the Service Term, you submit a Malware Removal Request for a Covered Website that Company determines is infected, Company will use reasonable commercial efforts to clean the infected Covered Website. In the event that Company is unable, for any reason, to clean the infected Covered Website, Company will, as its sole and exclusive remedy, refund to you the annual fee you paid to the Company for the clean up of that Covered Website.
That would sound significant if we haven’t see what can actually happen when Sucuri is supposed to be dealing with a hacked website.
In April of last year we discussed a situation that we were brought in where Sucuri’s service had been purchased and they had claimed to have cleaned a website. When the original issue, credit cards being used on the website were being compromised, continued, the person running the website contacted Sucuri about that and Sucuri told them that the website was clean, despite it being very likely it wasn’t. This person wasn’t looking for a refund, just for them to clean things up, which considering Sucuri’s service is marketed as providing “Unlimited Malware & Hack Cleanup”, shouldn’t have been an issue. They instead had to hire us to get things properly cleaned up.
On Sucuri’s page about cancelling an account they have the following Refund section:
Refunds are only available within 30 days of purchase and will only be issued in case a manual malware removal was not completed. On all other cases, you can cancel the account, but a refund will not be provided.
That doesn’t match what is written in the terms of service, so who knows what is going on there. But if that is to be believed all they are actually offering is a refund if they don’t “complete” a manual malware removal. Considering that based on everything we have Sucuri doesn’t even really attempt to do complete cleanups, that doesn’t seem meaningful.
Right below that section is a Guarantee section:
We guarantee our work, so if your site gets reinfected we will clean it up again until it is 100% clean. But you also have to do your part and keep your sites updated, change passwords and follow our recommendations.
If you do not follow our recommendations, we will not clean it up again until they are done.
As situation we were brought in to clean up after Sucuri in March shows, even when Sucuri is willing to clean things up again it doesn’t mean the website is ever going to get fully cleaned as the website in that situation was repeatedly incompletely cleaned up by Sucuri. What was happening is that Sucuri repeatedly removed parts of the hack, but since they didn’t remove the others, what they were removing just came back over and over.
One of things that would have stopped that cycle would have been if Sucuri had done one of the three pieces of a proper clean up, which is trying to determine how the website was hacked, as reviewing the logging as part of that would have identified where the remaining malicious code was.
Sucuri not only fails to do that piece of a proper clean up, but they fail to do another one, which involves getting the website secure as possible. That usually mainly consists of getting any software on the website up to date. Based on that guarantee language they even try to push that off to the customer.
In fact while they sell their service as website security service, the guarantee seems to indicate they don’t do anything that will actually secure the website. What it looks like is that you are paying them an ongoing fee for them to be on call to improperly clean up your website.
If your website hasn’t been hacked you would be better off spending your time and money on doing the basics of securitye, as doing those things will greatly reduce the chances of the website being hacked. If your website has been hacked you would better off hiring someone like us that will actually clean the website up properly and fully stands behind their work instead of providing you with a misleading “guarantee”.