When Sucuri Doesn’t Really Protect Your Website It Shouldn’t Be Surprising Their Cleanups Cause Problems As Well

We recently had someone contact us who was looking for a service that would protect their website from being hacked and clean up the website if it did get hacked. There is what seems to be us to be an obvious issue with that, which is that cleaning up hacks wouldn’t be necessary if the website was being successfully protected from being hacked. It also seems like a bad idea to expect that if a company is providing a service where half of it doesn’t work that the other half will actually work well. When it comes to services that offer both of those things, our experience is that their providers usually are not just bad at both, but don’t even attempt to do the work that would be needed to do them properly.

As a case in point, we were contacted by someone last week that was using Sucuri’s service that provides both of those. The service failed to protect the website from getting infected with malware. Sucuri’s first clean up failed to stop it from getting infected again (or didn’t fully clean it up), which is not all surprising based on lots of previous instances we have been brought in to re-clean things after they failed to even attempt to do things properly.

After the second cleanup the website was broken. Once Sucuri fixed that issue, it was broken in another way, at which point the owner of the website contacted us.

There really isn’t any reason that anyone should be relying on Sucuri at this point (which was equally true years ago as well). They have shown they lack an even basic understanding of security and their own marketing material indicates they are not focused on providing effective protection. They fail to properly deal with hacked websites with even the most serious hacking issues or high profile websites (we were recently hired to re-clean a hacked website they failed to clean, for which the hack was being investigated by the FBI).

GoDaddy Says That Version of PHP for Which Support Ended 3 Years Ago Meets Their Stability and Security Requirements

You would think that if a web host owned a security company they would be better than other web hosts when it comes to security. With GoDaddy that isn’t the case, though that might be explained by the fact that the security company they own Sucuri, seems to be completely incompetent. As yet another example of the security issues with GoDaddy, while dealing with a support issue on a website hosted with them we found that they were making this claim about PHP 5.4 on the Programming Languages page of their control panel on the website we were working on:

PHP version 5.4 is available and meets our stability and security requirements.

Support for PHP 5.4 ended in September of 2015.

To make thing more confusing if you click the question mark icon next to radio selector to use that version of PHP on the page a message box appears that states:

Version 5.4 is no longer actively supported.

So is the first claim inaccurate or do they have really low standards for “stability and security”?

GoDaddy’s Idea of Securing Websites Actually Involves Leaving Them Insecure and Trying to Deal with the After Effects of That

Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security and that is exactly what we ran across while looking into things while working on that previous post.  When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:

The description of that is:

Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.

It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.

If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about.

The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.

Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.

What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we recently we brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.

Sucuri’s 30 Day Guarantee Guarantees That They Won’t Properly Clean Up Your Website

In our dealing with the continued poor state of web security, which seems to be a microcosm of the poor state of security in general, what we see is that there are many different pieces that all come together to get to the current situation. The really terrible shape of the security industry probably couldn’t exist without the public helping them out in numerous ways. One of those ways is that you have a lot of people that don’t really seem to be paying much attention before handing over money to unscrupulous security companies.

We recently had someone contact us looking for help with a hacked website. They hadn’t provided any details as to how they thought the website was hacked and considering that many people come to us that think a website has been hacked when it hasn’t, we first went to look at the website to see if we noticed any issues. We noticed one issue and we then responded asking if that was what was at issue or if there something more. They responded that they already were a paying customer and had sent several message to support that they hoped we would address. Neither of those things sounded like us, especially since we charge after we have completed a cleanup, not before. It turned out that they had confused us with another company named Sucuri.

What was odder about that was that the person said they had seen Sucuri mentioned on our website and decided to give them a try. Considering that we have repeatedly written about problems caused by Sucuri, particularly involving hack cleanups, it doesn’t seem they could have been paying almost any attention to what we had written about that company.

That ties in to understanding something else that they mentioned, which is that Sucuri told them they provide a 30 day money back guarantee. They didn’t look into the details on that, which they should have.

We were curious to see what Sucuri’s refund policy actually was and found that they are inconsistent in what they claiming to provide. More importantly there are some huge caveats, so the guarantee would be of no value in a lot of cases.

On the homepage they advertise it this way:

30-Day Guarantee

You have 30 days to request a refund according to our Terms of Service.

Looking at the terms of service they first state:

You will have thirty (30) days from the Service Commencement Date or any Renewal Commencement Date to cancel the Service (the “Cancellation Period”), in which case the Company will refund your Service Subscription Fee for the applicable Service Term provided that you have not submitted a Malware Removal Request during the Cancellation Period.

Based on that if you sign up for their service and request a cleanup you can’t get a refund, so if they don’t properly clean things up (as they won’t) you are left paying for something that wasn’t done right.

In listing their various levels of service they make a big point of response time, so it seems pretty likely that they expect that many of their customers are coming to them looking for a cleanup:

So it seems like their refund offer would probably be immediately null for many of their customers. It also seems like if they were interested in be honest with their potential customers they would be upfront about that limitation, instead of burying that important limitation in a long legal document.

Later in the terms of service page they say something different:

If at any time during the Service Term, you submit a Malware Removal Request for a Covered Website that Company determines is infected, Company will use reasonable commercial efforts to clean the infected Covered Website. In the event that Company is unable, for any reason, to clean the infected Covered Website, Company will, as its sole and exclusive remedy, refund to you the annual fee you paid to the Company for the clean up of that Covered Website.

That would sound significant if we haven’t see what can actually happen when Sucuri is supposed to be dealing with a hacked website.

In April of last year we discussed a situation that we were brought in where Sucuri’s service had been purchased and they had claimed to have cleaned a website. When the original issue, credit cards being used on the website were being compromised, continued, the person running the website contacted Sucuri about that and Sucuri told them that the website was clean, despite it being very likely it wasn’t. This person wasn’t looking for a refund, just for them to clean things up, which considering Sucuri’s service is marketed as providing “Unlimited Malware & Hack Cleanup”, shouldn’t have been an issue. They instead had to hire us to get things properly cleaned up.

On Sucuri’s page about cancelling an account they have the following Refund section:

Refunds

Refunds are only available within 30 days of purchase and will only be issued in case a manual malware removal was not completed. On all other cases, you can cancel the account, but a refund will not be provided.

That doesn’t match what is written in the terms of service, so who knows what is going on there. But if that is to be believed all they are actually offering is a refund if they don’t “complete” a manual malware removal. Considering that based on everything we have Sucuri doesn’t even really attempt to do complete cleanups, that doesn’t seem meaningful.

Right below that section is a Guarantee section:

Guarantee

We guarantee our work, so if your site gets reinfected we will clean it up again until it is 100% clean. But you also have to do your part and keep your sites updated, change passwords and follow our recommendations.

If you do not follow our recommendations, we will not clean it up again until they are done.

As situation we were brought in to clean up after Sucuri in March shows, even when Sucuri is willing to clean things up again it doesn’t mean the website is ever going to get fully cleaned as the website in that situation was repeatedly incompletely cleaned up by Sucuri. What was happening is that Sucuri repeatedly removed parts of the hack, but since they didn’t remove the others, what they were removing just came back over and over.

One of things that would have stopped that cycle would have been if Sucuri had done one of the three pieces of a proper clean up, which is trying to determine how the website was hacked, as reviewing the logging as part of that would have identified where the remaining malicious code was.

Sucuri not only fails to do that piece of a proper clean up, but they fail to do another one, which involves getting the website secure as possible. That usually mainly consists of getting any software on the website up to date. Based on that guarantee language they even try to push that off to the customer.

In fact while they sell their service as website security service, the guarantee seems to indicate they don’t do anything that will actually secure the website. What it looks like is that you are paying them an ongoing fee for them to be on call to improperly clean up your website.

If your website hasn’t been hacked you would be better off spending your time and money on doing the basics of security, as doing those things will greatly reduce the chances of the website being hacked. If your website has been hacked you would better off hiring someone like us that will actually clean the website up properly and fully stands behind their work instead of providing you with a misleading “guarantee”.

Does Sucuri Believe That There Are Unreal People Working At Other Website Security Companies?

Recently we have been taking a closer look at how website security services are marketed and how they provide what seem like they should be warning signs as to the reality that the services don’t actually provide real security. We ran into another example involving Sucuri, which also involves an odd tag line.

Here was an ad form that showed up in search results while we were looking into for some information for another recent post on this blog:

The tagline there is “Real People, Real Security”. The first part of that is odd, do they believe other website security companies employ unreal people? The second part of that though is more problematic, since Sucuri doesn’t provide real security. That is something that is hinted at by what else is mentioned in the ad. If they could provide real security then websites using their services wouldn’t be getting malware on them that needs to be cleaned, much less repeatedly, and yet one of the things they are touting in that ad is that they provide “Unlimited Malware Cleanup”.

As we noted recently, Sucuri doesn’t present evidence, much less from evidence from independent testing, that their service is actually effective at protecting websites. So it would seem either they don’t know if they provide real security or they know they don’t provide real security, as we assume if they were actually measuring or testing to see if they provide real security they would tout the results if they were good.

There is plenty of reason to believe they don’t provide real security since as we also noted recently, it can be incredibly easy to bypass a critical piece of Sucuri’s offering, their website application firewall (WAF).

As we also noted recently, getting unlimited cleanups from Sucuri isn’t necessarily all that useful since we were recently brought in to deal with a website where Sucuri was repeatedly doing incomplete cleanups that didn’t resolve a hack.

It also worth noting that while Sucuri has real people (again, who wouldn’t?), what is important is if they competent and what we have seen doesn’t point in that direction. For example, just about a year ago SiteLock was telling one of their customers that their website was clean when it seems to us that someone that hasn’t basic competency in the field would have realized that wasn’t true and the employee(s) failed to spot malicious code that we easily found on the website.

SiteLock and Sucuri Inaccurately Portray Hidden Spammy Content on Website as Malware

We frequently have people contacting us for a second opinion on claims from the security company SiteLock that their websites have been hacked. To be able to provide that we ask for the evidence being presented by SiteLock to back that claim up. An important reason for doing that is that SiteLock appears to refer to anything they detect as possibly being an indication of a hack as malware, even if it isn’t malware.

Malware is short for malicious software and can accurately refer to one of two things when it comes to websites. The first being malicious code being served from a website and the second being malicious code located in a website’s files or database.

One reason why they might refer to any indication of a hack as being malware is to make the issue sound more serious than it really is and make you more likely to pay them for some security service. As an example of that, in one instance where we were contacted about a claim of theirs, what they were claiming was “critical” severity malware was just a link to another website. What was even supposed a problem with the link, which was included with a comment on a blog post, wasn’t clear since the domain name of the website being linked wasn’t registered anymore, but saying there is an issue with a link would sound a lot less concerning than “malware”.

Someone that they recently contacted with a claim that their website contained malware, had also been told by the SiteLock representative that called them that Google would “shut down” their website due to the issue. In reality Google doesn’t shut down websites and since the issue wasn’t actually malware they wouldn’t even block access to the website if they had detected the issue.

That person had then run the website through the Sucuri SiteCheck scanner, which also claimed the website contained malware. Sucuri also goes the over top in making issues seem as bad as possible to sell their service:

The small text there states:

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

What they actual identified there is what we would describe as hidden spammy content, which is a less serious issue than malware. It also didn’t contain any code, JavaScript or otherwise, despite Sucuri labeling it as “Known javascript malware” and stating that “Malicious Code Detected”.

While Google might penalize a website for that hidden spammy content like that, it isn’t going to do any harm to people visiting the website.

If you visit the link they provide for the details of that type of issue, http://labs.sucuri.net/db/malware/spam-seo.hidden_content?24, the description doesn’t mention “malware”, but does mention “hiding spammy content”:

Hiding spammy content (links, spammy texts, etc) on legitimate web pages is a common black hat SEO trick. It helps use existing site pages in black hat SEO schemes while keeping it invisible to site visitors and webmaster.

There are many techniques that help hide certain parts of a web pages. Most of them include either CSS or JavaScript. The simples is placing spammy content inside a div tag with the display:none; style.

Another interesting similarity between those two companies, which seems like it ties in to the overstated impact of the real issue on this website, is that security services provided by both SiteLock and Sucuri don’t seem to be focused on actually securing websites. Instead they seem to be more focused on trying to deal with after effects of the website having been hacked after having left the websites insecure. That all could be an indication the companies don’t have a good understanding of what they claim to have expertise in or that they are just interested in trying to get as much money out of people instead of being focused on improving security.

Sucuri’s Website Application Firewall (WAF) Makes Improving Websites’ Security Harder, While Being Easily Bypassable

When cleaning up a hacked website there are three main components to doing that properly. We often find that security companies don’t do two of those. One of them being trying to determine how the website was hacked. The other being getting the website secure as possible, which usually involves getting the software on the website up to date. If a company isn’t able to make sure the software is up to date, it seems likely they also are not familiar enough with the software that they should be dealing with hacked websites running it.

One well known company that usually skips doing those things is Sucuri. They promote as alternative to doing that securing, that you can rely on the virtual patching provided by their website application firewall (WAF). There are a number of reasons why that is bad idea, including that they don’t present any evidence, much less from independent testing, that their virtual patching is effective (they also don’t present any evidence that their service is effective at protecting websites in general). Probably the largest problem with relying on that though, is that it can be incredibly easy to go completely around their WAF, leaving websites that haven’t been properly secured wide open to being hacked.

Before we get in to that, what lead to us writing this post was our recent experience with their WAF making it harder to get a website secured.

We were recently brought in to upgrade a Joomla installation on a website that Sucuri cleaned but had failed to upgrade the software on it. When we went to do that upgrade we ran into an error, “ERROR: AJAX Loading Error: Forbidden”:

That error message doesn’t provide much information on what was going wrong and we would guess that others that run into it might get stuck at that point. In debugging that we found that when an AJAX request was made to  /administrator/components/com_joomlaupdate/restore.php the response being received was this page:

Access Denied - Sucuri Website Firewall If you are the site owner (or you manage this site), please whitelist your IP or if you think this block is an error please open a support ticket and make sure to include the block details (displayed in the box below), so we can assist you in troubleshooting the issue.

At that point we could have contacted the person we were dealing with from the website and get them to try to whitelist our IP address, but there was a far quicker solution, simply bypassing Sucuri’s WAF, which can be incredibly easy to do.

Here’s is how Sucuri explains how their WAF works:

The reality is that all HTTP/HTTPS traffic does not have to begin where they show it beginning in that graphic, instead, if you know the IP address of the Original Host you can connect directly to it, bypassing the WAF entirely.

While in something we will get to in a moment, Sucuri refers to this IP address as being “hidden”, in reality it often isn’t hidden at all. In the case of the website we dealing with we just pulled up the DNS records for the website and the second IP address (after the Sucuri one) was the Original Host’s IP address (there was another equally easy method available as well). By simply associating that IP address with the domain name in a computer’s host file the Sucuri WAF can be bypassed.

From previous real world experience we can say that people will in fact rely on Sucuri’s WAF to keep them safe instead of keeping software up to date, which can leave people wide open to attack if someone just takes time to bypass the WAF. What makes that particularly problematic is that a website could appear to be secure for a long time, leading to people claiming that Sucuri’s solution is effective, and only later it becomes clear that things were not as how they seemed.

Here’s what makes this even more troubling, Sucuri is aware of the ability to bypass their WAF, but they either don’t understand that their attempt solution to stop that doesn’t resolve the issue or they don’t care that that what they are providing is fundamentally insecure.

The page Prevent Sucuri Firewall Bypass on Sucuri’s website begins:

If someone knows your hidden Hosting IP address, they can bypass our Firewall and try to access your site directly. It is not common or easy to do so, but for additional extra security, we recommend only allowing HTTP access from our Firewall.

The best way to prevent hackers from bypassing our Firewall is limiting their access to your web server. To do this, all you have to do is add restrictions to your .htaccess file so that only our Firewall’s IP will be able to access your web server.

As we already noted, the IP address isn’t necessarily hidden at all. Calling attempting to prevent the easy bypass as “additional extra security” as opposed to being essential, doesn’t provide much assurance that they actual are concerned about the security of websites using their service.

The larger issue here is that trying to restrict what IP address can access the Original Host directly isn’t very effective. That is because all someone has to bypass that restriction is to spoof a permitted IP address, which involves making it seem a request came from a different IP address than it really did. Either Sucuri doesn’t understand that or doesn’t care that their WAF is fundamentally insecure, neither of which should be true about a security company.

Their a major limitation with spoofing an IP address that is important to note though, which is that any response would not be sent back to the system sending the spoofed requests since the response would be sent back to the spoofed IP address. But with the kind of vulnerabilities we see actually being exploited on websites that often wouldn’t be an issue since the hacker doesn’t need to receive a response to gain further access to the website. Oncee they have access they could remove the IP address restriction or send any responses they need in way they can still access (say writing them to a file accessible through the website).

While we wouldn’t recommend using Sucuri’s WAF (or their services in general), if you are using it, restricting IP addresses as suggested in that previously mentioned article would provide better security when using their WAF.

Sucuri’s Comparison to Other Security Services Doesn’t Present Evidence They Provide Real Security

Earlier this week we looked at how the website security company SiteLock compared itself to competitors. What stood out in that is their idea of security isn’t focused on securing websites, but on instead leaving them vulnerable to being hacked and then trying to incompletely deal with the result of that. That is a good way for them to make money, but it is bad for everyone else. They are not alone in doing that though, as the comparison page for another company, Sucuri, shows.

The main portion of the page is a comparison chart, but before that is text that seems more important in terms of understanding what Sucuri is actually doing and not doing. It starts:

Our constant research keeps us ahead of competitors.

The unique insights shared by Sucuri Labs and the Sucuri Blog have earned us press and media mentions from top news outlets, industry blogs, and cybersecurity journalists.

The reality here is that their postings seems to be focused on getting press coverage instead of actually keeping ahead of competitors in terms of protecting websites. If you look at their blogs they are focused on the after effects of websites being hacked instead of on how they are getting hacked in the first place. That isn’t a good sign for their ability to protect websites, since what is important is how they got hacked, not what was done after that. Since not only do you need to know how they are hacked to effectively protect against those things, but if you are protecting them, the after effects of hack don’t matter since they won’t have happened.

When they have actually discussed how websites are hacked it actually shows they are way behind. In one recent instance of that they were notified of a vulnerability involving two WordPress plugins weeks after it had been discussed on the blog of our Plugin Vulnerabilities service and weeks after the free companion plugin for that service had started warning people about the vulnerable versions of the plugins. So Sucuri isn’t even able to stay ahead of people just following that service’s blog, much less competitors that actually do the research they claim to do.

Next up is this:

A safe internet is our mission, so we offer free tools.

We maintain a free website scanner and guides to help you fix or prevent website hacks. Sucuri is recommended by customers and web professionals in over 60 case studies.

As we have discussed in the past, their website scanner is to put it politely, incredibly crude. For example, as of year ago it was falsely claiming our website had been defaced on the basis of a page on it being named “Hacked Website Cleanup”. Where that gets much worse and seems to dispute their claim that the “a safe Internet is their mission”, is that instead of presenting the questionable results of that scanner in a neutral fashion they go in to full scare mode at detection of a possible issue. It seems their real mission is to take as much money from people without a concern if that involves falsely claiming that websites are hacked. Doing that goes against two of their four claimed values:

Helpful

When a website is hacked or under attack, a website owner is at their most vulnerable state. We will be the calm in the virtual storm, standing by to restore peace of mind.

Trust

The security space is filled with snake-oil and unnecessary FUD (fear, uncertainty, and doubt). We are committed to building services in the best interest of website owners.

In reality they are taking advantage of people when they are at their most vulnerable and spreading the FUD they claim they are against.

Looking at one of their guides it shows a good indication about their lack on focus on securing websites. In the guide for dealing with a hacked WordPress website, there are numerous ads for their service, but there is no mention of one of the three basic components of a proper hack cleanup. That being, trying to determine how the website was hacked. Websites don’t just get hacked, something has to go wrong, so if you don’t figure out what went wrong, you can’t be sure you have fixed that.

There seems to be a good reason for information on determining how websites are hacked being missing, from everything we have seen Sucuri usually doesn’t do that when cleaning up websites (and when we have seen them doing that, they didn’t seem to have a basic grasp of how it should be done). For a company that is supposed to be protecting websites from being hacked, that is fairly big issue since it would severely limit their ability to protect other websites from being hacked, which might explain how they market the service, which we will get to in a bit.

Getting to the main portion of the page, which is a chart that compares Sucuri to other services, just a quick glance shows that it contains false information. In the chart they claim they offer “Complete” hack and malware cleanups:

The reality is that they don’t do two of three basic components of a proper cleanup. Those being securing the website (which usually involves getting the software brought up to date) and the previously mentioned trying to determine how the website was hacked.

Right before the comparison chart is paragraph that begins:

We encourage you to research your options, read online reviews, chat with our team, and make an informed decision about who to trust with your website, reputation, and business.

What is completely missing from that page (or Sucuri’s website in general) is any evidence, much less from independent testing, that their service is actually effective at protecting websites. You can’t possibly make an informed decision on a security service when the most important piece of information is missing. There are two possible reasons why that is missing. The first being that they don’t actually have any idea is their service is effective, which based on everything else we have seen about them wouldn’t surprise us. The second is that they know it isn’t effective, but they realized they can get away with that.

(Reading online reviews is not a good way to make an informed decision since, for example, you can find reviews praising services despite the service failing to properly clean up hacks repeatedly.)

What makes that lack of evidence more striking is that on their homepage they provide several other measures of their service:

Touting how many websites they clean up seems like it could be a good indication that the service isn’t actually effective at protecting websites, since if they could do that that should be the thing they tout and they shouldn’t be doing many cleanups (other than for new customers).

The fact that on the homepage they twice tout that their services that are supposed to protect websites, includes “unlimited” cleanups also seem like a good indication of that:

If websites were actually being protected they wouldn’t be hacked and therefore need to be cleaned up repeatedly.

Everything we have seen and heard, including people frequently contacting us looking for a security service that works after using one that didn’t, indicates that security service like Sucuri provides do not do a good job of protecting website. If you actually want to do something that will protect your websites, doing security basics will actually protect your website from most hacks.

If your website has been hacked you want to make sure to get it properly cleaned up, which involves removing anything the hacker added to the website, securing the website (which usually involves upgrading the software on it), and trying to determine how the website was hacked and fixing that. Many companies, including Sucuri, cut corners. So simply going with a well known company doesn’t mean that you are going to get a good result, in fact what we have seen is that the biggest names are usually very bad at security (lying about things has been effective method to make security companies popular, but it doesn’t help to make them good at security).

Cleaning Up After StudioPress Sites and Sucuri Didn’t Protect or Properly Clean a Website

Two weeks ago we wrote about how StudioPress Sites and Sucuri hadn’t properly dealt with a hacked website, leading it to being hacked again. Subsequent to that we were hired to re-clean the website, which allowed us to see more of what had and hadn’t happened. The results, which we will get to in a moment, are not just a reminder that a security company being well known, as Sucuri is, doesn’t mean that they have any business being involved with security, but also the limits of automated security solutions in general.

Probably the most striking thing that we found, is that based on evidence we ran across in an error log file, the hack had been going on for more than year.

We often find that when we are brought in to clean up hacked websites the hack goes back much further then the website’s owner was aware of. That could be a good reason to use a service that is designed to detect the presence of malicious code on website, if used in conjunction with doing security basics, as that could give you better assurance that the website is secure. The problem with that is we have yet to see evidence presented that solutions that attempt to do that are all that effective. The one time we ran across a security company claiming that independent testing had been done, the result was that their product was 100% effective. That sounded unbelievable to us. One of the important questions as to validity of that was how the samples tested were chosen. It turned out the security company had provided the malicious code that was used to test their service against. That meant it wasn’t independent testing and also made it meaningless that they detected 100% of it, since they could choose things they knew the service could detect.

One of the most worrisome indications of the quality of services to detect malicious code on websites is that we have seen companies providing them having marketed them as if they will protect website from being hacked in the first place, which obviously isn’t remotely possible since they only come in to play after the website is hacked. Either the developers don’t understand really basic elements of what they are providing or they are rather blatantly lying, neither of which seems like something that should be true about a company that has anything to do with security.

In the case of this website that type of detection was supposed to be happening:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

But it wasn’t, as neither StudioPress Site nor Sucuri were the ones that finally detected the issue, instead person managing the website noticed the issue.

As we mentioned in the previous post, how the StudioPress Sites service is promoted though made it strange that detection and cleanup would even be needed to be provide with the service, because it was claimed that service would protect websites from being hacked in the first place:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

Clearly it didn’t.

While re-cleaning the website we saw a several issues with what looks to be an automated cleanup done by Sucuri.

The first was a much less serious issue, but it was rather annoying for us, as Sucuri had left numerous empty files all over the website. It looks like if they remove all the code in the file because it is all malicious they don’t then remove the file. That created a couple of issues. The first being that when we did file comparisons to identify any changes made by the hack we had all of these empty files coming up in addition to files that still contained malicious code. The second being that when we started reviewing the log files to see how the hacker was able to continue to access the website, it looked at first glance that they were successfully able to access quite a few files, that actually were empty, that increased the time it took to find the logging of successful requests to malicious files that still existed.

Along those same lines we found that in other instances while Sucuri looks to have removed malicious code they left other content that had been added by the hacker, including comments that had been before or after malicious code. Those all then needed to be checked over during file comparisons, slowing down getting to the serious issues.

Those things then tie it the much more serious issue. We were able to easily find the files that were being missed by Sucuri’s automated tools, which were allowing additional malicious files to return that they were able to catch (and then remove again and again). Simply doing some file comparisons, some quick checking over the files in some directories, and looking at the logging, allowed us quickly find what Sucuri’s tools were missing. None of those things are by any means advance solutions (it isn’t the first time simply solutions used by us have caught things they missed).

Takeaways

First and foremost, this situation should be a reminder that claims made about security whether by security companies or other companies should be viewed with great skepticism. If there isn’t evidence backing a claim there is good chance that, at best, it is being made without any idea if it is true or not.

Second, relying on a service that will try to detect and remove the result of a hack instead of making sure you are doing the security basics, which will prevent many hacks, is not a good idea since you can run into a situation like this where the hack goes on and on.

Third, any company that is offering to do cleanups with just automatic tools is probably a company you don’t want having anything to do with cleaning them up since they either don’t understand what they are doing or they are providing a service that they know can’t get the job done.

Finally, if your website is hacked, you want to make sure you hire someone that will properly clean it up. The three components of that are cleaning up the malicious code and anything else the hacker added, securing the website (which usually means getting the software on it up to date), and trying to determine how the website was hacked (which not only helps to prevent it happening again, but as we have found repeatedly, helps to make sure that the hack is fully cleaned up). One simple way to insure you are hiring someone that does that is to hire us, since we have always done those things throughout the many years we have been dealing with hacked websites.

StudioPress Sites And Sucuri Didn’t Properly Deal With a Hacked Website

Recently we have gotten quite a few questions related to web hosts that include a security service with their hosting service. Considering that web hosts seem to have problems handling the basics of their own security this type of offering seems like it might not be a great idea. Furthermore, most of what needs to be done to keep websites secure isn’t best handled by a security service.

Another issue is that we haven’t seen evidence presented that those types of services are effective at protecting websites and plenty that they are not. One of the pieces of evidence that we have seen that they are not effective is that companies that provide those services often don’t do an important part of properly cleaning up hacked websites. One of the basic components of a proper cleanup is trying to determine how the website has been hacked. If you don’t do that, it leaves open the possibility that the vulnerability is still on the website and can be exploited again. If you are a service that is supposed to protect websites and you don’t even know how they are hacked, you unlikely to do a good job of protecting them.

Security companies can often get away with all of that because the public doesn’t have a good understanding of security and when it comes to the lack of protection, people will often say that such services have been successfully protecting them because they assume that if the website hasn’t been hacked that means the service worked. In reality most websites don’t get hacked, so a service can get credit for providing protection when it does little to nothing to protect websites.

One prominent web security company that all of that would apply to is Sucuri. From what we have seen over the years they don’t seem to have even a basic understanding of security (amazingly one time they warned people to beware of companies that don’t have that). They fail to even handle even more basics elements of cleaning up hacked websites than determining how the website was hacked.

Those kinds of things haven’t stopped the web hosting service StudioPress Sites (previously known as Synthesis) from partnering with them, which they promote in this way:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

Right before that in their marketing they make this claim:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

If they were actually able to keep the bad guys out, why would what Sucuri is supposed to be providing be needed? The reality is that when it comes to WordPress, while you see everybody and their brother making claims about their great security, our Plugin Vulnerabilities service seems to be out there alone in catching the kind of serious vulnerabilities in WordPress plugins that would be exploited before there is evidence that they have been exploited (we disclosed two of those just in the last few days). Considering those are a major source of WordPress based websites being hacked, it seems to be a good indications that others are not really do much when it comes to protecting WordPress sites.

We became aware of the partnership between those two companies when someone recently contacted us about a hacked website and mentioned that the website been hacked again after having using Sucuri’s service to clean it up by way of StudioPress Sites. In a situation like that, the first thing we always ask is if the previous company that did the cleanup determined how the website was hacked, since if the source hasn’t been determined and fixed it could explain why the website got hacked again. They responded that they got some generic security advice, but no information about how the website had been hacked or any indication there was an attempt to do that. So it really isn’t all that surprising that it got hacked again.

Out of line with how that hosting is promoted, neither the web host nor Sucuri had been the ones that spotted the hack in the first place. That really isn’t all that surprising since it seems that Sucuri’s scanner is to put it politely, incredibly simplistic, which we base in part on the terrible false positives we have seen it produce.

A Better Cleanup

When we do a hack cleanup of a WordPress website not only do we do it properly, but we also include a free lifetime subscription to Plugin Vulnerabilities service, which will warn you if any of the plugins you use have disclosed vulnerabilities. We will also review all of your installed plugins for serious vulnerabilities using the same technique that we have used to catch numerous serious vulnerabilities in other plugins.