{"id":3419,"date":"2017-04-26T14:56:27","date_gmt":"2017-04-26T20:56:27","guid":{"rendered":"https:\/\/www.whitefirdesign.com\/blog\/?p=3419"},"modified":"2017-04-26T14:56:27","modified_gmt":"2017-04-26T20:56:27","slug":"a-security-service-that-doesnt-determine-how-a-hack-happened-isnt-actually-that-helpful","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2017\/04\/26\/a-security-service-that-doesnt-determine-how-a-hack-happened-isnt-actually-that-helpful\/","title":{"rendered":"A Security Service That Doesn&#8217;t Determine How a Hack Happened Isn&#8217;t Actually That Helpful"},"content":{"rendered":"<p>We are frequently brought in to re-clean hacked websites after another company had cleaned it and then it got hacked again. While the re-hacking\u00a0is not always the fault of whoever did the first cleanup, we have found that companies doing those cleanups are cutting corners. The first thing that we ask after\u00a0it is brought up that someone previously cleaned up the website is whether they determined how the website was hacked and got that fixed. If that hasn&#8217;t happened, it obviously leaves open the possibility of the website being hacked again. The answer is almost universally that doing that never even came up. It shouldn&#8217;t be that way, since trying to determine\u00a0that is one of the three basic parts of a proper cleanup.\u00a0So either these companies (we have heard it about a lot of different companies over the years) don&#8217;t know what they are doing or are intentionally cutting corners.<\/p>\n<p>We recently ran across a reminder that the web security company SiteLock either doesn&#8217;t understand the importance of doing that or doesn&#8217;t want to have to do the work required to do things properly, as they didn&#8217;t tell the truth about needing to do this. 
In a <a href=\"https:\/\/wordpress.org\/support\/topic\/preventing-blog-hacks\/\">thread<\/a> on the WordPress support forum, which came up in our monitoring for discussions of vulnerabilities in WordPress plugins that we do for our <a href=\"https:\/\/www.pluginvulnerabilities.com\/\">Plugin Vulnerabilities service<\/a>, a SiteLock customer had been notified their website had been hacked:<\/p>\n<blockquote><p>We signed up for SiteLock which was helpful and told us this morning that we had a malware warning for \u201cdefaced pages\u201d \u2013 sure enough, the list they provided was full of similar material to the last one. This time it said \u201cjust for fun\u201d and \u201chacked by GeNeRaL.\u201d Since we\u2019re on the latest version of WP, and we had updated our password to one of the long, random, extra-complex ones that WP suggests, I don\u2019t know what to do to prevent this. I deleted all of the blog posts, but is there anything better we should be doing?<\/p><\/blockquote>\n<p>There are a lot of things that could be focused on there. The fact that they received a malware warning for &#8220;defaced pages&#8221;, despite that not being a malware issue (that lack of clarity is even more problematic <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/02\/15\/sitelock-and-bluehost-falsely-claimed-a-website-contained-malware-due-to-sitelocks-poor-scanner\/\">when they are falsely claiming that a website has an issue identified by their scanner<\/a>). The fact that their customer either is not able to, or does not feel they can, get in touch with the people they are paying to protect their website about a concern they have. 
But we will\u00a0focus on the claim that SiteLock was helpful despite clearly leaving this person unaware of what caused the issue, which is in fact the most important part here.<\/p>\n<p>Before we get to that though, we have to mention that this thread contains an example of the poor quality responses from moderators when you post about security issues on the WordPress Support Forum. As is often the case, this person did not get relevant advice from a moderator:<\/p>\n<blockquote><p>Take a deep breath and carefully follow <a href=\"https:\/\/codex.wordpress.org\/FAQ_My_site_was_hacked\" rel=\"nofollow\">this guide<\/a>. When you\u2019re done, you may want to implement some (if not all) of <a href=\"https:\/\/codex.wordpress.org\/Hardening_WordPress\" rel=\"nofollow\">the recommended security measures<\/a>.<\/p>\n<p>If you\u2019re unable to clean your site(s) successfully, there are reputable organizations that can clean your sites for you. Sucuri and Wordfence are a couple.<\/p><\/blockquote>\n<p>Not only did they not address the specifics of the poster&#8217;s question, they promoted two security companies. Neither of those companies is one that we would refer to as reputable. We just had a post <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/04\/26\/sucuri-claimed-customers-website-was-clean-despite-it-comprising-credit-card-info-entered-on-it\/\">on Sucuri claiming one of their customers&#8217; websites that had malicious code to compromise credit card info entered on it was clean<\/a> and recently <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/03\/27\/sucuri-sitecheck-scanner-falsely-claims-our-website-is-defaced\/\">had one on their scanner producing a rather bad false positive that led to them claiming our website was defaced<\/a> (we also frequently see moderators pointing people to their poor quality scanner). 
With\u00a0<a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/08\/24\/its-scary-how-little-wordfence-knows-about-security\/\">Wordfence, they don&#8217;t seem to understand the basics of security<\/a> and <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/12\/22\/wordfence-and-security-concern-trolling\/\">spread falsehoods about the security of WordPress<\/a>. Why someone\u00a0connected with WordPress would be promoting a company spreading falsehoods about the security of WordPress is as baffling as it is troubling.<\/p>\n<p>The response from someone at SiteLock in the thread didn&#8217;t raise the need to\u00a0determine how the website was hacked; instead they stated:<\/p>\n<blockquote><p>The bottom line is that you\u2019re most likely in the clear regarding that particular incursion, but continuing to run malware scans on an ongoing basis is your best way to be certain.<\/p><\/blockquote>\n<p>Even if a malware scanner is good at what it does\u00a0(and <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/02\/15\/sitelock-and-bluehost-falsely-claimed-a-website-contained-malware-due-to-sitelocks-poor-scanner\/\">SiteLock&#8217;s doesn&#8217;t seem to be<\/a>), from a technical perspective it simply cannot detect everything. Of course doing things right would\u00a0increase SiteLock&#8217;s costs, whereas telling someone to continue to use their service to have scans continue would make them more money.<\/p>\n<p>The thread went on for a bit and ended with the person not being able to get in touch with someone at SiteLock who would actually determine how the website was hacked:<\/p>\n<blockquote><p>I tried to ask for you when I called, but it sounds like they couldn\u2019t find you at the time. The rep I spoke with checked the site in question and said there are only 95 pages. 
Do you think it\u2019s an issue with SiteLock not noticing it, or is it more likely that this more recent hack cropped up as a result of some other vulnerability (a plugin, theme, something else)?<\/p><\/blockquote>\n<p>Despite the service not doing what should be done, they thought they had been helped and were open to possibly giving more money to SiteLock:<\/p>\n<blockquote><p>We\u2019ll most likely want to add on several other domains to this account and possibly upgrade. Thanks for your help!<\/p><\/blockquote>\n<p>Every time someone does something like that it hurts everybody, because it helps bad security companies like SiteLock spread, which means that the needed improvements to security are less likely to happen because those companies keep pushing people away from focusing on the things that would actually improve security.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are frequently brought in to re-clean hacked websites after another company had cleaned it and then it got hacked again. While the re-hacking\u00a0is not always the fault of whoever did the first cleanup, we have found that companies doing those cleanups are cutting corners. 
The first thing that we ask after\u00a0it is brought up &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2017\/04\/26\/a-security-service-that-doesnt-determine-how-a-hack-happened-isnt-actually-that-helpful\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;A Security Service That Doesn&#8217;t Determine How a Hack Happened Isn&#8217;t Actually That Helpful&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,27],"tags":[39],"class_list":["post-3419","post","type-post","status-publish","format-standard","hentry","category-bad-security","category-website-hacked","tag-sitelock"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3419","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=3419"}],"version-history":[{"count":6,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3419\/revisions"}],"predecessor-version":[{"id":3441,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/3419\/revisions\/3441"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=3419"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=3419"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=3419"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","te
mplated":true}]}}