Yesterday we noted that a report by Sucuri showed that they don’t know how websites are being hacked, but others citing the same report would tell you otherwise. Here was Paul Gilzow over at WPCampus mentioning the same report:

As in previous years, plugins/themes continue to be the main avenue for compromise.

But that isn’t actually what Sucuri said. Instead they said this (emphasis ours):

The leading cause of the infections, anecdotally, came from poorly configured plugins, modules, and extensions inside some of the more common CMSs; abused access control credentials; poorly configured applications and servers; and a lack of knowledge around security best practices. These issues continue to be the leading causes of today’s website hacks.

That shouldn’t be something that they only know anecdotally as trying to determine how websites are hacked is a basic part of hack cleanups and that report is supposed to be based on Sucuri cleaning up hacked websites. So what is going there? The answer is that they don’t properly clean up websites. We know that well because we are frequently brought in over at our main business to re-clean websites after they failed to properly clean them.

Among the problems with them doing that is that it makes everyone less secure, because if a website is being exploited through a zero-day vulnerability, which is one that is being exploited before the developer is aware of it, the sooner you figure that out the sooner that can be fixed. (That makes the moderators of WordPress Support Forum repeatedly violating the guidelines they are supposed to be enforcing to promote hiring Sucuri to clean up hacked websites seem even worse.)

If you want to consider the worst case scenario, Sucuri might not be trying to figure out how websites are hacked so that websites are less secure and that means more business for them, not just from cleanups, but also selling people security services that are not actually expected to work since people don’t even know how websites are getting hacked and therefore don’t know what actually needs to be done to protect them.

The best case scenario seems to be that that Sucuri, a major security company, is just incompetent.

Making any option more concerning, the lead for the WordPress Core Security Team is funded by Sucuri’s parent company GoDaddy, which seems like an issue in multiple different directions.