25 Oct 2022

Sucuri Doesn’t Seem Concerned Their Customers’ Websites Keep Getting Hacked

Last year GoDaddy disclosed a massive security breach of their managed WordPress hosting service, which, according to them, impacted 1.2 million of their current and previous customers. They also claimed that customers’ passwords were compromised:

• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords.

• For active customers, sFTP and database usernames and passwords were exposed. We reset both passwords.

That shouldn’t have been possible, as passwords should only be stored in hashed form. Because a password hash is one-way, there wouldn’t be any way to recover the actual password from what was stored. So GoDaddy was also admitting that as of 2021 they were failing to handle a basic aspect of security correctly.

While that situation got attention at the time, news outlets ignored that GoDaddy owns a major web security provider, Sucuri. How could Sucuri and its employees have found it acceptable for GoDaddy to have such bad security? One explanation, from looking over Sucuri’s blog, is that they don’t really care about security.

Last week Sucuri put out yet another post involving one of their customers’ WordPress websites being hacked. That is odd considering their service is supposed to protect websites from being hacked. Here is how they advertise that on their home page:

It could be a new customer, one that Sucuri was not yet supposed to be protecting, but, as with plenty of previous similar posts, there isn’t any mention that they are a new customer. That would seem an obvious thing to mention if they really believed their service protected websites from being hacked.

Even if it was a new customer, you would expect a different focus than they had with this hack. To protect websites, you need to know how they are being hacked, but Sucuri didn’t even try to figure that out. The beginning of the post would suggest otherwise:

In this post, we’ll reveal how attackers compromised a website and tampered with the existing Wordfence plugin to plant malicious website backdoors and evade detection.

But reading through the rest of the post, Sucuri never reveals how the attacker compromised the website or even suggests they tried to figure that out. Despite that, they have a whole section telling you how to prevent the attack:

How to prevent Wordfence evasion malware

For WordPress environments we previously published a helpful guide on hardening WordPress environments.

Some of the more notable suggestions include:

  • Use 2FA on your administrator panel
  • Use additional wp-config.php security implementations such as disallow_file_edit and disallow_file_mods
  • Keep your website software up to date and fully patched
  • Employ a website firewall to shield the website from attacks

Additionally, with this particular malware, it would be helpful to have a file integrity monitoring service that resides mostly outside of the environment itself, like our server side scanning solution. This way, it’s possible to see if any website files have been tampered with.

Some of that isn’t good advice. They suggest a wp-config.php setting (disallow_file_mods) that blocks updating plugins and themes through WordPress, and then suggest keeping software up to date.

Other parts of it read like an ad for their service.
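The file integrity monitoring the quoted section mentions is a generic technique rather than anything specific to Sucuri’s product: record a digest of every file once, compare the live tree against that record later, and report what was added, removed or changed. The following is an added example of that technique, not Sucuri’s scanner and not code from the post; the plugin directory and file names in it are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List

# Added example, not Sucuri's scanner or code from the post: a minimal file
# integrity monitor. A baseline of SHA-256 digests is recorded once and later
# compared against the live tree; anything added, removed or modified is
# reported. File names below are constructed for the demonstration.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def save_manifest(manifest: Dict[str, str], destination: Path) -> None:
    """Persist the baseline. Keep it off the monitored host: an intruder who
    can alter plugin files could otherwise alter the baseline to match."""
    destination.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(source: Path) -> Dict[str, str]:
    return json.loads(source.read_text())


def compare_manifests(baseline: Dict[str, str],
                      current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference between the recorded and the live tree."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(name for name in common if baseline[name] != current[name]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a fake plugin directory, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as offsite:
        root = Path(site)
        plugin = root / "wp-content" / "plugins" / "example-plugin"
        plugin.mkdir(parents=True)
        (plugin / "example-plugin.php").write_text("<?php\n// constructed plugin file\n")
        (plugin / "readme.txt").write_text("constructed readme\n")

        # The baseline lives in a separate location, standing in for storage
        # outside the web environment.
        baseline_file = Path(offsite) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Tamper in the abstract way the Sucuri post describes: an existing
        # plugin file is altered, a new file appears, and one file disappears.
        with (plugin / "example-plugin.php").open("a") as handle:
            handle.write("// constructed appended line\n")
        (plugin / "extra.php").write_text("<?php\n// constructed new file\n")
        (plugin / "readme.txt").unlink()

        return compare_manifests(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner would add. The baseline has to be re-taken after every legitimate update, or every update looks like tampering, which is one more reason the update and monitoring processes have to work together. And a diff only says that a file changed, not how the attacker got to change it, so it complements, and does not replace, working out the entry point.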

There are also ways the website could have been hacked that none of those suggestions would prevent.

By not figuring out how the website was hacked in the first place, Sucuri not only leaves that website at risk of getting hacked through the same issue again, but possibly leaves other WordPress websites open to being hacked. That isn’t necessarily bad for Sucuri, since if more websites get hacked, those are more potential customers for them.

GoDaddy heavily promotes itself to the WordPress community, while, as this shows, it is not being helpful toward improving the security of WordPress websites.

The situation also doesn’t say great things about the security industry, as the author of the post claims to have been in the industry for at least 9 years, but doesn’t seem to have a grasp of how to properly deal with a hacked website:

is a security analyst and researcher who joined the company in 2013. Ben’s main responsibilities include finding new undetected malware, identifying trends in the website security world, and, of course, cleaning websites. His professional experience covers more than eight years of working with infected websites, writing blog posts, and taking escalated tickets.
