GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites
The headline of the most recent post on the blog of GoDaddy’s security service, Sucuri, written by Denis Sinegubko, blares “Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network”. How massive? Not massive at all, as they claim that it only involved 5,600 websites:
“PublicWWW results show over 5,600 websites impacted by this malware at the time of writing”
So it isn’t massive, but what’s the connection to WordPress that warranted it being mentioned in the headline? Looking at the few listed impacted websites, we found that one of them was powered by OpenCart, not WordPress (possibly there is a WordPress install on the website as well). Others were running WordPress, which doesn’t necessarily mean that anything WordPress related was the cause of this, as WordPress’ popularity makes it more likely than other software to be what a hacked website is running.
Sucuri’s service is supposed to protect websites from being hacked, which makes it odd that they keep writing post after post like this, which involve the aftereffects of hacks that they didn’t stop. Even if the websites were hacked before using Sucuri’s service, trying to figure out how they were hacked is an important part of properly cleaning them up. It is also important to figure that out if you are going to make sure that a protection service actually provides protection. Yet Sucuri has an unconvincing explanation for how they were hacked:
“Unfortunately, we can’t tell you which vulnerability hackers used to break into your site. The reason is this campaign exploits a wide range of vulnerabilities in WordPress themes and plugins, including but not limited to the plugin vulns from our latest WordPress Vulnerability Roundup.”
If they know what they are, which they claim to, they could tell people, but they didn’t. Also, if you look at their latest WordPress Vulnerability Roundup and have some level of security expertise, you would realize that the vast majority of the vulnerabilities listed there couldn’t be the source of the type of hack they are describing. So it sounds like they don’t know how the hackings are happening, but are blaming WordPress anyway, and assuming they can get away with it.
GoDaddy Isn’t Supporting the WordPress Community
The reality is that Sucuri can not only get away with it, but they can get promotion for themselves, as they have done here, which seems to be the point of a post like this.
GoDaddy markets themselves as a “proud supporter of the WordPress community”, but they keep promoting Sucuri by spreading fear, uncertainty, and doubt (FUD) about the security of WordPress websites. If they truly want to support the WordPress community, they could support an effort to better address the very real security problems that there are with WordPress instead of what they are doing now.