14 Jan 2025

Journalists Once Again Focus on WordPress While Ignoring That Sucuri Failed to Protect and Secure Their Customers’ Websites

While WordPress has very real security problems, news coverage of hacked WordPress websites often focuses on WordPress while ignoring the more pertinent problem: security companies are scamming their customers. Yesterday, a story ran in one security “news outlet” titled “WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables.” Again, that was yesterday. For those familiar with hacked WordPress websites, or hacked websites using other software, this is a bizarre headline. Malware stored in a database isn’t a new phenomenon, nor is what they are describing something that should evade detection. Several other “news outlets” included in Google News ran similar stories. The sole source for all those stories was a blog post by Sucuri.

It was fairly standard for Sucuri, with them once again admitting that one of their customers got hacked. That is despite claiming that their service protects websites from being hacked: [Read more]

27 Apr 2023

Bleeping Computer’s Bill Toulas Falsely Blames WordPress Plugin When Sucuri Fails to Protect Their Customers

As we have noted in the past, the GoDaddy-owned security provider Sucuri keeps writing blog posts about what has happened to their customers’ websites after they have been hacked. They seem uninterested in how those websites were hacked, despite the importance of figuring that out as part of properly cleaning up a website. And, more importantly, they are uninterested in that despite being a service that is supposed to protect websites from being hacked. At best, these are new customers, but they don’t mention that, which would seem like an obvious thing to mention when you are a service that is supposed to avoid that situation. If you look at reviews of Sucuri, there are plenty of customers mentioning they were hacked despite already using the service (some of them with a positive view of the company, despite that).

You would reasonably think that journalists writing stories that cite those posts would do so in the context of raising questions about Sucuri, but they don’t. In a recent instance, the WordPress Plugin Directory was being criticized instead. [Read more]

17 Mar 2023

These Jetpack Security Features Won’t Protect Against the Unfixed SQL Injection Vulnerability They Disclosed

Yesterday, we wrote about how Automattic’s Jetpack has been telling people an authenticated SQL injection vulnerability had been fixed in a WordPress plugin, while the vulnerability still exists. In their post, they recommended that people update the plugin despite that not addressing the issue, but also to have an “established security solution” on their website:

We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security. [Read more]

25 Jan 2023

GoDaddy/Sucuri’s FUD About New “Massive Campaign” Claimed to Involve Hacked WordPress Websites

The headline of the most recent post on the blog of GoDaddy’s security service, Sucuri, blares “Massive Campaign Uses Hacked WordPress Sites as Platform for Black Hat Ad Network”, which was written by Denis Sinegubko. How massive? Not massive at all, as they claim that it only involved 5,600 websites:

PublicWWW results show over 5,600 websites impacted by this malware at the time of writing [Read more]

25 Oct 2022

Sucuri Doesn’t Seem Concerned Their Customers’ Websites Keep Getting Hacked

Last year GoDaddy disclosed a massive security breach of their managed WordPress hosting service, which according to them, impacted 1.2 million of their current and previous customers. They also claimed that customers’ passwords were compromised:

• The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, we reset those passwords. [Read more]

23 Dec 2021

GoDaddy (Through Sucuri) Spreads Misinformation About Recently Fixed Vulnerabilities in All in One SEO

A month ago, GoDaddy was in the news after announcing a data breach of information for customers using their managed WordPress hosting service. What was lacking in the coverage of that is that GoDaddy owns a major web security provider, Sucuri. It seems like if a web host owns a major security provider they should have a good handle on security, not fail to handle the basics, as the breach showed.

For those knowledgeable about security, the apparent incongruity really wasn’t surprising, since Sucuri has always been run by people who don’t seem to have much grasp of security. That could be seen again in a post earlier this week about vulnerabilities recently fixed in a popular WordPress plugin, All in One SEO. [Read more]

22 Dec 2021

Wordfence Security and Wordfence Premium Fail to Provide Protection Against Possibly Exploited Plugin Vulnerability

The Wordfence Security plugin is promoted with the claim that its firewall stops websites from getting hacked:

Powered by the constantly updated Threat Defense Feed, Wordfence Firewall stops you from getting hacked. [Read more]

5 Jul 2019

Sucuri, WPScan, and Others Incorrectly Claim Persistent XSS Vulnerability in WordPress Plugin with 500,000+ Installs Has Been Fixed

Two days ago the web security company Sucuri disclosed a vulnerability in the very popular WordPress plugin WP Statistics, which has 500,000+ active installations, and claimed it had been fixed. The post is fairly hard to follow and seems to mostly make a case that firewalls can introduce additional security risk, which is an odd argument for a provider of a firewall to make.

Considering Sucuri’s recent track record of getting basic details wrong when it comes to WordPress plugin vulnerabilities, including claiming that a vulnerability existed that didn’t and falsely trashing a developer, you can’t take their claims at face value. Their post makes it hard to follow what exactly the issue is, but more importantly it provides neither a proof of concept nor an explanation of how the vulnerability was supposed to have been fixed, so without doing additional work it isn’t possible to confirm whether what they claimed is correct. [Read more]

22 May 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Slimstat Analytics

Yesterday we detailed a persistent cross-site scripting (XSS) vulnerability in the plugin Slimstat Analytics, and at about the same time the discoverer of the vulnerability, Sucuri, released a post with similar details, but one notably silent about how the vulnerability was fixed. We are not sure why they didn’t include that, but it is important, since the fix was less than ideal: instead of using the relevant WordPress escaping function, the developer used code that did a more limited version of what that function does (yesterday we notified the developer that this could be better handled). It is always a good idea not to roll your own security code when you don’t need to, so what happened there might be a sign that the developer doesn’t have the best handle on dealing with the security of WordPress plugins.

That is further backed up by a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability we found in the plugin, which we noticed by chance while figuring out what versions were impacted by the other vulnerability so that we could let them know if versions of the plugin used on their websites were impacted. We noticed part of that vulnerability while looking at a fairly old version, so we suspected it would have been noticed and fixed by now considering the plugin has 100,000+ active installations according to wordpress.org, but that isn’t the case. [Read more]

16 May 2019

Why Doesn’t Sucuri Know That Attacks Can Be Automated Even if They Require Authentication?

In trying to improve security, one of the big impediments is the sheer amount of misleading and false information out there, which gets in the way of addressing what actually needs to be addressed to fix the problems with security. A lot of that comes from security journalists repeating inaccurate claims made by security companies, instead of the journalists realizing that those claims are indications that security companies don’t understand things they should. In Bleeping Computer’s coverage of a vulnerability in the plugin WP Live Chat Support (which is only one of multiple in it), discovered by Sucuri, they state this:

Without having to authenticate on the target website, hackers can automate their attacks to cover a larger number of victims. [Read more]