2 May 2019

Did Sucuri Lie About a Claimed SQL Injection Vulnerability or Unnecessarily Frighten People Due to Not Doing Basic Testing?

Yesterday we wrote about the web security company Sucuri overstating the impact of a SQL injection vulnerability, which they had re-discovered a year and a half after we had discussed it. That was one of two claimed SQL injection vulnerabilities they disclosed recently, and the post on the other, claimed to be in the plugin Advance Contact Form 7 DB, manages to be worse.

Their post starts by making a claim that doesn’t seem to make sense: [Read more]

1 May 2019

Sucuri’s Idea of Safe Harbor Against Tomorrow’s Threats is Warning About a Vulnerability in a WordPress Plugin a Year and Half Behind Us

When it comes to the very poor state of the security industry one thing that continually stands out to us is how often it is that security companies don’t make it that hard to realize they are not in fact doing the things they claim. Unfortunately security journalists and others continually ignore that, which is making the security of every website worse off with no positive benefit for anyone other than security companies cutting corners.

Take the security company Sucuri, which makes claims like this: [Read more]

30 Apr 2019

Sucuri Seems To Be Falsely Trashing the Developer of a WordPress Plugin

A week ago we disclosed an arbitrary file upload vulnerability in the plugin WooCommerce Checkout Manager. On Friday the plugin was closed on the Plugin Directory. Early on Saturday the developer submitted a fixed version of the plugin to the Subversion repository that underlies the WordPress Plugin Directory. On Sunday the plugin was reopened on the Plugin Directory.

If you believe a post put out by Sucuri yesterday you would believe something very different. In part they write: [Read more]

29 Apr 2019

Sucuri Doesn’t Care That WordPress Plugin with Unfixed Vulnerability They Believe Is Being Exploited Is Still in the Plugin Directory

When it comes to our full disclosures of vulnerabilities as a protest of the continued inappropriate behavior of the WordPress Support Forum moderators, we are certainly not above criticism, but it is incredible to us that other security companies escape any criticism despite repeatedly doing things that seem out of line with them actually caring about keeping websites secure. In a post earlier today we noted how a security journalist didn’t link to our post about a vulnerability we fully disclosed, apparently due to its including a proof of concept for confirming that the vulnerability exists, while linking to a post from the web security company Sucuri providing payloads for how hackers were trying to exploit vulnerabilities. That seems hypocritical, but looking at Sucuri’s post we noticed something else: they seemed to be unconcerned that a plugin with an unfixed vulnerability that they believed was being exploited was still in the Plugin Directory.

In their post they provide this information: [Read more]

29 Apr 2019

Security Journalists’ Odd Treatment of Proof of Concepts for WordPress Plugin Vulnerabilities

We think that good security journalism is something that could greatly help to improve the poor state of not just the security surrounding WordPress plugins, but security in general. Unfortunately, what we have found is that security journalists almost uniformly seem to do a very bad job. As a less serious example of that, recently we have seen odd responses from security journalists to us including proof of concepts with vulnerabilities we are disclosing.

Some of that seems like it could be originating with the security company behind the Wordfence Security plugin, Defiant, who make claims like this (while waiting until after vulnerabilities are widely exploited to warn people that they are using plugins likely to be exploited, which is too late): [Read more]

19 Mar 2019

Sucuri Doesn’t Actually Know How Websites are Being Hacked Because They Don’t Properly Clean Up Hacked Websites

Yesterday we noted that a report by Sucuri showed that they don’t know how websites are being hacked, but others citing the same report would tell you otherwise. Here was Paul Gilzow over at WPCampus mentioning the same report:

As in previous years, plugins/themes continue to be the main avenue for compromise. [Read more]

18 Mar 2019

No, 90 Percent of Hacked Websites in 2018 Were Not Running WordPress

Back in January we noted that a good rule of thumb is that security statistics are probably not accurate, and we were quickly proved right about the particular stat that caused that observation. Here is another stat that you are likely to be seeing a lot of despite it not being accurate:

But it’s also the most hacked, with a report from security firm Sucuri earlier this month revealing that 90% of compromised sites in 2018 were powered by the platform. [Read more]

23 Oct 2018

Sucuri (sucuri.net) Won’t Effectively Protect Your Website

Last week we mentioned our recommendation that “if you are looking for a security product or service that will provide protection we would recommend finding one that provides evidence, preferably from independent testing, that it is effective”. That isn’t something we are aware of them providing and we have seen plenty of evidence to the contrary for many of those over the years. Take the service Sucuri as an example. Right in their marketing materials on their homepage they emphasize something that doesn’t match up with their service providing effective protection, which is that they include unlimited hack and malware cleanups:

[Read more]

25 Sep 2018

WordPress Support Forum Moderators Stop People from Getting Help So They Can Promote Favored Security Companies

One of the ways that we keep track of vulnerabilities in WordPress plugins for our service is by monitoring the WordPress Support Forum for related topics. What we have seen is that, unfortunately, that often isn’t a place where people with security issues can get real help; instead it is used by the moderators of the forum to promote hiring certain security companies. Occasionally we have attempted to provide some help, but that has been severely hampered by the moderators (a situation that apparently has occurred for others as well).

As an example of that, a thread was started last week with the following: [Read more]

21 Sep 2018

Threatpost Fails to Properly Vet Sources, Leading to Spreading Inaccurate Information about Vulnerability Created by Duplicator

On Monday we discussed how the security company Sucuri showed that they lack an even basic understanding of security through a post they had written about a vulnerability created by the WordPress plugin Duplicator, which they clearly didn’t understand. What we also noted is that while their lack of security knowledge isn’t some new development, it is something that doesn’t appear to be well known. Part of the reason for that is that security journalists don’t seem to be interested in doing actual journalism and instead often act as stenographers for terrible security companies, so instead of shedding light on the bad practices of Sucuri and other similar companies (there are lots of them), they are often promoting them. Shortly after we posted that, a Google alert notified us of an article by Threatpost discussing the vulnerability, which was sourced to none other than Sucuri. That article is titled “Old WordPress Plugin Being Exploited in RCE Attacks”.

What seems to be most problematic with Threatpost’s article is this claim, which is repeated from Sucuri: [Read more]