Sucuri’s Lie of Omission Involving Their Ownership by GoDaddy

Last week we touched on a continued lie from the makers of the Wordfence Security plugin and mentioned the general problem of lying within the security industry. Not every lie in the security industry involves something that is said; it can also be something that is left unsaid.

As an example, take what we noticed in a recent post by the web security company Sucuri promoting their partnership program for web hosts. What they neglect to mention, despite it being rather important, as we will get to, is that they are in fact owned by the web hosting company GoDaddy.

But before we get to that, the whole post is cringe-worthy if you have followed our posts on the web security company SiteLock, whose business seems to be largely built around partnerships with web hosts. Many of those web hosts are run by the majority owners of SiteLock, which might have given GoDaddy the idea of moving from a partnership with SiteLock to doing the same thing on its own.

At one point in Sucuri’s post they write the following:

We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers all while helping gain a better understanding of the overall health of accounts in the environment.

In the case of SiteLock, because SiteLock’s scanner isn’t very good, that sort of thing has led to lots of people falsely being told that their websites have been hacked and then being offered overpriced services to fix the non-issues. Sucuri’s scanner has also been bad for years; the most recent example we documented involved them claiming that the Washington Post’s website contained malware. We noticed that while looking into a situation where someone was contacted by their web host with Sucuri’s results falsely claiming that their website was hacked, much like Sucuri had falsely, but hilariously, claimed of ours not too long ago.

Elsewhere in Sucuri’s post they write:

They want a site that is fully secure and stays that way. From our experience, they don’t care about, or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.

That isn’t what you get with Sucuri, judging by one person who came to us after Sucuri failed to take care of a credit card compromise on their website. Not only did Sucuri fail to detect an easy-to-spot piece of malicious code, they kept telling the customer that the website was clean despite being told that credit cards were still being compromised on it.

That ties in with something in the post:

A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.

Clearly the customer service was terrible in that situation. The other striking element is that we were able to identify the issue without any “cutting-edge technology”. Also, when it comes to security services, web professionals are not necessarily who you would want a recommendation from, since they don’t necessarily have a good understanding of security. Certainly any of them recommending Sucuri, based on what we have seen, shouldn’t be providing that type of recommendation.

If you want another recent example of poor security from Sucuri and GoDaddy, take the report by ZDNet of Sucuri’s web application firewall (WAF) being bypassed simply by encoding a character. A WAF that matches on the raw request without first decoding it into the form the application will see is missing one of the basics of the job, so that is an indication that the product is rather poor at what it is supposed to be doing, which isn’t surprising based on everything we have seen from this company (they don’t even seem to understand security basics). This also looks like another situation where they are not being honest, as the article states that:

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

But the quote from the company neglects to mention that the fix came only after they were notified of the issue:

“In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,” said Daniel Cid, GoDaddy’s vice-president of engineering.

“Within less than a day, our systems were able to pick up this attempt and put a stop to it,” he said.
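The ZDNet article, as quoted here, gives only the outline: a single encoded character got past the WAF. As an added illustration of that class of bypass (this is not code from Sucuri, GoDaddy or the original post, and it is not the actual request from the report), the following compares a filter that matches the raw query string against one that percent-decodes to a fixed point before matching. The single signature, the probe strings and the three-round decoding limit are assumptions made for the example.

```python
import re
from typing import Dict, Tuple
from urllib.parse import unquote_plus

# One signature for one payload family.  Real rule sets are far larger; a
# single rule is enough to show why matching must happen after normalisation.
XSS_RE = re.compile(r"<\s*script\b", re.I)


def naive_blocks(raw_query: str) -> bool:
    """Filter that matches the request exactly as it arrived on the wire."""
    return bool(XSS_RE.search(raw_query))


def canonicalize(raw: str, max_rounds: int = 3) -> Tuple[str, bool]:
    """Percent-decode ('+' -> space as well) until the value stops changing,
    so the filter sees what the application will see after its own decoding.
    Returns (value, stable); bounded so nested encodings cannot stall us."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote_plus(cur)
        if nxt == cur:
            return cur, True
        cur = nxt
    return cur, False


def normalized_blocks(raw_query: str) -> bool:
    value, stable = canonicalize(raw_query)
    # Still changing after max_rounds means encoding nested deeper than any
    # browser produces.  Fail closed rather than let it through.
    return (not stable) or bool(XSS_RE.search(value))


# Constructed probes; they are not the request from the ZDNet report.
PROBES: Dict[str, str] = {
    "plain":          "q=<script>alert(1)</script>",
    "encoded":        "q=%3Cscript%3Ealert(1)%3C/script%3E",
    "double_encoded": "q=%253Cscript%253Ealert(1)%253C/script%253E",
    "benign":         "q=price+%3C+10",
}


def compare(probes: Dict[str, str] = PROBES) -> Dict[str, Tuple[bool, bool]]:
    """(blocked by naive filter, blocked by normalising filter) per probe."""
    return {name: (naive_blocks(p), normalized_blocks(p)) for name, p in probes.items()}


if __name__ == "__main__":
    for name, (naive, normal) in compare().items():
        print(f"{name:15} naive={naive!s:5} normalized={normal}")
```

The decoder has to mirror what the protected application actually does: decoding fewer times than the application gives the bypass shown by the `encoded` and `double_encoded` probes, while decoding more times than the application produces false positives on benign input that merely looks like an encoded payload. That is why the check fails closed when the value is still changing at the round limit instead of guessing.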

What isn’t mentioned anywhere in the post is that Sucuri is owned by GoDaddy, and therefore web hosts partnering with Sucuri are really partnering with a competitor and possibly providing it with sensitive information.

That also isn’t mentioned on the Sucuri Partner Program page the post links to.

What is mentioned there is that this is a way for web hosts to make a lot of money:

As we have seen with SiteLock, that doesn’t lead to good things.

You also won’t find any mention of the ownership on the about page of Sucuri’s website, which states:

Sucuri, Inc. is a Delaware Corporation, with a globally-distributed team spread over a dozen countries around the world.

Beyond the fact that web hosts might not want to be partnering with a competitor in this way, there is the issue that GoDaddy has a bad reputation when it comes to security.

One element of that is obliquely mentioned in the Sucuri post when they write:

For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today.

One provider where that happened was GoDaddy, which ignored attempts by people we were helping to deal with those hacks to get it to do something before the problem became a major issue. GoDaddy then made ever-changing claims as to the source of the hacks, but notably didn’t blame itself.

In more recent times there have been issues with GoDaddy distributing outdated and insecure software to its customers, using outdated and insecure software on its servers, being unable to properly control FTP access to websites, not providing a basic security feature with its managed WordPress hosting, and, worst of all, screwing up the security of databases in a way that led to websites being hacked that otherwise would not have been.

With that type of track record it isn’t really surprising that they would buy a security company that has inadvertently made a good case for avoiding it. All of that would be a good reason for other web hosts to avoid getting involved in this if they truly care about their customers, and that might be why the ownership goes unmentioned.

Comodo and Melih Abdulhayoglu don’t secure their own websites, why would you trust them to secure yours?

We were recently contacted by Comodo about some sort of partnership involving their cWatch service. From the homepage of that service, things immediately seemed questionable. They are offering “Free Instant Malware Removal”:

Properly removing malware or dealing with some other hacking issue can’t be done instantly. Done properly, it takes time and costs somebody money, so at best they were offering this as a loss leader to sell their other services, and more likely they were not doing it right (as is true of so many companies, based on how many people come to us to re-clean websites). The “instant” claim suggests they are using an automated method, and from plenty of experience seeing the poor results of that, it doesn’t work all that well. Why they would think we would partner with them when they are, at best, offering to do what we do for free, we didn’t understand.

Looking a little further, things didn’t seem any better. They have one post on their blog, How to Clean a Hacked Joomla! Site, which is more an ad for their services than actual information on the subject.

What will be relevant in a second is that at the end of the post it says:

Prevention is better than cure.

One of the preventative measures they list before that is:

  • Update the Joomla! software and all its components including core files and extensions.

From there we got to a post on the blog of the CEO of Comodo, Melih Abdulhayoglu, Free Hacked Website Repair & Malware Removal. Before we get to the details of that, it is worth noting that this blog is running an outdated and insecure version of WordPress, as can be seen from the source code of the page:

That version was superseded by version 4.7.3 on March 6, 2017, so the WordPress version is eight months out of date. That shouldn’t be the case, because normally the automatic background updates feature of WordPress would have updated it shortly after the new version was released. So either that feature has been disabled (the AUTOMATIC_UPDATER_DISABLED and WP_AUTO_UPDATE_CORE constants in wp-config.php are the usual ways of doing that) or there is some incompatibility between the feature and the hosting environment of the website. If it was the latter, that would be something Comodo could work with WordPress to fix for everyone.

What continues to stun us is that we keep finding security companies running outdated and insecure versions of WordPress despite automatic updates that manage to work for the average website, and despite the fact that security companies should know better than anyone else about the need to keep software updated. In just the last year we have already mentioned on this blog that we have run into this same situation with the following security companies: Checkmarx, Cloudbric, Trend Micro (who got hacked because of it), and PacketSled. We ran into all of those without going out and looking for companies with this problem, so there are likely to be more.

Version 4.7.3 was a security update. So were versions 4.7.5, 4.7.6, and 4.7.7.

Also from the source code you can see that the website is running version 4.2.8 of the plugin Captcha:

That version is also eight months out of date and contains a reflected cross-site scripting (XSS) vulnerability that we and at least two other entities discovered. That type of vulnerability isn’t likely to be exploited on the average website, but a security company run by people who don’t seem to care much about security seems like a more likely target. If Comodo had been using our Plugin Vulnerabilities service they would have been alerted to that back in April.
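Both checks above (the core version from the generator meta tag and a plugin’s version from the `?ver=` query string on its assets) can be automated from a single fetch of the page. The following is an added example, not code from the post or from Comodo; the HTML fragment is constructed to match the versions described above, and the table of current versions is an illustrative snapshot rather than a live feed (a real check would pull it from the wordpress.org API). `example.invalid` is a placeholder host.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed page fragment modelled on what a WordPress front page leaks:
# the generator meta tag and versioned asset URLs.  example.invalid is a
# placeholder host; the versions match the ones discussed above.
SAMPLE_HTML = """
<html><head>
<meta name="generator" content="WordPress 4.7.2" />
<link rel='stylesheet' href='https://example.invalid/wp-content/plugins/captcha/css/front_end_style.css?ver=4.2.8' type='text/css' />
<script src='https://example.invalid/wp-content/plugins/some-plugin/js/front.js?ver=4.7.2'></script>
<script src='https://example.invalid/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
</head><body></body></html>
"""

# Illustrative snapshot of "current" versions (an assumption, not a live
# feed); a real check would query the wordpress.org API for these.
LATEST: Dict[str, str] = {"wordpress": "4.8.3", "captcha": "4.3.6"}

GENERATOR_RE = re.compile(
    r"<meta\s+name=[\"']generator[\"']\s+content=[\"']WordPress\s+([\d.]+)", re.I)
# Any asset under /wp-content/plugins/<slug>/ carrying a ver= query parameter.
PLUGIN_ASSET_RE = re.compile(
    r"/wp-content/plugins/([^/'\"?\s]+)/[^'\"?\s]*\?(?:[^'\"\s]*&)?ver=([\d.]+)", re.I)


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.7.10' -> (4, 7, 10); tuple comparison avoids the string-compare
    trap where '4.7.10' < '4.7.9'."""
    return tuple(int(p) for p in v.strip(".").split(".") if p.isdigit())


def core_version(html: str) -> Optional[str]:
    # The tag can be removed or faked, so None means "unknown", not "current".
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def plugin_versions(html: str, core: Optional[str]) -> Dict[str, str]:
    found: Dict[str, str] = {}
    for slug, ver in PLUGIN_ASSET_RE.findall(html):
        # wp_enqueue_script/style with no explicit version stamps the asset
        # with the core version, so ver == core says nothing about the plugin.
        if core is not None and ver == core:
            continue
        found.setdefault(slug.lower(), ver)
    return found


def outdated(html: str, latest: Dict[str, str] = LATEST) -> Dict[str, Tuple[str, str]]:
    """Map of component -> (found, current) for everything behind `latest`."""
    core = core_version(html)
    report: Dict[str, Tuple[str, str]] = {}
    if core is not None and parse_version(core) < parse_version(latest["wordpress"]):
        report["wordpress"] = (core, latest["wordpress"])
    for slug, ver in plugin_versions(html, core).items():
        if slug in latest and parse_version(ver) < parse_version(latest[slug]):
            report[slug] = (ver, latest[slug])
    return report


if __name__ == "__main__":
    for name, (found, current) in outdated(SAMPLE_HTML).items():
        print(f"{name}: running {found}, current is {current}")
```

Two caveats the code encodes: a plugin enqueued without an explicit version is stamped with the core version, so a `?ver=` equal to the core version says nothing about the plugin, and the generator tag can be removed or faked, so its absence is not evidence that the site is current.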

The outdated WordPress install is also an issue on the Comodo blog:

You also have to wonder if they use their own service, or if it works at all, as one of its features is “Daily Malware & Vulnerability Scan”, which should be warning about those vulnerabilities:

Seeing as Comodo doesn’t take its own advice on keeping software up to date, it seems like a good example of the terrible state of the security industry. If you look at the controversies section of the Wikipedia page about the company, there have been a lot of other problems with it.

Another item worth noting for its questionable nature is the row of major company logos on the homepage, which isn’t explained, but we would guess Comodo wants you to assume those companies use the service (which at least most of them probably do not):

Improper Cleanups

The CEO of the company is also listed as its “Chief Security Architect” and claims to be an “Internet security expert”.

Getting back to the post he wrote, it is cringe-worthy, as it starts:

We are in web sites where we were in 90s for computers!

It was a new concept to protect your PC with antivirus products in the 90s. Now it’s the norm.

Websites and webhosting is where computers were in 90s…still unprotected….still getting hacked and infected….

PCs are still getting hacked and infected despite antivirus software. The reason websites get hacked and infected isn’t that they lack antivirus software, it is that they have various security issues. The solution is to fix those issues, not to try to poorly detect attempts to exploit them.

One of the ways websites get hacked is when login credentials for the website are compromised by malware on a PC, which still happens despite antivirus being “the norm”.

Next up is this:

Today there is a healthy market of selling “malware cleaning” or “hack repair” for website owners. At a hefty price!

This is not the solution! The malware will come back no matter how many times you clean it.

The business model of “Profiting from Website Malware Cleaning” must STOP!

The need for cleaning malware from your website is not going away, but “Profiting from it” is!

If you properly clean up malware, as we do, it doesn’t come back, because part of a proper cleanup is figuring out how the website got hacked and fixing that. If a new vulnerability is being exploited, the person doing a proper cleanup can then work with the developer of the vulnerable software to get it fixed, to prevent other websites from getting hacked.

Based on that, it isn’t surprising that Comodo can offer their service for free, since they are explicitly cutting corners, and you really are getting what you pay for.

Then a few lines down, the post explains why they are providing free cleanups:

We build innovation to keep you safe, protect you from hacks and malware. The very people who need our Protection is the very people who are hacked and have malware on their websites.

So, by cleaning their site for Free, we hope to gain their trust so that when they choose to protect their site, assumption is that they will, having gone thru the experience of having your site hacked, choose us.

And there is more reason why they should be choosing us. Because there simply is no other technology that can deliver what we can.

We have the world’s very first Website Protection that has a full blown SIEM, Managed WAF, CSOC (Comodo Security Operation Center) staffed by amazing security professionals available instantly 24/7/365 and running on a CDN!

Don’t even think about comparing this amazing technology to legacy “malware scanning” tools out there who are charging website owners an arm and a leg to remove malware.

There simply is no comparison in terms of what CWatch technology can do vs what’s out there!

What you will notice there is that no evidence is provided that their service is effective at all. Offering free cleanups doesn’t mean they can effectively protect websites from being hacked, especially when the cleanups are not done properly. But they are not alone in this; we have yet to see any company providing a service like theirs (and there are plenty of them) that provides evidence, much less evidence from independent testing, that it is effective at protecting websites (we did recently run across a security company admitting that they lie when promoting their product with the unqualified statement that it “stops you from getting hacked“).

We have had plenty of people come to us after using a service like Comodo’s that failed to protect their website, so without evidence from independent testing that a service is effective, we would recommend you avoid it. Instead, if you make sure you are doing the basics, you are unlikely to be hacked. One of those basics is keeping your software up to date, which Comodo has failed to do with the WordPress installs on the CEO’s blog and their main blog. Why would you possibly trust your security to a company that doesn’t manage to do the basics itself?

Also notable is that they are saying you shouldn’t compare them to others, which is probably because, as we already mentioned, there are plenty of services just like theirs. Humorously, one of the things they tout being first to have is “CSOC (Comodo Security Operation Center)”; why would another company have a Comodo-branded part of their service?

Wordfence Employee Admits the Company Knows Wordfence Security Won’t Stop All Hacks as They Continue To Claim Otherwise

What we have been noticing more and more is how much lying is done by the security industry. Considering that trust is an important part of security and you often have to rely on their claims about what protection their products and services might provide, that is a big issue.

One glaring example of this when it comes to WordPress-related security is a prominent claim made about the most popular security plugin, Wordfence Security. The second sentence of the description on its page on wordpress.org is:

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Could a WordPress security plugin stop some hacks? Sure. Can it stop all of them, as this unqualified statement by the makers of the plugin would lead you to believe? No.

People do believe that claim, though, as we were recently reminded by a topic on the WordPress Support Forum that we ran across while monitoring the forum for our Plugin Vulnerabilities service. The topic is titled “Hacked anyway!” and the message reads:

Well.
I installed Wordfence, and got hacked anyway.
Not sure whether or not to trust it anymore.
A defacement hack by the look of it.
Yet, when I run a full scan, it tells me all is OK.
WTF?
Any suggestions?

The reply from a Wordfence employee reads in part:

Often when we see sites get hacked despite having Wordfence, or we see them getting hacked repeatedly it’s because of a vulnerability on the server.

So they know that how they promote the plugin isn’t accurate, but they continue to market it that way anyway. This is far from the only lie we have seen from the company behind Wordfence Security. We wonder if and when the public will realize that the company behind it isn’t trustworthy.

The other thing worth noting about this situation is that it is also a reminder that Wordfence Security isn’t all that great at detecting that websites are hacked, which is also contrary to what people have been led to believe. If it were better at that, someone could try to make the argument that while the plugin can’t stop a number of types of hacks, it could provide effective mitigation of the damage caused by them.

The SiteLock Platform Digest Looks Like Another SiteLock Scam

Back in August we ran across a Forbes article about what appeared to be a new element of the web security company SiteLock’s scamming of people, their Risk Assessment Score. That is supposed to be a score based on:

a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

In the case of the writer of the Forbes article, they were told that their website was at “medium risk” despite it being a “single-page static website with just a handful of files and no CMS or other editing software”. When they asked how the website could be compromised they didn’t get an answer:

a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

What also seemed rather odd, considering there were supposed to be “over 500 variables” used to calculate this, is that it didn’t include a couple of possible sources of compromise that do apply to that type of website:

The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.

The lack of the latter seems like it might have something to do with the fact that most of SiteLock’s business comes through partnerships with web hosts (many of them run by the majority owners of SiteLock).

A couple of weeks later we were contacted by someone who had been told by their web host 123 Reg, which is a GoDaddy brand, that their website was “high risk” based on a SiteLock assessment. That further pointed to this assessment not being legitimate, as the website was very similar to the previously mentioned one. Once again it was a static website, though it did contain multiple pages.

At the end of September we ran across what seemed to be an example of what it takes to get “low risk”: having a website that didn’t exist. In that instance the score came from something we had not heard of before, the SiteLock Platform Digest.

We have recently been contacted by more people who have been receiving this, and like so much of what SiteLock does, it looks scammy.

This is sent out as an email with the subject, “SiteLock Weekly Risk Score and Website Scanning Results”.

As an example of what this involves, here is a recent one received by one of the people who contacted us:

Not only were they told that they were at “high risk”, they were also told that 37 issues had been found. To find out what these supposed issues were they would have to sign up for a $150/year “premium scan” service, which was promoted as also including a firewall service (one that SiteLock lies about who is actually behind). Claiming that the website is at risk and then not providing the details doesn’t exactly make this, or SiteLock, seem legitimate.

Someone else who contacted us was given some information on what was supposed to be the cause of their website being at “high risk”, but it was clearly wrong. They were told the issue was that their WordPress installation and plugins were out of date. The problem with that was that SiteLock claimed they were using WordPress 4.7.2, which would be out of date, when they were running WordPress 4.8.2, which wasn’t. When they brought that up with a SiteLock representative they were told that this was the most recent data SiteLock had. Since this is supposed to be done weekly, that seems odd: minor WordPress updates usually happen automatically and WordPress 4.7.3 was released in March, so the result would seem to be rather old (if it was even a result for this website). Curiously, with another website where they have a SiteLock service the score “is always good”.

What we also found interesting was what is written on the page those emails link to for more information.

One of the things we noticed on that page is that their scores don’t allow for a website being less likely to be compromised than the average website:

Low Risk Score — Your website is as likely or 1x more likely, to be compromised than the average website based on complexity, composition and popularity.

That doesn’t make sense: if there is an average likelihood of compromise, it follows that some websites are less likely to be compromised than average as well as some being more likely.

The other scores also don’t make sense, as “medium risk” is supposed to mean websites that are “6x more likely to be compromised” and “high risk” websites that are “12x more likely to be compromised”. How is it possible that every website would be exactly 1x, 6x, or 12x as likely to be compromised as the average website? Surely there would be ones that fall between and below those if this were legitimate, which it doesn’t seem to be.

Another element that seems off in this whole thing is that these scores are supposed to involve “over 500 variables”, but, based on the following question and answer, they also don’t consider the security solutions being used:

Q: How can my website be High Risk if I’m using SiteLock?

A: This is because your risk score and security solutions are independent of one another. Typically, the more complex and feature-rich a website is, the higher the risk score will be. Knowing your risk score can help you take the appropriate proactive measure to securing your site.

You really have to wonder what variables, if any, are actually supposed to be used to come up with the score.

Ignoring the SiteLock Platform Digest

The best advice we can give in general is to ignore the results of this report, since everything we have seen so far makes it seem that its intent is to scare you into purchasing SiteLock security services and not to provide you any useful information.

When it comes to SiteLock services that are supposed to protect your website, we have yet to see them provide any evidence, much less any based on independent testing, that they actually are effective (that is equally true for other providers). So buying services based on this report or that score is unlikely to provide you much, if any, protection. You are much better off making sure you are doing the basics that will actually help to protect your website.

It is also important to note that even SiteLock isn’t claiming that the score or their count of issues is an indication that the website has been hacked, as some people who have contacted us have believed.

SiteLock’s Poor Cleanup Leads to Website Being Down Long After It Should Have Been Back Up

We continue to be troubled by companies and other entities that get involved with the web security company SiteLock, as even a quick check would show how it takes advantage of its customers. Unfortunately there are far too many web hosts, and WordPress itself, that continue to do that. Is the money SiteLock is providing them really worth the damage they are helping to cause?

We recently ran into yet another example of the mess they cause, not just for those who unfortunately hire them, but for the public, as their actions in this situation led to a website remaining hacked (and causing more of the negative impact a hack causes) after it should have been fixed.

We were recently contacted by someone who said that multiple websites in an account they had with the web host Bluehost had been shut down due to malware, and they were looking for some sort of help.

It wasn’t clear what kind of help they were looking for, as the message just said “Help!” after mentioning that the websites had been taken down. That isn’t much to go on, so we first asked them what evidence Bluehost had presented that the websites were hacked, seeing as we have seen some rather bad false positives coming from Bluehost in particular, and in general from SiteLock-partnered web hosts. That being said, these days the majority of websites we are contacted about in this type of situation are in fact hacked. Usually Bluehost and the other web hosting brands of the Endurance International Group (EIG) (which is run by the majority owners of SiteLock) will provide a list of impacted files, or some example files or URLs that have been impacted, along with the email informing the customer that their account has been disabled. For someone who knows what they are doing, that evidence is usually enough to determine if the claim is legitimate or not.

The response we got didn’t answer our question. Instead the person responded that they were having the websites transferred to another hosting provider because they felt the deal between Bluehost and SiteLock was a scam. We then explained that if the websites were hacked it would not be a good idea to do that, as it could make it harder to properly clean them up, since transferring the websites could cause both metadata on the files (most importantly the last modified dates) and the logging for the website during the time of the hack to no longer be available. That information can sometimes be important for making sure all of the files have been cleaned, and is very important for determining how the website was hacked and therefore what needs to be done to fix it and make sure it doesn’t happen again.

After telling them that, and mentioning that assuming this was a scam was not a good idea, since in the majority of this type of situation we have seen recently the websites were hacked, they told us they thought the websites were hacked. So they were moving websites they thought were hacked in order to get around their web host having taken an action to protect the public (though possibly also to make people more likely to hire SiteLock).

What they also mentioned was that they had in fact tried to get the website cleaned before doing that. The problem is that they hired SiteLock and, not surprisingly based on everything we have seen over multiple years, the website wasn’t actually cleaned up properly. Instead of SiteLock working to get things properly resolved after failing the first time, they wanted more money: $200 a month to manually clean out malware. The fact that SiteLock offers a service that will continually remove malware is on its own a good indication that they don’t properly clean up hacked websites, as when done properly a website shouldn’t need to be continually cleaned up.

After that we told them again that moving the websites was not a good idea and that it would likely take longer to get them back up by doing that, which they said was their main concern, than by getting them properly cleaned up. At that point they said they would take their chances.

Taking their chances turned out to be a bad bet. We are usually able to clean up hacked websites in a few hours, and while there is some variability in how long it then takes Bluehost and other EIG brands to restore access, it is usually done within 24 hours (and possibly much sooner than that). When we went to take a look the next day to see what had happened so far, we found that the website was still being hosted by Bluehost and still not accessible. Another day later we took another look and the result was the same.

Properly Handling Such a Situation

As if another reminder were needed, this situation is a good example of why everyone should avoid SiteLock. At best you might get lucky and their poor cleanup doesn’t lead to your website being hacked again right away, but you are going to greatly overpay for what you are getting. On top of that, SiteLock often tries to lock people into unneeded ongoing services that people have a variety of problems trying to cancel later on.

If you are contacted by a SiteLock-partnered web host with a claim that your website is infected with malware or is otherwise hacked, we would recommend that you first get a second opinion as to whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and/or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free, and we would hope that others would as well.

If the website is hacked, then what we would recommend, if you can afford it, is to hire someone who properly cleans up hacked websites to do that for you. A proper cleanup involves three basic components: removing anything added by the hacker, securing the website (which usually mainly involves getting the software up to date), and trying to determine how the website was hacked. In a lot of cases it actually costs less to hire us to properly clean up a website than it would to hire SiteLock for their improper hack cleanup.

We have repeatedly seen people instead try to clean it up themselves and cause themselves more problems, as they often don’t even know how or what to clean up (we recently have had a lot of people contact us who have incorrectly just deleted the example files their web host listed). That often leads to continued problems, which are then exacerbated by them purchasing security products and services that claim they will protect websites from being hacked but don’t live up to that (which isn’t surprising, since we have yet to run across one that is promoted with evidence, much less evidence from independent testing, that it is effective). At that point they bring us in to clean things up, which if they had just done in the first place would have led to the issue being quickly resolved and them spending less money.

SiteLock Report Leads to False Claims About the Security of WordPress Websites

One of the problems when it comes to improving security is that there is so little accurate information out there. Oftentimes security companies are putting out misleading or outright false claims. When their information is repeated by security journalists, the quality of it usually degrades from the already often low quality. An example of what happens when security journalists repeat security companies’ claims was something we recently ran across related to SiteLock.

In an article on CISO MAG the following claim was made that seemed unlikely to be true:

SiteLock’s analysis also showed that a website’s content management system had an impact on overall security. Forty-four percent of websites using WordPress CMS had not been updated for over a year at the time of filing this report.

We went to look into that because it seemed like it would be a good example of SiteLock getting stuff wrong, but in looking at the report, what SiteLock actually claimed was very different. What they said hadn’t been updated in a year were plugins in the Plugin Directory:

44% of plugins in the WordPress repository have not been updated in over a year

It is important to note that this doesn’t mean that those plugins are somehow insecure, though if plugins are not at least being updated to list them as being compatible with newer versions of WordPress, there is a greater chance that if a security vulnerability is found it will not be fixed promptly or at all (though in reporting many vulnerabilities to WordPress plugin developers through our Plugin Vulnerabilities service, even very recently updated plugins are not always fixed in a timely manner or at all).

Making that incorrect claim seem odder is the beginning of the next paragraph of the CISO MAG article:

Nearly seven in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

If “nearly 7 in 10 had the latest security patches” then it wouldn’t make much sense that 44 percent of them hadn’t been updated in the last year.

The claim that the websites were “compromised because of vulnerable plugins” is also not what the report says. Instead it says:

69% of infected WordPress websites were running the latest security patches for WordPress core at the time of compromise.

This data illustrates that even when running a version of WordPress with all of the latest security patches, a vulnerable plugin or theme can just as easily lead to a compromise.

Looking at the rest of the report there were a couple of other WordPress related items that stood out. The first thing is a mention of “publications” that “inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure”:

NOTE: Many publications have inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure. As of the end of Q2 2017, the WordPress community actively provided security fixes for all versions of WordPress from v3.7 to the current v4.8. Our research takes into account each security patch release for every version of WordPress in Q2 2017. For example, WordPress v3.7.21 contains all of the same security fixes implemented in the current version, v4.8. In theory, this makes v3.7.21 as safe as v4.8.

We are not sure what publications they are referring to, but one security company comes to mind, SiteLock, which has been falsely claiming that websites are insecure when running the latest release of an older major version of WordPress. We first noticed this back in September of last year and SiteLock was clearly aware of that post, but as of at least June they were still doing this.

Another element of the report repeats a WordPress related falsehood from SiteLock that we debunked in April:

Fake Plugins: Trend Maricopa

In what SiteLock Research would call an “oldie but a baddie,” we saw a trend in the first week of April that centered on the return of an old trick targeting WordPress websites where malware disguised itself as a legitimate forum plugin in the WordPress plugin directory. This ruse, while easily dispatched by specialized malware detection systems, would just as easily escape the concern of an untrained eye. Fake plugin malware iterations continue to be developed and deployed because, quite simply, most people don’t notice them. In a world where the majority of website owners don’t take a proactive approach to malware prevention or remediation, persistent infections continue to be common.

The reality is that the supposedly legitimate plugin, WordPress SEO Tools, has never existed, whether in the Plugin Directory or otherwise. We don’t understand why SiteLock is continuing to peddle that falsehood when it is so easy to confirm it to be false.

Deleting Files Your Web Host Identified as Malicious is Not a Proper Hack Cleanup

Websites don’t just happen to get hacked; something has to have gone wrong for that to happen. Far too often we see that the original problem is compounded by improperly cleaning up the website after the hack. A proper cleanup involves trying to determine how the website was hacked so that the source of the hack can be fixed. If you don’t do that then the website can get hacked again. You might get lucky and the hacker doesn’t come back, but if they do, it can lead to repeated issues if not resolved (which is the point where we are often brought in to clean things up).

For whatever reason we recently have been contacted by a lot of people coming to us through information we have written about the web security company SiteLock, who have, instead of doing or getting a proper cleanup done, decided just to delete files that their web host has indicated contain malicious code. In some cases they contact us because they then continue to have problems, and in others they are looking for security solutions that won’t actually address the possibility of being hacked again.

It isn’t that no one has suggested doing something other than what they have done. As an example, one of the people that contacted us in this type of situation forwarded us a file with a list of malicious files their web host, Bluehost, had provided. Right above the list was the following information:

Files may have false positives. Please review each file to make sure each file actually contains malware. Please note that we are not a security company
The Content listed below may not be a complete list of malicious content on your account.
You are ultimately responsible for all of your content.
This is just what we have found that appears to be malicious.
These files appear to contain malicious code.
You will want to review the files and remove the injected code from important files and/or remove unused or invalid files.

Bluehost usually also sends out an email like the following when they are notifying someone that their hosting account is being deactivated, which includes some example files:

Your [redacted] account has been deactivated due to the detection of malware. The infected files need to be cleaned or replaced with clean copies from your backups before your account can be reactivated.

Examples: /[redacted]/public_html/tracking/include/pclzip.lib.php
/[redacted]/public_html/calltrack/include/pclzip.lib.php

To thoroughly secure your account, please review the following:

* Remove unfamiliar or unused files, and repair files that have been modified.
* Update all scripts, programs, plugins, and themes to the latest version.
* Research the scripts, programs, plugins, and themes you are using and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all scripts/programs you are using. If you need assistance creating secure passwords, please refer to this knowledge base article: https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program. If you’re already using one, try another program that scans for different issues.

You may want to consider a security service, such as SiteLock, to scan your website files and alert you if malicious content is found. Some packages will also monitor your account for file changes and actively remove malware if detected. Click here to see the packages we offer: https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before contacting the Terms of Service Department to reactivate your account.

In the case of that message, it is rather explicit that those are just examples, not all of the files, but we have people contacting us that just deleted those files.

Bluehost is one of many brands that the Endurance International Group (EIG) does business under, which is one of SiteLock’s largest partners (and also run by SiteLock’s owners). Their other brands include A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. Many of those who have contacted us after just deleting those files have been at their various brands, so they likely would have received a similar message.

Proper Cleanup

In both types of message shown above it is suggested to not just delete files. That is important because hackers often add malicious code to existing files, so just deleting the files could cause the website to no longer function if they are needed for normal usage of the website.

If you just remove the malicious code that was on the website, that will not resolve the issue, as the code had to get there somehow. That is why, in addition to making sure you have removed all of the malicious content, you need to secure the website (which usually mainly consists of updating the software) and try to determine how it was hacked in the first place, so that issue can be resolved and the hacker can’t get back in.
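As an added illustration of why a flagged file should be compared rather than deleted (example code written for this post, not the tooling of any host or cleanup service): given the host’s list of flagged files and a clean copy of the same software, it separates files that match the clean copy (false positives), legitimate files with injected content (restore and keep the diff), and files with no clean counterpart (review). The site tree, the clean reference tree and the flagged list are all constructed in a temporary directory.

```python
"""Triage a host's list of "malicious" files against a clean reference copy.

Constructed example; not White Fir Design's tooling or any host's scanner.
Assumes you have the site's current files and clean copies of the same
software (a fresh download of the same versions, or a known-good backup).
"""
import difflib
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify_file(site_root, clean_root, rel_path):
    """Classify one flagged file by comparing it with its clean counterpart.

    unchanged: byte-identical to the clean copy, so the flag is a false positive
    modified:  a legitimate file with added content; restore it, keep the diff
    unknown:   nothing corresponds in the clean tree, so it was added to the site
    missing:   already gone (typically deleted by the owner before anyone looked)
    """
    suspect, reference = Path(site_root) / rel_path, Path(clean_root) / rel_path
    result = {"file": rel_path, "status": "missing", "diff": ""}
    if not suspect.exists():
        return result
    if not reference.exists():
        result["status"] = "unknown"
        return result
    if sha256_of(suspect) == sha256_of(reference):
        result["status"] = "unchanged"
        return result
    result["status"] = "modified"
    before = reference.read_text(errors="replace").splitlines()
    after = suspect.read_text(errors="replace").splitlines()
    result["diff"] = "\n".join(
        difflib.unified_diff(before, after, "clean", "site", lineterm=""))
    return result


def triage(site_root, clean_root, flagged_files):
    """Run classify_file over every path in the host's list."""
    return [classify_file(site_root, clean_root, f) for f in flagged_files]


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def build_sample(tmp):
    """Construct a toy site and clean reference (constructed data, not a real site)."""
    site, clean = tmp / "site", tmp / "clean"
    lib = "<?php\n// stand-in for the PclZip library (constructed, not the real file)\nclass PclZip {}\n"
    # 1. Legitimate library file with a line injected at the top: restore, don't delete.
    _write(clean / "tracking/include/pclzip.lib.php", lib)
    _write(site / "tracking/include/pclzip.lib.php",
           "<?php /* constructed placeholder for injected code */ ?>\n" + lib)
    # 2. Identical to the clean copy: the host's flag is a false positive.
    _write(clean / "calltrack/include/pclzip.lib.php", lib)
    _write(site / "calltrack/include/pclzip.lib.php", lib)
    # 3. No clean counterpart at all: something added to the site, review it.
    _write(site / "wp-content/uploads/cache.php",
           "<?php /* constructed placeholder for a dropped file */ ?>\n")
    flagged = ["tracking/include/pclzip.lib.php",
               "calltrack/include/pclzip.lib.php",
               "wp-content/uploads/cache.php",
               "wp-content/uploads/already-deleted.php"]
    return site, clean, flagged


def demo():
    """Build the sample trees, triage the flagged list and return results by path."""
    with tempfile.TemporaryDirectory() as td:
        site, clean, flagged = build_sample(Path(td))
        return {r["file"]: r for r in triage(site, clean, flagged)}


if __name__ == "__main__":
    for path, r in demo().items():
        print(f"{r['status']:>9}  {path}")
        if r["diff"]:
            print(r["diff"])
```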

If you can afford it, your best bet to get all this done is to hire someone that provides a service that does all those things, which as far as we are aware is not a service that SiteLock provides.

Going Forward

Once the website has been properly cleaned up, the best solution is to make sure you are taking steps to keep the website secure going forward. We have people coming to us that, instead of being interested in doing those things, are looking for a scanning service or a protection service. We have yet to see any service like that where evidence, much less evidence from independent testing, is being provided that they are effective at doing those types of things. We have had plenty of people using those types of services come to us because the services didn’t provide the type of protection that was claimed (often after the website has been hacked again), so they don’t seem like a good use of money unless you can find one that provides evidence of its effectiveness.

OneHourSiteFix’s Crazy Claims About WordPress Websites Being Hacked

Recently we got a spam comment on one of our posts that was meant to provide a link to onehoursitefix.com. The name given with the comment was “how to fix a hacked site” and the comment, which was irrelevant to the post, was:

You might be scratching your head at this point because you are
certainly not sure what tattoo. It is also a classical technique, which started out
for the dancers to seem weightless. s always preferable to let someone
know your location going and which route you.

It probably doesn’t say great things about that website, OneHourSiteFix, that they appear to need to promote themselves in that way, but that turns out to be much less concerning than the blog post we noticed linked to from their homepage.

The title of the post in the title HTML tag is “WordPress Website Defaced ? Due To A Well Known Security Company ?” and the on page title is “WORDPRESS PLUGIN VULNERABILITY MEANS MILLIONS FIND THEIR WORDPRESS WEBSITE DEFACED BY HACKERS”. The post is listed as being put out on June 26, 2017.

The first paragraph seems to be written by someone who has absolutely no idea what they are talking about:

Free open-source website and blog creation tool ‘WordPress’ has left millions of pages defaced, due to a remote code execution (RCE) feature being added to the package. This feature has allowed hackers to take control of pages using WordPress plugins allowing attackers control over editorial features in order to vandalize pages or even worse execute malicious payloads. Plugins are those great bits of extra software you can add to your WordPress site to do everything from show a map of visitors to show a fancy photo gallery. Plugins however, have always been a l known and documented ‘attack vector’ for hackers. An attack vector being ‘a way in’ or path into a website. The end result is millions of site owners have found their WordPress website defaced by hackers.

What it sounds like this person might be referring to is a vulnerability that had existed in WordPress 4.7.0 and 4.7.1 that allowed attackers to change the content of posts and was fixed in January. It wasn’t a “remote code execution (RCE) feature” and there hasn’t been something like that added to WordPress. The vulnerability could have had more serious consequences if certain plugins that allow PHP code to be run in posts were in use, which might be what the reference to plugins there is trying to refer to. Nothing that could remotely be what is described there happened in June, and what did happen in January also doesn’t appear to have impacted millions of websites.

That explanation seems more likely based on the next paragraph (though it again doesn’t make much sense as written):

A well known security firm released a statement saying they had detected multiple hackers seizing control of sites. A backdoor in the protocol allows attackers to inject ads, spam and affiliate links. The security firm expects many more attacks to follow and even advised users to disable the plugins due to attackers using these them to insert malware into any affected website More often than not the old, ‘Hacked By GeNErAL’ ! types of defacement are being replaced by monetising hacks with compromised sites being used to make money for the hacker via the use of paid ads (selling everything from viagra, research chemicals to fake crypto currency exchanges) or redirect them to an ‘online pharmacy’

The fourth paragraph’s claim, which is below, would also seem to confusedly reference what happened, as the exploitation only started after it was disclosed that WordPress 4.7.2 had included a fix for the vulnerability, a week after that version was released.

What is also interesting is that before the security company released the details of the hack, very few WordPress websites had actually been compromised. The timeline in which the hack was detected, details released and then the fix released – does arouse suspicions amongst the conspiracy theorists amongst us.

The third paragraph makes a claim that seems crazy:

In March alone, over 45 million of WordPress websites were defaced and infectd. Many websites are still affected with many of their users not even realising that hidden within their blog there is a page that is selling some seedy pharmaceutical product . Often these hacked website pages are only found by using very specific search terms in google so blog owners are blissfully unaware that their sweet and innocent cupcake blog is actually harbouring a deep secret within the blog pages…

If it were true that 45 million WordPress websites had been “defaced and infected” in just that month, that would likely mean that a majority of WordPress websites had that happen to them. While the numbers seem to be a bit of an estimate, there are figures out there for the total number of WordPress websites at around 75 million, according to a Forbes article from December. Clearly over half of WordPress websites were not hit during that month.

Another Very Odd Claim

In looking at their service there is another element that makes it sound like something is very amiss. One part of their service is cleaning up hacked websites and the other is a web application firewall (WAF) that is supposed to stop them from being hacked again. What is missing is the thing that should tie those together: determining how the website got hacked. If you don’t do that, you can’t ensure the vulnerability that was exploited has been fixed and the website won’t get hit again. That would also seem important to make a WAF effective.

Instead of doing what would actually prevent the website from being hacked again they make a claim that doesn’t sound believable:

 IN ADDITION – our security experts manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned. This layered approach ensures we don’t just throw the hackers off a site – we slam the door on them as well.

That would take a very long time to do on most websites, yet somehow they are also going to fix the website in an hour, and it would likely be very ineffective since the sheer amount of information being reviewed would make it less likely that someone would spot a real issue among everything else.

On the page about their cleanup service there was a linked review that, while giving them five stars and seeming positive, indicated that this person’s websites have been repeatedly hacked:

Always quick, always clean.

OneHourSiteFix staff goes above and beyond everytime we’ve had an issue. Quick service, speedy cleaning, and even making sure sites like Google rank you site as safe again. We can’t thank them enough for keeping our servers from getting shut down by our service provider due to infections/spam. Top notch, our go to company for website cleaning everytime! Need help, look no further!

Which isn’t surprising based on what else we saw.

Sucuri’s Scare Tactics on Display with Their Claim That the Washington Post’s Website Contains Malware

Back in March we put out a post about the, now GoDaddy owned, website security company Sucuri’s SiteCheck scanner falsely claiming that our website was “defaced” and that “malicious code was detected”. That claim was based on a page on our website being named “Hacked Website Cleanup – White Fir Design”.

We recently had someone contact us that ran across our post after having Sucuri make a similar false claim about their website. In their case they were contacted by their web host SiteGround with the Sucuri results. In looking into what was going on, we found a post on SiteGround’s blog from March announcing they were going to start doing that. What they say about Sucuri is disconcerting:

There are several reasons to change our scan partner from Armorize to Sucuri. First, Sucuri is one of the most respected companies in the website security field. In addition, we have been working in partnership with them for several years. We have relied on their expertise for solving numerous complex security issues. And last, but not least, many of our clients’ websites have also been cleaned by Sucuri from malicious code over the years. That is why it was only natural that we extend this already successful partnership and make it cover the daily site scans too.

If they are truly one of the most respected companies in the website security field, that doesn’t say much about the field. Not only has their scanner been quite bad for years, but what we have seen of their cleanup of hacked websites hasn’t been good either; an example of that involved a website they claimed was clean despite it compromising credit info entered on it. They also don’t seem to understand the basics of security. And about a year ago they accidentally made a good case for avoiding themselves.

But let’s get back to their scanner, whose results SiteGround is now putting in front of more people.

Scare Tactics

If you go to the web page for Sucuri’s Scanner you will notice that just below where you enter an address to have it scanned, it states:

Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

That sounds reasonable; the problem is that it doesn’t in any way match how they present results from it. Here is what it looks like when they think a web page contains malware, as can be seen with a page from the Washington Post’s website, which we happened to submit to test out something related to the false defacement claims:

Among the very scary sounding things they have on there are:

Warning: Malicious Code Detected on This Website!

Status: Infected With Malware. Immediate Action is Required.

Malware Detected Critical GET YOUR SITE CLEANED

Get Immediate Clean Up CLEAN UP MY SITE

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

Though looking at the evidence presented to back that all up they seem a lot less sure there is even an issue as it is stated that “Anomaly behavior detected (possible malware)”.

When looking at the malware definition given, MW:ANOMALY:SP8, things are also unclear, as first they refer to what it detects as being “suspicious” and “possibly malicious”:

A suspicious block of javascript or iframe code was identified. It loads a (possibly malicious) code from external web sites that was detected by our anomaly behaviour engine. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

But then states their “engine found it to be malicious”:

This is not a signature-based rule, but looks at anomaly behaviors on how the web site is being loaded. Our engine found it to be malicious (related to remote includes).

It isn’t reassuring that on one page they both claim detecting this would mean that something is malicious and that it is only possibly malicious.
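To make that distinction concrete, here is an added example (not Sucuri’s engine and not this post’s own code) of how a remote-include signal can be graded rather than turned straight into an “infected” verdict: a cross-origin script from an unlisted host stays “possible malware” for manual review, and only an include with corroborating indicators, such as a hidden iframe pointing at a bare IP address, is reported as malicious. The allowlist, the page host and both sample pages are constructed.

```python
"""Grade "remote include" evidence instead of issuing a verdict from it.

Constructed example; not Sucuri's anomaly engine or any White Fir Design tool.
A rule that fires on every script or iframe loaded from another host is a
weak signal by itself (a news site legitimately loads many third-party
scripts). This triage keeps that signal but escalates only when stronger
indicators accompany it.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner recognises as their own third-party providers (constructed).
ALLOWED_HOSTS = {"cdn.example-analytics.net"}
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class IncludeCollector(HTMLParser):
    """Collect every <script> and <iframe> that loads something by src."""

    def __init__(self):
        super().__init__()
        self.includes = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            attrs = dict(attrs)
            if attrs.get("src"):
                self.includes.append((tag, attrs["src"], attrs))


def is_hidden(attrs):
    """True for a zero-size or display:none frame that a visitor would never see."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        return int(attrs.get("width", "1")) <= 1 and int(attrs.get("height", "1")) <= 1
    except ValueError:  # e.g. width="100%"
        return False


def grade_page(html, page_host, allowed_hosts=ALLOWED_HOSTS):
    """Return one finding per cross-origin include, graded by the evidence behind it."""
    collector = IncludeCollector()
    collector.feed(html)
    findings = []
    for tag, src, attrs in collector.includes:
        host = urlparse(src).hostname  # None for relative or root-relative paths
        if host is None or host == page_host:
            continue  # same-origin: not a remote include at all
        reasons = ["remote include"]
        if tag == "iframe" and is_hidden(attrs):
            reasons.append("hidden iframe")
        if BARE_IP.match(host):
            reasons.append("bare IP address as host")
        if len(reasons) > 1:
            level = "likely-malicious"
        elif host in allowed_hosts:
            level = "info"
        else:
            level = "suspicious"
        findings.append({"tag": tag, "src": src, "level": level, "reasons": reasons})
    return findings


def verdict(findings):
    """Wording that matches the strength of the evidence, not a one-size-fits-all alarm."""
    levels = {f["level"] for f in findings}
    if "likely-malicious" in levels:
        return "Malicious code detected: review the listed evidence"
    if "suspicious" in levels:
        return "Anomaly detected (possible malware): manual review needed"
    return "No remote-include anomalies"


# Constructed pages, not captures of any real site.
NEWS_PAGE = """<html><body>
<script src="https://cdn.example-analytics.net/tag.js"></script>
<script src="/static/app.js"></script>
<script src="//ads.example-cdn.com/ads.js"></script>
</body></html>"""

INJECTED_PAGE = """<html><body>
<iframe src="http://203.0.113.7/x" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("news", NEWS_PAGE), ("injected", INJECTED_PAGE)):
        found = grade_page(page, "news.example")
        print(name, "->", verdict(found), found)
```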

Get a Second Opinion

We would strongly recommend that web hosts don’t do what SiteGround is doing here and further spread Sucuri’s inaccurate results. It would probably be best to avoid any web host that does something like this as well, since it doesn’t show that they have an interest in best helping their customers or that they are doing proper due diligence.

If you do get sent results by your web host that claim your website is hacked, whether they come from Sucuri or another company, we would recommend that you get a second opinion as to their veracity from a more trustworthy company that does hack cleanups. We are always happy to do that for free and we would hope that others would too.

If Wordfence Security Doesn’t Find Any Malicious Files on Your Website It Doesn’t Mean That It Isn’t Hacked

When it comes to WordPress security plugins, one is by far the most popular. That plugin is Wordfence Security, which has 2+ million active installs according to wordpress.org (the next most popular one has 800,000+ active installs). At least some of its popularity is based on people believing that the plugin is much more capable than it really is.

Some of that belief is based on the company behind the plugin simply lying about its capabilities. For example, here is the second sentence of their description of the plugin on wordpress.org:

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Would it be possible for the plugin to stop some hacks? Sure, but it can’t possibly stop all hacks. For example, if the website is hacked through a compromise of the FTP login details or a server level breach, that is occurring below the level the plugin is operating, so it can’t stop that. While a security plugin could try to detect a change made by that hack, the hacker would also likely have the ability to remove, disable, or modify the plugin with the access they have as well. It isn’t hard to understand why Wordfence would lie about this, since people will believe it and other false claims they make.

Even in situations where the plugin might be able to provide protection, unless you are paying for their premium service, they will leave you vulnerable for 30 days or more after they add protection (their ability to do that would require them knowing about the vulnerability, which isn’t a given), so Wordfence knows that a blanket claim that the plugin will stop you from being hacked isn’t true.

The claims being made don’t always come from the makers of Wordfence. For example, last year we noted an instance where someone posted on the wordpress.org support forum looking for help with a hacked website and was told by two people that Wordfence Security would fix it, despite the person looking for help having already said that they had tried to use it to fix the website.

The latest incident of a belief that Wordfence Security is more capable than it really is, involved someone who came to us looking for advice on a claim from their web host that their website had been hacked. They believed that their web host’s claim was false in part because Wordfence Security couldn’t find any malicious files on the website.

Our experience from people presenting us results from numerous different automated tools for detecting malicious code over the years is that they miss a lot of malicious code and can produce some bad false positives. So you can’t rely on them to determine that a website isn’t hacked. Due to the false positives you can’t totally trust them to determine that a website is hacked either, though we would have more confidence in a claim based on their results that a website is hacked than in one that it isn’t.

In this case what the website’s owner hadn’t done was to ask the web host for evidence to back up their claim that the website was hacked. Instead of looking to Wordfence Security or another plugin/service to try to determine if a website is hacked in this type of situation, that should be the first thing done. Once you have that evidence, if you are unable to determine whether the evidence backs up the claim, we would recommend that you get a second opinion from a company that deals with hacked websites. We are always happy to do that for free and we would hope that others would as well.

When we were sent one of the files from the website, we not only immediately recognized that it contained malicious code, but it was something that would have been picked up by our partially automated scanning for malicious code (a human reviews all the results this scanning produces to determine if the code is actually malicious). So the website was actually hacked and Wordfence Security had just missed the malicious files, despite them containing fairly common malicious code.

Since Wordfence Security couldn’t even detect the malicious code, it also wouldn’t have been able to clean it up, a further reminder that Wordfence Security’s ability to clean up hacked websites is also limited.