Sucuri and MalCare Don’t Address the Source of Hacked Websites, Leading to Results Like This

Earlier in the week, we were mentioning that many hack cleanup providers don’t do the essential work of trying to figure out how websites were hacked. If you hire one of them, you might get lucky, and that doesn’t matter because the hacker hit the website once and moved on, but with more persistent hackers, that isn’t going to work out. Here is a fresh example of that involving two of those providers, Sucuri and MalCare:

A WordPress site I work for hosted on WPEngine has suffered from a malware attack. The attack was noticed when a consent management pop up started appearing on the home page. WPEngine’s security team from Sucuri hasn’t been much help as they’ve scanned and “removed” the problem 5 times now. I’ve also used a premium service from MalCare which did basically what Sucuri did, scanned said “it’s fixed” and then it came back.

That person tried a lot of things to deal with this:

I have enabled a number of security features including disabling enumeration, 2FA, custom wp login url, automatic password lockout after 2 tries, changing file permissions on certain files, enabled automatic alerts on file changing or file addition, deleted non essential users, changed passwords to all current users multiple times…

What they really need is to bring someone in who will work through trying to figure out how the hacking is continuing, addressing that, and trying to figure out how it started.

If you are in need of someone who will actually do that work, we do that for WordPress websites and other types of website.

MalCare Customer Indirectly Warns It Fails to Protect Websites From Being Hacked

We recently were contacted with a strange request. Someone was asking us for a refund for a hack cleanup plan. We don’t have any such plans. We provide onetime cleanups and we only charge after the hack cleanup is completed. It turned out that the person had somehow run across a two-year-old post of ours warning about a provider named Malcare, titled MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers, and then contacted us as if we were Malcare.

The request for a refund mentioned things that were in line with what we were warning about two years ago. They wrote this in part:

 Your plan was not working out as planned. I am still cleaning up a lot of damage since my site was hacked, I had to resort to a different plan.

And this:

Looking at the backup you had on your site, the database was filled with numerous users, of which I did not know. I had to clean up my database manually.

After dealing with that, we were curious to see if other of their customers have been complaining about their service recently. What we saw was that people are still being misled by them in to believing that their service offers things it doesn’t, while another of their customers who are not criticizing the service refuted that.

Here is part of one recent customer review:

Definitely a game-changer for our websites. Full removal of hacks and complete protection from current and future attempts.

The customer obviously doesn’t know that it will actually offer complete protection from future hacking attempts. The service can’t do that, but everything we have seen it won’t even do a good job of the protection it could possibly offer. Don’t take our word for that. Here was part of another recent positive customer review:

MalCare and the team behind it have gone above and beyond their stated service to help me restore my website from malicious hacks of my WordPress website. On more than one occasion they were able to scan and clean my site of infected files. Anyone who has a website knows how horrible it feels to learn that your site has been hacked.

Based on that, their website has been hacked at least once while using MalCare’s service. If that wasn’t the case, they wouldn’t have been cleaning it up multiple times, unless they failed to properly clean it up the first time.

MalCare Review: It’s Obvious They Are Taking Advantage of Their Customers

If you deal with security, as we do, it often isn’t hard to tell that companies are taking advantage of their customers, but most of them at least try to hide it to some degree. That isn’t the case with a provider named MalCare. Here, for example, is the interstitial we got shown on their homepage when we recently visited it:

Is your website safe? Are you sure? Get your FREE Malware scan now No Credit Card Required | No Upfront Charges Yes, Scan My Website Now No Thanks, I will let my site be hacked :(

In small text at the bottom it says, “No Thanks, I will let my site be hacked :(“. That makes no sense. A malware scan would show if a website is already hacked, it won’t actually do anything to stop a website from being hacked. Either they don’t understand what they are doing at all, or they have no problem lying to their potential customers.

Getting past that, the first message shown on their homepage was this:

 The Only WordPress Security Plugin with Instant WordPress Malware Removal Our Auto-Clean Feature Cleans Your Website Without Waiting for Hours or Days!

Scrolling down a bit, you get more of the same:

 Fix a Hacked Website Instantly in <60 Seconds. MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever. The Best part? Do it instantly without waiting for hours or days.

That all sounds great, but it again makes no sense if you have a basic understanding of security. Before we explain why, it’s worth noting that not only doesn’t this make any sense, but MalCare contradicts the claims being made there, right on their website. For example, while the above claims “MalCare’s fully automated malware removal lets you get rid of all virus and backdoor forever”, the pricing page touts one of the features being “Unlimited Automatic Malware Removal”:

If they are removed forever, then you wouldn’t need “unlimited” malware removals.

Also, there is a big contradiction in that at the top of their website they highlight an “Emergency Hack Cleanup” service, where they claim the website is cleaned up within 12 hours:

If their instant cleaning service actually properly cleaned up hacked websites, why would anyone need another service that takes up to 12 hours?

That page also includes this incredible customer testimonial, which ties back to the claims MalCare makes not making sense:

I scanned a client site using MalCare and found 35 hacked files. Cleaned it up within just 2 minutes! Saves me many hours each month.

If you are spending hours each month cleaning up malware on your clients’ websites, that means those website are being hacked repeatedly and are still not being properly secured. Who would publicly admit to that? Cleaning up those files doesn’t address the security issue that is leading to them being hacked, so it isn’t surprising that there would continue to be issues.

To properly deal with a hacked website, there are three key components:

  • Clean up the hack.
  • Get the website secured as possible (which usually involves getting Drupal, contributed modules, and themes on the website up to date).
  • Try to determine how the website was hacked and fix that.

The MalCare service doesn’t even claim to address latter two of those, which means that the websites using the service can get hacked over and over. Hence the “unlimited” malware removals.

Based on years of real world experience, things are likely worse than that. What we have found is that automated tools for cleaning up malware, which are actually used by many providers (contrary to how multiple providers claim to be the only ones), don’t produce great results. They both miss plenty of malicious files, but also produce plenty of false positives. That MalCare provides a manual service would indicate that they know this to be the case, while also claiming otherwise. What we have also found repeatedly, is that security companies that don’t try to determine how websites have been hacked miss malicious files that they would have otherwise found. So automated malware removal is quick, but it isn’t good, hence again, why MalCare itself provides a manual cleanup service.

MalCare Thinks Cleaning a Website Doesn’t Involve Making Sure it Works

In looking around more about MalCare we found this odd situation where the reviews of their WordPress plugins are mostly unrelated to the plugin. One of them seems rather informative as to how little you get when you pay for their manual service.

The reviewer wrote this:

I purchased the expensive pro version of this and it did not solve the issue and broke my site.

I bought with confidence because it says on their site :
“Guaranteed 100% WordPress Malware Removal. Without breaking your website.”
and
“Get 3X your money back if we cannot remove your malware.”

I have contacted them many times and they refuse to refund my money. It says get 3x your money back but you will not even get it back 1x time
I also asked them to close my account and delete my credit card informations which the also refuse to do.

The substantive part of the response from MalCare is this:

The website was broken because of the changes that you had done to the website via FTP. This detail was mentioned & conveyed by you on the email thread. You had also mentioned that because we were not able to recover the data & make the website look like before, you’re requesting a refund.

But unfortunately, we have no control over plugin & theme data that is on the website which was lost because of the malware attack. At best, we can assist you with cleaning the site which our team has.

We cannot process a refund because our refund policy clearly states that a refund can be processed only if we are unable to clean the website. But in this case, we did clean all the malware from the site.

As a company that has been doing cleanups of hacked WordPress websites for over a decade, we have never left a website broken after a cleanup. We wouldn’t even consider doing that. If data was truly gone, then we couldn’t restore it, obviously, but we would have determined that before starting the process instead of making a promise, we couldn’t keep. We also charge after the work is done, not before, which we have always felt is better a guarantee.

Numbers Never Lie

When looking at the websites of services like this one, one thing that is easy to check to see if they look legitimate is the stats they show. Not surprisingly, like the others, they don’t point to any independent testing of their services effectiveness, but they do claim to be compatible with 5,000+ web hosts:

 MalCare in Numbers 200,000+ Sites Scanned and counting 330GB Largest site Scanned 5000+ Webhosts Compatibility 70+ Incredible NPS Score

We can safely say they couldn’t even name 5,000 web hosts, much less have they determined if they were compatible with that many.