Bleeping Computer’s Bill Toulas Falsely Blames WordPress Plugin When Sucuri Fails to Protect Their Customers
As we have noted in the past, the GoDaddy-owned security provider Sucuri keeps writing blog posts about what happened to their customers' websites after those websites were hacked. They seem uninterested in how the websites were hacked, despite determining that being an important part of properly cleaning up a website. More importantly, they are uninterested in it despite selling a service that is supposed to protect websites from being hacked in the first place. At best, these are new customers, but the posts don't say so, which would seem like an obvious thing to mention if you are a service that is supposed to prevent exactly that situation. If you look at reviews of Sucuri, plenty of customers mention being hacked while already using the service (some of them still with a positive view of the company).
You would reasonably expect journalists who cite those posts to raise questions about Sucuri, but they don't. In a recent instance, it was the WordPress Plugin Directory that got criticized instead.
Last week, Bleeping Computer's Bill Toulas, who we last mentioned when he got a basic detail of a story wrong and didn't fix it, claimed, based on one of Sucuri's posts, that WordPress websites were being compromised through a WordPress plugin:
Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.
There are several issues with that. The plugin wasn't outdated; it simply hadn't been updated in years. More importantly, the websites were not compromised through the plugin. Sucuri's customers were hacked through some method that Sucuri neither identified nor stopped, and only then was the plugin installed. Here is how the author of Sucuri's post, Ben Martin, explained it:
In checking logs from environments affected by these backdoors, so far all of them seemed like the attackers already had established administrator access to the websites which allowed them to install the evalphp plugin within the environments.
If a hacker already has administrative access and can install plugins, the website is already compromised. With that level of access they can do essentially whatever they want, whether or not any particular plugin exists. Despite that, Bill Toulas finishes his story by criticizing WordPress in a way that doesn't make sense:
Sucuri highlights the need to delist old and unmaintained plugins that threat actors can easily abuse for malicious purposes and points out that Eval PHP isn’t the only risky case.
Until those responsible for managing the WordPress plugin repository decide to take action, website owners are recommended to take action to secure their admin panels, keep their WordPress installation up to date, and use a web application firewall.
One problem with that is that delisting a plugin from the Plugin Directory changes nothing for an attacker who already has administrator access: an administrator can upload a plugin's zip file directly, so the directory listing is not what gates installation. Another is that hackers can just as easily abuse plugins that are neither old nor unmaintained. That isn't a theoretical issue; for example, hackers also install and use a popular, actively updated file manager plugin on websites they have compromised.
A further problem with that advice is that Sucuri itself sells a web application firewall (WAF), and it doesn't do a good job of protecting websites, as can be seen from Sucuri customers getting hacked again and again.
Calling Bill Toulas a journalist is probably a big overstatement. His story largely just repeats claims made in Sucuri's post. Consulting an additional source could have surfaced the problems with it. Worse still, the author of Sucuri's post, Ben Martin, has a track record of saying things about WordPress that are not true, so he shouldn't be a source for this type of story, much less the only one.