14 Jan 2025

Journalists Once Again Focus on WordPress While Ignoring That Sucuri Failed to Protect and Secure Their Customers’ Websites

While WordPress has very real security problems, news coverage of hacked WordPress websites often focuses on WordPress while ignoring the more pertinent problem: security companies are scamming their customers. Yesterday, a story ran in one security “news outlet” titled “WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables.” Again, that was yesterday. For those familiar with hacked WordPress websites, or hacked websites using other software, this is a bizarre headline. Malware stored in a database isn’t a new phenomenon, nor is what they are describing something that should evade detection. Several other “news outlets” included in Google News ran similar stories. The sole source for all those stories was a blog post by Sucuri.

It was fairly standard for Sucuri, with them once again admitting that one of their customers got hacked. That is despite claiming that their service protects websites from being hacked.

Let’s assume that this was a new customer of their service and they forgot to mention that. Their post makes no mention of even trying to figure out how the website was hacked, despite that being a basic part of a proper hack cleanup. The post doesn’t address that issue at all.

Curiously, they then provided a series of mitigation steps, despite having no idea how the website was hacked. One of those mitigation steps made no sense for database-stored malware:

File Integrity Monitoring: Implement file integrity monitoring to detect any unauthorized changes to your website files. This serves as an early warning system for rapid response to potential threats.

Sucuri offers file integrity monitoring, which certainly explains why they suggest that as a mitigation step despite it not being relevant.

They also twice suggested using a firewall to protect against it:

Alternatively, deploy a Web Application Firewall (WAF) for virtual patching.

Web Application Firewall: A website firewall can effectively block malicious traffic and prevent hacking attempts from reaching your server.

Not coincidentally, Sucuri offers that as well.

For a firewall to effectively block malicious traffic, you have to know what malicious traffic would include, which is going to be a problem when you don’t know how websites are being hacked.

Figuring out how WordPress websites have been hacked is important for keeping other WordPress websites from being hacked. For Sucuri, though, it would require actually doing the work they are being paid for and would cut down on the number of people hiring them in the first place. This is the sort of thing where WordPress having functioning security and marketing teams would be useful, as they could take on security companies harming the WordPress community.
