18 Jan 2024

Malcare’s Review of Wordfence Recommends Malcare Instead Without Disclosing They Make It

Those looking for useful security advice for WordPress websites are often running across biased information, where the bias isn’t disclosed. While looking for some information for a post we were writing, we ran across what was claimed to be a review of the Wordfence Security plugin. It was from a competitor, Malcare. That was never disclosed in the review. You only have to get to the fourth paragraph before they are already recommending Malcare instead:

WordFence’s free version is a really good security plugin for website owners with zero budget for security. However, there are a bunch of downsides, including some security lacuna. I strongly recommend MalCare, which is far more reliable and effective at blocking threats and protecting your site against malware. [Read more]

18 Jan 2024

Sucuri Security vs Wordfence Security

In looking at lists of the best WordPress security plugins recently, the Sucuri Security plugin has been repeatedly listed first. That is not because it is the best security plugin and doesn’t even have anything to do with the plugin. Instead, it is listed as the best because the company behind it offers affiliate revenue for those who get people to sign up for an unrelated service they offer. If you look at reviews of Sucuri’s service, there are a lot of people warning about how bad the service is. That isn’t surprising when the developer keeps admitting that they are failing to protect their customers. But what about the protection their plugin offers versus the most popular security-only plugin for WordPress, Wordfence Security?

Since 2021, we have done 16 tests of a large group of WordPress security plugins to see if they would protect against real vulnerabilities that had existed in other plugins. In those tests, Sucuri Security provided no protection in any of the tests. Wordfence Security did somewhat better, providing protection in six. The reason why Sucuri Security doesn’t provide any protection is that the plugin doesn’t contain a firewall. Recommendations of it would make you think otherwise. [Read more]

18 Jan 2024

Awesome Motive Is Claiming That Sucuri Is the Best WordPress Security in 2024 Based on Features It Doesn’t Contain

While doing research for a post, we found that the much maligned Awesome Motive was giving out, no surprise, highly misleading advice to make money for themselves. On one of their websites, they claimed that the Sucuri plugin is the best WordPress security plugin in 2024. In justifying that, they started this way:

Many small businesses consider Sucuri to be the best WordPress plugin for improving your site’s security in 2024, and for good reasons. The Sucuri WordPress plugin has all the security features you need to audit and keep your site protected against malware, brute force login attacks, DDoS, and any other security threats. [Read more]

2 Jan 2024

Five WordPress Security Plugins Prevented Exploitation of Serious Vulnerability in Another Security Plugin

One of the things that should have long ago raised a lot of alarm about the state of the WordPress security industry is how often security plugins are found to contain vulnerabilities. Instead, it has been treated as evidence that it is normal for plugins to be insecure, not that there is something very wrong with security providers. That is quite unfortunate because it means that the good providers are not getting the support they deserve and security is suffering for it.

In June 2022, we did a large-scale test to see if WordPress security plugins would have stopped a vulnerability of a type, persistent cross-site scripting (XSS), that hackers are known to widely exploit, which was found in the security plugin WP Cerber Security. The results were not good. Only two of 31 plugins provided protection against the vulnerability itself. Last year, another vulnerability of that type was disclosed in the plugin. So we were curious to see how many plugins protected against that one. [Read more]

26 Sep 2023

Sucuri Security and Solid Security Plugins Won’t Stop Websites From Being Hacked

While looking into some information for a post we were preparing recently, we ran across a promoted testimonial for a security provider named MalCare, coming from the person behind WPCrafter, which is marketed as WordPress tutorials for non-techies. The testimonial begins:

I had been running iThemes, WordFence & Sucuri, but they kept getting hacked. [Read more]

30 Jun 2023

NinjaFirewall and Plugin Vulnerabilities Firewall Are Only WordPress Security Plugins That Protected Against Recent Zero Day

Among the common, but inaccurate, security advice you will hear is that WordPress won’t get hacked if you take basic security measures, including keeping plugins up to date. While doing the basics is really important, the reality is that keeping plugins up to date does nothing to stop a zero-day, a vulnerability being exploited before the developer is aware of it. That is an area where a security plugin could provide additional protection. But just because they could, it doesn’t mean they will. More problematically, WordPress security plugin developers have for years claimed to provide zero-day protection when they don’t. The solution is to do testing to see which plugins really provide protection against zero-days.

Recently, a zero-day role change vulnerability in the 200,000+ install WordPress plugin Ultimate Member was spotted being exploited by the web host Tiger Technologies. That vulnerability was being exploited to create a new WordPress user and then change the user’s role to Administrator, which gives them full access to the website. [Read more]

13 Mar 2023

Only 25% of WordPress Security Plugins Protected Against Widely Exploited Plugin Vulnerability

In late January, an unfixed vulnerability in a WordPress plugin with 40,000+ installs started to receive widespread exploitation attempts, and many websites were hacked. The hacking was in part caused by multiple WordPress security providers, including Wordfence, WPScan, and Patchstack, all of whom claim to have teams of experts reviewing vulnerabilities in WordPress plugins, having claimed that the vulnerability had been fixed three months before that. The moderators of the WordPress Support Forum made the situation worse by deleting an early indication of the problem, in the form of a message complaining about a website being hacked because of the plugin.

The developer of the plugin promptly fixed the vulnerability once we advised them that it still existed. They then went further than other plugin developers usually do when a plugin has had an exploited vulnerability and got a security review done to ensure the plugin was now properly secured. [Read more]

6 Mar 2023

Here Are the 4 WordPress Security Plugins That Protected Against a Vulnerability Wordfence Failed to Protect Against Despite Having Discovered It

Last week, Wordfence disclosed the details of an authenticated persistent cross-site scripting (XSS) vulnerability they had found in a popular WordPress plugin with 3+ million installs (as well as something else that wasn’t really a vulnerability). There were some things they said in their post that are rather problematic.

One of them was that they were claiming to have responsibly disclosed the vulnerability, while also contradicting that. According to their post, the day before they notified the developer of the plugin about the vulnerability, they were already selling access to information about exploiting the vulnerability through their Wordfence Premium service. That isn’t responsible disclosure and any hacker willing to pay for the service could have started exploiting this before the developer was even notified about it. Wordfence’s paying customers would have been protected from it at the time, but others would not without having some other security in place. [Read more]

8 Feb 2023

WordPress Security Plugins Don’t Prevent Disclosure of One-Time Password Through Exploited Plugin Vulnerability

A month ago, we saw a hacker looking to exploit a vulnerability that had recently been fixed in the WordPress plugin User Verification. That vulnerability, discovered by Lana Codes, involved the plugin’s functionality to email a one-time password for logging in to WordPress. The problem with the functionality is that it didn’t just email the password; it also sent it back as part of the response to the request to have it emailed. So an attacker could submit the request to have the password emailed for a WordPress user’s account, get the password that was only supposed to be emailed, and then log in to that account.

Preventing an information disclosure issue like this would be difficult for a WordPress security plugin that isn’t aware of the particular vulnerability, as it would have to recognize that something that shouldn’t be disclosed is being disclosed. So it would be unlikely that a security plugin would provide protection. Our own firewall plugin, Plugin Vulnerabilities Firewall, doesn’t have protection against such a situation, but we are always looking to see how we might be able to expand its protection, so we were curious to see if any other plugins provided protection. [Read more]

26 Oct 2022

Only Four WordPress Security Plugins Protected Against Exploitation of Serious Vulnerability in Plugin From WordPress

Earlier this month we spotted a serious vulnerability being introduced into a WordPress plugin that comes directly from WordPress. It turned out that the vulnerability had been introduced into it by an employee of the company closely associated with WordPress, Automattic. The vulnerability would have allowed attackers to upload arbitrary files to the website, which is a type of vulnerability where it isn’t a question of if it would be exploited, but when. Usually a hacker would use that to upload PHP files and then from there they could do whatever else they want, as that would give them the ability to run arbitrary code on the website. That is a type of scenario WordPress security plugins could and should have a capability to protect against.

Whether WordPress security plugins actually provide protection against it is another story. While you can find lots of reviews of WordPress security plugins, the ones we run across don’t involve testing to see if they provide protection against real threats, making the reviews of limited value. Instead, the reviews focus on other things, meaning that developers of those plugins don’t necessarily have an incentive to focus on security. When we did a test of a similar vulnerability six years ago, only three security plugins provided protection against the same scenario. [Read more]