Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » data being sent third parties? What? When?

  • Resolved djsteveb

    (@djsteveb)


    Given the multitude of “ssl connect errors” that I have seen with different installs in all kinds of situations, I think it is very important that sucuri post prominently about data being sent to third party servers, and perhaps this plugin should be removed from the wp-repo until there are clear details about this.

    I am not 100% sure – but it seems that entering the admin dashboard area and making any changes is causing the sucuri plugin to send data to third party servers; given the amount of errors that pop up on occasion, e.g. – Sucuri: (1456617115) Send_log: SSL connect error.

    I have the “audit log statistics” disabled in settings, as it says “charts are generated with a limited number of logs stored in the remote API server”.

    There should be a giant warning somewhere that says data is collected and shared with third parties when this plugin is activated – and there should be a bigger warning and details about each setting and what data sharing would be enabled with each option.

    Info about any third party data siphoning that may occur when the “ad bar” is not set to “hide this” – would be nice as well.

    Can someone post a list of third party servers that this plugin connects to upon activation with defaults, and where it sends data to when it’s running, and what data is being sent?

    If installing a plugin pings google or youtube or vimeo for ads or videos or even fonts – I would choose not to install it.

    If data is being collected by and stored with sucuri for admin things and not web site visitors, that is one thing to consider; however, if sucuri is also collecting data on page visits, then we would need to re-write our privacy policies, and notify our clients of possible HIPAA violations caused by this plugin.

    Someone please clear up this confusion.

    https://wordpress.org/plugins/sucuri-scanner/

Viewing 1 replies (of 1 total)
  • There is a message in the modal container that appears when you are going to generate the API key, and a highlighted note in the settings page with this text:

    Generating an API key implies that you agree to send the information collected by the plugin to the Sucuri API service which is a remote server where the information for the audit logs is stored, this is to prevent malicious users to delete the logs during an attack which may affect an investigation if you suspect that your website was hacked. We also use this information to display statistics and try to use the data in an anonymous way as we are concerned about your privacy too. Please do not generate an API key if you do not agree with this, you can keep using the plugin without it anyway.

    The data that you see in the “Audit Logs” panel located in the plugin’s dashboard is the data that is being sent to the API service which is located here [1]. Additionally, we use some of that data anonymously to build this page [2] with statistics of how WordPress is being attacked in the wild.

    You can go to the “API Service” panel located in the plugin’s settings page and disable the communication between the plugin and the API service; this will force the plugin to stop sending data to 3rd-party servers if you disagree with that.

    I do not plan to change nor remove this feature from the code that has been there for years. I do not know who manages the removal of plugins from the WordPress directory, but I am sure you will find some names and emails here [3]. I suppose you can send this ticket to one or more of them and wait to see if they remove the plugin or not; thanks for the report.

    [1] https://wordpress.sucuri.net/api/
    [2] https://sucuri.net/security-reports/brute-force/
    [3] https://wordpress.org/about/
