• I install this plugin and weeks later one of the sites I manage gets hacked and random text is entered on pages… Nothing else.

    1. The Sucuri plugin (and all others) stayed untouched, not been deactivated, not been deleted, what an ethical hacker…
    2. The IP of the login was not hidden, it came from Wenzhou China (yeah right…).
    3. The hack was logged and recorded… the hacker didn’t even bother to delete his traces, with the exact pages that were affected. For someone who brute force attacked the server for weeks in a row (and still trying as I type this review)… this hack is just insanely fake.
    4. Only admin got hacked, nobody else… and admin is not even called admin. How could the hacker know the exact username of admin?
    5. This site is part of a whole WordPress network with about 10 well visited sites in it, the hacker could and SHOULD have added his spam to the whole network if he really was in there to put spam.

    Here is the list of every IP address that is trying to attack… do you get a similar list? Please let me know if you do.

Viewing 12 replies - 1 through 12 (of 12 total)
  • I install this plugin and weeks later my site gets hacked… just very coincidently some random text is entered on pages… exactly what the premium version of Sucuri would fix for me. Nothing else happened

    Pretty strong accusation, but I think you are making a flawed leap here between your attack and the security plugin as:

    a) all plugin code is audited before inclusion here in the WordPress repository
    b) the plugin code is open-source and so anyone, including you, can examine it
    c) Sucuri is a well established and respected security company which is hardly likely to risk its reputation to try and collect a few more paying customers
    d) hackers have a range of motivations, and not all choose to hide their tracks/deactivate plugins/deface/spam/attack all sites on the network
    e) there are multiple routes for a hacker to locate your admin name and password (username enumeration, compromised server, insecure credentials’ storage on a local machine, weak username/password combinations, insecure use of FTP, use of third party plugins, etc.etc.)

    I would advise you to consider the points raised in (e) and look into the hardening of your installation.

    Not an accusation… more a finding instead because it really is just that. Thanks for your advice! I will look into it.

    Accusation of an accusation retracted 🙂

    The hardening WordPress guidance is excellent, and if you’re into .htaccess you can also consider the 5G blacklist, which plays well with most wordpress security plugins.

    Good luck!

    Thanks Barnez! I will check that one out too. 🙂

    I am not using the aforementioned plug-in but have had hackers hit my sites from some of the same IP addresses you listed. I have recently started keeping a blacklist of my own (http://www.removepcvirus.com/blacklist.html) to help spread the word.

    One pattern I have noticed is that hackers will try to gain access to WordPress sites using whatever usernames appear on posts on the target website. Using a screen name (nickname) for posts, which is different from the user login name, is advisable.

    The plugin is one piece of a security system, consider adding Sucuri’s firewall or Cloudflare / equivalent.

    Install Jetpack and enable the Login protection. The username could of been accessed from the RSS / meta tags, and then the password brute forced (where script guess hundreds of passwords). Enable ‘Brute force’ notifications in Sucuri’s alert settings to get email when this happens, be warned the frequency can be alarming if your site is under attack.

    Delete any plugins / themes you aren’t using, the less code the better.

    Hope that helps!

    Today, I discovered Google finds my site malicious, Firefox calls it an “attack site”, and there is malware somewhere. I have Sucuri Security plugin – did a scan from the dashboard – no malware found.

    However, if I go to Sucuri’s SiteCheck (https://sitecheck.sucuri.net//) and put in my site I get:

    Status: Infected With Malware. Immediate Action is Required.
    Web Trust: Blacklisted (10 Blacklists Checked): Indicates that a major security company (such as Google, McAfee, Norton, etc) is blocking access to your website for security reasons. Please see our recommendation below to fix this issue and restore your traffic.

    What is up with that?

    Needless to say, I’ve open a ticket with the Sucuri support desk.

    Do you have the paid version of Sucuri? You pay about (old pricing about $200 year for four or five sites – ah the first one was $99 and others are $20/year after that). In that case Sucuri does a deep scan and usually finds the problem pretty quickly.

    Afterwards, you’ll want to get a plugin which blocks logins. Shield Firewall does that for free. Sucuri logs hacking attempts but doesn’t block it as they’d like to sell you an expensive firewall service instead.

    Once malware is anywhere in your site, everything is suspect. If you don’t want to pay for professional cleaning, if you’re prepared to delete your full site, your theme and your plugins to reinstall from scratch as well as change the passwords for all admins and run the your database through an import export procedure, you can do the clean up yourself. Don’t forget to change the hosting account and even server level passwords to which you have access.

    The worst part is that you have to do this all at the same time as the malicious code could be anywhere, with several backup access points if you cut one entrance out.

    Have fun!

    It’s possible for any anti-malware software to miss something. Review all the plugin options and settings to be sure that your system is appropriately configured.

    See these resources:

    If you don’t feel comfortable with the technical level of the articles above, you might consider getting some outside technical assistance.

    Andrew Nevins


    WCLDN 2018 Contributor | Volunteer support

    @inetplanet, Thanks for all of your support on the forums. I just have to ask you not to link to your site for resources. The Codex documentation is very thorough and if it’s missing some important information then feel free to add it – it’s a community resource that you can log in to.

    I had the same idea. I traced some ip’s I saw and they were just coming from websites.

    We’ve removed Sucuri from all our sites as lately it’s just become salesware and installed Shield (Simple Firewall) as Shield has protection built into the free version.

    We still have a legacy Sucuri account for malware cleanup. The service (not sure if they still sell it) is useful.

Viewing 12 replies - 1 through 12 (of 12 total)
  • The topic ‘good plugin but…’ is closed to new replies.