Support » Plugin: Sucuri Security - Auditing, Malware Scanner and Security Hardening » Sucuri – don't install, they don't provide security

  • Bad experience with this plugin. A client had it installed and yet their website was corrupted. The logs showed that this plugin had altered the .htaccess file with bad code that resulted in showing a white page instead of the front page. The log showed that the only thing that was changed was the Sucuri plugin. Strange that a plugin that offers to protect a site corrupts the site instead.

Viewing 9 replies - 1 through 9 (of 9 total)
  • Dear @elza

    Please, feel free not to use our free plugin. I also highly encourage you not to use any of our products. You apparently have a firm grasp on your security needs, and we’re obviously missing the boat.

    Also, while I gather you have crossed the line of being constructive and focused on being malicious socially, allow me to clarify…

    Those articles have absolutely nothing to do with the issue you experienced or this ability of this plugin, they are inflammatory and now you’re crossing into the line of social harassment unnecessarily. It’s a shame, seeing your social presence that you’d stoop so low. They are also inaccurate and completely out of context. What you suffered was a fundamental lack of understanding, and that’s ok; that is unfortunately the reality that we as an organization have to subscribe to when trying to help.

    I do encourage you though, given your intimate familiarity with security and development, to build or maybe contribute some code to help the rest of the community. That is in fact the open-source way.

    All the best,

    Tony

    Aren’t you being a bit over-emotional here Tony?

    The plugin does not provide security. Period.

    This week, with the plugin activated, a site was hacked.
    Now how does that provide security?

    And you call yourself a CEO Tony?

    A good CEO will always be open for customer experience with his product(s).

    A bad CEO will try to intimidate a customer because he is not open for any criticism.

    It’s totally clear that something is pretty wrong with the plugin, so you’d better find out what it is. Your reaction here on the topic is bad for the company you work for.

    And don’t worry, I also will not use the plugin and advise everyone strongly to stay far away from it.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Side note not related to this review:

    @elza I’ve redacted the links in your review. It’s not because I agree or disagree with your review. It’s that you didn’t leave one as much as just posted 3 links.

    That’s not what the review section is for. You can leave a review

    • about your experience
    • about the code
    • about what you like
    • what you dislike
    • what you think can be improved
    • what you would change
    • and what your recommendation is to people reading this review

    Just leaving 3 links isn’t a review. Please feel free to use this link to update your review with real text and information about your experience.

    https://wordpress.org/support/view/plugin-reviews/sucuri-scanner#postform

    But leave out the links. Make your post here an actual review and keep it in these forums.

    Hi @errol

    Thanks for the feedback. Unfortunately my response is out of context with the original post being modified. Rest assured though, the original post offered no feedback, but rather was an attempt to smear our name by posting unrelated information.

    I assure you, a good CEO will always defend his developers and the products they build, especially when it’s free. I do appreciate your candor, and hope you will do the same for mine.

    Hi @elza

    Not understanding how something works doesn’t mean it doesn’t work. The site was hacked not because the plugin was activated, but because it was likely improperly maintained.

    The Security Plugin Ecosystem: https://blog.sucuri.net/2014/09/understanding-the-wordpress-security-plugin-ecosystem.html

    The plugin itself is not a preventive security tool, it’s a utility tool designed to help you harden and provide better visibility into what is happening. This is how we describe it in the notes.

    Security is a complex domain, so much so I have written an article that will hopefully explain how so:

    Website Security is Not an Absolute

    I have a wide range of security related articles you might be interested here: https://perezbox.com/category/security/

    So to your points:

    The plugin does not provide security. Period.

    It does provide security, it’s just different than your interpretation of what “security” should be.

    This week, with the plugin activated, a site was hacked.
    Now how does that provide security?

    It’s difficult to say without more context, but a few ways it would have contributed to your security posture:

    1 – As you referenced in your various other posts, the tool was notifying you that someone was trying to repeatedly log into your environment. This is called a brute force attack, something I talk about here: https://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html

    2 – If the attacker abused a vulnerability in the code and modified core files, it would have alerted you to that issue via the integrity checks.

    3 – If the attacker made changes to posts and pages and other configuration changes the tracking feature would have notified you.

    4 – The tool would also have assisted you in the post-compromise process as well, via those features.

    5 – The tool has a section specific for hardening. In fact, we keep the hardening simple and practical intentionally, because in our experience they are the most effective.

    So again, not understanding a domain or how a tool works doesn’t mean something doesn’t work.

    Thanks

    Tony
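The integrity alerting described in point 2 above boils down to a baseline of file digests compared against the current tree. The following is an added example of that check, written for this thread and not taken from the Sucuri plugin; the site layout it builds in a temporary directory, and the file names in it, are constructed for the demonstration.

```python
"""Added example: a minimal file-integrity monitor of the kind point 2 describes.
Not the plugin's code; the toy site tree and file names are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences the way an integrity alert would report them."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Build a constructed site tree, take a baseline, tamper with it, and diff."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-includes").mkdir()
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-includes" / "version.php").write_text("<?php $wp_version = '0.0';\n")
        (root / "wp-content" / "uploads" / "readme.txt").write_text("uploads\n")

        baseline = build_manifest(root)

        # Simulate the three events an integrity alert exists to catch:
        # a core file edited, a new file appearing, a known file removed.
        (root / "index.php").write_text("<?php /* constructed change */ require 'wp-blog-header.php';\n")
        (root / "wp-content" / "uploads" / "dropped.php").write_text("<?php\n")
        (root / "wp-content" / "uploads" / "readme.txt").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be stored outside the web root (or signed) so that whoever edits the files cannot also edit the manifest, and the digests of core files would be compared against a known-good release rather than against whatever was on disk when the baseline was first taken.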

    Hi @elza

    Since your original post was modified and it now reads:

    Bad experience with this plugin. A client had it installed and yet their website was corrupted. The logs showed that this plugin had altered the .htaccess file with bad code that resulted in showing a white page instead of the front page. The log showed that the only thing that was changed was the Sucuri plugin. Strange that a plugin that offers to protect a site corrupts the site instead.

    I’d like to learn more about this client. Do you have the access and error logs we can take a look at?

    While conflicts can occur, they are rare. I’m wondering if the hardening was applied; in instances where there is a white screen, that is usually attributed to killing PHP execution somewhere in the directory structure. I would bet money that is what contributed to the issue. That being said, I’d like to learn more on the specifics of the configuration.
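Apache merges `.htaccess` files from the document root down to the requested file's directory, so a rule that denies access to `*.php` applies to everything below the directory it sits in. A PHP-execution block belongs under `wp-content/uploads`, where no PHP should ever run; the same rule placed at the web root also covers `index.php`, which is exactly the blank front page described in the review. The script below is an added diagnostic written for this thread (not the plugin's own hardening code): it walks the `.htaccess` chain for a given file and reports any rule that would stop PHP there. The directory layout and the `HARDENING` snippet are constructed for the example, and the rule patterns it recognises are a deliberately small set.

```python
"""Added example: find which .htaccess in the chain above a PHP file would
block its execution. Not the plugin's code; the site tree is constructed."""
import re
import tempfile
from pathlib import Path

# A small, explicit set of directives that stop PHP from running (assumed
# sufficient for the demonstration; real configs have more variants).
ENGINE_OFF = re.compile(r"^\s*php(?:_admin)?_flag\s+engine\s+off\b", re.I)
REMOVE_HANDLER = re.compile(r"^\s*RemoveHandler\b.*\.php", re.I)
FILES_OPEN = re.compile(r"^\s*<Files(?:Match)?\s+[\"']?([^>\"']+)", re.I)
FILES_CLOSE = re.compile(r"^\s*</Files(?:Match)?>", re.I)
DENY = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I)


def php_blocking_rules(text: str) -> list:
    """Return (line number, description) for each rule that blocks PHP."""
    rules = []
    pattern = None  # pattern of the enclosing <Files*> block, if inside one
    for lineno, line in enumerate(text.splitlines(), 1):
        if ENGINE_OFF.match(line):
            rules.append((lineno, "php engine off"))
        elif REMOVE_HANDLER.match(line):
            rules.append((lineno, "RemoveHandler for .php"))
        elif (m := FILES_OPEN.match(line)):
            pattern = m.group(1)
        elif FILES_CLOSE.match(line):
            pattern = None
        elif pattern and "php" in pattern.lower() and DENY.match(line):
            rules.append((lineno, f"deny inside <Files*> matching {pattern}"))
    return rules


def blocking_htaccess_for(root: Path, target: Path) -> list:
    """Walk root -> target's directory (the order Apache merges per-directory
    config) and collect every .htaccess rule that would block target."""
    chain = [root / p for p in reversed(list(target.relative_to(root).parents))]
    findings = []
    for directory in chain:
        ht = directory / ".htaccess"
        if ht.is_file():
            for lineno, rule in php_blocking_rules(ht.read_text()):
                findings.append((ht.relative_to(root).as_posix(), lineno, rule))
    return findings


# Constructed hardening snippet of the kind used to stop PHP under uploads.
HARDENING = (
    '<FilesMatch "\\.php$">\n'
    '  Require all denied\n'
    '</FilesMatch>\n'
)


def demo() -> dict:
    """Compare the intended placement with a misplaced copy at the web root."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        uploads = root / "wp-content" / "uploads"
        uploads.mkdir(parents=True)
        (root / "index.php").write_text("<?php // front controller\n")
        (uploads / "any.php").write_text("<?php\n")

        # Intended placement: only files under uploads are affected.
        (uploads / ".htaccess").write_text(HARDENING)
        out["correct_front_page"] = blocking_htaccess_for(root, root / "index.php")
        out["correct_uploads"] = blocking_htaccess_for(root, uploads / "any.php")

        # Misplacement: the same rule at the document root also covers
        # index.php, which produces a blank page instead of the front page.
        (root / ".htaccess").write_text(HARDENING)
        out["misplaced_front_page"] = blocking_htaccess_for(root, root / "index.php")
    return out


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or 'no blocking rule'}")
```

Run against a real document root as `blocking_htaccess_for(Path("/var/www/site"), Path("/var/www/site/index.php"))`; an empty result for the front controller plus a finding under `wp-content/uploads/.htaccess` is the expected shape of a correctly applied hardening.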

    Plugin Author Daniel Cid

    (@ddsucurinet)

    Hey @elza,

    Thanks for the feedback. Sorry you didn’t like what the plugin offered.

    As I replied on another thread, the code is open & free, so I highly welcome anyone and everyone to help us get better. That’s the beauty of open source.

    You also have many other alternatives in the repo, so try the others.

    If anyone ever has any issues or questions about the plugin, you are always welcome to email me directly: dcid@sucuri.net as we try to engage and make things better.

    thanks!

    Probably @elza did something wrong. I’ve used this plugin for several years in almost all of our website clients and we had never suffered any attack or had any problem.

    This plugin, like most plugins, is a free plugin; you are not obligated to use it. Leave the website with no protection and maybe you would have 10x more problems…

    Anyways, it is also good to see that the CEO is here and answering the questions, didn’t understand why @errol said that …

    Well, all I can say is: Tony, thanks for creating such a good, free and important plugin.

    I can also vouch for the excellent quality of this plugin. (I’m also a plugin developer and deal heavily in cybersecurity.) Sucuri Security is one of the most well thought-out and executed security plugins for WordPress. We used to recommend only two all-in-one security plugins to our clients, this and one other. Now we’ve reduced that down to only one all-in-one security plugin that we recommend…this one. There will always be additional areas of a site to harden, and one should never rely solely on one plugin, since there are so many ways to attack a site. However this gives users an excellent start, and is a powerful tool for increasing WordPress site security.

    @tony: You absolutely should stand up for your product and your crew. I see nothing wrong with what you said.

  • The topic ‘Sucuri – don't install, they don't provide security’ is closed to new replies.