yorman

I didn’t intend to start a popularity contest here

It’s not about popularity, it’s about how many websites will require an update.

I’ll subscribe to the other thread where you posted your bug report, and will wait for their comments. I personally don’t have a problem modifying Sucuri’s plugin code, but the less people we bother with an update the better.

Thank you.

Why was the ability to block certain admin accounts […] removed from the plugin?

The option was misleading.

Many people complained to me last year about how the plugin was unable to block someone from accessing their website even though they blocked them using this option. The original idea was to reduce the number of “failed logins”, not to block the user, but people understood it differently.

I didn’t have enough time to keep maintaining that part of the code, so I took the decision to remove it all together, and my co-workers agreed with the change. This allowed me to focus more on implementing new and better features for the Sucuri Firewall.

Incidentally, the “Block” button still shows up

Thank you, I’ll remove the button in the next update.

Please don’t tell me it’s to encourage people to use Sucuri’s (paid) web application firewall service instead.

That wasn’t the intension, but now that you mention it, it does seems unnecessary to maintain two different code bases to offer the same feature. Even more when one of the implementations works several times better than the other one. For instance, Sucuri Firewall allows you to control —in a more granular way— when and how to block the malicious requests.

The good thing is, the code is still available here [1]. And since the project open-source, anyone can request the addition of the code back to the plugin, using this form [2]. However, I would prefer if the person makes the appropriate changes to remove the misleading parts from the interface.

[1] https://github.com/Sucuri/sucuri-wordpress-plugin/commit/59cb8f9
[2] https://github.com/Sucuri/sucuri-wordpress-plugin/pulls

The short term solution is disable Sucuri

Why not disable the redirection instead?

There’s an option in the settings page to do that, under “Alerts”.

Marking as “resolved” as there’s a solution available.

Your website is using CloudFlare, and someone —maybe you— enabled an option that forces CloudFlare to return a “503 Service Temporarily Unavailable” error message until the user who’s visiting the website turn JavaScript on.

If you visit your website in a new browser session, you’ll notice CloudFlare shows this page [1] for a few seconds while it creates some cookies to track the user and to make sure that the browser has JavaScript enabled, among other checks that they are not disclosing.

When Sucuri is scanning your website for malware, it communicates with your website in a way that makes it impossible to enable JavaScript, this forces CloudFlare to keep returning a 503 error message. Unfortunately, we cannot change this right now, you’ll not be able to scan your website using Sucuri SiteCheck.

Marking this ticket as “won’t fix” for now.

Thank you for your understanding.

[1] https://i.imgur.com/Mtlk6nf.png

[…] Concern remains

I’ll make sure this case is taken in consideration by a manager, but I predict that several days will pass before we can provide a definite solution knowing that it’s not entirely on our hands.

How many times does Sucuri’s malware checker ping a website (or Cloudlflare, if activated) on a daily basis?

The plugin sends, by default, one request to SiteCheck every 24 hours. This request triggers a chain of events that produces at least 14 additional HTTP requests (or more if the scanner detects more suspicious data). From these 14 requests only 2 contain the Google Bot User-Agent.

However, because SiteCheck is a public service [1] anyone in the world with an Internet connection can request a scan even if you don’t have the plugin installed. For example, you can scan my personal website [2] which doesn’t even use WordPress.

Our Sucuri Malware Scans are being performed via the iThemes Security Pro plugin, Is Sucuri affiliated or associated with them?

Aside from the fact that their plugin is using Sucuri’s public API service, I don’t know if they have a affiliated with the company. As a programmer, I tend to pay attention to the engineering side of things more than the business. If you chat with the Sucuri sales team [3] they may have a better answer.

Perhaps your conversation with them will yield better results

I hope so, I’ll update as soon as I know anything.

[1] https://sitecheck.sucuri.net/
[2] https://sitecheck.sucuri.net/results/cixtor.com
[3] https://sucuri.net/ (live chat at the bottom)

Hello @jetxpert thank you for your message,

This is a serious bug with Sucuri […]

I don’t think this is a serious bug.

Let me give you an analogy to explain:

If your website is your house, and you hire me to check your house every day to see if it’s been infected with malware, but you don’t give me the keys to enter, the only thing I can do is knock on your door and talk with whoever is in the house to see if everything is okay.

One day, I discover that some burglars are entering houses in your neighborhood, they are doing it by using masks that allow them to pass as familiar faces to whoever is opening the door —(In this analogy, the mask is the “User-Agent” of anyone’s web browser)—. I still don’t have the keys to your house, so the only thing I can do to help is to use the same mask as the burglar to see if this trick works in your house, in which case I will consider your house as compromised.

Now, let’s say you’ve decided to put a fence around your house —(let’s call this fence CloudFlare)—. With this fence, I cannot even knock on your door, so I send you a letter saying “Sorry, I cannot check your house, my access is Forbidden”.

You see where I’m going with this?

As I explained in my previous comment, there is a type of infection that reacts to the User-Agent in the request. This allows the malware to hide itself from anyone but web crawlers like Google Bot, Bing Bot, Yandex Bot, etc. The easiest way for Sucuri to check if a website is infected with this malware is to send a request pretending to be one of these web crawlers.

As a precaution, we have blocked these IPs (used by Sucuri) and reported them publicly as “abusive.”

Actually, instead of blocking Sucuri’s IPs, you could just instruct CloudFlare to let any request coming from Sucuri in, that is if you really want the scanner to check if your website is infected with malware, otherwise you can keep them blocked.

Cloudflare is a highly reputable company. It’s not their issue. They are reporting above IPs as “Fake Google Bots.”

I agree, both Sucuri and CloudFlare are working as expected.

This ticket or request, therefore, is not solved. Please re-open it and implement a fix to eliminate this issue. Recommend contacting Google, Amazon, Cloudflare, and iThemes to find a solution.

I can mark the ticket as “not resolved” and contact CloudFlare to see if they want to work with Sucuri to implement an internal whitelist for Sucuri SiteCheck (which to me is unnecessary considering that CloudFlare customers can already whitelist an IP by themselves). Google, Amazon and iThemes have nothing to do here.

I’ll update this ticket when I get an answer from CloudFlare.

There is a type of spam that hides from regular HTTP requests by checking if the User-Agent and/or IP address matches certain criteria.

For example, the malware could be checking if the User-Agent is the same as the one that Google uses in their web crawler, this way, if Google is scanning your website the malware will render the malicious text, but if it’s not then it renders the normal website.

Check all the “.htaccess” files that you can find your web server (all of them, not just the one in the root). There could be malicious conditions there that could be triggering or hiding the malicious code from you. If you cannot find any suspicious conditions in the access control files, then keep scanning the source code for similar conditions, and then the database.

Here’s an article [1] that explains how to clean your website from malware.

Let me know if you need more information.

[1] https://sucuri.net/guides/how-to-clean-hacked-wordpress