Does Sucuri.net Work for Malware Removal or Not?

Posted on May 15, 2012 under Blog

Since we do WordPress security and hardening, and malware removal for websites – we often get clients that have used the Sucuri.net service (or ask us about it). Sucuri.net is a malware removal service that charges a yearly fee. If your website is infected with malware – they will remove it (as many times as you need in one year). The cost is $89/yr for one website, $189 for 2-5 websites, and $289 for 6-10 websites. If you want to protect your website and have security experts available for a single yearly flat fee – seems like a real no-brainer, doesn’t it? Especially if you’re worried about paying someone to remove a website infection, only to have it come back (and have to pay them again).

Sucuri malware removal review

We don’t often pay a lot of attention to “competitors”, but this week we were forced to take a look at Sucuri.net’s malware removal service because we had a client that used them to remove malware from their website (but it came back). In fact the malware and malicious code came back every day for 8 days straight, and Sucuri kept removing it. At this point the client hired us to fix the website for good because even though Sucuri fixed it (every day) for free – it was kind of annoying to him (as well as concerning) to have them remove it each day, without fixing it for good. Would they have kept removing the malware for an entire year without fixing the root cause?

Once we learned this, we had the client forward the Sucuri Support email he received each day after the cleanup, and this is what the body of the email looks like:

Hi,

Your site is now clean and malware-free. The following files were compromised and fixed:

CLEARED: Cleared malware from file: ./wp-includes/https.php
CLEARED: Cleared malware from file: ./wp-includes/legacy.php
CLEARED: Cleared malware from file: ./wp-includes/feed-print.php
OK: Hardening ./wp-admin/setup-config.php on WordPress
CLEARED: Cleared malware from file: ./wp-content/themes/elegant-grunge/Image.class.php
CLEARED: Cleared malware from file: ./wp-content/plugins/akismet/native.php. Details: http://sucuri.net/malware/backdoor-phpfilesman02

CLEARED: Cleared malware from file: ./wp-content/plugins/wp-cart-for-digital-products/wp_cart_for_digital_products.php
CLEARED: Cleared malware from file: ./wp-content/plugins/lock-out/lock-out.php
CLEARED: Cleared malware from file: ./wp-content/plugins/googmonify/googmonify.php
CLEARED: Cleared malware from file: ./wp-content/plugins/get-recent-comments/get-recent-comments.php

Please follow these steps to avoid reinfection: http://sucuri.net/kb/after-the-cleanup

This ticket is now in resolved status. If there is no further activity in the next 24 hours, this ticket will be automatically closed. Feel free to open a new ticket if you require further assistance.

Thanks for using Sucuri! 🙂

Every day he got the same email, with the same listing of cleaned files. To be fair, Sucuri does give that link to an “after the cleanup” page, but all it really says is to change your passwords, run a virus scan on your PC, update your website, and start doing backups. That’s it. All the things they tell you to do are great, but they’re just a very few bits of preventative maintenance. None of them have anything to do with securing and hardening your WordPress website. Also, they tell you what type of malware infection your website had (according to their internal definitions), but they don’t tell you where the security hole actually was (or how to plug it).
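A cleanup notice that lists the same files day after day is itself a signal that the entry point was never closed. The following script is an added example (not code from the post or from Sucuri): it parses the per-file lines of such notices, counts how many days each path was cleared, and separately flags files cleared inside wp-includes/ or wp-admin/ that do not appear in a core file manifest (the manifest here is a constructed stand-in; a real check would use the checksums WordPress publishes for the installed version).

```python
"""Detect "cleanup churn": the same paths cleared on consecutive days, plus non-core files in core dirs."""
import re
from collections import Counter

# Matches the per-file lines of the notice; the path may be followed by ". Details: <url>"
CLEARED_RE = re.compile(r"^CLEARED: Cleared malware from file: (\./\S+?\.php)\b", re.M)

# Constructed stand-in for a real core manifest: only these paths are accepted under core dirs
CORE_MANIFEST = {
    "./wp-includes/functions.php",
    "./wp-includes/version.php",
    "./wp-admin/setup-config.php",
}
CORE_DIRS = ("./wp-includes/", "./wp-admin/")

def parse_notice(body):
    """Return the cleared file paths listed in one cleanup e-mail body, in order."""
    return CLEARED_RE.findall(body)

def analyze(notices):
    """notices: list of (label, body). Report paths cleared on 2+ days and non-core files in core dirs."""
    seen = Counter()
    for _label, body in notices:
        for path in set(parse_notice(body)):  # count each path at most once per notice
            seen[path] += 1
    recurring = {path: days for path, days in seen.items() if days >= 2}
    foreign_core = sorted(p for p in seen if p.startswith(CORE_DIRS) and p not in CORE_MANIFEST)
    return {"days": len(notices), "recurring": recurring, "foreign_core": foreign_core}

# Constructed sample: three consecutive notices with an identical listing, as described in the post
SAMPLE_BODY = """Your site is now clean and malware-free. The following files were compromised and fixed:

CLEARED: Cleared malware from file: ./wp-includes/https.php
CLEARED: Cleared malware from file: ./wp-includes/legacy.php
OK: Hardening ./wp-admin/setup-config.php on WordPress
CLEARED: Cleared malware from file: ./wp-content/plugins/akismet/native.php. Details: http://example.invalid/x
"""
SAMPLE_NOTICES = [("day-1", SAMPLE_BODY), ("day-2", SAMPLE_BODY), ("day-3", SAMPLE_BODY)]

if __name__ == "__main__":
    report = analyze(SAMPLE_NOTICES)
    print(f"{report['days']} notices; cleared on more than one day: {report['recurring']}")
    print("non-core files inside core directories (root cause not fixed):", report["foreign_core"])
```

Any path in `recurring` means removal alone is not holding; any path in `foreign_core` is a file that has no business in a stock WordPress tree and points to a planted backdoor rather than a modified original.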

It seems to us that Sucuri.net is a one trick pony. They can remove the malware from your website, they even have a really cool malware scanner plugin that you can install for free to make sure you’re not infected. But they do not (that we can see) offer any actual security and hardening services for WordPress, nor do they help you fix the security hole(s) that got your website hacked into in the first place.

*Update*: Sucuri has commented below that the reason the malware “came back” was that the client was running WordPress 2.8.4 and 2.7 in the same hosting account, and this was why the malware kept coming back every day. Some people may have focused on that part of our observations, but it wasn’t really the point.

We have a couple comments on this…

The first being – after the malware was removed – the confirmation email to the client provided a link to an “after the cleanup” page, and one of the points on that page was to “keep WordPress updated” (and the client obviously didn’t follow that recommendation). Sucuri’s position is probably that if the client had done that, the site would not have gotten reinfected. Our position is, that really doesn’t matter at all – even if he had done that, if the website wasn’t completely secured – it could be hacked again.

What we probably should’ve provided were a few more points about what we did for the client – and why a malware removal service (alone) is almost never good enough.

Although Sucuri does what they do well (malware removal for a flat yearly fee), they are only able to offer that one service for that price.

When this client came to us (after using Sucuri), during the security and hardening process of his WordPress website we did a lot of things including:

- complete reinstall of WordPress core files
- complete reinstall of all plugins
- removal of plugins without an update in the last 12-18 months
- scanned and checked the theme for vulnerabilities
- scanned all content in the database
- reset all passwords
- manually reviewed user accounts
- setup and configured an all-inclusive security plugin
- and dozens of other security and hardening points

We’re not saying Sucuri doesn’t work (it does). In our opinion it’s just not the same (or enough) as hiring someone to manually review and secure and harden your website, and to install disaster recovery options. One of our biggest beefs was that the “after the cleanup page” on Sucuri didn’t contain either links to detailed information or even a service / person you could hire for this. In a LinkedIn WordPress group discussion about this Dre Armeda says that Sucuri does offer additional security and hardening services, as well as another WordPress security plugin. While not all of the malware removal customers would take advantage of it – that’s probably information they should have presented on the “after the cleanup” page.

Again, if all you need is malware removal, Sucuri.net as a flat fee malware removal service works great. They also do have security and hardening services available. For business website owners – we advise our clients to take advantage of our WordPress malware removal / security and hardening services. If you have a malware infection, we will fix your website by removing the bad code, we’ll find and fix the source of the break-in, secure and harden your website to protect against future hack attempts, and setup a disaster recovery option that suits your needs.