Since we do WordPress security and hardening, and malware removal for websites – we often get clients that have used the Sucuri.net service (or ask us about it). Sucuri.net is a malware removal service that charges a yearly fee. If your website is infected with malware – they will remove it (as many times as you need in one year). The cost is $89/yr for one website, $189 for 2-5 websites, and $289 for 6-10 websites. If you want to protect your website and have security experts available for a single yearly flat fee – seems like a real no-brainer, doesn’t it? Especially if you’re worried about paying someone to remove a website infection, only to have it come back (and have to pay them again).
We don’t often pay a lot of attention to “competitors”, but this week we were forced to take a look at Sucuri.net’s malware removal service because we had a client that used them to remove malware from their website (but it came back). In fact the malware and malicious code came back every day for 8 days straight, and Sucuri kept removing it. At this point the client hired us to fix the website for good because even though Sucuri fixed it (every day) for free – it was kind of annoying to him (as well as concerning) to have them remove it each day, without fixing it for good. Would they have kept removing the malware for an entire year without fixing the root cause?
Once we learned this, we had the client forward the Sucuri Support email he received each day after the cleanup, and this is what the body of the email looks like:
Hi,
Your site is now clean and malware-free. The following files were compromised and fixed:
CLEARED: Cleared malware from file: ./wp-includes/https.php
CLEARED: Cleared malware from file: ./wp-includes/legacy.php
CLEARED: Cleared malware from file: ./wp-includes/feed-print.php
OK: Hardening ./wp-admin/setup-config.php on WordPress
CLEARED: Cleared malware from file: ./wp-content/themes/elegant-grunge/Image.class.php
CLEARED: Cleared malware from file: ./wp-content/plugins/akismet/native.php. Details: http://sucuri.net/malware/backdoor-phpfilesman02
CLEARED: Cleared malware from file: ./wp-content/plugins/wp-cart-for-digital-products/wp_cart_for_digital_products.php
CLEARED: Cleared malware from file: ./wp-content/plugins/lock-out/lock-out.php
CLEARED: Cleared malware from file: ./wp-content/plugins/googmonify/googmonify.php
CLEARED: Cleared malware from file: ./wp-content/plugins/get-recent-comments/get-recent-comments.php
Please follow these steps to avoid reinfection: http://sucuri.net/kb/after-the-cleanup
This ticket is now in resolved status. If there is no further activity in the next 24 hours, this ticket will be automatically closed. Feel free to open a new ticket if you require further assistance.
Thanks for using Sucuri! 🙂
Every day he got the same email, with the same listing of cleaned files. To be fair, Sucuri does give that link to an “after the cleanup” page, but all it really says is to change your passwords, run a virus scan on your PC, update your website, and start doing backups. That’s it. All the things they tell you to do are great, but they’re just a (very) few bits of preventative maintenance. None of them have anything to do with securing and hardening your WordPress website. Also, they tell you what type of malware infection your website had (according to their internal definitions), but they don’t tell you where the security hole actually was (or how to plug it).
It seems to us that Sucuri.net is a one trick pony. They can remove the malware from your website, they even have a really cool malware scanner plugin that you can install for free to make sure you’re not infected. But they do not (that we can see) offer any actual security and hardening services for WordPress, nor do they help you fix the security hole(s) that got your website hacked into in the first place.
*Update*: Sucuri has commented below that the reason the malware “came back” was that the client was running WordPress 2.8.4 and 2.7 in the same hosting account, and this was why the malware kept coming back every day. Some people may have focused in on that part of our observations, but it wasn’t really the point.
We have a couple comments on this…
The first being – after the malware was removed – the confirmation email to the client provided a link to an “after the cleanup” page, and one of the points on that page was to “keep WordPress updated” (and the client obviously didn’t follow that recommendation). Sucuri’s position is probably that if the client had done that, the site would not have gotten reinfected. Our position is that this really doesn’t matter at all – even if he had done that, if the website wasn’t completely secured it could have been hacked again.
What we probably should’ve provided were a few more points about what we did for the client – and why a malware removal service (alone) is almost never good enough.
Although Sucuri does what they do well (malware removal for a flat yearly fee), they are only able to offer that one service for that price.
When this client came to us (after using Sucuri), during the security and hardening process of his WordPress website we did a lot of things including:
-complete reinstall of WordPress core files
-complete reinstall of all plugins
-removal of plugins without an update in the last 12-18 months
-scanned and checked the theme for vulnerabilities
-scanned all content in the database
-reset all passwords
-manually reviewed user accounts
-setup and configured an all-inclusive security plugin
-and dozens of other security and hardening points
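The first few items on that list (reinstall core, reinstall plugins, drop abandoned plugins, scan for injected code) all come down to one question: what is on disk that a clean install would not have put there? The script below is an added example, not code from the original post or from any service it discusses. It walks a WordPress-style tree and reports (1) files under wp-includes and wp-admin that are not in a known-good manifest, (2) plugins whose newest file is older than about 18 months, and (3) PHP files containing common obfuscation or backdoor markers. The manifest, the sample tree and the planted file contents are all constructed for the demo; the planted file name reuses one path from the Sucuri email above purely for illustration. Using file modification times as a proxy for “last plugin update” is an assumption stated in the code; a real audit would use the plugin’s release date.

```python
"""Post-cleanup triage of a WordPress tree (added example; sample data is constructed)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructs that show up in a lot of injected PHP. A hit is a lead to review by hand,
# not proof of compromise: some legitimate code matches too.
SUSPICIOUS_PATTERNS = {
    "eval-of-decoded-blob": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "preg_replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
    "request-to-exec": re.compile(
        r"(?:system|exec|passthru|shell_exec|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)"),
    "long-base64-literal": re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]"),
}

# A real manifest comes from a pristine copy of the same WordPress release
# (hash every file it ships). This short list is constructed for the demo.
CORE_MANIFEST = {
    "wp-includes/version.php",
    "wp-includes/functions.php",
    "wp-admin/setup-config.php",
}
CORE_DIRS = ("wp-includes", "wp-admin")


def find_unexpected_core_files(root, manifest):
    """Files under the core directories that a clean install does not ship."""
    root = Path(root)
    found = []
    for core_dir in CORE_DIRS:
        for path in (root / core_dir).rglob("*"):
            if path.is_file():
                rel = path.relative_to(root).as_posix()
                if rel not in manifest:
                    found.append(rel)
    return sorted(found)


def find_stale_plugins(root, max_age_days=540, now=None):
    """Plugins whose newest file is older than max_age_days (default ~18 months).

    Assumption: file mtimes approximate when the plugin was last updated.
    """
    now = time.time() if now is None else now
    plugins_dir = Path(root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return []
    stale = []
    for plugin in sorted(p for p in plugins_dir.iterdir() if p.is_dir()):
        newest = max((f.stat().st_mtime for f in plugin.rglob("*") if f.is_file()), default=0)
        if now - newest > max_age_days * 86400:
            stale.append(plugin.relative_to(root).as_posix())
    return stale


def scan_for_suspicious_php(root):
    """Map each PHP file to the pattern names it matches (files with no hits are omitted)."""
    root = Path(root)
    hits = {}
    for path in root.rglob("*.php"):
        text = path.read_text(errors="replace")
        names = [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
        if names:
            hits[path.relative_to(root).as_posix()] = names
    return hits


def triage(root, manifest=CORE_MANIFEST, now=None):
    """Run all three checks and return one report dict."""
    return {
        "unexpected_core_files": find_unexpected_core_files(root, manifest),
        "stale_plugins": find_stale_plugins(root, now=now),
        "suspicious_php": scan_for_suspicious_php(root),
    }


def build_sample_site():
    """Construct a small WordPress-like tree in a temp dir (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wp-triage-"))
    files = {
        "wp-includes/version.php": "<?php $wp_version = '2.8.4';\n",
        "wp-includes/functions.php": "<?php function wp_noop() { return true; }\n",
        "wp-admin/setup-config.php": "<?php // installer\n",
        # Planted file: not in the manifest and carries an eval of a decoded blob.
        "wp-includes/https.php": "<?php eval(base64_decode('aGVsbG8='));\n",
        "wp-content/plugins/akismet/akismet.php": "<?php // recently updated, clean\n",
        "wp-content/plugins/old-plugin/old-plugin.php": "<?php // abandoned plugin\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    # Backdate the abandoned plugin by two years so the staleness check trips.
    two_years_ago = time.time() - 730 * 86400
    old = root / "wp-content/plugins/old-plugin/old-plugin.php"
    os.utime(old, (two_years_ago, two_years_ago))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for section, result in triage(site).items():
        print(f"{section}: {result}")
```

Pointed at the sample tree, the report names the planted wp-includes file twice (unexpected in core and matching the eval pattern) and the backdated plugin once. Against a real site the point of the manifest check is that it catches files the pattern list would never match, which is exactly the gap a signature-only cleanup leaves open.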
We’re not saying Sucuri doesn’t work (it does). In our opinion it’s just not the same (or enough) as hiring someone to manually review and secure and harden your website, and to install disaster recovery options. One of our biggest beefs was that the “after the cleanup page” on Sucuri didn’t contain either links to detailed information or even a service / person you could hire for this. In a LinkedIn WordPress group discussion about this Dre Armeda says that Sucuri does offer additional security and hardening services, as well as another WordPress security plugin. While not all of the malware removal customers would take advantage of it – that’s probably information they should have presented on the “after the cleanup” page.
Again, if all you need is malware removal, Sucuri.net as a flat fee malware removal service works great. They also do have security and hardening services available. For business website owners – we advise our clients to take advantage of our WordPress malware removal / security and hardening services. If you have a malware infection, we will fix your website by removing the bad code, we’ll find and fix the source of the break-in, secure and harden your website to protect against future hack attempts, and setup a disaster recovery option that suits your needs.
Good points. Just removing the malware without addressing the security issues only invites additional hacking attempts.
so very true – thx for the comment
As I said elsewhere, it is very easy to write a post without real information of what happened (specially when you are trying to sell a similar service).
If you look at that client thread with us, you would see that a lot more happened than what you describe (things outside our control).
Since we don’t discuss client matters publicly, I will leave it at that.
@David – actually we don’t think additional details would help at all. Even if the malware hadn’t come back at all, if it was removed (once) and the root cause wasn’t fixed – it could come back. Your “after the cleanup” page offered little more than simple points to change passwords and keep WordPress updated. Maybe in some cases you can do some simple hardening like permissions changes, an .htaccess tweak, or timthumb fix – the non technical business website owner would be better suited with more details or at best “we fixed your site, but it’s not as secure as it could be. Here’s some information, or if you’re not a diy tech person, here’s the services we offer to fix that…” We didn’t find that to be the case when this client used your service, and that was the main commentary…
You are missing the point. I won’t go into details, but the client had sites running WP 2.8.4 and WP 2.7 (very very outdated) in the same server account. That’s how it was getting reinfected and we notified him to update (or move those sites away).
That’s why I am saying you are not seeing all that happened.
@David – points well taken, the post has been updated to reflect our feelings about this
Hi!
I have a problem with an infected website. To me the problem isn’t removing the malware, since it is pretty easy to find with grep. But I don’t know where the security hole is and how to fix it, that’s the problem.
I contacted Sucuri and initially thought they would fix “everything”. I kind of took that for granted. What’s the point if they don’t?
But when I started asking questions about preventive actions and fixing the security hole they suddenly stopped answering my mails. I sent 6 mails since but they never responded to any of them. Is that a serious business?
I won’t hire Sucuri ever.
I really can’t comment on them answering or not since we are not involved with that company. The Sucuri service itself that we know on the face of their website is a flat fee service for malware removal. I believe if you want preventative actions and how to remove the hole type of info you actually have to hire them (or us or some security expert) to do the work. That’s kind of the whole and total point of the blog post. The flat fee malware removal service they have works great, but to keep it from happening you need a little more security and hardening. At the time we (first) wrote this blog post we didn’t think you could hire them for those services (but it appears you can). Maybe they didn’t respond because the flat fee service you paid for didn’t include that type of consulting? In any event hiring someone to clean and lock down your website is the best advice we can give.
Hi Daniel, it would be nice to respond to you via email or through your website, I don’t see them added to your comment unfortunately.
We have never marketed or told anyone that we fix “everything”. Sucuri’s services are clear, and our process is very public.
Lastly, there is not a single email we do not respond to, you can always give us a call as well.
I can relate. Sucuri.net paused its service to my website because it cannot solve the malware issues for eleven days now.