Sucuri Site Check Fails To Detect WP Sites WordPress Core Hacked – Review

Got my site hacked today which was a bit of fun.

Here’s how I found out what happened and how I fixed it.

Only affected the core WordPress files.

http://wpsites.net..proxy.piratenpartij.nl

Not very smart hackers because they added a dot which 404’d the pages they were trying to redirect! hahaha

How Did I Know I’d Been Hacked

Wordfence alerted me when I installed it today and completed a scan after noticing some menu links redirecting to proxy.piratenpartij.nl

If I had the Wordfence plugin installed before like I normally do, I probably wouldn’t have been hacked. After installing the plugin and running a scan I received an email alerting me of the problems found on WP Sites.

Wordfence found the following new issues on “WP Sites”.

 

Alert generated at Wednesday 17th of October 2012 at 05:48:11 AM

Critical Problems:

* WordPress core file modified: wp-admin/images/icons32-2x.png

* WordPress core file modified: wp-admin/images/icons32-vs-2x.png

* WordPress core file modified: wp-admin/images/stars-rtl.png

* WordPress core file modified: wp-admin/images/stars.png

* WordPress core file modified: wp-content/index.php

* WordPress core file modified: wp-includes/images/admin-bar-sprite-2x.png

* WordPress core file modified: wp-includes/js/tinymce/themes/advanced/skins/wp_theme/img/embedded.png

Warnings:

* User “tienwru” with ‘subscriber’ access has a very easy password.

I found all my site’s static pages had been affected. The ones included in my primary and secondary menus and the links in my footer.

Posts were unaffected.

Sucuri Scan

I completed a scan using Sucuri which was clean before I ran the Wordfence plugin scan.

I then completed the Wordfence scan immediately after using Sucuri, which detected the WordPress core files were hacked and critical.

I scanned my site again using Sucuri’s free Site Check Tool which showed my site was clean.

Update: The Free Sucuri site check tool failed to detect that main menu links were redirected to pirate sites because they had been hacked with malicious redirect code.

Sucuri’s Tony Perez has commented on this below.
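
An HTTP-side check of menu links, as an added example that is not part of the original post and is not Sucuri's code: it lists every link in a page whose host is not the site's own. The markup in `SAMPLE_MENU` is constructed, the function names are hypothetical, and the check assumes the altered link is visible as an `href` in the served HTML.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed menu markup; the post does not show the real HTML.
SAMPLE_MENU = """
<ul id="menu">
  <li><a href="/about/">About</a></li>
  <li><a href="http://wpsites.net/blog/">Blog</a></li>
  <li><a href="http://wpsites.net..proxy.piratenpartij.nl">Beginner Videos</a></li>
  <li><a href="https://wordpress.org/">WordPress</a></li>
</ul>
"""


class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def classify_host(host, site_host):
    """Return None for the site's own host, otherwise a reason string."""
    host = host.lower().rstrip(".")
    if host in (site_host, "www." + site_host):
        return None
    if ".." in host:
        return "malformed host (empty label)"
    if host.startswith(site_host + "."):
        return "site name used as prefix of another domain"
    return "off-site host"


def audit_links(html, page_url):
    """Return (href, reason) for each link that resolves off the site."""
    site_host = urlsplit(page_url).hostname
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        host = urlsplit(urljoin(page_url, href)).hostname
        reason = classify_host(host, site_host) if host else None
        if reason:
            findings.append((href, reason))
    return findings
```

Calling `audit_links(SAMPLE_MENU, "http://wpsites.net/")` reports the double-dot host and the ordinary external link; legitimate external links still need an allowlist before this is useful as an alert.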

How To Fix

I simply deleted both the wp-admin and wp-includes folders from my public_html root directory and uploaded fresh ones.

I followed my own post about how to update WordPress manually and replace the corrupt files.
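
The kind of integrity check the Wordfence alert reports can also be run by hand against a fresh copy of the same WordPress release before anything is replaced. This is an added example, not code from the post or from Wordfence; `compare_core`, `hash_tree` and the directory layout are assumptions, and the demo files are constructed placeholders.

```python
import hashlib
import tempfile
from pathlib import Path

# wp-content/index.php is included: the Wordfence alert above flags it.
CORE_ROOTS = ("wp-admin", "wp-includes", "wp-content/index.php")


def hash_tree(base):
    """Map relative path -> SHA-256 for every file under CORE_ROOTS."""
    base, digests = Path(base), {}
    for root in CORE_ROOTS:
        start = base / root
        files = [start] if start.is_file() else start.rglob("*")
        for path in files:
            if path.is_file():
                rel = path.relative_to(base).as_posix()
                digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_core(installed, reference):
    """Return core files that were modified, are missing, or were added."""
    live, clean = hash_tree(installed), hash_tree(reference)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "missing": sorted(p for p in clean if p not in live),
        "unexpected": sorted(p for p in live if p not in clean),
    }


def demo():
    """Compare two constructed trees (placeholder bytes, not real WordPress files)."""
    sample = {"wp-admin/images/stars.png": b"constructed image bytes",
              "wp-content/index.php": b"<?php // Silence is golden.",
              "wp-includes/version.php": b"<?php // constructed"}
    with tempfile.TemporaryDirectory() as tmp:
        for side in ("clean", "live"):
            for rel, data in sample.items():
                path = Path(tmp, side, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        live = Path(tmp, "live")
        (live / "wp-content/index.php").write_bytes(b"<?php // constructed change")
        (live / "wp-includes/extra.php").write_bytes(b"<?php // constructed stray")
        return compare_core(live, Path(tmp, "clean"))


if __name__ == "__main__":
    print(demo())
```

The "unexpected" list matters as much as "modified": a file that exists in the live core folders but not in the clean release would survive a cleanup that only overwrites known files.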

10 Ways To Secure WordPress

I’ve written many posts about the best ways to secure WordPress but since moving to WPEngine, I’d removed all the security protection and relied on them to protect my site.

Always a good idea to keep multiple full backups stored away from your server like I have.

Think You’ve Been Hacked

If you think you’ve been hacked, WordPress offers a very extensive list of information for anyone that thinks they have been hacked.


Comments

19 responses to “Sucuri Site Check Fails To Detect WP Sites WordPress Core Hacked – Review”

  1. Brad Dalton uhm Hi
    Uhm I am coming back from what I said ..
    You are RIGHT !
    Sorry I was too quick w my answer

    1. Brad Dalton

      Could you please confirm who you are. Thanks.

      1. I am Danielle from The Netherlands 35 years and Web Developer. I have been using Sucuri for a couple of days, the paid version, I also love Wordfence and Better Wp Security and Vaultpress. I have been playing around with some security plugins as well as to speed my website, It’s very hard to get the right setup, I read a lot about WordPress Development and the behaviour of some plugins. That cost time. Sometimes I respond too quick. So that was it about me

        1. Brad Dalton

          Thanks for the clarification and I always welcome constructive feedback Danielle.

  2. Wordfence here and there and blabla … Sucuri has a WAF Cloudproxy now so there is no chance to change files anyway and also no need to have Wordfence or Better WP Security

    1. Brad Dalton

      Good stuff.

      How about their online tool?

  3. Brad I find you very annoying, you bash Sucuri on a lot of sites, you have installed a Free Plugin who will detect malware and injected stuff, but it is basic. I have paid for their service and use the premium service which has No plugin. okay ?!

    If you love Wordfence so much then please stay there. WPEngine has no options that they have the server side option from Sucuri, they wish they had.

    It is 89 dollar each year which can never be in WPEngine at all for a price of 39 euro each month what is also a too overpriced service. The Sucuri Plugin is free and is standalone from the paid service which has server side scanning and a lot more. – Danielle

    1. Brad Dalton

      Haydrion or Danielle?

      I have never bashed Sucuri on any sites.

      This is the only site I have written about Sucuri or made any comments relating to them.

      It’s a real review based on my own personal experience after my site was hacked.

      It’s 100% honest and accurate which includes both the pros and cons based on real testing using several plugins, an online tool and files with malicious redirects.

      I never had anything to do with Sucuri or anyone from Sucuri before I wrote this post.

      I’m not writing beaten up rubbish like most Sucuri affiliates, simply to mislead people into clicking an affiliate link and buying Sucuri.

      Because, based on my testing, it’s a beaten up product that doesn’t protect anyone.

      By the way, who are you really?

      Skype me if you want to discuss further.

  4. Robert Abela

    Just stumbled upon this interesting post and comments as well.

    What Tony is saying is correct, i.e. SiteCheck cannot identify a changed file like WordFence (p.s. integrity file checks are really good to have).

    But then again, if the hack meant that links on the main page menu were redirecting to pages with malicious content, SiteCheck should have detected those…

    My 2c

    1. Brad Dalton

      Exactly.

      I did also install the Sucuri plugin and it didn’t pick up the redirects in the main menu links either.

      I also noticed Tony has written an interesting review of the Wordfence plugin on one of his personal sites.

      Thanks for the comment Robert.

  5. Hi Brad

    This is not true:

    My site is hosted by WPEngine who have enabled server side scanning using Sucuri and never detected the hack and injection of malicious code.

    Server side scanning is not enabled on your site - I personally confirmed the configuration.

    Also, the differentiation I have made is between HTTP scans and server-side, SiteCheck uses HTTP scans.

    Again this statement shows you are missing the point altogether:

    It’s clear a free site scan (Site check) won’t detect an injection of malicious code.

    This is a grossly inaccurate statement.

    Take Care

    Tony

    1. Your advertising is misleading Tony.

      Your free Site Check service DOES NOT cover sites which have been injected with malicious code.

      This free site check, unlike Wordfence, cannot detect sites which have been hacked and injected with malicious code.

      After running the scan using the Wordfence plugin, I was notified by email that my site’s WordPress core files had changed and been injected with malicious code.

      I then went to http://www.sucuri.com and ran a Site Check which didn’t detect anything. So what is the point of using your free Site Check?

      It scans the web page URLs so it should have picked up these URLs http://wpsites.net..proxy.piratenpartij.nl

      When I clicked on Beginner Video’s link in the nav menu, it redirected to proxy.piratenpartij.nl

      It didn’t and reported ALL CLEAN. (Which is clearly wrong or unacceptable)

      Someone coming to your site and entering in their website address would expect your Site Check tool to scan the main pages linked in their nav menu to see if any of them had been hacked. Your tool doesn’t do this properly as proven by the site check I ran.

      STOP blaming your users when your Site Check Tool is misleading.

    2. Brad Dalton

      Tony

      Your comments are grossly inaccurate, false and misleading not unlike your Site Check Tool which doesn’t do anything useful.

      “SiteCheck uses HTTP scans”

      Then why didn’t it pick up a malicious redirect from a navigation menu link?

      What’s the point in using it if it only gives people a false sense of security?

      You have totally missed the point because you are focused on protecting and hyping up your brand.

      What you should be focused on is providing real solutions for WordPress users which can really protect their sites and detect hacking. Your Site Check Tool doesn’t do this!

  6. Brad,

    The meat of your comparison fails basic logic. How could Sucuri possibly scan your core files with their free scan? They don’t have direct access to your server (duh) like the plugin does. WordFence *should* detect much more than Sucuri’s scan. Because WordFence has access to your entire install.

    The Sucuri scan is supposed to be a basic security check based on publicly available files and information. That’s why they list your WordPress version, public js files, theme information, etc. They also can determine if your site is being routed through an iFrame or forcing background downloads. It’s actually pretty awesome considering they *don’t* have server access.

    You really need to clarify what’s going on between these two security measures.

    1. Hello mate!

      Great to see you again.

      Please see the reply I gave to Tony.

      Yes there’s different types of scans.

      The free site check clearly doesn’t scan your server therefore cannot detect an injection of malicious code.

      Some users of the FREE SITE CHECK may think it does so it’s good to clarify this.

      Therefore you need to install a plugin which does like Wordfence or sign up as a client at Sucuri.

      Thanks for stopping by Buddy, always enjoy your conversation.

      P.S. Hope you’re not going to turn into a troll or Cyber bully Brian. hahahaha

      Cheers Brad

      Really love the controls WordPress gives you don’t you?

      1. Hi Brad

        Your response makes no sense and it’s hard to think that this post was meant to accomplish anything but try to garnish traffic by using our brand.

        Based on what you’re saying, then maybe an appropriate title would be “How to effectively use Sucuri SiteCheck” or “Complimenting Products: WordFence and Sucuri SiteCheck.” Either title would support the statements you are now making. But your existing title and post content does the complete opposite, you’re saying, implying, SiteCheck failed, but it didn’t. It did what it was designed to do, so again, I fail to see the comparison.

        You also say it fails to detect an injection of malicious code, that is not true. As I stated, if a file is injected that doesn’t display anything on the client (i.e., the browser) then there won’t be anything to report. Same reason Pharma and Phishing sites are so difficult to detect.

        In your case, a core file, that has no public display, was modified, likely to embed some kind of shell or backdoor of some kind, again, not something anyone would detect remotely. So again, not something SiteCheck would or ever would detect – it’s impossible without access to your server.

        So in short, if what you’re saying in the comments is true, then you can’t help but think that your title choice was nothing more than intentional SEO poisoning for traffic generation with a poor understanding of the facts.

        Thanks for the clarification though.

        Tony

        1. Not SEO poisoning Tony. I’m disgusted!

          You clearly like to bully anyone that doesn’t agree with you and writes about their own personal experience.

          You even suggest what titles people should use when they write about your service.

          I am extremely disappointed with the hype you have created around a product & service which doesn’t work based on my experience.

          Better that you fully disclose exactly what your Site Check Tool does and doesn’t do, with the pros and cons rather than go after anyone that finds faults and weaknesses in your tool.

          This is not a game and I only welcome mature, quality conversation on this site.

          MY content is 100% accurate based on my personal experience using your Free Site Check Tool after I had been hacked.

          You are welcome to write a guest post to clarify ALL the pros and cons of your tool and clear up anything which may be misleading, misunderstood and/or inaccurate on your website content or mine.

  7. Hi Brad

    Not surprised, these are changes to files that won’t display anything on the client browser. In order for SiteCheck, which is what you’re referring to, to work it has to display something. WordFence did an integrity check, found files were different and reported it to you. That’s actually a very good feature, one that is supported in our server-side scan for paying clients.

    In essence you’re comparing an apple to an orange. My expectation is that WordFence, which is doing a server side scan via their API would detect a change such as the ones you outlined above, and it did. It is not the same for the SiteCheck, there would be no way for it to do an integrity check remotely without access to your server.

    I really need to put out a post on how SiteCheck works as there seems to be a lot of confusion.

    Thanks

    Tony Perez
    Sucuri

    1. Thanks for stopping by Tony.

      I blame no one for this except myself and really did enjoy cleaning up the injection as I have written about it before and am not scared of being hacked.

      I left myself open to being hacked after deactivating Wordfence and other security measures.

      My site is hosted by WPEngine who have enabled server side scanning using Sucuri and never detected the hack and injection of malicious code.

      Really wasn’t a major problem and I cleaned it up totally in a few minutes.

      I’m glad you clarified the difference between a free site scan and server side scan.

      It’s clear a free site scan (Site check) won’t detect an injection of malicious code.

      Maybe WPEngine should explain why this happened.

      Cheers
