After our webinar on April 28, 2016 with Tony Perez, CEO of Sucuri, he had received questions during the webinar. These are his answers.

1.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
Our April webinar discussed ​How Websites Get Hacked​. Last month we learned
the various impacts of a website compromise. This month, Tony went in depth
into the tactics attackers employ to compromise websites.
Understanding the HOW allows us to think about the areas that are most
important to us, and implement security controls to help mitigate our risk
potential.
This webinar was presented by our Co­Founder / CEO, Tony Perez, who took
questions following his presentation.
This online event was tailored for website owners who:
● Are concerned about or interested in website security
● Are trying to consider which security controls to employ
● Want to know the latest attack trends
● Are genuinely curious and weighing their security risks
April 28, 2016

2.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
Tony Perez
Co­Founder / CEO
He was introduced to technology at the ripe age of 18 and has not looked back
since. He’s committed the past 15 years to navigating through various technology
industries, investing heavily into the website security domain the past 5 years.
Tony works at Sucuri, considering himself their number one fan, rivaled only by
his partner in crime, Daniel Cid. He has spent the better part of the past five years
helping to build and grow what today is recognized as a global powerhouse in
website security.
April 28, 2016

3.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
1 ­ Besides brute force attacks on access control, we see some compromises by actors that
obtains real credentials to the site via other means (keyloggers or password dumps from
other sites where users have the same u/p). How to address that?
Yes, this is something we discussed in the presentation. Some attackers do have large data
stores of username / password combinations they’ve purchased or stolen. The best mechanism
to address this is to employ things like IP whitelisting (if possible, but can be achieved by
restricting access to a VPN) or by enabling some form of Multi­Factor authentication.
If you ever feel your password was part of a previous data breach, then it’s advised you change
them immediately. I’d also advise leveraging things like Password Managers, and generating
unique passwords for as many accounts as possible. Your goal is to not know any password. It’s
harder than it seems.. :)
2 ­ If I give each domain on my server an individual user permissions will that stop cross
domain hacking on a server box?
It will come down to how the server is configured, but in many instances it will stop the
cross­site contamination, as long as the user doesn’t have root access to the box, or doesn’t
find some form of privilege escalation vulnerability.
3 ­ Are there known host providers that are more susceptible than others?
A lot of the hosts that are not real hosts, but are services offered as its own revenue stream are
the most susceptible.
4 ­ Hi Tony, would there be any conflict using Wordfence together with Sucuri?
There shouldn’t be, but sometimes there are. Wordfence can generate a lot of false positives,
which can cause confusion (i.e., Wordfence says this is a bad file, Sucuri says it’s not) ­ get into
this endless back and forth. They also have a tendency to block our network and have been
unwilling to whitelist our network so there could be issues there. For the most part it should
work fine.
April 28, 2016

4.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
5 ­ We are using your service and all traffic goes to our website through your servers, do we
still need to update our code regularly as we can see virtual patching done by your firewall on
most of the attacks ?
Having a strong patch management process is always recommended. Our virtual patching will
address exploit attempts against vulnerabilities in your environment, often the ones addressed
via patches. While we’d never say you don’t have to anymore, you will be covered if there is a
delay.
6 ­ I experienced problems with attacks, defacement on wordpress environment... etc. But
also with Sucuri installed. Also scan function never identified the malwares installed by
attackers. For now, I have to say that only emails from logged in users and emails from login
failed (brute force attacks) were useful
This doesn’t surprise me, the plugin is a utility plugin. There are ​varying degrees of security
plugins in the WordPress ecosystem​ which I’ve written about in the past. It’s not designed to
do a comprehensive scan. I encourage you to ​read how the remote scanner works​. The free
plugin is not what Sucuri is about, we are a security company first, the plugin is a simple utility
for the WordPress platform. I’d also encourage you to check out the hardening features and
play with the post­hack and auditing components. It’s a great tool to maintain visibility into
what is going on with your environment.
7 ­ What do you think about Patchman as proactive security application ? Can I use your
service as a reseller?
Don’t think much about patchman, I suppose it helps keep up with an organization's patch
management process. As for reselling, I’d encourage you to reach out to our team to see if
there are any potential synergies.
April 28, 2016

5.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
8 ­ As a Sucuri customer, is WPScan automatically deployed or available for deployment? Is it
freeware or subscription model outside Sucuri? Do you have a checklist for small staff users, a
set of basic things we should do and how often we should use them? Are there hosts that you
recommend
I like the folks over at ​SiteGround​, I’d check them out. If you’re looking for a managed
WordPress host I’d encourage you to check out​ WPEngine​.
If you’re using WordPress, which I believe you are, I’d encourage you to install our free Security
plugin ​out of the repo​. It’s very simple, easy to use, and the best part is that it provides a very
straightforward list of things to do to harden the environment. Lastly, I’d redirect your
attention to the ​Hardening section on the repo​. Hope this helps, let me know if there is
anything else I can do.
Lastly, for WPScan, they are a free to use product and so you don’t require any Sucuri services
to use it. :)
9 ­ Are WP security plugins like iThemes Security Pro any good?
The question isn’t whether something is good or bad, but what you’re looking to do. The
iThemes Security Pro plugin is a great utility tool, if you want to go in and configure and tweak
we highly encourage it. Read more on ​my thoughts about security plugins in the WordPress
ecosystem​.
10 ­ What type of tools or services besides Sucuri would you suggest for a website built on
Wordpress? What would you suggest to tighten any back doors on a WordPress CMS
environment? Any blogs or websites we can check out on a weekly basis to read up on the
latest threats or learn to plug things up?
Not sure, what are you trying to do? Security tools? Marketing tools? Business tools?
I’d suggest not tightening, but removing them if possible. The key however will be identify
them, and I suggest doing that via some form of integrity checks and / or employment of an
Intrusion Detection System (IDS).
April 28, 2016

6.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
You can always stay on top of the latest security vulnerabilities by visiting the ​WP Scan
Vulnerability Database​. And of course ​our blog​.
11 ­ Sucuri offers a pretty good website checker tool, are there any others out there that can
offer help in diagnosing vulnerabilities or attacks?
Well vulnerabilities are different than compromises. So if you’re looking for vulnerabilities I’d
recommend the ​WPScan project ​which we also sponsor, and you can also use ​Unmask Parasites
and ​SiteCheck​.
12 ­ Many of us are using 3rd party services for email campaigns, SEO, Zapier, etc. What
advice for these environments for us?
These are tough, I too use some of them. I always encourage having an open line of
communication with the service providers to understand how they handle security. I also don’t
like things like Universal Tag Managers where someone is able to bypass security controls
designed to reduce access to an environment.
13 ­ We have seen an increase in attempts on Joomla, is this become an known industry wide
pattern? Are there any stats available on the number of sites hacked and what platforms are
most vulnerable?
Great question, stay tuned for more info on this in our next webinar.
14 ­ My WordPress website utilizes Sucuri's CloudProxy Website Firewall. Is there any need
for me to also install another security plugin like iThemes Security Pro or Wordfence?
Nope, as long as everything is configured you’re fine. We’d recommend our ​free WP plugin​ as
it’ll look at things from an auditing perspective, other than that you’re fine.
April 28, 2016

7.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
15 ­ One form of attack turns a WordPress site into an outbound message sender. What is this
about and how can it be detected?
Oh yes, very annoying. They sometimes abuse your forms send function, so adding a captcha
will often address that. Sometimes it’s a server side script, which is very annoying, and you’ll
need to identify where the script is. Others it’s abuse of a server misconfiguration for the mail
server. Just there I mentioned three distinct scenarios, without more information it’d be
difficult to answer this question.
16 ­ Thinking of risk containment. Does docker images provide any barriers in "shared
environments" if you run several sites in separate docker containers on a same setup.
It’ll come to the configuration of the docker images, but in many instances it should offer good
functional isolation.
17 ­ Can you recommend a Password Manager?
Fan of ​1Password​ and ​LastPass​.
18 ­ WordPress recently released a new update. Because of customized code and plugins on
our website, it can be quite time consuming for our web development team to make sure
everything is compatible with the newest WordPress version. How do I know which
WordPress updates are critical to website security? What kind of timeline do I have before I
become vulnerable? If my website it protected by CloudProxy, why do I need to worry about
websites and plugin updates?
Well, if a vulnerability is disclosed and patched and made public, then you are vulnerable at
that moment. Technically, you’re vulnerable as long as the vulnerability is in the environment,
whether it’s disclosed or not.. :) Attacks to said vulnerability can happen as quick as a few hours
from disclosure, to a few days, just depends on how big of an issue it is. As for why worry about
updates, it’s good habits. No solution is ever 100%, but they are best practices everyone should
follow.
April 28, 2016

8.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
19 ­ What type of penetration testing/intrusion detection testing is available when our sites
are behind Sucuri's CloudProxy?
Not sure I understand the question. Are you looking to test the effectiveness of the product? Or
are you looking to test your own environment?
20 ­ What are the legal liability to agencies that want to use Sucuri for their clients?
I encourage you to ​reach out to our team​ to discuss further.
21 ­ Which platform is safer­ Wordpress or Drupal? We are currently using Wordpress, but
not trained in Drupal, which is more complicated. Does it really matter? Is it safer if the site is
managed by a Cloud­based host?
The CMS doesn’t matter, the issue is not the platform, it’s often how it’s deployed and the end
user. What do you mean by a cloud­based host?
22 ­ Do you consider Bluehost to be reputable/secure?
They’re a shared host, I encourage you to ​read how hosts account for your website’s security​.
23 ­ As a volunteer with self taught skills, what are my low­cost options for security?
Don’t know where to start with this question, it’d be like me asking a mechanic ­ Hey, don’t
want to spend any money, but can you tell me how to rebuild my engine? It’d be impossible to
cram years of knowledge into this response, but I what I recommend is starting with small
manageable parts. Focus on how you log in, employ things like Two Factor Authentication and
have a good patch management process (i.e., apply updates). Additionally, you want a backup
at all times.
24 ­ Can you describe your cloudproxy product? Can that be purchased as a separate product?
The CloudProxy is a custom Website Application Firewall (WAF) / Intrusion Prevention System
(IPS) designed specifically for websites, tailored for Content Management Systems (CMS) like
April 28, 2016

9.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
WordPress, Joomla!, Drupal, Magento and so many others. It functions as reverse proxy in
which we filter all incoming traffic for malicious requests; those requests are then stripped from
the requests before sending it off to your host. It helps mitigate Distributed Denial of Service
(DDoS) attacks and exploit attempts against software vulnerabilities (i.e., SQLi, RCE, LFI, RFI,
XSS, etc…). Yes, you can purchase the ​Website Firewall​ independent of our Website Security
Stack.
25 ­ Is hosting your own website on a windows server safe?
If you configure and maintain it, yes. The problem is, most don’t know how to configure or
maintain it, making it challenging.
26 ­ Which CMS engine seems to be the most secure?
I wrote an article that kinda talks to this, ​check it out​.
27 ­ Is it good practice to use Sucuri's WAF along with CloudFlare, so that I can take advantage
of their CDN network?
If you really need 70 + points of presence, then sure, but the Sucuri Firewall will provide you a
Content Distribution Network (CDN) and in many instances it’ll address your needs perfectly. It
will work together however.
28 ­ Would you speak to injection attacks and how Sucuri can be used to protect this attack
vector?
There are various forms of injection attacks, see my explanation for question 24 how the Sucuri
Firewall works. It should help explain how the technology works and how malicious requests
are stripped. If it doesn’t, let me know and I’ll try to explain in more detail.
April 28, 2016

10.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
29 ­ Can't we take any actions against Hackers ?
If you can locate them, sure. The problem however is it’s very difficult to do what’s called
attribution, the process of identifying who did it. If you’re big enough, you can work with law
enforcement in your country as well.
30 ­ First of all I love your products.. We have a number of Joomla 2/3 site and would like to
know do we need Akeeba Tools if we use Sucuri? I feel like maybe it is overkill?
Can you explain what a honeypot is?
Ah, thanks so much. Depends, which Akeeba tools are you using? Would need to know more to
better answer. A honeypot is an environment used to attract attackers so that we can study
their actions. Think of honey, or sugar, attract the ants and watch what they do.. :)
31 ­ Can you talk a little slower? It's a little difficult to understand.
I’m so sorry, but hopefully the recording will allow you to slow it down. I just get so darn
excited.. :)
32 ­ Is SSL must in any website? If yes, how secure is Let's Encrypt?
Personally, don’t think it is. Especially if you’re not taking other security precautions, ​I wrote an
article on the subject​. LetsEncrypt is a Certificate Authority (CA), they are good to go.
33 ­ Is Sucuri the only tool we need? Or is it wise to use Sucuri along with other products like
a Firewall, and SiteLock, WordFence, SSL, and iTheme Security? Or others?
If you used all the products at the same time, I can’t help but think you’ll run into a number of
conflicts and likely find yourself curled in a ball in the corner crying. We built Sucuri so that it
was the only tool you’d need, which is why we focus on the core areas ­ Protection, Detection
and Response. If we only focused on one area, then I’d say definitely supplement, but what
you’ll find, unless you are a security person, using all the tools will be overkill.
April 28, 2016

11.
Webinar: How Websites Get Hacked
Q&A by Tony Perez
34 ­ Does he have default or preferred settings for the Sucuri plugin in WordPress?
I usually run the Kill PHP execution feature, by far the one feature I recommend everyone use.
35 ­ Most of my attacks on my clients websites come from brute force attacks. What is the
best way to combat this?
Personally, I’d recommend a WAF/IPS solution like the Sucuri Firewall so that you can stop
getting the notifications and stop worrying about it. You can also employ things like IP
whitelisting or 2FA on your access nodes.
36 ­ If I utilize WPEngine they say the have robust security and if anything gets through and
hurts a site hosted on their platform they actually pay you guys Sucuri to fix it and I don’t get
charge WP Engine covers costs. Why would I need Sucuri on top of WP Engine?
WP Engine is a great host, we are a great Security company. They do leverage our remediation
services via our partnership. When a compromise occurs however, you won’t be able to engage
us, and it doesn’t include our protection services. So if you’re getting compromised, and you’re
ok with just cleaning it, then definitely stick with the WPE service on security. If you’re looking
to engage with our security team, understand what happened, and work to make sure it
doesn’t happen again, then I’d encourage working with ours. It’ll come down to preference. In
many instances, I have found that when it comes to security, website owners want to work
directly with us when shit hits the fan.
April 28, 2016