Breaking Site Functionality

An API key is required to activate some additional tools available in this plugin, the keys are free and you can virtually generate an unlimited number of them as long as the domain name and email address are different. The key is used to authenticate the HTTP requests sent by the plugin to a public API service managed by Sucuri Inc. Do not generate the key if you disagree with this.

This information is only sent by the plugin to the Sucuri API service if and only if you have agreed to generate the free API key; as you are complaining about this it means that you did not read that short text located below the form used to generate the key.

I will talk with our infrastructure engineers to see why the connection issues are happening,

Hello, my co-worker sent a message several hours ago to all the Sucuri team about a networking issue with one of our providers that affected multiple boxes used by CloudProxy [1] and other internal projects like wordPress.sucuri.net; this should be fixed at the moment. I will plan a modification of the code that powers the plugin to handle a situation like this (the connection issue) a bit better in the future.

I have read it and the API being used is fine as long as it doesn’t break the workflow when there is an exception on the server’s end. If it fails it should either fail silently or log it without breaking the functionality causing the post that is being made to be lost because it gets replaced with an error dialog. Plus why would it need to verify the certificate of the site you are on and within its admin panel making a post? If there is an external service is involved, fine, but no external calls, no need to verify anything.

I agree with you about the first part, that the plugin must fail silently if the server where the API service is being hosted fails to respond to the request, I am working right now to modify the code that powers that part of the plugin to improve the error handling, I will try to finish that this week.

About the second question, the SSL certificate verification is necessary to prevent MITM [1], as you are concerned about the privacy of the data that is being sent to the Sucuri servers having this option enabled is a good thing. If you disable it and keep the API key the plugin will continue sending the data attached to the event logs triggered by WordPress and a malicious user could get in the way and steal that information (which is not sensitive at all but you would still prefer to prevent that leak of information).

Marking as not resolved for now.

[1] https://en.wikipedia.org/wiki/Man-in-the-middle_attack

I am aware of what a MITM attack is and in the case of creating a post on the admin section and publishing does not expose itself to this. Your assertion is false in that regard.

If anything, the MITM can occur more likely during the communication between my server and your server than it can on my OWN authenticated server using local permissions that have ZERO to do with anything that can be intercepted because data is handled internally, not being sent anywhere.

What IS being sent, is information to you, however benign, which if someone can compromise YOUR server by hijacking DNS records or whatever, is where the potential for MITM can be introduced. During the Point A (Me) to Point B (You) communication. Not during the Point A (Me) to SELF.

Anyway, you are doing what you need to do to fix it, that’s enough discussion on it I suppose. BTW, I don’t educate myself with half baked Wiki articles, I have more reliable sources for that, and have for 2.5 decades in the field. Thanks though.