• Jarrod Whitley

    (@jarrodwhitley0518)


    I’m receiving this error under “Site is not Clean”. When I hover to see payload it says, “Google’s UA”.

Viewing 7 replies - 1 through 7 (of 7 total)
  • yorman

    (@yorman)

    That payload means that, when Google’s Web Crawler is trying to scan your website, your website is returning a “403 Forbidden” HTTP status code instead of “200 OK”. If you want to test by yourself, you can execute this command:

    curl -v \
    -H "User-Agent: Mozilla/5.0 (compatible; Googlebot/2.1; +https://www.google.com/bot.html)" \
    "https://boomerbenefits.com/"

    Apparently, you enabled an option on your Cloudflare dashboard that inserts a reCaptcha for suspicious HTTP requests. When Sucuri is trying to scan your website using Google’s User-Agent, Cloudflare inserts the reCaptcha because it —accurately— believes that the request is not really coming from Google but from an unknown service.

    This is certainly a bug that Sucuri may or may not be able to fix; it highly depends on how Cloudflare inserts the reCaptcha code. For now, just ignore the warning and hopefully —if Sucuri finds a fix— you will stop seeing it in future scans.

    Thread Starter Jarrod Whitley

    (@jarrodwhitley0518)

    Thank you for the quick response!

    jetxpert

    (@jetxpert)

    Same issue here. This is a serious bug with Sucuri. It also impacts iThemes/iThemes Security Pro (which we are using) since they also depend on Sucuri as their malware scanner.

    As reported by Cloudflare and iThemes Security Pro, IPs 35.175.205.111 and 52.203.142.240 are constantly pinging our website thus impacting both our bandwidth and confidence level in Sucuri. As a precaution, we have blocked these IPs (used by Sucuri) and reported them publicly as “abusive.”

    Cloudflare is a highly reputable company. It’s not their issue. They are reporting above IPs as “Fake Google Bots.”

    This ticket or request, therefore, is not solved. Please re-open it and implement a fix to eliminate this issue.

    Recommend contacting Google, Amazon, Cloudflare, and iThemes to find a solution.

    Thank you!
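
Added example (not part of the thread, and not Cloudflare's or Sucuri's code): one way an edge can decide that a request carrying Google's User-Agent is a "fake Google bot" is the forward-confirmed reverse DNS check that Google documents for verifying its crawler. The DNS tables and the `rdns`/`fdns` helpers below are constructed stand-ins so the check runs offline; how Cloudflare's own rule decides is not stated in this thread.

```python
import ipaddress

# UA string from the curl command earlier in the thread.
GOOGLEBOT_UA = ("Mozilla/5.0 (compatible; Googlebot/2.1; "
                "+https://www.google.com/bot.html)")
# Domains Google documents for genuine crawler PTR records.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")

def verify_googlebot(ip, reverse_lookup, forward_lookup):
    """Forward-confirmed reverse DNS: the PTR name must sit under a Google
    domain AND resolve back to the same address."""
    host = (reverse_lookup(ip) or "").rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False  # no PTR, or PTR outside Google's domains
    client = ipaddress.ip_address(ip)
    # The PTR zone is controlled by the IP owner, so it can claim anything;
    # only the forward lookup in Google's own zone is authoritative.
    return any(ipaddress.ip_address(a) == client for a in forward_lookup(host))

def classify(ip, user_agent, reverse_lookup, forward_lookup):
    if "googlebot" not in user_agent.lower():
        return "ordinary"
    if verify_googlebot(ip, reverse_lookup, forward_lookup):
        return "verified-googlebot"
    return "fake-googlebot"

# Constructed DNS data so the example runs offline (not real lookups).
PTR = {
    "66.249.66.1": "crawl-66-249-66-1.googlebot.com.",
    "35.175.205.111": "ec2-35-175-205-111.compute-1.amazonaws.com.",
    "203.0.113.7": "crawl-203-0-113-7.googlebot.com.",  # spoofed PTR
}
FORWARD = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}

def rdns(ip):
    return PTR.get(ip)

def fdns(host):
    return FORWARD.get(host, [])

if __name__ == "__main__":
    for ip in PTR:
        print(ip, classify(ip, GOOGLEBOT_UA, rdns, fdns))
```

Against live DNS, `socket.gethostbyaddr` and `socket.getaddrinfo` would take the place of the two constructed lookup helpers.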

    yorman

    (@yorman)

    Hello @jetxpert thank you for your message,

    > This is a serious bug with Sucuri […]

    I don’t think this is a serious bug.

    Let me give you an analogy to explain:

    If your website is your house, and you hire me to check your house every day to see if it’s been infected with malware, but you don’t give me the keys to enter, the only thing I can do is knock on your door and talk with whoever is in the house to see if everything is okay.

    One day, I discover that some burglars are entering houses in your neighborhood, they are doing it by using masks that allow them to pass as familiar faces to whoever is opening the door —(In this analogy, the mask is the “User-Agent” of anyone’s web browser)—. I still don’t have the keys to your house, so the only thing I can do to help is to use the same mask as the burglar to see if this trick works in your house, in which case I will consider your house as compromised.

    Now, let’s say you’ve decided to put a fence around your house —(let’s call this fence CloudFlare)—. With this fence, I cannot even knock on your door, so I send you a letter saying “Sorry, I cannot check your house, my access is Forbidden”.

    You see where I’m going with this?

    As I explained in my previous comment, there is a type of infection that reacts to the User-Agent in the request. This allows the malware to hide itself from anyone but web crawlers like Google Bot, Bing Bot, Yandex Bot, etc. The easiest way for Sucuri to check if a website is infected with this malware is to send a request pretending to be one of these web crawlers.

    > As a precaution, we have blocked these IPs (used by Sucuri) and reported them publicly as “abusive.”

    Actually, instead of blocking Sucuri’s IPs, you could just instruct CloudFlare to let any request coming from Sucuri in, that is if you really want the scanner to check if your website is infected with malware, otherwise you can keep them blocked.

    > Cloudflare is a highly reputable company. It’s not their issue. They are reporting above IPs as “Fake Google Bots.”

    I agree, both Sucuri and CloudFlare are working as expected.

    > This ticket or request, therefore, is not solved. Please re-open it and implement a fix to eliminate this issue. Recommend contacting Google, Amazon, Cloudflare, and iThemes to find a solution.

    I can mark the ticket as “not resolved” and contact CloudFlare to see if they want to work with Sucuri to implement an internal whitelist for Sucuri SiteCheck (which to me is unnecessary considering that CloudFlare customers can already whitelist an IP by themselves). Google, Amazon and iThemes have nothing to do here.

    I’ll update this ticket when I get an answer from CloudFlare.
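
Added example (not part of the thread and not SiteCheck's code): the scanner-side check described in the reply above, reduced to its decision. The same URL is fetched once with a browser User-Agent and once with a crawler User-Agent, and the two results are compared. Comparing the sets of `href`/`src` URLs is an assumption made for illustration, and the three response bodies are constructed samples.

```python
from html.parser import HTMLParser

class _Urls(HTMLParser):
    """Collect every href/src attribute value found in a page."""
    def __init__(self):
        super().__init__()
        self.urls = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.add(value)

def urls_in(body):
    parser = _Urls()
    parser.feed(body)
    return parser.urls

def compare(browser, crawler):
    """Each argument is (status_code, body) as fetched with that User-Agent.
    Returns (verdict, URLs served only to the crawler)."""
    b_status, b_body = browser
    c_status, c_body = crawler
    if b_status != 200:
        return ("site-error", [])
    if c_status != 200:
        # Something in front of the site refused the crawler UA, so nothing
        # can be concluded about cloaked content: the 403 case in this thread.
        return ("unable-to-scan", [])
    crawler_only = sorted(urls_in(c_body) - urls_in(b_body))
    return ("possible-cloaking" if crawler_only else "consistent", crawler_only)

# Constructed sample responses.
CLEAN = '<html><a href="/about">About</a><script src="/app.js"></script></html>'
CLOAKED = CLEAN.replace("</html>",
                        '<a href="https://spam.example/pills">x</a></html>')
CHALLENGE = "<html><body>challenge page</body></html>"

if __name__ == "__main__":
    print(compare((200, CLEAN), (403, CHALLENGE)))
    print(compare((200, CLEAN), (200, CLOAKED)))
    print(compare((200, CLEAN), (200, CLEAN)))
```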

    jetxpert

    (@jetxpert)

    Hi @yorman,

    Thank you for your quick response. Great explanation. Concern remains.

    How many times does Sucuri’s malware checker ping a website (or Cloudflare, if activated) on a daily basis?

    At our end, each time a Sucuri malware scan of our website is performed, we get hit by two IPs (8 times each). If Sucuri scans a website twice-daily, that’s 32 pings that Cloudflare is rejecting.

    By the way, we did some further testing and have decided to let Cloudflare do its job. With the IPs blocked, obviously, the Sucuri scans were also being blocked. If we Whitelisted the IPs, other issues cropped up when we checked our website using https://sitecheck.sucuri.net/.

    To assist you, we also contacted Cloudflare and weren’t able to help much. According to Cloudflare, the triggering rule (Rule ID 100035) coded in their servers cannot be modified for this specific purpose. Perhaps your conversation with them will yield better results.

    Note: Our Sucuri Malware Scans are being performed via the iThemes Security Pro plugin. Is Sucuri affiliated or associated with them?

    Again, thank you. Cheers!

    yorman

    (@yorman)

    > […] Concern remains

    I’ll make sure this case is taken into consideration by a manager, but I predict that several days will pass before we can provide a definite solution knowing that it’s not entirely in our hands.

    > How many times does Sucuri’s malware checker ping a website (or Cloudflare, if activated) on a daily basis?

    The plugin sends, by default, one request to SiteCheck every 24 hours. This request triggers a chain of events that produces at least 14 additional HTTP requests (or more if the scanner detects more suspicious data). From these 14 requests only 2 contain the Google Bot User-Agent.

    However, because SiteCheck is a public service [1] anyone in the world with an Internet connection can request a scan even if you don’t have the plugin installed. For example, you can scan my personal website [2] which doesn’t even use WordPress.

    > Our Sucuri Malware Scans are being performed via the iThemes Security Pro plugin. Is Sucuri affiliated or associated with them?

    Aside from the fact that their plugin is using Sucuri’s public API service, I don’t know if they are affiliated with the company. As a programmer, I tend to pay attention to the engineering side of things more than the business. If you chat with the Sucuri sales team [3] they may have a better answer.

    > Perhaps your conversation with them will yield better results

    I hope so, I’ll update as soon as I know anything.

    [1] https://sitecheck.sucuri.net/
    [2] https://sitecheck.sucuri.net/results/cixtor.com
    [3] https://sucuri.net/ (live chat at the bottom)

    jetxpert

    (@jetxpert)

    Thanks, @yorman. Excellent response. Have a great week. Cheers!

  • The topic ‘*Unable to scan the page. 403 Forbidden’ is closed to new replies.