Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.
The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.
Here is the email they are sending out:
Dear [redacted],
We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.
To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.
After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.
It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.
Find out more about SiteLock from 123 Reg
Alternatively, you can call us on 0330 221 1007 for more information.
Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.
Kind regards,
123 Reg Team
Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).
One of the other people that received one of these emails raised another issue with them:
cheers @123reg, but I use your automatic installer with auto updates turned on, so if anything is insecure and outdated… pic.twitter.com/1FXWeanNf8
— Adam Hay (@antireality) August 31, 2017
It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.