We often get asked about whether people should use a service that claims to protect their website from being hacked. Part of our answer is that we have seen no evidence that these services actually provide that protection and plenty that they don’t, including being hired to clean up hacks on websites using those services.
That these services don’t work isn’t something that is really hidden, often the marketing material service for them suggests that they don’t really work. Take GoDaddy’s Website Security service. That service has three price tiers. With all three tiers, one of the bullet points is “Firewall prevents hackers.” In the lowest tier another bullet point is “Annual site cleanup and remediation” and in the other two it is “Unlimited site cleanups.”:
If the firewall prevents hackers, why would you need a hack cleanup?
Even if you want to give the benefit of the doubt to GoDaddy, that say they are thinking people would sign for the service when their website is already hacked or they are advertising hack cleanups, even though you wouldn’t need them, since they are confident the service works, it makes no sense that they wouldn’t offer unlimited hack cleanup with the lowest tier of the service as well, since even considering those possibilities, there would only need to be one hack cleanup.
That contradiction doesn’t just appear in that spot. In the textual information on the same page, they claim to take a “preventative approach” that “blocks attacks”, but immediately pivot to an indication that their service doesn’t accomplish that:
Take a proactive, preventative approach to the safety of your website. The Website Security firewall blocks attacks on your site while its malware scanner regularly searches your site for malicious content and alerts you if any is found. All you need to do is submit a malware removal request, and our expert security team will get to work cleaning* up your site.
What is completely missing from that page is any evidence, much less evidence from independent testing, that their service is effective at stopping attacks or detecting malware. Based on our experience having been hired to re-clean websites they were supposed to have protected and cleaned, the results of such testing probably wouldn’t be good.