A Single Tweet Nicely Sums Up the Problem With WordPress Allowing SiteLock to Be Involved With WordCamps

The web security company SiteLock has a well-earned reputation that can be summed up by what Google suggests when you type in their name:

Google's second suggestion is "sitelock scams".

That obviously isn’t a reputation you would think any company would want. It would probably be difficult for SiteLock to legitimately change it, though, since their business model seems to be based around the very activity that gets them labeled that way.

It would also be difficult because if they, for example, stopped partnering with web hosts to get people to pay them to clean up hacked websites that are not in fact hacked, then they would actually have to clean up websites to get paid, and from everything we have seen they are even worse at that than the average web security company, which is already quite bad. For example, we are often brought in to re-clean hacked websites after some other company had previously done that and the website got hacked again. While that isn’t always the other company’s fault, in almost every instance we have been told that determining how the website was hacked never even came up, despite that being a basic part of a cleanup and important for making sure the vulnerability that allowed the website to be hacked has been fixed. That is certainly something we have seen with SiteLock. What we haven’t seen with other companies is SiteLock’s habit of leaving websites broken after doing their work.

Instead of trying to change, SiteLock looks to have focused on various efforts to present a public face very different from the one that their customers, and their not always willing potential customers, can find themselves dealing with. What looks to be an important component of that effort is their involvement in and sponsorship of the conferences for WordPress, WordCamps, using money they have gotten from their questionable business practices. We think a tweet put out by one of those WordCamps succinctly shows the problem with WordPress allowing that to occur:

The claim that SiteLock wants to make your WordPress secure is belied by many things we have run across, including a few recent examples: thinking that leaving malicious code on a website for a while is not a threat, not taking the actions needed to prevent hacked websites from being reinfected, and not warning about vulnerable plugins or ensuring they are kept up to date on a website they are supposed to be keeping secure. But maybe the most troubling recent example is that SiteLock is still knowingly spreading false information about the security of the core WordPress software and using it to make a profit. We would love to hear from someone on the WordPress or WordCamp side of things how that makes anyone’s WordPress secure.

At some point, and maybe we have already reached that point, you have to say that WordPress is complicit in what is going on here. Back in September of last year we contacted the central WordCamp organization to let them know about the issues with SiteLock and to ask for a comment on the situation, or a more general comment on any restrictions on who can be a sponsor. We never got any response from them, though it was pretty clear they saw the message. So it seems that they can’t actually justify what is going on, but are still willing to take money SiteLock has gotten through less than above-board business activity. We later left a comment on a blog post about SiteLock on the WordCamp US website; shortly afterwards the comments left on that post were removed and commenting was disabled, so there does seem to be an effort to hide what is going on.

What could explain some of why they continue to allow SiteLock’s participation is that SiteLock’s owners don’t just sponsor WordCamps under the SiteLock brand, but also through brands of the web hosting company Endurance International Group (EIG), which they run. For example, at WordCamp Europe they were a higher-level sponsor through the EIG brands Bluehost and MOJO Marketplace (MOJO Marketplace also doesn’t seem to be too concerned about security):

SiteLock Still Spreading False Information About the Security of WordPress to Their Customers

Back in September we wrote about how the web security company SiteLock had introduced a new feature that was supposed to warn about vulnerabilities on WordPress websites, but would falsely claim that websites running older WordPress versions had vulnerabilities in them that they didn’t.

This seemed to be caused in part by a fundamental lack of understanding of how WordPress handles security: security fixes are backported to older versions of WordPress that have the automatic background updates feature (WordPress 3.7 and above), so an older version can be fully patched against a vulnerability even though its version number sits inside the advisory’s affected range. This is something that anyone dealing with hacked WordPress websites should know, since part of properly cleaning them involves determining, to the extent possible, how they were hacked, and you would need to know which vulnerabilities actually exist in a given version of WordPress when cleaning it. From everything we have seen SiteLock doesn’t properly clean up hacked websites (and they even use that fact as a reason to upsell their customers), so maybe it shouldn’t be surprising that they wouldn’t know this.

It also seems to be caused in part by them not understanding the underlying data source for the vulnerability information, the WPScan Vulnerability Database, as that correctly labels which versions of WordPress are vulnerable to the vulnerabilities (as we will show in a bit).

We know that SiteLock is aware of all of this, since they clearly read our post: they filed a DMCA takedown notice to remove an image we had included in it.

You would think that after becoming aware of this SiteLock would have fixed it, right? Well, it turns out that 9 months later they are still falsely claiming that WordPress websites contain vulnerabilities they don’t.

The other day someone contacted us after they had been told by their web host iPage that their website had security issues and that they should sign up for SiteLock. After doing that, they contacted us after seeing our previous post about this issue and suspecting that what SiteLock had told them about vulnerabilities on their website wasn’t true.

The website was running WordPress 4.6.6 at the time and SiteLock claimed it had the following medium and high severity vulnerabilities:

Severity: High
Category: csrf
Summary: WordPress 4.2-4.7.2 – Press This CSRF DoS
Description: CSRF DoS vulnerability in WordPress versions 4.2 to 4.7.2 through the Press This functionality.

Severity: Medium
Category: rce
Summary: WordPress 4.3-4.7 – Potential Remote Command Execution (RCE) in PHPMailer
Description: Potential Remote Command Execution (RCE) in PHPMailer used in WordPress versions 4.3 to 4.7.1 can potentially be used to remotely execute commands.

Severity: High
Category: bypass
Summary: WordPress 4.2.0-4.7.1 – Press This UI Available to Unauthorised Users
Description: Authentication bypass vulnerability in WordPress Press This versions 4.2.0 to 4.7.1 allows unauthorized users to access the UI.

Severity: High
Category: csrf
Summary: WordPress 2.8-4.7 – Accessibility Mode Cross-Site Request Forgery (CSRF)
Description: Cross-Site Request Forgery (CSRF) in WordPress versions 2.8 to 4.7 via Accessibility Mode allows unauthorized actions to be performed.

Severity: Medium
Category: bypass
Summary: WordPress 2.8.1-4.7.2 – Control Characters in Redirect URL Validation
Description: Control Characters vulnerability in WordPress versions 2.8.1 to 4.7.2 through the Redirect URL Validation.

Severity: Medium
Category: unknown
Summary: WordPress 3.0-4.7 – Cryptographically Weak Pseudo-Random Number Generator (PRNG)
Description: Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in WordPress versions 3.0 to 4.7 in the multisite activation key creates the potential to guess/brute-force the activation key.

Severity: High
Category: xss
Summary: WordPress 3.4-4.7 – Stored Cross-Site Scripting (XSS) via Theme Name fallback
Description: Stored Cross-Site Scripting (XSS) WordPress versions 3.4 to 4.7 via Theme Name fallback allows malicious code to be stored on the site.

Severity: High
Category: xss
Summary: WordPress 4.3.0-4.7.1 – Cross-Site Scripting (XSS) in posts list table
Description: Cross-Site Scripting (XSS) vulnerability in WordPress versions 4.3 to 4.7.1 through the posts list table.

Severity: Medium
Category: xss
Summary: WordPress 2.9-4.7 – Authenticated Cross-Site scripting (XSS) in update-core.php
Description: Authenticated Cross-Site scripting (XSS) WordPress versions 2.9 to 4.7 via update-core.php allows malicious code to be injected to the page.

Severity: High
Category: xss
Summary: WordPress 4.0-4.7.2 – Authenticated Cross-Site Scripting (XSS) in YouTube URL Embeds
Description: Authenticated Cross-Site Scripting (XSS) vulnerability in WordPress versions 4.0 to 4.7.2 allows an attacker to inject malicious code on to the site through YouTube URL Embeds.

Severity: High
Category: xss
Summary: WordPress 3.6.0-4.7.2 – Authenticated Cross-Site Scripting (XSS) via Media File Metadata
Description: Authenticated Cross-Site Scripting (XSS) vulnerability in WordPress versions 3.6.0 to 4.7.2 allows malicious code to be injected on to the site via Media File Metadata.

Severity: High
Category: sqli
Summary: WordPress 3.5-4.7.1 – WP_Query SQL Injection
Description: In WordPress 3.5 to 4.7.1 WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data.

Severity: Medium
Category: unknown
Summary: WordPress <= 4.7 – Post via Email Checks mail.example.com by Default
Description: Post via Email Checks mail.example.com by Default in WordPress version 4.7 and earlier.

Those vulnerabilities don’t exist in WordPress 4.6.6, which can be seen by looking at the relevant entries in the WPScan Vulnerability Database, each of which lists the release on the 4.6 branch that carried the backported fix. Let’s take a look at a couple of examples:

For the vulnerability “WordPress 3.0-4.7 – Cryptographically Weak Pseudo-Random Number Generator (PRNG)” the vulnerability was fixed in version 4.6.2:

For the vulnerability “WordPress 3.6.0-4.7.2 – Authenticated Cross-Site Scripting (XSS) via Media File Metadata” you can see that it was fixed in version 4.6.4:
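To make the distinction between an advisory’s headline version range and the branch-level fix releases concrete, here is an added example (our own illustration, not SiteLock’s or WPScan’s code). It models two of the entries from the report above as constructed sample data, using the 4.6-branch fix releases cited here (4.6.2 and 4.6.4); the 4.7-branch fix releases in the sample data are assumptions. A naive range check flags WordPress 4.6.6 for both, while a branch-aware check, generalized to handle branches newer than the fix and pre-3.7 branches that never received backports, correctly clears it.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Headline range in a WPScan-style title, e.g. "WordPress 3.0-4.7 – ...".
# Only ranged titles are modelled here; "<= 4.7" style titles are not.
RANGE_RE = re.compile(r"WordPress (\d+(?:\.\d+)*)-(\d+(?:\.\d+)*)")

def parse_version(version: str) -> Version:
    """'4.6.6' -> (4, 6, 6); tuple comparison orders releases correctly."""
    return tuple(int(part) for part in version.split("."))

def branch_of(version: str) -> Tuple[int, int]:
    """Release branch of a version: '4.6.6' -> (4, 6)."""
    v = parse_version(version)
    return (v[0], v[1] if len(v) > 1 else 0)

# Constructed sample entries modelled on two items of the report quoted above.
# 'fixed_in' maps a branch to the patch release on that branch carrying the fix.
# The 4.6 entries are the fixed versions cited in the post; the 4.7 entries are
# assumed for this example.
SAMPLE_VULNS: List[Dict] = [
    {"title": "WordPress 3.0-4.7 – Cryptographically Weak Pseudo-Random Number Generator (PRNG)",
     "fixed_in": {"4.7": "4.7.1", "4.6": "4.6.2"}},
    {"title": "WordPress 3.6.0-4.7.2 – Authenticated Cross-Site Scripting (XSS) via Media File Metadata",
     "fixed_in": {"4.7": "4.7.3", "4.6": "4.6.4"}},
]

def naive_is_vulnerable(installed: str, vuln: Dict) -> bool:
    """Flag anything inside the headline range. This is the mistake the post
    describes: a 4.6.x site is reported vulnerable even after its backport."""
    low, high = (parse_version(x) for x in RANGE_RE.search(vuln["title"]).groups())
    return low <= parse_version(installed) <= high

def branch_aware_is_vulnerable(installed: str, vuln: Dict) -> bool:
    """Judge by the installed branch's own fix release, not the headline range."""
    iv = parse_version(installed)
    if iv < parse_version(RANGE_RE.search(vuln["title"]).group(1)):
        return False                      # predates the bug entirely
    b = branch_of(installed)
    fixed = {branch_of(k): parse_version(v) for k, v in vuln["fixed_in"].items()}
    if b in fixed:
        return iv < fixed[b]              # vulnerable only below the branch's fix release
    if b > max(fixed):
        return False                      # branch was cut after the fix landed
    # A pre-3.7 branch never received backports, and a 3.7+ branch with no
    # recorded backport is unknown; both are treated as vulnerable.
    return True

def scan(installed: str, vulns: List[Dict] = SAMPLE_VULNS,
         checker=branch_aware_is_vulnerable) -> List[str]:
    """Titles of the entries the chosen checker flags for this installation."""
    return [v["title"] for v in vulns if checker(installed, v)]

if __name__ == "__main__":
    for name, fn in (("naive", naive_is_vulnerable), ("branch-aware", branch_aware_is_vulnerable)):
        flagged = len(scan("4.6.6", checker=fn))
        print(f"{name}: WordPress 4.6.6 flagged for {flagged} of {len(SAMPLE_VULNS)} entries")
```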

It is also worth noting here that the severity ratings SiteLock provides look to be vastly overstated, since none of these vulnerabilities is likely to be (or has in fact been) exploited on a wide scale, which you would expect at least for vulnerabilities rated as high severity.

iPage isn’t innocent in this, as not only do they get a significant percentage of the price being paid for SiteLock services sold through their partnership, but their parent company also happens to be run by SiteLock’s owners.

You would also think that WordPress might make a point of warning people away from SiteLock, since they are profiting off falsely claiming that WordPress websites contain vulnerabilities, but instead they have welcomed them as a sponsor and speaker at various WordCamps, the WordPress conferences. In fact they thanked them for their “commitment to the WordPress community”:

We’d like to thank each of our 2017 global community sponsors for their commitment to the WordPress community. Their generous contributions support community events like WordCamps and WordPress user groups worldwide.

WordPress Doesn’t Want You To Know That WordCamp Sponsor SiteLock Takes Advantage of People

When it comes to the web security company SiteLock taking advantage of people, their web hosting partners have long been a critical component of that. More recently there has been a new partner helping them to present a public face very different from the company that people end up dealing with if they have the misfortune of signing up for their services. That would be WordPress, which has allowed SiteLock to participate in and sponsor WordPress’ WordCamp conferences.

It isn’t a situation where the people involved in running the WordCamps are not aware of what SiteLock does. We contacted them back in September asking for a comment for a post we were preparing raising our concerns about the situation. We didn’t receive a response, but shortly after we sent the message we received quite a bit of traffic to a post linked in it, so they seem to have reviewed it. SiteLock’s involvement has continued since then, which indicates to us that the WordPress folks can’t justify what they are doing, but will continue doing it anyway.

Fast forward to last week, when in our monitoring of what SiteLock is up to we came across a post on the website for this week’s WordCamp US praising SiteLock. Wanting to let people know the reality of SiteLock, we posted the following comment on the post:

It is rather unfortunate that you are promoting SiteLock in this way, as this company is quite bad at what they do and takes advantage of so many people.

For example, a couple of months ago we were brought in to fix a WordPress website after their cleanup left it broken, http://www.whitefirdesign.com/blog/2016/09/14/godaddy-and-sitelock-make-a-mess-of-a-hack-cleanup-and-drop-the-ball-on-security-as-well/. While fixing it we found that there were a couple of much larger issues: they had left the hacker with access to the website and didn’t detect that one of their web hosting partners, who had gotten the website’s owner to hire SiteLock in the first place, had a serious security issue that was leading to the website being hacked.

Around the same time we found that they were spreading false information about vulnerabilities in WordPress to their customers, http://www.whitefirdesign.com/blog/2016/09/06/sitelock-spreading-false-information-about-wordpress-security-to-their-customers-through-their-platform-scan-for-wordpress/.

If you do a search for “sitelock scam” you will see more of what SiteLock is really doing.

One thing we mentioned that we think is important to emphasize is that SiteLock was (and maybe still is) claiming that customers’ websites running older versions of WordPress have vulnerabilities that they don’t. This was due to SiteLock not having a basic understanding of how WordPress handles security, which they should, considering that it is very important when properly cleaning up hacked websites and protecting them against future hacks, both of which are services they offer (some explanation for this might be that for one of their main protection services they don’t actually provide the service themselves, while claiming to). It is against that backdrop that one part of the WordCamp post sticks out:

With 2017 just around the corner, SiteLock hopes to continue their strong support for WordPress and WordCamps and make 2017 the best year yet!

Maybe it is just us, but it doesn’t seem that spreading false claims of vulnerabilities in WordPress-based websites shows support for WordPress, strong or otherwise.

We left that comment on Tuesday afternoon; by the next morning the existing comments (not just ours) on the post were gone and the ability to comment was removed. By comparison, the previous post and the next one are still open for comments and include comments. Again, the WordPress folks would rather sweep the reality of what SiteLock is up to under the rug while being involved with WordCamps than deal with the situation.

What makes this all the more troubling is that at the same time WordPress is helping to promote a very bad security company, they are intentionally not warning people when they are using insecure plugins, which could lead to websites being hacked, and then those websites might wind up being taken advantage of by a bad security company like SiteLock.

WordPress Giving Legitimacy to SiteLock By Allowing Them to Sponsor and Attend WordCamps

As we have continued to hear more troubling stories from the public about the web security company SiteLock’s business practices and seen the damage they can cause, we have been very troubled that other organizations would provide them with legitimacy by getting involved with them.

One set of organizations is the various web hosts that have partnered with them. We recently found that the CEO of the parent company of many of those web hosting partners is also the owner of SiteLock, so it isn’t surprising that those web hosts wouldn’t have a problem with what is going on, since their CEO is in on it. It would seem the others are getting paid handsomely to help them out.

Due to SiteLock discovering a couple of vulnerabilities in WordPress plugins some time ago, we had started following their blog for the Plugin Vulnerabilities service. While no more vulnerabilities were disclosed on the blog, we did start noticing that they were sponsoring and attending quite a few of the official conferences for WordPress, WordCamps (and oddly giving presentations unrelated to security, including “Creating a Digital Download Business – What to Sell, How to Sell It and Shortcuts to Success” and “Contact Forms are Boring – 5 Creative Ways to Use Forms in WordPress”). That seems like a really bad idea, considering that the imprimatur of WordPress is then connected with this company, providing them with legitimacy they shouldn’t have.

There is also the issue that money SiteLock makes by taking advantage of people is funding these WordCamps, which seems reasonable to consider a moral and ethical issue.

It also doesn’t seem to be a great idea to have a company that has shown that they lack a basic understanding of how WordPress responds to security issues, leading them to falsely claim that WordPress websites contain critical vulnerabilities, involved with WordPress events.

Just in the next couple of weeks SiteLock is sponsoring WordCamps in Pittsburgh, Raleigh (with a presentation that is also not security related, “Using Curated Content in WordPress—Why and How”), and Dallas. They are also a sponsor of the WordCamp for the whole US in December.

We would like to be able to give you WordPress and WordCamp’s side of the story as to why they are involved with SiteLock, but it has been a week since we contacted them with the following email asking for comment and we haven’t received any response:

We are writing a post about the fact that the security company SiteLock is being allowed to sponsor and attend numerous WordCamps despite being well known for taking advantage of its customers.

We first became aware of their practices after we had written a number of posts about other issues we had noticed involving them and then started getting contacted by people who had been taken advantage of by them, http://www.whitefirdesign.com/blog/2016/05/03/it-looks-like-sitelock-is-scamming-people/. There is a litany of complaints that can be seen if you do a search on Google for something like “SiteLock scam”, including this page with numerous complaints https://sitelock.pissedconsumer.com/. While some of the complaints seem to be unfair to them, there is a pretty clear pattern of actions that seem quite problematic, to say the least.

We would like to include in our post any comment you might have as to why they are allowed to sponsor and attend WordCamps in light of that, so that the public has a better understanding of why WordCamps would get involved with such a company and take money that has been made by taking advantage of people. We would also like to include in our post any comment you might have as to any restrictions you place on what kinds of companies can sponsor and attend WordCamps.

If they were not aware of SiteLock’s reputation before, it seems they could have at least indicated that and that they were reviewing things, but the lack of response points to them being aware of what SiteLock does and being okay with being involved with them.

If you would like to let them know how you feel about that, you can contact the central organization for WordCamps here. You also might want to contact the ones happening locally that SiteLock is involved in, to see if they are aware of what one of their sponsors is up to.

Hosting Recommendation Too

This isn’t the only SiteLock connection with WordPress. As we discussed in a recent post, one of the owners of SiteLock is also the CEO of a major web hosting provider, Endurance International Group. Endurance provides web hosting under many brand names, one of those being Bluehost. Bluehost has come up repeatedly in complaints about SiteLock. Bluehost is also one of the web hosts listed on the Hosting page on wordpress.org:

[Image: the wordpress.org Hosting page listing Bluehost as a recommended host]

That page is linked from the website’s top-level menu, so we would assume it brings in a lot of business to them.