SiteLock Promoted Services To WordPress.com Users That Are Not Relevant to Them

In a recent post about how WordPress is giving the web security SiteLock unwarranted legitimacy by allowing them to be involved in WordCamps, conferences dedicated to WordPress, we mentioned that one of the reasons it didn’t seem great to have them was that they are falsely labeling WordPress website as having vulnerabilities due to their lack of understanding of how WordPress handles security updates. It turns out their lack of knowledge of WordPress extends further, leading to trying to sell people services that are not relevant to them, as we found while looking for information for another post.

In a March post entitled This Week in Exploits: Increased WordPress.com Security on SiteLock’s WordPress focused The District blog, SiteLock mentioned that WordPress.com had enabled HTTPS for those using custom domain names. For those not familiar, WordPress.com is a blog hosting service powered by the WordPress software. It has some rather notable differences with self hosted WordPress installations, some of which we will note in a bit. It seems that SiteLock is not familiar with the differences the WordPress.com service and the WordPress software, but that didn’t get in the way of them trying to use the blog post to sell people on unneeded services.

After a paragraph mentioning the HTTPS change, they pivot to selling their service:

If you’re a WordPress.com user, one way to take advantage of WordPress.com’s exemplary efforts is to go further and enhance the security of your WP.com site with protection services.

First they promote a web application firewall:

The first and probably most fundamental upgrade to your site’s security is to implement a web application firewall, or WAF. With a simple DNS change and SSL cert approval, SiteLock TrueShield WAF protects sites, WordPress.com or otherwise, from malicious traffic, suspicious bots, scrapers and spam comments. The PCI-compliant TrueShield WAF supports SSL and Extended Validation SSL. Service packages depend upon protection capabilities desired.

Considering how the WordPress.com service works it isn’t clear what value that would provide. Much of that would likely already be being done WordPress.com and if there was some vulnerability discovered it should impact the whole service, so you would expect that it would be quickly fixed across the service. The marketing materials for that also don’t present any evidence as to the efficacy of its protection provided by that in general, much less when used with WordPress.com.

Next SiteLock is promoting malware scanning:

The next upgrade to WordPress.com security is a malware scan. The SiteLock Malware Scan crawls websites looking for malicious code and links and immediately alerts the site owner if any are found. The Malware Scan runs daily to find malware early and keeps sites off of blacklists, and results can be viewed in the SiteLock Dashboard or downloaded as CSV for analysis and remediation.

This doesn’t seem to be to useful for the WordPress.com service since you can not use JavaScript code on it:

Users are not allowed to post JavaScript on WordPress.com blogs. JavaScript can be used for malicious purposes. As an example, JavaScript has taken sites such as MySpace.com and LiveJournal offline in the past. The security of all WordPress.com blogs is a top priority for us, and until we can guarantee scripting languages will not be harmful, they will not be permitted.

JavaScript from trusted partners, such as YouTube and Google Video, is converted into a WordPress shortcode when a post is saved.

Since malware on a website is usually JavaScript based (or in some other format not permitted by WordPress.com) there couldn’t be malware on WordPress.com blog and you also couldn’t have your website flagged for malware since, again, there couldn’t malware on these websites in the normal course of things.

Next up they try create a connection between spam and the “dreaded ‘reported attack site’ screen”:

Speaking of blacklists, the final security upgrade is a spam scan. The SiteLock Spam Scan monitors all industry-leading search engine and spam blacklists for the customer’s domain and, again, immediately alerts the customer to any adverse reports. This allows the quickest way to remediation if the worst happens, reducing, if not eliminating, customer interaction with the dreaded ‘reported attack site’ screen.

The Reported Attack Site screen refers to something that has been shown on the Firefox web browser when Google has detected malware on a website, not spam, which is something SiteLock should know. From this description isn’t clear what spam they are scanning for, since it could refer to spam emails or spam content on a website. In looking around for more information on what the Spam Scan actually does, it looks like it actually checks lists of email address claimed to be sending spam, so it isn’t clear what the search engine reference in this refers to. Unless you use your own domain with WordPress.com and send email through it (which wouldn’t be through WordPress.com) this wouldn’t be relevant.

Finally SiteLock brings up their plugin for WordPress:

Security is vital. Easy security management is a must. SiteLock Security Plugin for WordPressprovides complete website security management and allows users to access their SiteLock Dashboard from within WordPress. Highlights include real-time updates ensuring minimal latency between identifying and correcting issues, identifying specific vulnerabilities in order to remediate them as quickly as possible and managing SiteLock Trust Seal settings.

That will not work on WordPress.com blogs, since you can’t install plugins on them.