We have written a lot about the shady stuff involving the web security company SiteLock and the main complaint we have gotten about this is that because we also offer web security services (though very different from what they offer) that the information we provide is suspect. We can’t point to much written by others in a professional capacity because for the most part SiteLock has remained under the radar. But we now have something written by someone else that we can point to that shows the kind of activity that has caused “sitelock scams” to be one of the search predictions that Google provides when searching for SiteLock:
An article put out by Forbes last week describes something we have yet to have anyone contact us about, a report from SiteLock that is supposed to be “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. The author of story was told that their website, which is “single-page static website with just a handful of files and no CMS or other editing software”, had a “Medium” “likelihood of compromise”. The author of the article noted they could only think of two ways that type of website could be compromised, but SiteLock told them that neither of those was consider when calculating the score:
The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.
Considering that SiteLock was saying that there was a “Medium” risk of compromise how else did they think it could be compromised, they couldn’t even come up with an answer:
When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.
In light of the fact that the score seems to be baseless in this instance, it is worth noting the only detail of the score provided was:
The only detail of any kind offered by the report as to how it assessed my site at Medium risk was that 7% of the risk came from “Popularity: Number of visitors and overall social media presence,” 29% of the risk from “Presence of specific components” and 64% from “Site size and the number of distinct components.”
So SiteLock is making it appear that all of this is evidence based, they are giving percentages and claiming to leverage over 500 variables (we can’t even think of close to 500 variables that could possibly be used unless they are really stretching as what they count as a separate variable), but the reality is that the score seems to be baseless. The author of the piece had the expertise to see past the superficial evidence based nature of this, but SiteLock wouldn’t be doing this if they didn’t think that others would not be as knowledgeable.
This isn’t the first time that we have seen SiteLock put forward claims that websites are vulnerable based on false evidence or unsupported by evidence. In June we noted how they continued to use false information about the security of WordPress to claim websites were vulnerable. In other instances we have had people come to us after SiteLock has claimed there is some vulnerability on their website, but has refused to provide the details, instead only suggesting purchasing SiteLock services to resolve. That was also the case for the author the article.
When the web hosting partner that was passing along the score was asked what could be done to reduce it, the response was to purchase SiteLock services:
When asked what a company could do to reduce their risk score, Network Solutions noted that it offers two subscription monitoring services by SiteLock that scan a customer’s site each day, alerts them if their site has been compromised and automatically removes selected malware from infected files.
The web host would likely get a significant percentage of the fee for those services if they were purchased.
SiteLock gave a similar response:
When asked how a company might work to reduce their risk score from Medium to Low in the absence of any technical detail as to which of the 500 indicators were triggered for their site and if their subscription vulnerability scans did not reveal a known vulnerability, SiteLock offered that it has a commercial professional services team that can be hired in a consulting arrangement to review a site and determine if there are any concerns with its architecture or technical design.
In line with what we have seen in the past when caught doing questionable stuff, SiteLock claimed that they didn’t see anything wrong with what they are doing:
The company strenuously emphasized that it believes such a score is very useful and that many companies have found it of great use to them, but declined to provide more detail as to what companies have done with that information beyond simply subscribing to SiteLock’s products.
The Forbes article raises other issues with this situation that are also problematic and we would suggest you read the article.
Based on all of that it looks like these scores can be safely ignored, but with other claims from SiteLock about the security of websites that are backed by some level of evidence we recommend getting a second opinion before taking any action, as they are not all false. We are always happy to provide a free second opinion.