WordPress Doesn’t Want You To Know That WordCamp Sponsor SiteLock Takes Advantage of People

When it comes to the web security company SiteLock taking advantage of people, their web hosting partners have long been critical component of that. More recently there has been a new partner helping them to present a public face very different than the company that people end up dealing with if they have the misfortune of signing up for their services. That would be WordPress, which has allowed SiteLock to participate and sponsor WordPress’ WordCamp conferences.

It isn’t a situation where the people involved in running the WordCamps are not aware of the what SiteLock does. We contacted them back in September asking for a comment for a post we were preparing raising our concerns about the situation. We didn’t receive a response, but we received quite a bit of traffic to a post included in the message to them, shortly after we sent the message, so they seem to have reviewed it. SiteLock’s involvement has continued since then, which indicates to us that the WordPress folks can’t justify what they are doing, but will continue doing it anyway.

Fast forward to last week when in our monitoring of what SiteLock is up to we can across a post on the website for this weeks WordCamp US praising SiteLock. Wanting to let people know the reality of SiteLock we posted the following comment on the post:

It is rather unfortunate that you are promoting SiteLock in this way, as this company is quite bad at what they do and take advantage of so many people.

For example, a couple of months ago we were brought to fix a WordPress website after their cleanup left it broken, http://www.whitefirdesign.com/blog/2016/09/14/godaddy-and-sitelock-make-a-mess-of-a-hack-cleanup-and-drop-the-ball-on-security-as-well/. While fixing it we found that there were a couple of much larger issues, they had left the hacker with access to the website and didn’t detect that one of their web hosting partners, who had gotten the website’s owner to hire SiteLock in the first place, had a serious security issue that was leading to website being hacked.

Around the same time we found that they were spreading false information about vulnerabilities in WordPress to their customer, http://www.whitefirdesign.com/blog/2016/09/06/sitelock-spreading-false-information-about-wordpress-security-to-their-customers-through-their-platform-scan-for-wordpress/.

If you do a search for “sitelock scam” you will see a more of what SiteLock is really doing.

One thing we mentioned we think is important emphasis, is that SiteLock was (and maybe still is) claiming that customer’s website running older version of WordPress have vulnerabilities that they don’t. This was due to SiteLock not having a basic understanding of how WordPress handles security, which they should considering that is very important when properly cleaning up hacked websites and protecting them against future hacks, both of which are services they offer (some explanation to this might be that for one of their main protection services they don’t actually provide the service themselves, while claiming to). It is against that backdrop that one part of the WordCamp post sticks out:

With 2017 just around the corner, SiteLock hopes to continue their strong support for WordPress and WordCamps and make 2017 the best year yet!

Maybe it is just us, but it doesn’t seem that spreading false claims of vulnerabilities in WordPress based website shows support for WordPress, strong or otherwise.

We left that comment on Tuesday afternoon, by the next morning the existing comments (not just ours) on the post were gone and the ability to comment was removed. By comparison the previous post and next one still are open for comments and include comments. Again the WordPress folks would rather sweep under the rug the reality of what SiteLock is up to while being involved with WordCamps than deal with the situation.

What makes this all the more troubling is at the same time WordPress is helping to promote a very bad security company, they are intentionally not warning people when they are using insecure plugins, which could lead websites to be hacked and then those websites might wind up being taken advantage of by a bad security company like SiteLock.

Here Are SiteLock’s Web Hosting Partners, You Probably Should Avoid Them

As we have looked closer at how the web security company SiteLock takes advantage of people we have found that their web hosting partners are critical component of that being possible. Avoiding those web hosts prevents you from getting taken advantage of and also if enough people did that would get web hosts to stop allowing that to happen in the first place, but we also think that by partnering with SiteLock these web hosts are showing they are companies you should avoid even if you are not worried about being taken advantage of by SiteLock. There are number of reasons we think that is the case:

First, these web hosts are not being upfront with their customers as they don’t disclose that their partnership is really based around them getting a significant cut of SiteLock fees. That means for example, that they are making a large profit of off their customers websites being hacked. In the case some of their partners the web hosts are even controlled by the owners of SiteLock, something the web hosts won’t even publicly acknowledge, despite it being disclosed to their investors. If they are not being upfront about that, you have to wonder what else they are not being truthful about.

Second, they are showing that money they get from SiteLock is more important than their customers, as SiteLock is not a company that should be anywhere near the security of websites based on what we have seen over the years. This is due to the fact that at a basic level they don’t even try to properly clean up website, leaving them open to exploited again, and in some cases they couple that with leaving a broken website behind as well. They are also rather bad at detecting malicious code and detecting whether websites are secure. There are many companies that clean up hacked website, so to partner with SiteLock, it has to been about getting that money, not about doing what is best for their customers.

Third, we have found that these web hosts who are partnered with them do not have much concern for security. Not only by getting involved with a really bad security company, but their own practices. For example, at one web host we found that they were distributing outdated, inscure, software to their customers and their access controls were broken, leading to websites being hacked that otherwise would not have been. We don’t find that type of thing surprising, seeing as we can’t imagine a company that really cared about security partnering with SiteLock, considering their track record. Making their customers more secure would also likely reduce the amount of money they can make through selling SiteLock services as well.

To help you to avoid those web host we have started to compile a list of web host who have partnered with SiteLock. If you know of addition or subtraction we need to make to the list please leave a comment below or contact us.

(Last update: 11/29/2016)

#|A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z

#

  • 1&1
  • 123 Reg
  • 123hospedaje
  • 24 Host India
  • 365ezone
A
  • A Small Orange
  • Alojamiento Tico
  • Ardanhosting.com
B
  • BigRock
  • BizLand
  • BlueDomino
  • BlueHost
  • BuyHTTP
C
  • Certified Hosting
  • Colombia Redes
D
  • Domain.com
  • DomainHost
  • Dot5Hosting
  • dotster
E
  • EasyCGI
  • EdorHosting
  • eHost
  • eNom
  • EntryHost
  • Exabytes
F
  • FastDomain
  • FatCow
  • FreeYellow
  • Full Tech Solutions
G
  • Globat Web Hosting
  • GMO Cloud
  • GoDaddy
  • GreenGeeks
H
  • HaiSoft
  • Hostable.com
  • HostCentric
  • HostClear
  • HostForWeb
  • HostGator
  • HostHero
  • HostMonster
  • Hostnet
  • HostPapa
  • Hostpuppies
  • HostUtopia
  • HyperMart
I
  • IMOutdoors
  • iPage
  • IPOWER
  • ITX Design
  • iViperHost
  • IX Web Hosting
J
  • Just Host
K
  • Kualo
L
  • Lithium Hosting
M
  • MaxterHost
  • Media Temple
  • Midphase
  • Mustang Technologies
  • MyDomain
N
  • names.co.uk
  • Netfirms
  • Network Solutions
  • Networks Web Hosting
  • Noworryhost
O
  • OCNHost
  • OpenSRS
P
  • PowWeb
  • PureHost
R
  • ReadyHosting
  • Register.it
S
  • ServerFreak
  • StartLogic
T
  • TMDHosting
  • Tripod
U
  • UK2
  • USANetHosting
V
  • v2Web
  • Verio
  • Very Chio
  • VirtualAvenue
  • VisualWebTechnologies
  • VPSLink
W
  • Web Fortuners
  • WebHost4Life
  • WebhostforASP
X
  • XANTEC
  • Xeran

#|A|B|C|D|E|F|G|H|I|J|K|L|M|N|O|P|Q|R|S|T|U|V|W|X|Y|Z

Misleading Vulnerability Statistics and Plone Security

When it comes to web security information, getting good information is difficult in large part because there are so many people handing out advice that really are not qualified to do that (that includes many security companies), which can lead to falsehoods gaining widespread exposure. Even when you get past that it can be difficult because there are not always easily determined answers. Take for example the security of various web applications, trying to say how secure one is or how the security of one compares to another is difficult without doing a full security review of one or more of them.

Quicker methods don’t necessarily produce great results. For example you could look at how many vulnerabilities in them have led to websites being exploited in the past, but take a phrase from another industry, past performance does not guarantee future results.

Another method that is sometimes used is to look at how many vulnerabilities have been discovered in the software. There are a number of problems with that. One is that is you don’t know how many undiscovered vulnerabilities still exist in the software. It would also seem likely that more popular software would have more people looking over the code, so that they would have had more discovered than comparably secure software that is less popular. There is also the problem that not all vulnerabilities are equal importance, in fact most vulnerabilities discovered in web application have little chance of being exploited on the average website. You could try to mitigate by only counting more severe vulnerabilities, but as we have found severity ratings can be quite inaccurate.

Another problem we recently ran across when looking at something related to Plone, is that comparisons are not always done using comparable statistics.

The Plone developer’s described their security track record this way:

Unfortunately, there are no trustworthy statistics on vulnerability numbers available. This is mostly due to the fact that security databases are often outdated or incomplete. That said, Plone consistently has fewer vulnerabilities reported on databases than other content management systems. As our security team diligently reports any vulnerabilities found and works with vendors such as Red Hat to ensure our reports are complete and accurate this is strong evidence for Plone’s security

Here is how that is portrayed on the Wikipedia entry for the software:

Mitre is a not-for-profit corporation which hosts the Common Vulnerabilities and Exposures (CVE) Database. The CVE database provides a worldwide reporting mechanism for developers and the industry and is a source feed into the U.S. National Vulnerability Database (NVD). According to Mitre, as of 2013-05-29, Plone has the lowest number of reported lifetime and year to date vulnerabilities when compared to other popular Content Management Systems. This security record has led to widespread adoption of Plone by government and non-governmental organizations, including the FBI.

The following table compares the number of CVEs as reported by Mitre. It should be noted that logged CVEs take into account vulnerabilities exposed in the core product as well as the modules of the software, of which, the included modules may be provided by 3rd party vendors and not the primary software provider.

Comparison of Common Vulnerabilities and Exposures
CMS First released CVEs
Plone 2003 62
Joomla 2005 638
WordPress 2003 934
Drupal 2001 969

If you compare Plone to WordPress there is a great disparity, but looking at the vulnerabilities listed for both there is a glaring issue, hinted at by this portion of the Wikipedia entry:

It should be noted that logged CVEs take into account vulnerabilities exposed in the core product as well as the modules of the software, of which, the included modules may be provided by 3rd party vendors and not the primary software provider.

Currently there are 1024 entries for WordPress in the database, but if you start looking through them you will notice that many of them are for plugins and not for WordPress itself. There are 849 instances of the word “plugin” on that page, though some of those relate to WordPress and some are multiple instances of it in the same entry. There are another 60 entries that involve the word “theme”, many of which related vulnerabilities in themes. If subtract those two values from the overall entry total you get 115.

The current total for Plone is still 62 entries. None of those entries include the word “add-on”.

Considering the popularity of WordPress, the difference between the crude calculation of vulnerabilities in the core of WordPress and Plone total number doesn’t seem that significant. It also worth noting that we can’t recall a vulnerability in the core of WordPress that has led to lots of website being hacked in many years, maybe verging on a decade.

But what about the vulnerabilities in plugins versus that lack of mention of Plone addons. It is possible that Plone add-ons are quite secure, but one explanation is raw numbers. As of writing this there 47,665 reported to be on the WordPress’ Plugin Directory. The Plone number is much smaller, on the page that lists “all Plone add-ons” there are currently 2861 packages and some addons have multiple packages, so the number of addons is even smaller than that.

Another Cyber Security Company In The News Failing To Do Security Basic With Their Own Website

When it comes to security companies, whether it is web security or the wider field of cyber security, one thing that we found over the years is that most of them seem to know and or care little about security. We think that explains a lot of why that security is in such bad shape these days. One easy spot example of these companies either not knowing or caring about security is when their websites are running outdated software with security vulnerabilities, as keeping software up to date is really a security 101 item whether for websites or other systems.

The cyber security company PacketSled has been in the news recently after the founder and CEO of the company “resigned after election night posts on social media about assassinating President-elect Donald Trump“. Their website is currently running WordPress 4.4.2:

The PacketSled Website is Running WordPress Version 4.4.2

Like the last couple of instances we looked at with cyber security companies running outdated WordPress installations, it isn’t just that they are not running the latest major version, 4.6, but they have not kept up to date with new minor releases for the version they are one (the current version is 4.4.5). What makes that stand out is that back in WordPress 3.7 a new update system was introduced that would normally apply those minor updates automatically. So either these companies are disabling that and failing to manually update or there is some conflict with their systems and the automatic update system and they are not manually updating. If there was some conflict, then helping WordPress to fix that would help others in the same situation as well as them (since they can’t manage to do the manual updates either).

Whatever the cause, they missed three security updates, the earliest having been released six months ago.

123 Reg’s Partnership With SiteLock is Already Producing the Expected Bad Results

As we have continued to dig deeper in to how the web security company SiteLock takes advantage of people, one central element of it is their partnerships with web hosting companies. From their main website you can’t even sign up for their services, only request a quote, and if people were to be looking around for a security provider they would likely come across many horror stories involving them when doing. Instead it looks like the services gets sold on the trust in them implied by their web hosting partnerships marketing them and due to the fact that to varying degrees the web hosts push people to use them if their website is hacked (or in some cases when SiteLock or the web host is falsely claiming it is hacked). The reality of the partnerships is that they are not based on the web hosts believing SiteLock, instead it is based on them getting paid a significant amount of money (one major web hosting company disclosed they get 55% percent of the revenue from SiteLock services sold through the partnership with SiteLock).

Neither SiteLock or the web hosts are upfront about the real reason for their partnerships. Take for example how 123 Reg announced their partnership with SiteLock last month, there is no mention of that financial arrangement. Instead they make a number of claims that don’t match what we have seen of SiteLock’s services in the real world, including:

By partnering with SiteLock, small business customers now have access to best-of-breed security solutions that deliver proactive and reliable protection from internet threats and vulnerabilities.

And:

Our partnership will ensure that websites run safely and smoothly, and will further secure the infrastructure in the UK. Through our combined efforts and commitment, we can make it easy for customers to seamlessly integrate security into their sites and prevent future attacks.

That things are not as they are claiming is hinted at by the paragraph that follows that though:

SiteLock can detect known malware the minute it hits. After identifying malicious content, it automatically neutralizes and removes the threats. SiteLock then provides businesses with complete reports on scans, threats detected and items removed.

On the one hand 123 Reg is claiming that they “can make it easy for customers to ” “prevent future attacks”, but then they are claiming that SiteLock is going detect malware the minute it hits, which indicates they can’t prevent future attacks (otherwise there wouldn’t be malware to detect). No evidence is provided that SiteLock can actually detect malware the minute it is hits and we have seen rather bad results in their attempts to detect malicious code, in one situation we found SiteLock claiming a website was secure while it contained malicious JavaScript code that compromised credit card details entered on the website.

Our experience is that SiteLock does a quite poor job of cleaning up hacked websites. For example, everything we have seen indicates that they fail to do two of three basics steps for cleaning up a hacked website, 1) making sure the website has been secured (which usually means getting the software up to date) and 2) determining, to the extent possible, how the website was hacked. In one recent instance their failure to do those not only left hackers with two forms of access to the website, but also meant that a security problem at one of their partner web hosts remained unfixed, which would allow even more website to be hacked (that vulnerability remaining unfixed would provide them more people to to have the potential to take advantage of as well).

Not to surprisingly then we have already run into an example of the partnership with 123 Reg producing the bad results you would then expect:

It’s not been awful, but it’s been repetitive. A few links stuck in the index page as far as I can see. They’ve tried to put in malware which Sitelock has found and got rid of. But they’re still getting in. We’ve changed passwords, sitelock has changed dns settings (after this I don’t understand much), any coding on the site is from the lastest version of xara web designer and xara say they’re safe. 123reg (who sold me Sitelock) said they can’t keep everything out, which beggars the question – what’s the point? PC that the site was uploaded from is free from viruses and malware. Hosting service are saying it shouldn’t happen again but are advising me to move anyway (!).

If SiteLock was doing things properly they would have done the work to determine how the website was getting hacked and fixed that, but since their idea of protection is to detect a website is hacked instead of actually protecting it, that doesn’t happen, leading to situation like what is described there.

If your web host is a partner with SiteLock your best move is probably to move to another web host since through that partnership they are showing that they don’t really care for their customers. If you are at the point where you are being contacted by your web host or SiteLock about your website being infected with malware or otherwise hacked we recommend you read one of our previous posts that takes you through some of the  important information to understand about the situation before you make any decisions on dealing with it.

Bluehost Had Different Response to a Hacked Website When the Press Questioned Their Pushing SiteLock

When it comes to SiteLock and their taking advantage of people, a critical component of that successfully happening is their partnerships with various web hosting providers. These partnership do not seem to be based on the web hosting companies thinking that SiteLock is really great company to help out people with security issues (from everything we have seen over several years they don’t even understand the basics of what they are supposed to being doing), instead the web host is getting significant amount of money when SiteLock sells services through their partnership. In the case of the parent company of Bluehost, the Endurance International Group, they disclosed to investors that they receive 55% of the revenue (they seem to unwilling to disclose that to the broader public, as one the company’s other web hosting brands won’t even acknowledge that they even are getting paid). In the case of Bluehost and the other web hosting brands owned by the Endurance International Group there is likely reason for the partnership, the majority owners of SiteLock are also the CEO and a board member of the Endurance International Group.

In theory this would likely lead to bad situation for customers, the web hosts have an incentive to treat a security issue in way that makes them the most money and SiteLock would necessarily be overcharging people, since over half the fee for the service doesn’t go them. In the real world things look a lot like that. Take for this instance, what is describe in an article from NBC’s San Francisco Bay area station when their problem solvers look into a Bluehost’s handling of hacked website:

But recently, Rose’s website was taken down. A message on the site read “temporarily unavailable.” She didn’t know how or why it happened, but she did know it would hurt business.

“It means we don’t get sales, so I don’t make money,” Rose said.

Scrambling to get her site back up, Rose called Bluehost, her hosting site, and was connected to SiteLock, a website security company.

Rose said SiteLock referenced an email it had sent her – that it detected malware on her site. Rose recalled the email, but had dismissed it as spam. After all, she didn’t do business with SiteLock; she’d never even heard of the company.

Still, Rose said SiteLock told her she had to pay upwards of $120 a month to fix the malware and get her site up and running again.

Over year that $120 a month plan would work out to $1440, which is much more than you normally pay to have a website cleaned and purchase a security service (the $648 that SiteLock would get would be more in the realm of reasonable).

When Bluehost was contacted by NBC had very different response:

Bluehost explained that SiteLock is a security partner, and it did in fact find malware on Rose’s site. So it took down the site so the malware wouldn’t spread to other websites hosted by Bluehost.

Bluehost acknowledged that the SiteLock email could be perceived as spam, so it’s working to evolve its email communications.

And eager to help out Rose, Bluehost jumped in and fixed her site for free. Boo Boo’s Best is back in business.

Thats right, Bluehost has the capability to clean up hacked websites themselves and it didn’t cost anything for the customer. Its telling how different the response from Bluehost was when what they are doing was having some light shined on. We have to wonder if they were concerned that if they didn’t get this cleared up quickly, then more digging might have be done and the reality of their partnership might get more exposure.

The takeaway seems to be if you run in to this situation you should make a public scene about it, or better yet, before that can ever happen move to a web host that isn’t partnered with SiteLock so you don’t risk running into this (properly securing your website would also limit the chance of this, but entirely as SiteLock is known to sometimes falsely claim website have been hacked).

A Case Study in SiteLock Leaving a Website Insecure While Labeling It as Being Secure

When it comes to the security of websites we frequently see that while security basics are often not being done, security companies are pushing more advanced security products and services. Sometimes those two things come together, last month we looked at one cyber security company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of their website up to date while telling the public they need to take advanced measure to protect their websites. As we mentioned in a post the other day, by comparison the web security SiteLock does keep the software on their own websites up to date, while leaving the software out of date on their customers websites that they are supposed to be securing. We ran across another example of that while looking at one of their case studies that is supposed to show how great their services are.

The case study is missing basics details that would be needed to understand what was actually going on and if SiteLock had done anything to actual secure the website. The post claims the website in the case study was targeted by cybercriminals, but they don’t even mention what type of attack there was:

When cybercriminals began to target Airspeed-Wireless.com last year, he became alarmed. Spiridigliozzi took an investigative approach and soon determined the attacks were coming from an IP address in Iran. His host-provided security options were limited so instead he blocked the malicious IP, hoping it would solve the problem. Unfortunately it did not and the hacking attempts continued.

Most hacks are not targeted, so it is entirely possible that what was actually happening was that website was being hit as part of mass hacks that wasn’t even trying to exploit vulnerabilities relevant to the website and there wasn’t a real threat.

Blocking IP addresses is not an effective security measure because if there is a actually a vulnerability then a hacker could easily get around it by simply using another IP address. It is important to note that the web host, the one that SiteLock says has limited security options, is Bluehost, which is not only a SiteLock partner, but it’s parent company, Endurance International Group, is run by the owners of SiteLock. SiteLock’s partners get paid handsomely for pushing SiteLock services, so providing a poor security options would likely be financial advantageous for them (that might be a good reason to avoid web hosts that have partnered with SiteLock).

The case study that then moves on to another website:

During the process Spiridigliozzi was attacked again, this time on a website he was developing. The new attack came from an IP address in Morocco. The hacker injected malware into the newly developed site and taunted Spiridigliozzi by engaging him in online chat.

There is no explanation as to how the website was hacked, which would be important information for people to know to protect their own websites and to determine if SiteLock could have actually prevented it and whether there might a more effective way to do that.

In the next section the tout their TrueShield Web Application Firewall:

SiteLock also wanted to provide Spiridigliozzi with a preventative solution. They installed the SiteLock® TrueShield™ Enterprise Web Application Firewall (WAF) on Airspeed-Wireless.com. This top tier WAF blocks bad bots, the Open Web Application Security Project (OWASP) Top 10 threats, backdoor connections and meets PCI standards.

First it is worth noting that contrary to how they promote the service, this isn’t actually their service, instead they just slap their branding on Incapsula’s WAF.

Next, just the other day we discussed an instance where one of their customers using the WAF was hacked again and they were told that they don’t cover backdoor access :

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point.  They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

That obviously doesn’t match up with their claim in the case study that WAF blocks backdoor connections.

Then they claim that numerous threats were blocked:

Since it was installed, TrueShield has blocked 9,478 malicious threats, five SQLi attempts, and 27 visitors from blacklisted IP addresses.

What stands out is the fact that most of threats that were supposed be blocked are vaguely “malicious threats”, but a few SQL injections attempts are broken out even those would also be a malicious threat. That vagueness is important since the reality is that probably only a small fraction of one percent of hacking attempts have the possibility of being successful (many hacking attempts will involve trying to exploit vulnerabilities in software not being used on a website for example). A useful measure would how many of the blocked attempts would have actually lead to the website being exploited if not running through the WAF, SiteLock probably doesn’t have any clue as to that sort of things since they don’t actually provide that service.

The next section points to SiteLock odd idea of how to protect a website:

Spiridigliozzi is grateful for the upgraded security, “The SiteLock suite of security tools now allows me to be more proactive in preventing unwanted visitors and bots from accessing my website, the dashboard gives me an immediate indication of any problems and I also receive email alerts if there are any issues.”

If there is a vulnerability on a website the best way to protect against it is to fix it, trying to stop people that might exploit it is going to be harder to do and SiteLock doesn’t provide evidence of its effectiveness.

It turns out that the website is actually insecure now in an easy to check for way. It is running an outdated version of Magento with known security vulnerabilities:

sitelock-case-study-outdated-magento-version

Magento does provide patches for older versions, so an outdated version might be secure, but in this the website MageReport.com reports that the security patch that provides the same fixes as Magento 1.9.3 is not installed (both the security patch and Magento 1.9.3 were released on October 11):

sitelock-case-study-security-patch-8788-not-applied

SiteLock seems to be unaware of this as they are currently labeling the website as secure:

sitelock-case-study-insecure-website-labeled-secure

The Previous Case Study Is Running An Outdated Version of Joomla

In the case study that proceeding the one we just discussed, SiteLock promoted its scanning service:

The SiteLock 360-degree Security Scan was placed on bluedgebiz.com. As the name suggests, the scan provides a comprehensive scan of Wilson’s entire site. This includes a complete malware, network, spam, SQL Injection, and Cross-Site Scripting scan. With this scan, Wilson is alerted immediately if suspicious code or vulnerabilities are found.

In the past we discussed that we couldn’t find evidence that SiteLock was actually able to find vulnerabilities and a past commenter who had a gotten their scanning service ended up with their website hacked four months later. Both of which don’t point to this service being that great, but the other issue with this is that even if you are alerted vulnerabilities you would need to take action.

Clearly something hasn’t worked in the case of this website as the website is currently running an outdated version of Joomla 3.6.3:

sitelock-case-study-outdated-joomla-version

Version 3.6.4 was released on October 25. That version fixed “three critical security vulnerabilities” and by critical, Joomla really meant it in this instance as websites still running older versions (the vulnerabilities existed back to version 3.4.4) were quickly being exploited (it should be noted that Joomla provided a heads up to everyone four days before that version was released).

What You Need To Know When SiteLock Contacts You Claiming Your Website Has Malware or Is Otherwise Hacked

When it comes to companies providing security services for websites most of them are quite bad from what we have seen over the years. The company SiteLock stands out from the pack though, as it it isn’t just a situation where they don’t seem to know and or care little about security, as is true of so many companies, but they seem to have taken it another level, by doing things that seem to be accurately described as scamming.

As we have recently been taking a closer look into their practices we have noticed that one of the common starting points of problems involving them is with them contacting websites that are hosted with web hosting partners claiming that the websites are hacked and that they can resolve the issue. We thought it would be helpful to present in one post some of the important information you should know when you are in that situation. Some of this they have been fairly successful in hiding from the public up until now.

Your Web Host Has a Financial Relationship With SiteLock

While web hosts will always refer to SiteLock as partner of theirs (HostGator refers to them as a “trusted partner“), what they don’t mention is what exactly that means. It isn’t a situation where they though SiteLock was a really great security company and thought it would be helpful to connect their customers to them (everything we have seen over several years is that SiteLock is quite bad at handling even the basics of security), instead the web host is getting cut of any SiteLock services that get sold through the partnership.

We wonder if they don’t mention that in part because customers probably would not be to happy to find that their web host is profiting off of their website being hacked.

That connection obviously raises some serious questions on how the web hosts handle clients with possibly hacked websites and their interest in keeping their clients secure, since that could cut into their profits. For one of their partners, GoDaddy, we have found multiple instances where the web host has put their customers at risks through their negligence and SiteLock continued to partner with them despite that.

The payments also means that their recommendation to use SiteLock is far from unbiased.

In the case of the many web hosts owned by the Endurance International Group (which include A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, and IPOWER, and others) there is another connection. The majority owners of SiteLock also happen to be the CEO and a board member of Endurance International Group. What is interesting about that is that the only reason we know that to be the case is that the Endurance International Group is legally required to disclose this to their investors in financial filings, neither company discloses that in a public fashion. In fact one the web hosts, HostGator, recently would not even acknowledge that this was true when presented with the information coming directly from their parent company. That seems to be us to a pretty good indication that the companies don’t think that what they are doing is above board.

Don’t Ignore The Message…

We oftentimes hear that people have ignored messages from SiteLock or their web host that the website contains malware or is otherwise hacked. That is a very bad idea, because if the website is hacked then the situation can get worse if you ignore it. For example, additional hackers might exploit the same vulnerability and they might do more damage to the website then the earlier hackers did. That being said, one of the issues we have found with SiteLock is that they will claim that websites have been hacked when they haven’t actually been, so that is why we recommend you a get a second opinion after being contacted.

…But Get a Second Opinion

You should get any information that SiteLock and or your web host will provide on the hack and then get in touch with a reputable hack cleanup company to discuss the situation, due to the fact that SiteLock is known to incorrectly claim websites are hacked in some instances. We are always happy to provide a free consultation on dealing with a hacked website and we always make sure a website is actually hacked before taking on a cleanup, as we have found that other issues are often confused as being hacks.

Make Sure Your Hack Cleanup is Done Properly

We are often brought in to re-clean hacked websites after someone else previously did that and then website got hacked again. While that isn’t always the fault of the company doing the previous clean up, we often find that the previous company had not done basic pieces of the cleanup, which would increase the likelihood that it would get hacked again. Making sure that the company is doing things correctly reduces the chances you will have the website hacked multiple times and possibly have to pay multiple companies in the end (the lower priced providers often don’t end up being the value they seemed at first).

The company doing the cleanup should tell you they are doing the following three basic elements of a proper cleanup:

  • Clean up the malicious content. (This is the obvious one.)
  • Secure the website. (This usually consists mainly of making sure the software on the website is up to date. If the company doesn’t have the expertise to do that, then they likely don’t have the expertise to properly clean up a website using that software either.)
  • Determine, to the extent possible, how the website was hacked. (Websites don’t just get hacked and if you don’t fix the vulnerability that obviously leaves open the possibility it could be hacked again. Without determining how it was hacked you won’t know what the vulnerability that needs to be fixed actually is.)

Your Will Likely Be Overpaying SiteLock For SiteLock Services

We had long suspected that web hosts get a cut of services fees from SiteLock’s services, but when we found how much it was, it surprised us. According to prepared remarks for earnings call, in fiscal year 2014 the Endurance International Group reported receiving 55 percent of the revenue from their partnership with SiteLock. In practical terms that means the company actually provided the service is getting half the revenue from the service, or to put it another you are only getting about half the level of service you are paying for. So you are probably better off finding someone else to provide any services you are being offered from SiteLock.

SiteLock Provides A Service That Indicates They Don’t Do Proper Hack Cleanups

One of the upsells that SiteLock tries to get people to buy is an ongoing service that includes repeated manual hack cleanups, with prices in the thousands of dollars a year. If a website has been properly cleaned up the only way the website should get hacked again if some other vulnerability is discovered that could be exploited. The fact they offer a service that involves them repeatedly doing hack cleanups indicates that they are not properly securing websites, so you end paying a lot more than you should for a cleanup and your website is still left insecure. A recent situation where we were brought in to clean up the mess SiteLock left behind seems to confirm the don’t do proper cleanups.

SiteLock Lies About Who Provides Some of Their Services

As we have recently been looking closely at SiteLock we keep finding more troubling aspects of the company. One that we recently discovered is that they claim that they directly provide some of their services, while they are really provided by another company. In that case it involves sending all of a website’s traffic through another company systems, which is a pretty big concern. There is also the aspect that they are not honest, which is fairly important when dealing with a security company, especially one that can claim your website is hacked and get your web host to take actions against it.

Beware of SiteLock’s Protection Plans

Another thing that has come up repeatedly is that SiteLock sells plans that are supposed to protect that don’t actually protect them. Take one comment we received on a previous post on SiteLock:

Listen to this: Bluehost persuaded me to get Sitelock security for my website and I stupidly paid $500 for a year. This was in January. Yesterday, Sitelock alerted me to malware on my site that could result in terrible consequences. They would remove the malware for a one-time fee of $300! I contacted them to say, “WHAT WAS THE $500 for??” and a hostile character calling himself “sean” told me it was for “scanning.” This company needs to be stopped from continuing their predatory practices.

Not surprisingly SiteLock doesn’t present any evidence, much less independent third-party evidence, that their protection services provide any protection over taking basic security security measures.

In another instance we looked at recently a website with a protection plan was hacked again and at that point SiteLock informed the person running the website, that since the protection was correctly set up the hack must have been caused by something they were not responsible for.

While what we have seen is that these protection services from any company have a limited at best ability to protect and we don’t recommend them, before signing up for one, you should get evidence as to their efficacy.

More Evidence That SiteLock’s TrueShield Web Application Firewall Is Really Incapsula’s WAF

Last week we looked at the evidence we had found that a couple of services that SiteLock was claiming to provide directly were actually provided by Incapsula. That would be an issue both because you have a security company pretty blatantly lying, but also because websites using the services would have traffic is going through a company they are neither aware would have access to their traffic and or that they have a relationship with.

For one of the services, Sitelock’s TrueSpeed CDN, the evidence was beyond a reasonable doubt to us that the service is really provided by Incapsula. For their TrueShield Web Application Firewall (WAF) it seemed likely that was also the case, due in part that it would be easier to use Incapsula’s WAF when they already were using their CDN, but the evidence wasn’t as strong. We ran into another piece of evidence that makes it pretty conclusive that the service is also actually provided by Incapsula.

While requesting a page be saved on archive.org, so that we could link to it if it got removed from the website it was on, this was saved instead:

sitelock-trueshield-web-application-firewall-captcha-page

That page claims that the website is “protected and accelerated by SiteLock” and that there is a ” SiteLock security network”:

The web site you are visiting is protected and accelerated by SiteLock. Your computer might have been infected by some kind of malware and flagged by SiteLock security network. This page is presented by SiteLock to verify that a human is behind the traffic to this site and malicious software.

Here is one of a number a screenshots we found with of the exact same page when coming from Incapsula:

incapsula-waf-captcha-page

The only difference with it is the branding. There really isn’t a way that could be coincidental.

That doesn’t match with SiteLock’s description on the page for the service though. For example, they claim that SiteLock is analyzing the request, when in fact it is Incapsula:

sitelock-trueshield-web-application-firewall-diagram

Looking At How SiteLock Sells Their Services Versus the Reality Behind Them

We recently have been taking a close look at the practices of the web security SiteLock after finding that not only were they providing poor quality services (as is par for the course for web security companies), but a lot of what they look to be doing falls more closely to outright scamming. We thought it would be useful to show how some of what we have found comes in to play to their interactions with a customer. To do that lets look at a recent complaint from one of SiteLock’s customers that hits on a number of issues with what SiteLock is doing.

After their website had been hacked in February of last year SiteLock sold them on one of their services:

[L]ast February we purchased “SiteLock Premium” for $500/year. I was told this was the best security product available. With it, I would have a firewall that would prevent any further attacks.  And since it runs “in the cloud” it would actually make our site faster. We were assured that SiteLock has never been hacked and even if we are hacked, our site would be cleaned.

There are a number of issues we see with that.

We are not sure how SiteLock’s website never being hacked (if that were even true) would mean that their customer’s website wouldn’t be hacked, but that would seem to require the same practices being done on both, but that isn’t the case as we will get to in a later in the post.

Then there is the issue that as best we can tell SiteLock’s web application firewall (WAF) isn’t actually their own, instead there are reselling Incapsula’s WAF service. That raises several issues. One is that SiteLock promotes the service as if they are providing it, if they would lie about that, you can reasonably wonder what else they are not being honest about. Since the service involves sending the website’s traffic through the CDN, that means all the traffic is flowing through a company the SiteLock’s customers are not even aware of, much less have a relationship with. Finally you have to wonder if SiteLock is even aware of how good or bad the WAF is at protecting against attacks, since it isn’t actually something they run.

Another serious issue is that SiteLock failed to do a basic part of a proper hack cleanup, making sure that they software is brought up to date. In this case the website is still using Joomla 2.5:

A Website That Is Supposed to be Secured by SiteLock is Still Running Joomla 2.5.28

That version of Joomla reached end of life on December 31, 2014 and therefore was not receiving further security updates. So any cleanup in 2015 should have included upgrading to a supported version of Joomla. (It is important to note that SiteLock is certainly not alone in doing this important part of hack cleanup, many providers cut corners like this.)

By comparison SiteLock does keep their website up to date. Both their blog and their WordPress focused sub-domain, wpdistrict.sitelock.com, are using the latest version of WordPress:

The SiteLock Blog is Running WordPress Version 4.6.1

SiteLock's The District Website is Running WordPress Version 4.6.1

Keeping the software running your website up to date is going to provide real protection, whereas other security services may not (we haven’t seen SiteLock present any evidence that their services provide better protection then doing the security basics). Its telling that SiteLock does that for their own website, but doesn’t for their customers.

More Money

One of the things we frequently see brought up with SiteLock is after purchasing one security services that was supposed to protect the website and then doesn’t, they want to sell your more expensive services (that was even mentioned by someone who praising their service (and then deleted their post for some reason)). Remember that this person was sold a $500 a year plan that they say SiteLock claimed was the “best security product available”, then the website got hacked again and they are pushing a $720 a year plan:

We were recently informed by SiteLock that our site had sustained a Pharma attack that had inserted links directly into our code. This attack could not be automatically cleaned their software could not remove the malware systematically without risking bringing down our site. The SiteLock technician suggested that we purchase their “Infinity Scan” product for $60 /month.  That product includes manual cleaning of our site.

Again there are multiple issues raised here.

You can start with the fact that SiteLock makes a big deal about their automated malware removal in their marketing material, but never mention that it can have the serious problem of taking down a website. It also seems to us that in an instance where it isn’t up to task they shouldn’t be charging extra to deal with the situation, as it is unable to do what it is promoted to do (and considering their track record you would also have to wonder if they sometimes claim it couldn’t to get more money from people).

The other troubling aspect of this is that they have a service that provides manual hack cleaning on a repeated basis. If a website is properly cleaned then it shouldn’t get re-hacked, so unless you are not taking basic security measures or get unlucky and have get hacked thorough multiple zero-day vulnerabilities in a year you shouldn’t need multiple cleanups in one year. The fact that they provide this would be a red-flag on it own that they don’t do proper hack cleanups, but we already knew that SiteLock doesn’t proper clean up hacked websites, so you don’t have to wonder about that.

What would seems to have happened here seems to be another example of that. So how did SiteLock explain how the website was hacked again after they were brought in:

Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point.  They don’t cover that. Bluehost doesn’t cover that. I’m screwed.

The backdoor access must have either existed when SiteLock was first brought in to deal with the website and should have been handle during the cleanup or was gained after the were supposed to protecting the website. In either case we don’t understand how that wouldn’t be on them. The explanation seems to be that since things were set up correctly it couldn’t be their fault, which doesn’t make any sense to us.

Also worth noting here is that their web host, Bluehost, who pushes SiteLock services as one of their “partners”, is ultimately run by the owners of SiteLock and looks to be getting a majority of the money from services sold through their partnership (which explains the high price of SiteLock’s services and the low quality for the amount paid). That isn’t something they publicly disclose and something that one of the other web hosting owned by the same company, Hostgator, wouldn’t even acknowledge is after it was pointed out those facts were coming from their parent company.