SiteLock Report Leads to False Claims About the Security of WordPress Websites

One of the problems when it comes to improving security is there is so little accurate information out there. Often times security companies are putting out misleading or outright false claims. When their information is repeated by security journalists the quality of it usually degrades from the already often low quality. As example of what happens when security journalists repeat security companies’ claims was something we recently ran across related to SiteLock.

In an article on CISO MAG the following claim was made that seem unlikely to be true:

SiteLock’s analysis also showed that a website’s content management system had an impact on overall security. Forty-four percent of websites using WordPress CMS had not been updated for over a year at the time of filing this report.

We went to look into that because that because it seemed like it would be a good example of SiteLock getting stuff wrong, but in looking at the report what SiteLock actually claim was very different. What they said hasn’t been updated in a year are plugins in the Plugin Directory:

44% of plugins in the WordPress repository have not been updated in over a year

It is important to note that doesn’t mean that those plugins are somehow insecure, though if plugins are not at least being updated to list them being compatible with newer versions of WordPress there is a greater chance that if there is a security vulnerability found that it will not be fixed promptly or at all (though in reporting many vulnerabilities to WordPress plugin developers through our Plugin Vulnerabilities service even very recently updated plugins are not always fixed in a timely manner or at all).

Making that incorrect claim seem odder is the beginning of the next paragraph of the CISO MAG article:

Nearly seven in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

If “nearly 7 in 10 had the latest security patches” then it wouldn’t make much sense that 44 percent of them hadn’t been updated in the last year.

The claim that the website “compromised because of vulnerable plugins” is also not what the report says. Instead it says:

69% of infected WordPress websites were running the latest security patches for WordPress core at the time of compromise.

This data illustrates that even when running a version of WordPress with all of the latest security patches, a vulnerable plugin or theme can just as easily lead to a compromise.

Looking at the rest of the report there were a couple of other WordPress related items that stood out. The first thing is a mention of “publications” that “inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure”:

NOTE: Many publications have inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure. As of the end of Q2 2017, the WordPress community actively provided security fixes for all versions of WordPress from v3.7 to the current v4.8. Our research takes into account each security patch release for every version of WordPress in Q2 2017. For example, WordPress v3.7.21 contains all of the same security fixes implemented in the current version, v4.8. In theory, this makes v3.7.21 as safe as v4.8.

We are not sure what publications they are referring to, but one security company comes to mind, SiteLock, which has been falsely claiming that websites are insecure when running the latest version of older versions of WordPress. We first noticed this back in September of last year and SiteLock was clearly aware of that post, but as of at least June they were still doing this.

Another element of the report repeats a WordPress related falsehood from SiteLock that we debunked in April:

Fake Plugins: Trend Maricopa

In what SiteLock Research would call an “oldie but a baddie,” we saw a trend in the first week of April that centered on the return of an old trick targeting WordPress websites where malware disguised itself as a legitimate forum plugin in the WordPress plugin directory. This ruse, while easily dispatched by specialized malware detection systems, would just as easily escape the concern of an untrained eye. Fake plugin malware iterations continue to be developed and deployed because, quite simply, most people don’t notice them. In a world where the majority of website owners don’t take a proactive approach to malware prevention or remediation, persistent infections continue to be common.

The reality is the supposed legitimate plugin, WordPress SEO Tools, has never existed, whether in the Plugin Directory or otherwise. We don’t understand why SiteLock is continuing to peddle that falsehood when it is so easy to confirm it to be false.

Deleting Files Your Web Host Identified as Malicious is Not a Proper Hack Cleanup

Websites don’t just happen to get hacked, something has to have gone wrong for that to happen. Far too often we see that original problem is compounded by improperly cleaning up the website from the hack, which if properly done involves trying to determine how the website was hacked so the source of the hack can be determined and fixed. If you don’t do that then the website can get hacked again. You might get lucky and the hacker doesn’t come back, but if they do, it can lead to repeated issues if not resolved (which is the point where we are often brought in to clean things up).

For whatever reason we recently have been contacted by a lot of people coming to us through information we have written about the web security company SiteLock, who have, instead of doing or getting a proper cleanup done, decided just to delete files that their web host has indicated contain malicious code. In some cases they contact us because they then continue to have problems and in others they are looking for security solutions that won’t actually resolve the possibility of being re-hacked to try to deal with the possibility of that occurring.

It isn’t that no one has suggested doing something other than what they have done, as an example, one of the people that contacted in this type of situation, forwarded us a file with a list of malicious files their web host, Bluehost, had provided. Right above the list was the following information:

Files may have false positives. Please review each file to make sure each file actually contains malware. Please note that we are not a security company
The Content listed below may not be a complete list of malicious content on your account.
You are ultimately responsible for all of your content.
This is just what we have found that appears to be malicious.
These files appear to contain malicious code.
You will want to review the files and remove the injected code from important files and/or remove unused or invalid files.

Bluehost usually also sends out an email like the following when they are notifying someone that their hosting account is being deactivated, which includes some example files:

Your [redacted] account has been deactivated due to the detection of malware. The infected files need to be cleaned or replaced with clean copies from your backups before your account can be reactivated.

Examples: /[redacted]/public_html/tracking/include/pclzip.lib.php
/[redacted]/public_html/calltrack/include/pclzip.lib.php

To thoroughly secure your account, please review the following:

 

* Remove unfamiliar or unused files, and repair files that have been modified.
* Update all scripts, programs, plugins, and themes to the latest version.
* Research the scripts, programs, plugins, and themes you are using and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all scripts/programs you are using. If you need assistance creating secure passwords, please refer to this knowledge base article: https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program. If you’re already using one, try another program that scans for different issues.

 

You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before contacting the Terms of Service Department to reactivate your account.

In the case of that message, it is rather explicit that those are just examples, not all of the files, but we have people contacting us that just deleted those files.

Bluehost is one of many brands that the Endurance International Group (EIG) does business under, which is one of SiteLock’s largest partners (and also run by SiteLock’s owners). Their other brands include A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. Many of those who have contacted after just deleting those files have been at their various brands, so they likely would have received a similar message.

Proper Cleanup

In both types of message shown above it is suggested to not just delete files. That is important because hackers often add malicious code to existing files, so just deleting the files could cause the website to no longer function if they are needed for normal usage of the website.

If you just remove malicious code that was on the website that will not resolve the issue, as the code had to get their somehow. That is why in addition to making sure you have removed all of the malicious content, you need to secure the website (which usually mainly consists of updating the software) and try to determine how it hacked in the first place, so that issue can resolved and the hacker can’t get back in.

If you can afford it, your best bet to get all this done is to hire someone that provides a service that does all those things, which as far as we aware is not a service that SiteLock provides.

Going Forward

Once the website has been properly cleaned up the best solution is to make sure you are taking steps to keep the website secure going forward. We have people coming to us that instead of being interested in doing those things are looking for a scanning service or a protection service. We have yet to see any service like that were evidence, much less evidence from independent testing, is being provided that they are effective at doing those types of services. We have had plenty of people that are using those types of services that have come to us because they didn’t provide the type of protection that was claimed (often after the websites has been hacked again), so they don’t seem like a good use of money unless you can find one that provides evidence of its effectiveness.

OneHourSiteFix’s Crazy Claims About WordPress Websites Being Hacked

Recently we got a spam comment on one of our posts that was meant to provide a link to onehoursitefix.com. The name given with the comment was “how to fix a hacked site” and the comment, which was irrelevant to the post, was:

You might be scratching your head at this point because you are
certainly not sure what tattoo. It is also a classical technique, which started out
for the dancers to seem weightless. s always preferable to let someone
know your location going and which route you.

It probably doesn’t say great things about that website, OneHourSiteFix, that they appear to need to promote themselves in that way, but that turns out to be much less concerning than the blog post we noticed linked to from their homepage.

The title of the post in the title HTML tag is “WordPress Website Defaced ? Due To A Well Known Security Company ?” and the on page title is “WORDPRESS PLUGIN VULNERABILITY MEANS MILLIONS FIND THEIR WORDPRESS WEBSITE DEFACED BY HACKERS”. The post is listed as being put out on June 26, 2017.

The first paragraph seems to be written by someone who has absolutely no idea what they are talking about:

Free open-source website and blog creation tool ‘WordPress’ has left millions of pages defaced, due to a remote code execution (RCE) feature being added to the package. This feature has allowed hackers to take control of pages using WordPress plugins allowing attackers control over editorial features in order to vandalize pages or even worse execute malicious payloads. Plugins are those great bits of extra software you can add to your WordPress site to do everything from show a map of visitors to show a fancy photo gallery. Plugins however, have always been a l known and documented ‘attack vector’ for hackers. An attack vector being ‘a way in’ or path into a website. The end result is millions of site owners have found their WordPress website defaced by hackers.

What it sounds like this person might referring to is a vulnerability that had existed in WordPress 4.7.0 and 4.7.1 that allowed attackers to change the content of posts and was fixed in January. It wasn’t a “remote code execution (RCE) feature” and there hasn’t been something like that added to WordPress. The vulnerability could have had more serious consequences if certain plugins that allow PHP code to be run in posts, which might be what the reference to plugins there is trying to refer to. There was nothing that could remotely be what is described there that happened in June, what did happen in January also doesn’t appear to have impacted millions of websites.

That explanation seems more likely based on the next paragraph (though it again doesn’t make much sense as written):

A well known security firm released a statement saying they had detected multiple hackers seizing control of sites. A backdoor in the protocol allows attackers to inject ads, spam and affiliate links. The security firm expects many more attacks to follow and even advised users to disable the plugins due to attackers using these them to insert malware into any affected website More often than not the old, ‘Hacked By GeNErAL’ ! types of defacement are being replaced by monetising hacks with compromised sites being used to make money for the hacker via the use of paid ads (selling everything from viagra, research chemicals to fake crypto currency exchanges) or redirect them to an ‘online pharmacy’
The fourth paragraph claims, which is below, would seem to confusedly reference what happened as well. As the exploitation only started after it was disclosed that WordPress 4.7.2 had included a fix for the vulnerability a week after that version was released.
What is also interesting is that before the security company released the details of the hack, very few WordPress websites had actually been compromised. The timeline in which the hack was detected, details released and then the fix released – does arouse suspicions amongst the conspiracy theorists amongst us.
The third paragraph makes a claim that seems crazy:
In March alone, over 45 million of WordPress websites were defaced and infectd. Many websites are still affected with many of their users not even realising that hidden within their blog there is a page that is selling some seedy pharmaceutical product . Often these hacked website pages are only found by using very specific search terms in google so blog owners are blissfully unaware that their sweet and innocent cupcake blog is actually harbouring a deep secret within the blog pages…
If it were true that 45 million WordPress website had been “defaced and infected” in just that month that would likely mean that a majority of WordPress had that happen to them. While the numbers seem to be a bit of an estimate, there are figures out there for the total number of WordPress websites at figures like 75 million according to a Forbes article from December. Clearly over half of WordPress websites were not hit during that month.

Another Very Odd Claim

In looking at their service there is another element that makes it sound like something is very amiss. One part of their service is cleaning up hacked websites and the other is a web application firewall (WAF) that is supposed to stop them from being hacked again. What is missing is the thing that should tie those together, determining how they website got hacked. If you don’t do that you can insure the vulnerability that was exploited has been fixed and the website won’t get hit again. That would also seem important to make a WAF effective.

Instead of doing what would actually prevent the website from being hacked again they make a claim that doesn’t sound believable:

 IN ADDITION – our security experts manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned. This layered approach ensures we don’t just throw the hackers off a site – we slam the door on them as well.

That would take a very long time to do on most websites, yet somehow they are also going to fix the website in an hour, and it would likely be very ineffective since the sheer amount of information being reviewed would make it less likely that someone would spot a real issue among everything else.

On the page about their cleanup service there was a linked review that while giving them five-stars and seemed positive, indicated that this person’s websites have been repeatedly hacked:

Always quick, always clean.

OneHourSiteFix staff goes above and beyond everytime we’ve had an issue. Quick service, speedy cleaning, and even making sure sites like Google rank you site as safe again. We can’t thank them enough for keeping our servers from getting shut down by our service provider due to infections/spam. Top notch, our go to company for website cleaning everytime! Need help, look no further!
Which isn’t surprising based on what else we saw.

Sucuri’s Scare Tactics on Display with Their Claim That the Washington Post’s Website Contains Malware

Back in March we put out a post about the, now GoDaddy owned, website security company Sucuri’s SiteCheck scanner falsely claiming that our website was “defaced” and that “malicious code was detected”. That claim was based on a page on our website being named “Hacked Website Cleanup – White Fir Design”.

We recently had someone contact us that ran across our post after having Sucuri make a similar false claim about their website. In their case they were contacted by their web host SiteGround with the Sucuri results. In looking in to what was going on we found a post on SiteGround’s blog from March announcing they were going to start doing that. What they say about Sucuri is disconcerting:

There are several reasons to change our scan partner from Armorize to Sucuri. First, Sucuri is one of the most respected companies in the website security field. In addition, we have been working in partnership with them for several years. We have relied on their expertise for solving numerous complex security issues. And last, but not least, many of our clients’ websites have also been cleaned by Sucuri from malicious code over the years. That is why it was only natural that we extend this already successful partnership and make it cover the daily site scans too.

If they are truly one of the most respected companies in the website security field, that doesn’t same much about the field. Not only has their scanner been quite bad for years, but what we have seen with their clean up of hacked website hasn’t been good either, an example of that involved a website they claimed clean despite compromising credit info entered on it. They also don’t seem to understand the basics of security. And about a year ago they accidentally made a good case for avoiding themselves.

But let’s get back to their scanner, which SiteGround is now helping to cause more people to interact with the results of.

Scare Tactics

If you go to the web page for Sucuri’s Scanner you will notice that just below where you enter an address to have it scanned, it states:

Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

That sound reasonable, the problem is that it doesn’t in any way match how they present results from it. Here is what it looks like when they think a web page contains malware, as can be seen with a page from the Washington Post’s website, which we happened to submit to test out something related to the false defacement claims:

Among the very scary sounding things they have on their are:

Warning: Malicious Code Detected on This Website!

Status: Infected With Malware. Immediate Action is Required.

Malware Detected Critical GET YOUR SITE CLEANED

Get Immediate Clean Up CLEAN UP MY SITE

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

Though looking at the evidence presented to back that all up they seem a lot less sure there is even an issue as it is stated that “Anomaly behavior detected (possible malware)”.

When looking at the malware definition given, MW:ANOMALY:SP8, things are also unclear, as first they refer to what it detects as being “suspicious” and “possibly malicious”:

A suspicious block of javascript or iframe code was identified. It loads a (possibly malicious) code from external web sites that was detected by our anomaly behaviour engine. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

But then states their “engine found it to be malicious”:

This is not a signature-based rule, but looks at anomaly behaviors on how the web site is being loaded. Our engine found it to be malicious (related to remote includes).

It isn’t reassuring that on one page they both claim detecting this would mean that something is malicious and that it is only possibly malicious.

Get a Second Opinion

We would strongly recommend that web hosts don’t do what SiteGround is doing here and further spreading Sucuri’s inaccurate results. It would probably be best to avoid any web host that does something like this as well, since it doesn’t show they have an interest in best helping their customers or that they are doing proper due diligence.

If you do get sent results by your web host that claim your website is hacked, whether they come from Sucuri or another company, we would recommend that you get a second opinion as to their veracity from a more trustworthy company that does hack cleanups. We are always happy to do that for free and we would hope that others would too.

If Wordfence Security Doesn’t Find Any Malicious Files on Your Website It Doesn’t Mean That It Isn’t Hacked

When it comes to WordPress security plugins, one is by far the most popular. That plugin being Wordfence Security, which has over 2+ million active installs according to wordpress.org (the next most popular one has 800,00+ active installs). At least some of its popularity is based on people believing that the plugins is much more capable than it really is.

Some of that belief is based on the company behind the plugins simply lying about its capabilities. For example, here is the second sentence of their description of the plugin on wordpress.org:

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Would it be possible for the plugin to stop some hacks? Sure, but it can’t possibly stop all hacks. For example, if the website is hacked through a compromise of the FTP login details or a server level breach, that is occurring below the level the plugin is operating, so it can’t stop that. While a security plugin could try to detect a change made by that hack, the hacker would also likely have the ability to remove, disable, or modify the plugin with the access they have as well. It isn’t hard to understand why Wordfence would lie about this, since people will believe it and other false claims they make.

Even in situations where the plugin might be able to provide protection, unless you are paying for their premium service, they will leave you vulnerable for 30 days or more after they add protection (their ability to do that would require them knowing about the vulnerability, which isn’t a given), so Wordfence knows that a blanket claim that the plugin will stop you from being hacked isn’t true.

The claims being made don’t always come from the makers of Wordfence. For example, last year we noted an instance when someone posted on the wordpress.org support forum looking for help with hacked website they were told by two people that Wordfence Security would fix it, despite the person looking for help having already said that they had tried to use it to fix the website.

The latest incident of a belief that Wordfence Security is more capable than it really is, involved someone who came to us looking for advice on a claim from their web host that their website had been hacked. They believed that their web host’s claim was false in part because Wordfence Security couldn’t find any malicious files on the website.

Our experience from people presenting us results from numerous different automated tools for detecting malicious code over the years, is that they miss a lot of malicious code and can produce some bad false positives. So you can’t rely on them to determine that a website isn’t hacked. Due to the false positives you can’t totally trust them to determine that a website is hacked, though we would have more confidence of a claim that a website is hacked than it isn’t based on their results.

In this case what the website’s owner hadn’t done was to ask the web host for evidence to back up their claim that the website was hacked. Instead of looking to Wordfence Security or another plugin/service to try to determine if a website is hacked in this type of situation that should be the first thing done. Once you have that evidence, if you are unable to determine if the evidence backs up the claim we would recommend that you get a second opinion from a company that deals with hacked websites. We are always happy to do that for free and we would hope that other would as well.

When we were sent one of the files from the website, we not only immediately recognized it contained malicious code, but it was something that would have been picked by our partially automated scanning for malicious code (a human reviews all the results this scanning produces to determine if the code is actually malicious code). So the website was actually hacked and Wordfence Security had just missed malicious files, despite containing fairly common malicious code.

Since Wordfence Security couldn’t even detect the malicious code, it also wouldn’t have been able to clean it up, a further reminder that Wordfence Security’s ability to clean up hacked websites is also limited.

What It Takes for SiteLock to Claim a Website is At Low Risk

One of the more recent activities from the web security SiteLock that seem like it could be classified as a scam, is a score, from “low” to “medium” to “high”, that is supposed to indicate how likely a website is to be hacked.

We first ran across it when a Forbes contributor wrote about how they were told that their website, which consists of a “static HTML page with a few images and a few locally hosted CSS, font and JavaScript files”, was at “medium” risk based on this score. When the author of the article raised question about this, SiteLock couldn’t even explain a way that the website could be hacked that was considered by their score despite claiming it was at “medium” risk of that happening. Another element that makes this seem like a scam was that SiteLock provided supposed percentages of the risk that that got to “medium” risk, which don’t seem believable. Most of the risk, 64%, came from the “Site size and the number of distinct components”, despite the website having only one page and no components that seem like they could have lead to the website being exploited.

With SiteLock claiming that website was at “medium” risk, we wondered what it would take for SiteLock to claim is at “high” risk. A couple weeks later we got the answer, when we were contacted by someone that had been notified that their website was at “high” risk based on the scoring. So what kind of website is at “high” risk? One that only contained static HTML pages, but it did have multiple pages, so maybe that is enough for them to make that claim.

The question that then left us with was what it would take for a website to receive a “low” risk score. The answer it seems, based on a recent tweet we ran across, is for a website where the domain name that isn’t even registered:

This isn’t the only recent issue we have seen with SiteLock and an unregistered domain name, as several weeks ago we discussed a claim from SiteLock that a website contained “critical” severity malware due to a link to an unregistered domain name.

In looking for other instances of the “SiteLock Platform Digest” show in that tweet, we ran across someone that had received it unsolicited and SiteLock tried to claim that it was sent due to a web host, despite the web host having nothing to do with SiteLock.

iPage Causing OpenCart Websites to Stop Functioning

We recently had someone come to us for OpenCart support after out of the blue the website stop functioning and the following error was being shown instead:

Warning: require_once([redacted]/system/startup.php): failed to open stream: No such file or directory in [redacted]/index.php on line 17 Fatal error: require_once(): Failed opening required ‘[redacted]/system/startup.php’ (include_path=’.:/usr/local/lib/php-5.5.22-amd64/lib/php’) in [redcated]/index.php on line 17

The error message seemed to indicate that a file was missing, but when we checked the files the file in question, /system/startup.php, was still there. With a closer look at the message we could see that the file was being requested from a different location than it seemed it should. What we then found was that web host for the website, iPage, had for some reason changed the directory path for the account of the website. The configuration files still had the old location included in the directories listed in them. This wasn’t a one off issue, as while we were looking into the issue we found another instance of that involving another OpenCart based website two months ago.

The quickest solution to the issue is to simply update the path for various settings in the /config.php and /admin/config.php files. The limitation with that is that if iPage changes the directory path again the website would stop working again.

To workaround that we then tried to use relative paths for the various directories listed in those files, which worked except images were not showing up. In troubleshooting that we noticed the “src” attribute for images was empty. We the found that the cause of that was the following code in the file /catalog/model/tool/image.php (also in /admin/model/tool/image.php):

if (!is_file(DIR_IMAGE . $filename) || substr(str_replace('\\', '/', realpath(DIR_IMAGE . $filename)), 0, strlen(DIR_IMAGE)) != DIR_IMAGE) {
	return;
}

The second check in that if statement would fail causing no image to be specified.

Removing that check would resolve that issue, but the problem would reoccur after any upgrade due to the new version of the file restoring that code.

Ultimately we added code to the configuration files to get the current directory path using getcwd(), so that if iPage changes it again then the new one will be used automatically and the website won’t go down.

SiteLock and Their Web Hosting Partners Are Not Trying To Extort You

When it comes to information on web security a lot of it is incredibly inaccurate. A lot of that comes from security companies, as can be seen by looking over many of the posts on this blog detailing some of the many instances of that happening. They are not alone in this, much of the information put forward by the public is wrong as well.

One area where we have been seeing that as well dealing directly with people making such claims, involve baseless or outright false claims about the web security company SiteLock and their web hosting partners. What makes this stand out is there is so much bad stuff about them that is true and yet you have people making untrue claims of bad things they are supposed to be doing, but are not.

In some cases the true problems and the false ones might be related. Recently we discussed yet another instance of SiteLock falsely claiming that a website contained malware, this time it involved a link URL for blog post comment that linked to an unregistered domain name. We often see and hear people claiming that SiteLock or their web hosting partner have hacked their websites. We have yet to see any evidence of that or any a plausible explanation of how someone came to the conclusion that had occurred. It seem conceivable that some of those claims involved websites that SiteLock falsely claimed contained malware and the owner believed that it was infected, but thought that SiteLock did it (that might sound odd, but it doesn’t based on some of the interactions we have had with people making the claims).

Recently we have seen and heard from a many people claiming that SiteLock and their web hosting partners are holding websites hostage, holding them for ransom, or are engaged in extortion.

What these seems to underlie this is people reading previous claims along the same lines or not paying attention to what they are being told.

The reality is that while SiteLock’s web hosting partners will often disable a website if they believe malware is on it (and they are not always right) there is no requirement that you hire SiteLock to clean up the malware, as we mentioned before. Here for example is the text that Bluehost (whose parent company does business under the names A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others) explains what needs to be done to have the website turned back on:

You will need to review your files and clean the account accordingly by removing all malicious files, not just the reported url. Once you have confirmed your files are clean and no longer a threat, please contact us again to have your account reactivated.

In dealing with lots of website that are in this situation there has never been any issue with the website being turned back on when we have cleaned up the website instead of SiteLock.

We also haven’t seen any issue where people could not get the access needed to move their website before it has been cleaned up.

In cases where website have incorrectly been disabled and we were ask to take a look at the claim, we are not aware of any situation where the web host did not the turn back on the website after it was pointed out there was false positive that lead to disabling.

If you have a website that SiteLock or their web hosting partners are claiming is hacked what we suggest you do is to get any evidence they will provide you about the issue and then get a second opinion on the situation. We are always happy to do that for free and we hope that other security companies, who are certainly aware of what is going on, would do that as well.

Someone that knows what they are doing will usually easily be able to tell if the website is in fact hacked and needs to be cleaned. If it is hacked, you would probably be best off not hiring SiteLock to clean it because not only do they overcharge for the quality of service they provide (due in part to how much of the fee is going to their web hosting partners), but also because they don’t properly clean up websites.

SiteLock Claimed Website Had Critical Severity Malware Due to Link to Unregistered Domain Name in Comment

On most days we now have multiple people contacting us in regards to claims made by SiteLock and their web hosting partners about the security of their websites. Those contacts broadly fall into to two categories these days.

The first involves websites that SiteLock and their hosting partners are claiming are hacked, which are in fact hacked, but seemingly due to their reputation and shady sales tactics, the websites’ owners believes that the websites are not hacked. In some cases we even are contacted by people claiming that SiteLock or their web host has hacked their website, though those claims have appeared to be completely baseless (we have seen zero evidence ever that SiteLock has hacked any websites).

The second category largely involves SiteLock and their web hosting partners making seemingly baseless claims that websites contain some vulnerability, are at high likelihood of being hacked, or have some other security issue. A recent source of many of those claims has been something referred to as the SiteLock Risk Assessment, which is supposed to provide a score of how likely a website is to be hacked based on “predictive model that analyses over 500 variables “, but the scores appear to be unconnected to reality.

The combination of those situations is not just bad for the people having to deal with the claims made by SiteLock and or their web host, but also for the general public since websites that are really hacked are not being seen as having the serious issue they have, due in part to the false claims also being made.

A recent example of the latter category stood out to us as a good example of the type of activity that has caused SiteLock to earn a reputation as scammers.

We were recently contacted by someone that had multiple calls and emails from SiteLock claiming their website contained malware. Below is one of the emails that was sent by SiteLock about this supposed issue:

Dear SiteLock Customer,

   My name is [redacted] and I’m a Security Consultant here at SiteLock Website Security.We are reaching out to you because one or more of the domains you own has malware on it and this issue needs to be resolved. As your website security provider you Do Not have the appropriate level of security to remedy/ remove and prevent these issues.

I’ve attempted to leave a message or left a message on the number in our records as well.

Contact me immediately and directly. We are able to assist you. [redacted] // [redacted]
Cheers,

Worth noting here is that SiteLock’s usage of “Security Consultant” is in fact a euphemism for a commissioned sales person, who likely doesn’t have any background in security.

When we were contacted about this, we asked if there had been any evidence provided to back up the claim that the website contained malware. One reason for doing that is that SiteLock labels all sorts of things that are not malware as being malware, so that makes providing a second opinion in many instances very difficult because the claimed issue could be one of many things.

The website’s owner had not been provided any yet and after SiteLock was asked for evidence, a couple of screenshots were provided. The first showed the following alert box:

What the “critical security issues” is supposed to be is shown in the second screenshot:

The most relevant portion is shown here:

So by malware on the website and “critical security issue” they really meant there was a link to another website. The link in question wasn’t something that was placed on the website as part of a hack of the website, instead the URL was the website provided with a comment on a post from 7 years before. So the claim didn’t seem at all accurate and the repeated contact by SiteLock seemed unreasonable, but it gets worse. We expected that at least the linked to domain, aspergerssyndromsymptomsblog, would contain something malicious, why else would they be claiming it was malware? But instead we found that the domain name isn’t even registered anymore. So a link from a comment to an unregistered domain caused SiteLock to claim a website contained malware.

The SiteLock employee that sent the email mentioned earlier was recently quoted in a SiteLock post saying the following:

The positivity and high energy makes me want come to work each day. We provide valuable products that help business owners succeed, without them having to worry about security issues. We also have great perks here, including free breakfast on Mondays and lunch on Fridays, an on-site gym and cafe, and an employee game room. I feel right at home!

In reality it appears that SiteLock is actually causing people to worry about security issues that don’t even exist and then trying to sell them solutions to protect them from non-existent issues.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).