Is SiteLock Not Even Saying What Website They Are Claiming is Vulnerable?

A few days ago we discussed a Forbes article about a report from the web security company SiteLock that claims to be a score of how likely a website is to be compromised, but that seems to be based on nothing: despite claiming a website had a “Medium” likelihood of being compromised, SiteLock couldn’t point to any way the website could be compromised other than ones that are not considered in their score. In that post we noted that previously we have had people come to us after SiteLock had contacted them and claimed there was a vulnerability on their website, but wouldn’t give them any details of it. It looks like they can provide even less information than that, as the following portion of an email sent to someone who was formerly a customer of one of their web hosting partners shows:

It is baffling that telling the owner of a website which one of their websites is claimed to have a vulnerability, without providing any details whatsoever of the vulnerability, is going to somehow expose the vulnerability.

What is a bit odd about this message is that Bluehost’s name is incorrectly capitalized as “BlueHost”, with the “h” capitalized when it shouldn’t be. It seems like you should get your partner’s name right, especially when that partner is ultimately run by SiteLock’s owners. Without seeing the rest of the email we can’t tell if there is any indication that this is actually another phishing email being sent to Bluehost customers, like the one that came up last week when Bluehost was pushing someone to hire SiteLock to deal with a non-existent malware issue. That phishing email, though, actually mentioned a specific website.

One alternative explanation, which isn’t too far out there considering SiteLock’s track record and the fact that this person isn’t even with the web host anymore, is that there is no basis for the claim. By not mentioning a website they might hope to get more interest from webmasters than if they mentioned one and it wasn’t important.

Resolving “You are not authorised to view this resource.” Issue on Joomla Website Due to PHP Version Change

Sometimes figuring out the source of an error is as easy as doing a Google search on the message being shown instead of what should be shown. In other situations that isn’t the case. We recently had someone contact us for Joomla support whose website’s menu had disappeared and where, for most pages of the website, they were getting a message that “You are not authorised to view this resource.” instead of the page’s content.

You are not authorised to view this resource.

If you were to Google that message you get a lot of results with a lot of different possible resolutions. One of the first results is for a slightly different message (with an additional sentence after that one) and there were eighteen possible causes listed for the issue in that result.

In this situation, looking at what was shown in the PHP error log (and was shown when the display of errors was turned on) made it look like the problem could have been caused by the PHP version being used. The version of PHP in use was version 7, which, considering that Joomla and the installed extensions were several years out of date, could cause errors to occur. It would appear that the web host had automatically changed to that version, and lowering the version back down to PHP 5.6 got the website working again.
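Reading the error log is what settled the diagnosis above. As an added example that is not part of the original post, here is a small Python script that parses PHP error-log lines and picks out the messages PHP 7 produces for code written against older versions (the removed mysql_* and ereg/split functions, and PHP 4-style constructors), then maps the offending files back to the Joomla extension directories they live in, so you know which extensions need updating or replacing before moving off PHP 5.6. The log lines, file paths and extension names are constructed samples; the only assumption about the site is the standard Joomla layout (plugins/, components/, administrator/components/, modules/, templates/).

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the post). The message texts are the ones
# PHP 7 emits for code written against PHP 5; the paths and extension names are made up.
SAMPLE_LOG = """\
[12-Sep-2017 10:01:12 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function mysql_connect() in /home/site/public_html/plugins/system/oldplugin/oldplugin.php:42
[12-Sep-2017 10:01:12 UTC] PHP Deprecated:  Methods with the same name as their class will not be constructors in a future version of PHP; plgSystemOldplugin has a deprecated constructor in /home/site/public_html/plugins/system/oldplugin/oldplugin.php on line 15
[12-Sep-2017 10:02:40 UTC] PHP Warning:  Cannot modify header information - headers already sent in /home/site/public_html/index.php on line 30
[12-Sep-2017 10:03:01 UTC] PHP Fatal error:  Uncaught Error: Call to undefined function ereg() in /home/site/public_html/administrator/components/com_old/helpers/old.php on line 7
"""

# One log line: "[timestamp] PHP <level>:  <message> in <file>:<line>" or "... in <file> on line <line>".
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] PHP (?P<level>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<msg>.*?)"
    r"(?: in (?P<file>\S+?)(?::(?P<line_a>\d+)| on line (?P<line_b>\d+)))?\s*$"
)

# Messages that point at the PHP 5 -> 7 change rather than at the site's own logic.
PHP7_SIGNS = (
    (re.compile(r"Call to undefined function mysql_\w+\(\)"),
     "uses mysql_* functions (ext/mysql was removed in PHP 7.0)"),
    (re.compile(r"Call to undefined function (?:ereg\w*|split|spliti)\(\)"),
     "uses ereg/split functions (ext/ereg was removed in PHP 7.0)"),
    (re.compile(r"deprecated constructor"),
     "declares a PHP 4-style constructor (deprecated in PHP 7.0)"),
)

# Standard Joomla extension directories; the extension is the path segment(s) directly below them.
EXT_RE = re.compile(
    r"/((?:administrator/)?(?:plugins/[^/]+/[^/]+|components/[^/]+|modules/[^/]+|templates/[^/]+))/"
)


def parse_php_log(text):
    """Turn raw error-log text into dicts with level, message, file and line."""
    entries = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if not m:
            continue  # continuation lines such as stack traces are skipped
        entries.append({
            "level": m.group("level"),
            "message": m.group("msg"),
            "file": m.group("file"),
            "line": int(m.group("line_a") or m.group("line_b") or 0),
        })
    return entries


def version_change_suspects(entries):
    """Return {file: [(line, reason), ...]} for entries that match a PHP 7 migration sign."""
    suspects = defaultdict(list)
    for entry in entries:
        for pattern, reason in PHP7_SIGNS:
            if pattern.search(entry["message"]):
                suspects[entry["file"] or "<unknown file>"].append((entry["line"], reason))
    return dict(suspects)


def affected_extensions(entries):
    """Map the suspect files onto the Joomla extension directories they belong to."""
    found = set()
    for path in version_change_suspects(entries):
        m = EXT_RE.search(path)
        found.add(m.group(1) if m else path)
    return found


if __name__ == "__main__":
    parsed = parse_php_log(SAMPLE_LOG)
    for path, hits in version_change_suspects(parsed).items():
        for line, reason in hits:
            print(f"{path}:{line}: {reason}")
    print("extensions to update or replace:", sorted(affected_extensions(parsed)))
```

The "headers already sent" warning is deliberately left out of the suspects: it is a symptom of earlier output (often one of the fatal errors above it), not evidence of a version problem on its own, and chasing it first is how people end up with eighteen possible causes for one message.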

PHP 5.6 is supported with security updates until the end of next year, so moving to a newer version isn’t necessary yet.

While extensions may still have issues with the newer version of PHP, Joomla introduced official support for PHP 7 with Joomla 3.5, which was released in March of last year. Considering that numerous security fixes have been released since that version, you should already have upgraded Joomla to a newer version than that.

SiteLock Likelihood of Compromise Reports Look Like Another SiteLock Scam

We have written a lot about the shady stuff involving the web security company SiteLock, and the main complaint we have gotten about this is that, because we also offer web security services (though very different from what they offer), the information we provide is suspect. We can’t point to much written by others in a professional capacity because for the most part SiteLock has remained under the radar. But we now have something written by someone else that we can point to that shows the kind of activity that has caused “sitelock scams” to be one of the search predictions that Google provides when searching for SiteLock:

An article put out by Forbes last week describes something we have yet to have anyone contact us about: a report from SiteLock that is supposed to be a “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. The author of the story was told that their website, which is a “single-page static website with just a handful of files and no CMS or other editing software”, had a “Medium” “likelihood of compromise”. The author of the article noted they could only think of two ways that type of website could be compromised, but SiteLock told them that neither of those was considered when calculating the score:

The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.

Considering that SiteLock was saying there was a “Medium” risk of compromise, how else did they think it could be compromised? They couldn’t even come up with an answer:

When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

In light of the fact that the score seems to be baseless in this instance, it is worth noting the only detail of the score provided was:

The only detail of any kind offered by the report as to how it assessed my site at Medium risk was that 7% of the risk came from “Popularity: Number of visitors and overall social media presence,” 29% of the risk from “Presence of specific components” and 64% from “Site size and the number of distinct components.”

So SiteLock is making it appear that all of this is evidence-based, giving percentages and claiming to leverage over 500 variables (we can’t even think of close to 500 variables that could possibly be used, unless they are really stretching what they count as a separate variable), but the reality is that the score seems to be baseless. The author of the piece had the expertise to see past the superficially evidence-based nature of this, but SiteLock wouldn’t be doing this if they didn’t think that others would be less knowledgeable.

This isn’t the first time that we have seen SiteLock put forward claims that websites are vulnerable based on false evidence or unsupported by evidence. In June we noted how they continued to use false information about the security of WordPress to claim websites were vulnerable. In other instances we have had people come to us after SiteLock has claimed there is some vulnerability on their website, but has refused to provide the details, instead only suggesting purchasing SiteLock services to resolve it. That was also the case for the author of the article.

When the web hosting partner that was passing along the score was asked what could be done to reduce it, the response was to purchase SiteLock services:

When asked what a company could do to reduce their risk score, Network Solutions noted that it offers two subscription monitoring services by SiteLock that scan a customer’s site each day, alerts them if their site has been compromised and automatically removes selected malware from infected files.

The web host would likely get a significant percentage of the fee for those services if they were purchased.

SiteLock gave a similar response:

When asked how a company might work to reduce their risk score from Medium to Low in the absence of any technical detail as to which of the 500 indicators were triggered for their site and if their subscription vulnerability scans did not reveal a known vulnerability, SiteLock offered that it has a commercial professional services team that can be hired in a consulting arrangement to review a site and determine if there are any concerns with its architecture or technical design.

In line with what we have seen in the past when caught doing questionable stuff, SiteLock claimed that they didn’t see anything wrong with what they are doing:

The company strenuously emphasized that it believes such a score is very useful and that many companies have found it of great use to them, but declined to provide more detail as to what companies have done with that information beyond simply subscribing to SiteLock’s products.

The Forbes article raises other issues with this situation that are also problematic and we would suggest you read the article.

Based on all of that it looks like these scores can be safely ignored, but with other claims from SiteLock about the security of websites that are backed by some level of evidence we recommend getting a second opinion before taking any action, as they are not all false. We are always happy to provide a free second opinion.

iPage’s Strange False Claim of Malware Being Detected on a Website

We get a lot of people that contact us looking for a second opinion on a claim, coming from SiteLock and/or their web hosting partners, that their website contains malware. One of the latest included a head-scratching claim in an alert from the web host iPage (the logo shown with it is SiteLock’s, so maybe they did the scan):

Malware has been detected on your site during a recent scan. 0 domain may be affected.

So there was malware detected on their site during a recent scan, but it impacted “0 domain”. Those seem like they are contradictory statements to us, but maybe something that doesn’t count as a domain was impacted?

What we suggested to the website’s owner was to contact iPage for more evidence, because there wasn’t enough to go on to give a second opinion as to the veracity of the claim, though it seemed unlikely considering the website was built with the Weebly website builder provided by iPage.

The response they got from iPage was that there was no malware, but they were not given an explanation as to what had happened:

We apologize for any inconvenience caused. I have performed a scan of your account and it is malware free. Right now no alert regarding infection is shown in the ControlPanel.

If you receive an alert like this from iPage, whether or not it lists a positive number of domains affected, our recommendation is to contact iPage for more information and then get a second opinion, instead of immediately signing up for the SiteLock service that the alert is trying to sell you.

False Claim From Bluehost Phishing Email Leads to Bluehost Trying to Sell Unneeded SiteLock Service

On a daily basis we are contacted by people looking for a second opinion after their web host and/or their web host’s security partner SiteLock claim that their website contains malware. While a lot of the time there really is some hack of the website that has occurred, though not necessarily involving malware, there are many instances where the claim turns out to be false. There have been many different reasons for that; one of the latest seems like it might be the worst one yet, since the web hosting partner, Bluehost, tried to sell someone on a $1,200 a year security service from SiteLock based on false information from a phishing email that didn’t even claim there was malware on the website.

What we were told at first about the situation didn’t make sense to us. The website’s owner said they were told by their web host Bluehost that their website was using excessive MySQL resources and that the cause was malware. MySQL is a database system, and malware and other hacks rarely involve interaction with a database, so we didn’t understand where the belief that malware would be the cause would have come from. Looking at the website made things seem odder. The one possibility we could think of is that if a hack added spam content to a website, it could cause increased traffic to the website that in turn could increase MySQL resource usage. Not only did we not see any indication of that type of issue, but there was also the fact that the website was built with the Weebly website builder software, which seems unlikely to be hacked in that way or to use much in the way of database resources.

After asking if Bluehost provided any more information that might make their conclusion that malware was the cause seem more reasonable, we were forwarded the following email that had started the situation:

Bluehost abuse12@bluehost.com via annika.timeweb.ru

11:16 PM (12 hours ago)

Dear Bluehost customer [redacted]:

It has come to our attention that your site is using an excessive amount of MySQL resources on your BlueHost.Com account. This is causing performance problems on your website as well as for other customers that are on this server. It can cause our servers to crash and cause additional downtime.

Our research shows that server performance degrades when the MySQL usage is over 1,000 tables and/or 3 GB on a single account or 1,000 tables and/or 2 GB on a single database. In order to ensure optimal performance for your account and the others in your shared hosting environment, we request that you reduce the MySQL usage on your account to under these limits in 14 days.

You must confirm the current copy of our Terms of Service here:
http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]
How to fix:
http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]

Terms of Service Compliance Department
1958 South 950 East
Provo, UT 84606
Phone line: (888) 401-HOST Option 5 | Fax line: 801-765-1992

The very beginning of that caught our attention first, as it referenced “annika.timeweb.ru”, which seems like it shouldn’t be where an email from Bluehost would be coming from. A Google search on that showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later on in the email, the URLs being linked to are intended to look like they belong to Bluehost by starting with “my.bluehost.com” and “mysql.bluehost.com”, but the rest of the hostname is “687fe34a901a03abed262a62e22f90db.d0013151.atservers.net”, so the domain that actually controls them is atservers.net. The server that is hosted on is in Belarus.
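Both of those tells can be checked mechanically. As an added example (not part of the original post), the Python below takes the links and the sender line from the phishing email quoted above and flags them: a link is a lookalike when the hostname embeds a trusted brand domain as a run of labels but the domain that actually controls it (the last two labels) is something else, and a sender is suspect when Gmail’s “via” domain belongs to a different domain than the From address. The trusted domain list and the two-label rule for the controlling domain are assumptions; a production version would use the Public Suffix List so that names like example.co.uk are handled correctly.

```python
from urllib.parse import urlsplit

# Assumption: the brands whose links and senders this mailbox expects to see.
TRUSTED_DOMAINS = {"bluehost.com"}


def registrable_domain(host):
    """Return the last two DNS labels of a hostname.

    Assumption: this naive rule is enough for .com/.net/.ru style names; a real
    implementation would consult the Public Suffix List for names like example.co.uk."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Classify a URL as ('trusted'|'lookalike'|'unknown', controlling_domain).

    A lookalike embeds a trusted domain as a label sequence, e.g.
    my.bluehost.com.<junk>.atservers.net, while atservers.net controls the name."""
    host = (urlsplit(url).hostname or "").lower()
    owner = registrable_domain(host)
    if owner in trusted:
        return "trusted", owner
    padded = "." + host + "."
    for brand in trusted:
        if "." + brand + "." in padded:
            return "lookalike", owner
    return "unknown", owner


def sender_looks_forged(from_address, via_domain):
    """Gmail appends 'via <domain>' when the message was relayed by a server outside the
    From domain's own authenticated mail path. Flag when the two domains differ."""
    from_domain = from_address.rsplit("@", 1)[-1]
    return registrable_domain(from_domain) != registrable_domain(via_domain)


# Values lifted from the phishing email quoted in the post ("[redacted]" is the post's own placeholder).
PHISHING_LINKS = [
    "http://my.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]",
    "http://mysql.bluehost.com.687fe34a901a03abed262a62e22f90db.d0013151.atservers.net/domain/[redacted]",
]
# A genuine Bluehost link quoted elsewhere on this page, for comparison.
GENUINE_LINK = "https://my.bluehost.com/cgi/sitelock"


if __name__ == "__main__":
    for link in PHISHING_LINKS + [GENUINE_LINK]:
        verdict, owner = classify_link(link)
        print(f"{verdict:9} controlled by {owner:14} {link}")
    print("sender forged:", sender_looks_forged("abuse12@bluehost.com", "annika.timeweb.ru"))
```

The point of the lookalike check is that a browser's address bar and a hurried reader both read left to right, while DNS ownership is decided from the right; anything in front of the controlling domain is free text the attacker chose.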

Since this was a phishing email, there was not anything wrong with the website. That makes Bluehost’s claim that it was malware, and that the SiteLock service should be purchased, when they were contacted even odder. The Bluehost support person must not have checked to ensure that the issue the customer was contacted about actually existed, despite a phishing campaign going on making false claims along those lines. Even then it doesn’t make sense to say this was malware based on the claimed MySQL resource usage issue. So what explains it?

Well, it might have something to do with the fact that Bluehost gets 55% of the revenue from sales of SiteLock services through their partnership, or that SiteLock’s owners also run the parent company of Bluehost, the Endurance International Group. Based on what we have heard in the past, it sounds like when support persons don’t know what is going on they may blame malware and point people to SiteLock.

In any case, it is a good reminder to make sure to get a second opinion when you are contacted by SiteLock or their web hosting partners so that you don’t end up spending over a thousand dollars a year on something you don’t need. If you were really hacked you also don’t need to spend anywhere near that amount of money to get the website properly cleaned up (SiteLock doesn’t even properly clean up websites for their high fees).

Wordfence Pushes Their Less Effective Products and Services Over Doing a Security Basic

From dealing with a lot of hacked websites we see the damage the security industry often causes. One of the problems we have run into over and over is that people are not interested in doing the basics of security and instead try to rely on security products and services to protect them. Doing that has led to websites being hacked that shouldn’t have been, and that even includes the website of a security company. It isn’t hard to understand why this happens, since these security products and services are often promoted as being a magic bullet, while in reality some are somewhat useful and others are of little to no use.

In some cases security companies are explicitly promoting using their products instead of doing the basics, even when the basics would have provided better results. Case in point: a post by the WordPress-focused security company Wordfence today.

They claim that websites are being infected with a particular malware through two vectors:

So far the Wordfence Security Services Team has seen two infection vectors (methods of infection). The first is websites that are infected because they left the searchreplacedb2.php script lying around. This is a relatively uncommon infection vector. We wrote about this risk a few weeks ago.

The second vector is by far the most common. The attackers are exploiting a vulnerability in the WordPress ‘Newspaper’ theme. This vulnerability allows them to inject malicious code into the WordPress ‘wp_options’ table which then redirects your traffic to malicious websites or ad campaigns. Our Security Services Team has seen several other themes that are based on the Newspaper WordPress theme that suffer from the same vulnerability.

What isn’t noted in their post is that, according to the discoverer of the vulnerability in the theme, the vulnerability was fixed four days after the developer was notified, and the fix was put out in April of last year. Why not note that? Well, one reason might be the next paragraph in their post:

Wordfence released a Premium firewall rule about 40 days ago which prevents these attackers from exploiting the Newspaper theme. Even if you had a vulnerable theme, you would have been protected. About 10 days ago, that rule became available to our free customers too.

So simply keeping the theme up to date would have protected those using it long before Wordfence ever got around to protecting against the vulnerability. Wordfence didn’t mention the importance of keeping software updated in those parts of the post, but surely they would do that in a section titled “What to Do To Protect Yourself”, since updating the theme would in fact be the best protection against the vulnerability in the older version being exploited. It turns out that isn’t the case:

What to Do To Protect Yourself

As always we recommend running Wordfence Premium. In this case, our Premium customers have been protected for over 40 days from TrafficTrade by a Premium firewall rule that was deployed by our team in real-time.

The firewall rule became available to our free community users about 10 days ago. Both Wordfence free and Premium are now protecting your sites from these attacks.

Because this infection is so wide-spread, we have released additional detection in the Wordfence malware scan to detect a newer variant of TrafficTrade. We are seeing attackers modify your wp_options table to inject the malicious code into that table. A Wordfence scan will now detect this.

This new feature is immediately available for free and Premium Wordfence customers with Wordfence version 6.3.16 which was released this morning. Simply install Wordfence or update to 6.3.16 and run a scan.

We mentioned earlier that security companies promote their products as being magic bullets; Wordfence is a perfect example. They promote their plugin with the blanket claim that its “Web Application Firewall stops you from getting hacked” despite the obvious counterexample here, where they only started protecting against the theme vulnerability more than a year after it was disclosed.

Restoring the Tax ID to Customer Data in OpenCart 2.x and Above

When upgrading from OpenCart 1.5 to a newer version there are some significant changes. One that we recently dealt with for a client was restoring the Tax ID field, which was previously available as part of the information entered during checkout by customers and was removed in OpenCart 2.0. There are two steps to accomplish this.

The first step is to restore the Tax ID field to the customer data and to checkout. That can be done by creating a custom field, which can be done from the Customers menu in the admin area of OpenCart. You are provided with a number of options when setting up a new custom field, including what customer groups you wish it to be shown to:

The second step is to copy the existing Tax IDs over to the new custom field. The existing Tax IDs are stored in the tax_id column of the address table in the database, and the custom field is stored in the custom_field column of the customer table. Because of the formatting used for the custom_field column you cannot simply copy the values from one to the other. The technically simpler method of copying the data is to enter the values from the tax_id column into each customer’s details in the admin area. For those who are technically minded, you can use a bit of code to get the values from the one column, convert them to the formatting used by the second, and then copy them over.
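For the technically minded route, here is an added example (ours, not OpenCart’s code and not from the original post) of that conversion as a Python script run against an in-memory SQLite copy of the two tables with constructed sample rows. It assumes that the OpenCart 2.x custom_field column holds a JSON object keyed by custom_field_id, that the tables use the default oc_ prefix, and that the Tax ID custom field created in the first step was assigned custom_field_id 1; check all three against your own database before running anything like it against it, and take a backup first. The merge keeps any custom field values a customer already has and, where a customer has several addresses, takes the first one with a non-empty tax_id.

```python
import json
import sqlite3

# Assumptions (not stated in the post): customer.custom_field holds a JSON object keyed by
# custom_field_id, tables use the default "oc_" prefix, and the Tax ID field has id 1.
TAX_ID_CUSTOM_FIELD_ID = 1
PREFIX = "oc_"


def merge_custom_field(existing, custom_field_id, value):
    """Add one custom field value to the JSON stored in customer.custom_field, keeping the others."""
    try:
        data = json.loads(existing) if existing else {}
    except ValueError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    data[str(custom_field_id)] = value
    return json.dumps(data)


def migrate_tax_ids(conn, custom_field_id=TAX_ID_CUSTOM_FIELD_ID, prefix=PREFIX):
    """Copy each customer's first non-empty address tax_id into their custom_field JSON.

    Returns {customer_id: tax_id} for the customers that were updated.
    The prefix is a configuration constant, not user input, so it is safe to format in."""
    rows = conn.execute(
        f"SELECT c.customer_id, c.custom_field, a.tax_id "
        f"FROM {prefix}customer c JOIN {prefix}address a ON a.customer_id = c.customer_id "
        f"WHERE a.tax_id <> '' ORDER BY c.customer_id, a.address_id"
    ).fetchall()
    updated = {}
    for customer_id, existing, tax_id in rows:
        if customer_id in updated:
            continue  # the lowest address_id with a Tax ID wins
        conn.execute(
            f"UPDATE {prefix}customer SET custom_field = ? WHERE customer_id = ?",
            (merge_custom_field(existing, custom_field_id, tax_id), customer_id),
        )
        updated[customer_id] = tax_id
    conn.commit()
    return updated


def read_custom_fields(conn, prefix=PREFIX):
    """Return {customer_id: parsed custom_field dict} so the result can be inspected."""
    out = {}
    for customer_id, raw in conn.execute(f"SELECT customer_id, custom_field FROM {prefix}customer"):
        out[customer_id] = json.loads(raw) if raw else {}
    return out


def demo_db():
    """Constructed in-memory stand-in for the two OpenCart tables, with sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE oc_customer (customer_id INTEGER PRIMARY KEY, email TEXT, custom_field TEXT);
        CREATE TABLE oc_address  (address_id INTEGER PRIMARY KEY, customer_id INTEGER, tax_id TEXT);
        INSERT INTO oc_customer VALUES (1, 'a@example.com', '');
        INSERT INTO oc_customer VALUES (2, 'b@example.com', '{"2": "wholesale"}');
        INSERT INTO oc_customer VALUES (3, 'c@example.com', '');
        INSERT INTO oc_address VALUES (10, 1, 'IT12345678901');
        INSERT INTO oc_address VALUES (11, 2, '');
        INSERT INTO oc_address VALUES (12, 2, 'DE999999999');
        INSERT INTO oc_address VALUES (13, 3, '');
    """)
    return conn


if __name__ == "__main__":
    db = demo_db()
    print("updated:", migrate_tax_ids(db))
    print("custom_field after migration:", read_custom_fields(db))
```

Against a live store the only change needed is swapping the SQLite connection for one to the MySQL database (and MySQL's `%s` placeholders for the `?` ones); the merge logic is the part worth getting right, since overwriting the whole column would wipe out any other custom fields a customer already has.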

Fixing OpenCart Login Failure Due to Missing Logs Directory

We recently had someone come to us for OpenCart support after, out of the blue, they were unable to log in to the admin area of OpenCart anymore. When they tried to log in with the correct credentials they were getting the following messages and nothing else:

Warning: fopen([redacted]/system/logs/openbay.log): failed to open stream: No such file or directory in [redacted]/system/library/log.php on line 6

Warning: Cannot modify header information – headers already sent by (output started at [redacted]/admin/index.php:85) in [redacted]/system/library/response.php on line 12

Similar messages were being shown on other pages on the website.

The first warning shown indicated that there was a failure to open a file at /system/logs/openbay.log. When we started looking into things we noticed that there was no directory at /system/logs/, which was the location defined for the logs directory in OpenCart’s config.php file. After creating that directory the warning messages were gone and the website’s owner was able to log in successfully.

It isn’t clear why the issue cropped up when it did, because the file that could not be written to was created, but empty, once the directory existed, so it didn’t seem like there was something that suddenly needed to be written that hadn’t before.
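The check we did by hand is easy to script. As an added example (not part of the original post and not OpenCart’s own code), the Python below reads the define() lines out of a config.php, looks up the logs directory constant and creates the directory if it is missing, reporting whether it had to and whether the result is writable. It assumes the constant is named DIR_LOGS, as it is in the OpenCart 2.x config.php files we are familiar with; the config text it runs against is constructed in a temporary directory so that it is safe to try anywhere.

```python
import os
import re
import tempfile

# Matches OpenCart-style define('NAME', 'value'); lines in config.php.
DEFINE_RE = re.compile(r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>[^']*)'\s*\)")


def parse_defines(config_text):
    """Return {NAME: value} for every define() in the config file text."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(config_text)}


def ensure_log_dir(config_text, constant="DIR_LOGS"):
    """Create the directory named by `constant` if it is missing.

    Returns (path, created, writable). Assumption: DIR_LOGS is the constant the installed
    OpenCart's config.php uses for its logs directory."""
    defines = parse_defines(config_text)
    path = defines.get(constant)
    if path is None:
        raise KeyError(f"{constant} is not defined in config.php")
    created = False
    if not os.path.isdir(path):
        os.makedirs(path, mode=0o755)  # same permissions the rest of /system normally has
        created = True
    return path, created, os.access(path, os.W_OK)


def config_for(root):
    """Constructed minimal config.php body for a site rooted at `root` (not a real site's file)."""
    return (
        "<?php\n"
        f"define('DIR_APPLICATION', '{root}/admin/');\n"
        f"define('DIR_SYSTEM', '{root}/system/');\n"
        f"define('DIR_LOGS', '{root}/system/logs/');\n"
    )


def demo():
    """Run the check twice against a throwaway tree: the first call creates, the second is a no-op."""
    with tempfile.TemporaryDirectory() as root:
        config = config_for(root)
        _, created_first, writable = ensure_log_dir(config)
        _, created_second, _ = ensure_log_dir(config)
        return created_first, created_second, writable


if __name__ == "__main__":
    print("created on first run, created on second run, writable:", demo())
```

On a real site the script would be pointed at the actual config.php (and the admin/config.php, which carries its own copy of the constant) and run as the web server user, so that the writability check reflects what PHP will actually see.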

Your Web Host Doesn’t Require That SiteLock Clean Up Your Hacked Website

These days we have a lot of people contacting us looking for advice after the web security company SiteLock or one of their web hosting partners has contacted them about a claimed hack of their website. One of the things that has been coming up fairly often that we don’t quite understand are claims like the following:

I’ve recently had my site (a personal, wordpress blog hosted by Blue Host) deactivated and blocked and they are essentially holding it ransom and saying that I must pay an exorbitant fee to have sitelock ‘fix’ it and then pay a monthly fee on top to keep it safe.

As far as we are aware web hosts don’t require that SiteLock do the cleanup, only that the website needs to be cleaned up before being allowed back online.

Before getting further into that, it is worth noting that the web host in that instance, Bluehost, is one of many web hosting brands owned by the Endurance International Group (EIG). Their other brands include A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others. They seem to be SiteLock’s largest partner at this time, which might have something to do with the fact that the majority owners of SiteLock also run EIG.

The first thing we do in a situation where someone contacts us about a claim from SiteLock and/or their web hosting partners that a website is hacked is to ask about any evidence provided to back up the claim. In this case the person we were dealing with forwarded us an email from Bluehost. The email contained an example of the issue on their website and boilerplate text we have seen in numerous emails from Bluehost about hacked websites. Here is what the boilerplate text says about what needs to be done to have the account reactivated:

You will need to review your files and clean the account accordingly by removing all malicious files, not just the reported url. Once you have confirmed your files are clean and no longer a threat, please contact us again to have your account reactivated.

It’s possible that in phone conversations Bluehost is telling people something else, but from our experience dealing with lots of websites hosted with Bluehost and other SiteLock web hosting partners, there is no requirement to use SiteLock. And we have never had anyone have a problem getting the web host to reactivate the website after we have cleaned it.

The only mention of SiteLock in that email is this:

You may want to consider a security service, such as SiteLock, to scan your website files and alert you if malicious content is found. Some packages will also monitor your account for file changes and actively remove malware if detected. Click here to see the packages we offer: https://my.bluehost.com/cgi/sitelock

The other important thing to note is that while they refer to the account being deactivated, that doesn’t mean you can’t access your website if you want to move it. Usually they only restrict viewing the website, so cPanel and FTP access are still available. So you can copy the website’s files, database, and any other items handled by cPanel while the website is deactivated.

As for the claim about SiteLock’s fees being exorbitant, that is true. For the quality level of the service SiteLock provides, which involves them failing to do basic parts of the cleanup, you can spend much less with other providers, and for many websites we actually charge less while doing a proper cleanup. Part of the reason for this is that a lot of the money you pay to SiteLock doesn’t go to the cost of the work; for example, at EIG web hosts like Bluehost, that company gets over half of the fee despite not doing any of the work.

SiteLock Causes Easily Fixable Hacked Websites to be Abandoned Unnecessarily

In our interactions with lots of people looking for advice after being contacted by the web security company SiteLock, one of the problems we have now seen happen repeatedly is that, in SiteLock’s quest to squeeze as much money out of people as possible, they are causing people to abandon hacked websites that could quickly and easily be fixed. This causes time and/or money to be unnecessarily spent on creating a new website, and for businesses that generate business through their websites, unnecessary financial losses.

The business practice that leads up to this is summed up with part of a recent comment from someone that did abandon their website, as to what SiteLock told them about getting the existing website cleaned up:

if I gave them a hundred bucks a month they will clean it up and make sure it stays clean or a one time fee of 300 dollars but, not responsible if within 2 days it’s hacked again

The reality here is that if a proper one-time cleanup is done the website won’t be hacked again in 2 days. Of course, if SiteLock can get someone to believe otherwise they have a better chance of them purchasing an ongoing plan that would get them $1200 a year versus them only getting $300 from the person. The flipside of this is that it also causes people to abandon websites believing they are going to have to pay all that money to keep the existing website secure and that it makes more sense to just start over (which might not actually resolve the issue).

The other important thing to note about this is that while a website cleaned with a proper one-time hack cleanup won’t get hacked again in 2 days, SiteLock doesn’t do proper cleanups for that $300. They skip two key components, which are getting the website as secure as possible (mainly by getting the software up to date) and trying to determine how the website was hacked and resolving that. Their $100 a month plans don’t provide those things either, as far as we are aware. By comparison, for most cleanups we do we charge less than $300 (and we only do proper cleanups), and with other providers you can get a low quality cleanup like SiteLock provides for much less than $300.

As we noted before, SiteLock is actually aware that websites can get hacked again if those two parts of a proper cleanup are not done, but that hasn’t led them to do them.

What makes this even worse is that many web hosts and other entities like WordPress help to promote SiteLock, which leads to more websites being abandoned unnecessarily (as well as causing many other problems people face if they get involved with SiteLock).