Back in September we looked at the fact that a website we were doing an upgrade of Magento on had a security seal from SiteLock claiming that the website was secure, despite the fact that it wasn’t since the website was running outdated software with known security issues. Fast forward six months and SiteLock is still labeling websites as secure when they are running outdated and insecure software.
Today’sĀ case involves a website that we are doing an upgrade from Zen Cart 1.3.8a. That versionĀ is nearly five years out of date and there have been numerous releases with security improvements since then (due to its age, it isn’t clear exactly how many of those fix issues that existed in 1.3.8a). Despite that the website is labeled as being secure by SiteLock:
Not only does falsely claiming the website is secure mislead those visiting the website, but it also gives webmaster a false sense of security, which a security service shouldn’t do.
If SiteLock was actually interested in security it would quite easy for them to make sure the software on websites is up to date. Our Zen Cart Version Check extension for chrome is able to correctly detect the version in use from outside the website in this case:
With access to the website’s file, as Sitelock does, it is even easier to do and more accurate. For Zen Cart the version number is listed in the file /includes/version.php, so all you would need to do is to check files matching that for the following lines and you would know whether an outdated version of Zen Cart is in use:
define(‘PROJECT_VERSION_NAME’, ‘Zen Cart’);
define(‘PROJECT_VERSION_MAJOR’, ‘1’);
define(‘PROJECT_VERSION_MINOR’, ‘3.8a’);
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
It seems that Sitelock is intentionally crashing sites in order to sell their services — this is a criminal activity and someone should stop it and seek restitution from the hosting services that have allowed Sitelock to attach to sites under their care
That’s interesting that you would not this. It’s something I found with one or two of my own clients. In fact, one had SiteLock on board for six months and showing them as secure when in fact, their SSL cert had expired and not one of the https pages were showing, nor was the software updated to the correct version with WP being two versions outdated. To me that just seems like paying for nothing at all. I try not to advise against companies but this one seems to be like buying a pretty sticker that tells people they are secure when nothing could be further from the truth. Even the site owner had no idea his ssl wasn’t working correctly.