When it comes to companies providing security services for websites, most of them are quite bad from what we have seen over the years. The company SiteLock stands out from the pack though, as it isn’t just a situation where they don’t seem to know or care much about security, as is true of so many companies; they seem to have taken it to another level, by doing things that seem to be accurately described as scamming.
As we have recently been taking a closer look into their practices, we have noticed that one of the common starting points of problems involving them is SiteLock contacting websites that are hosted with its web hosting partners, claiming that the websites are hacked and that SiteLock can resolve the issue. We thought it would be helpful to present in one post some of the important information you should know when you are in that situation. Some of this they have been fairly successful in hiding from the public up until now.
Your Web Host Has a Financial Relationship With SiteLock
While web hosts will always refer to SiteLock as a partner of theirs (HostGator refers to them as a “trusted partner”), what they don’t mention is what exactly that means. It isn’t a situation where they thought SiteLock was a really great security company and thought it would be helpful to connect their customers to them (everything we have seen over several years is that SiteLock is quite bad at handling even the basics of security); instead, the web host is getting a cut of any SiteLock services that get sold through the partnership.
We wonder if they don’t mention that in part because customers probably would not be too happy to find that their web host is profiting off of their website being hacked.
That connection obviously raises some serious questions about how the web hosts handle clients with possibly hacked websites and about their interest in keeping their clients secure, since that could cut into their profits. For one of their partners, GoDaddy, we have found multiple instances where the web host has put their customers at risk through their negligence and SiteLock continued to partner with them despite that.
The payments also mean that their recommendation to use SiteLock is far from unbiased.
In the case of the many web hosts owned by the Endurance International Group (which include A Small Orange, Bluehost, FatCow, HostGator, HostMonster, iPage, IPOWER, and others) there is another connection. The majority owners of SiteLock also happen to be the CEO and a board member of Endurance International Group. What is interesting about that is that the only reason we know that to be the case is that the Endurance International Group is legally required to disclose this to their investors in financial filings; neither company discloses that in a public fashion. In fact, one of the web hosts, HostGator, recently would not even acknowledge that this was true when presented with the information coming directly from their parent company. That seems to us to be a pretty good indication that the companies don’t think that what they are doing is above board.
Don’t Ignore The Message…
We oftentimes hear that people have ignored messages from SiteLock or their web host that the website contains malware or is otherwise hacked. That is a very bad idea, because if the website is hacked then the situation can get worse if you ignore it. For example, additional hackers might exploit the same vulnerability and they might do more damage to the website than the earlier hackers did. That being said, one of the issues we have found with SiteLock is that they will claim that websites have been hacked when they haven’t actually been, so that is why we recommend you get a second opinion after being contacted.
…But Get a Second Opinion
You should get any information that SiteLock and/or your web host will provide on the hack and then get in touch with a reputable hack cleanup company to discuss the situation, because SiteLock is known to incorrectly claim websites are hacked in some instances. We are always happy to provide a free consultation on dealing with a hacked website and we always make sure a website is actually hacked before taking on a cleanup, as we have found that other issues are often confused as being hacks.
Make Sure Your Hack Cleanup is Done Properly
We are often brought in to re-clean hacked websites after someone else previously did that and then the website got hacked again. While that isn’t always the fault of the company doing the previous cleanup, we often find that the previous company had not done basic pieces of the cleanup, which would increase the likelihood that it would get hacked again. Making sure that the company is doing things correctly reduces the chances you will have the website hacked multiple times and possibly have to pay multiple companies in the end (the lower priced providers often don’t end up being the value they seemed at first).
The company doing the cleanup should tell you they are doing the following three basic elements of a proper cleanup:
- Clean up the malicious content. (This is the obvious one.)
- Secure the website. (This usually consists mainly of making sure the software on the website is up to date. If the company doesn’t have the expertise to do that, then they likely don’t have the expertise to properly clean up a website using that software either.)
- Determine, to the extent possible, how the website was hacked. (Websites don’t just get hacked and if you don’t fix the vulnerability that obviously leaves open the possibility it could be hacked again. Without determining how it was hacked you won’t know what the vulnerability that needs to be fixed actually is.)
You Will Likely Be Overpaying SiteLock For SiteLock Services
We had long suspected that web hosts get a cut of service fees from SiteLock’s services, but when we found how much it was, it surprised us. According to prepared remarks for an earnings call, in fiscal year 2014 the Endurance International Group reported receiving 55 percent of the revenue from their partnership with SiteLock. In practical terms that means the company actually providing the service is getting half the revenue from the service, or to put it another way, you are only getting about half the level of service you are paying for. So you are probably better off finding someone else to provide any services you are being offered from SiteLock.
SiteLock Provides A Service That Indicates They Don’t Do Proper Hack Cleanups
One of the upsells that SiteLock tries to get people to buy is an ongoing service that includes repeated manual hack cleanups, with prices in the thousands of dollars a year. If a website has been properly cleaned up, the only way the website should get hacked again is if some other vulnerability is discovered that could be exploited. The fact they offer a service that involves them repeatedly doing hack cleanups indicates that they are not properly securing websites, so you end up paying a lot more than you should for a cleanup and your website is still left insecure. A recent situation where we were brought in to clean up the mess SiteLock left behind seems to confirm they don’t do proper cleanups.
SiteLock Lies About Who Provides Some of Their Services
As we have recently been looking closely at SiteLock, we keep finding more troubling aspects of the company. One that we recently discovered is that they claim that they directly provide some of their services, while they are really provided by another company. In that case it involves sending all of a website’s traffic through another company’s systems, which is a pretty big concern. There is also the aspect that they are not honest, which is fairly important when dealing with a security company, especially one that can claim your website is hacked and get your web host to take actions against it.
Beware of SiteLock’s Protection Plans
Another thing that has come up repeatedly is that SiteLock sells plans that are supposed to protect websites that don’t actually protect them. Take one comment we received on a previous post on SiteLock:
Listen to this: Bluehost persuaded me to get Sitelock security for my website and I stupidly paid $500 for a year. This was in January. Yesterday, Sitelock alerted me to malware on my site that could result in terrible consequences. They would remove the malware for a one-time fee of $300! I contacted them to say, “WHAT WAS THE $500 for??” and a hostile character calling himself “sean” told me it was for “scanning.” This company needs to be stopped from continuing their predatory practices.
Not surprisingly, SiteLock doesn’t present any evidence, much less independent third-party evidence, that their protection services provide any protection over taking basic security measures.
In another instance we looked at recently, a website with a protection plan was hacked again, and at that point SiteLock informed the person running the website that since the protection was correctly set up, the hack must have been caused by something they were not responsible for.
What we have seen is that these protection services, from any company, have at best a limited ability to protect, and we don’t recommend them. Before signing up for one, you should get evidence as to their efficacy.
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.