When it comes to SiteLock and their taking advantage of people, a critical component of that successfully happening is their partnerships with various web hosting providers. These partnership do not seem to be based on the web hosting companies thinking that SiteLock is really great company to help out people with security issues (from everything we have seen over several years they don’t even understand the basics of what they are supposed to being doing), instead the web host is getting significant amount of money when SiteLock sells services through their partnership. In the case of the parent company of Bluehost, the Endurance International Group, they disclosed to investors that they receive 55% of the revenue (they seem to unwilling to disclose that to the broader public, as one the company’s other web hosting brands won’t even acknowledge that they even are getting paid). In the case of Bluehost and the other web hosting brands owned by the Endurance International Group there is likely reason for the partnership, the majority owners of SiteLock are also the CEO and a board member of the Endurance International Group.
In theory this would likely lead to bad situation for customers, the web hosts have an incentive to treat a security issue in way that makes them the most money and SiteLock would necessarily be overcharging people, since over half the fee for the service doesn’t go them. In the real world things look a lot like that. Take for this instance, what is describe in an article from NBC’s San Francisco Bay area station when their problem solvers look into a Bluehost’s handling of hacked website:
But recently, Rose’s website was taken down. A message on the site read “temporarily unavailable.” She didn’t know how or why it happened, but she did know it would hurt business.
“It means we don’t get sales, so I don’t make money,” Rose said.
Scrambling to get her site back up, Rose called Bluehost, her hosting site, and was connected to SiteLock, a website security company.
Rose said SiteLock referenced an email it had sent her – that it detected malware on her site. Rose recalled the email, but had dismissed it as spam. After all, she didn’t do business with SiteLock; she’d never even heard of the company.
Still, Rose said SiteLock told her she had to pay upwards of $120 a month to fix the malware and get her site up and running again.
Over year that $120 a month plan would work out to $1440, which is much more than you normally pay to have a website cleaned and purchase a security service (the $648 that SiteLock would get would be more in the realm of reasonable).
When Bluehost was contacted by NBC had very different response:
Bluehost explained that SiteLock is a security partner, and it did in fact find malware on Rose’s site. So it took down the site so the malware wouldn’t spread to other websites hosted by Bluehost.
Bluehost acknowledged that the SiteLock email could be perceived as spam, so it’s working to evolve its email communications.
And eager to help out Rose, Bluehost jumped in and fixed her site for free. Boo Boo’s Best is back in business.
Thats right, Bluehost has the capability to clean up hacked websites themselves and it didn’t cost anything for the customer. Its telling how different the response from Bluehost was when what they are doing was having some light shined on. We have to wonder if they were concerned that if they didn’t get this cleared up quickly, then more digging might have be done and the reality of their partnership might get more exposure.
The takeaway seems to be if you run in to this situation you should make a public scene about it, or better yet, before that can ever happen move to a web host that isn’t partnered with SiteLock so you don’t risk running into this (properly securing your website would also limit the chance of this, but entirely as SiteLock is known to sometimes falsely claim website have been hacked).
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
This gets even worse. Unbeknownst to Bluehost and Sitelok I have 16 client accounts hosted with Bluehost. The supposed Malware that Sitelok notified me of was a PHP file titled “Greetings from Moscow.” The same file was in every account. I got suspicious so I hired a professional to track down the source. Because litigation is pending, and there is talk of assembling a class I can’t go into the details, but I will say (as a hypothetical) that when one entity of a business tells you that someone snuck into their offices in the middle of the night and damaged files that were in the companies custody, and then tells you that you are responsible so they take your business site offline until you hire their vendor to fix it, and you end up with a $1400 annual contract, that is a lawyers wet dream.
We have never seen any evidence of type of situation you are claiming here has actually happened and plenty of evidence that those types of claims are not accurate.
What is really important to note here is that Bluehost does not require you to hire SiteLock to clean up a hacked website before it is restored, only that it be cleaned. There has never been an issue with them restoring a website that we have been hired to clean instead of SiteLock.
Hear hear.