The last time we discussed GoDaddy’s partnership with SiteLock back in September it involved a situation where SiteLock managed to break a website they were supposed to be cleaning, GoDaddy was partly responsible for the website being hacked, and SiteLock failed to detect that GoDaddy issue due to their failure to do a basic part of a hack cleanup. Based on that an expansion of their partnership doesn’t seem like a good thing, but it is happening.
Today GoDaddy announced that they would now be offering SiteLock’s content data network (CDN) and web application firewall services (WAF) services. What they neglected to mention is that these services are not actually provided by SiteLock, but as we recently discovered, by another company, Incapsula. That is a rather important item to disclose since both of those services involve sending your website’s traffic through someone else’s systems. Having a company you have no involvement with having access to all of your website’s traffic obviously raises some serious issues. Even if you are not concerned with Incapsula having access to your traffic, it looks like SiteLock could switch to another provider at any time without you being aware of it.
Also missing from the press release is any evidence that SiteLock’s WAF actually provides any protection (which we haven’t seen provide elsewhere either). Instead you get unsupported claims as to the protection it supposedly provides. One claim included has actually been indirectly disputed by SiteLock. That claim being that it prevents backdoor access:
Trust that website content will be protected from potentially harmful spam comments, and backdoor access to website files will be blocked.
In previous post we looked at situation where a SiteLock customer using their firewall got hacked again and said that “SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that.”.
If you are actually looking to keep your website then these are things you should focus on, which are not things that any SiteLock services provides. You also would probably be best off not using a web host, like GoDaddy, that partners with SiteLock.
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
I used to be with Bluehost for domain and site hosting but as I live in the UK I moved my Domain and site hosting to Godaddy in the UK. within a few months my site was being blocked by a RED warning saying it had malware. I contacted Godaddy support and they said its best to pay for sitelock that will scan and remove all the malware from my site.
Then to get google to do a re scan of my site to removed the Big RED Malware banner.
This seemed to work ok but I am quite suspicious that Godaddy and Sitelock are in bed together and it is basically an extortion racket
As mentioned in the post GoDaddy and SiteLock publicly disclose that they have a partnership, so there isn’t any need to be suspicious that they “are in bed together”, they admit it. What GoDaddy doesn’t tell people is that the partnership involves them getting paid to push SiteLock. Another major web host disclosed they get 55% of the revenue of SiteLock services sold their partnership and GoDaddy likely has similar deal.
If Google was flagging the website for malware, then there is very little chance that the website didn’t have malware. In some cases though we have found part of the cause of the hack to be due to GoDaddy’s database security being broken, which is something that SiteLock either ignored or more likely missed due to them cutting corners during hack cleanups
From everything we have see SiteLock cuts corners when doing hack cleanups, so your website may not have been fully cleaned and secured. If GoDaddy’s deal is similar to the other web host’s you also likely significantly overpaid for what service you got, since a lot of it would be going to the web host that doesn’t do anything.