Don’t Ignore a Message From SiteLock or Your Web Host That Your Website Has Malware

When it comes to the poor state of web security, we often find that security companies play an important role in it. That includes making up threats and telling people they need to take advanced security measures, while many, including those same companies, are still failing to do the basics.

Another area where we have seen this involves the security company SiteLock and their web hosting partners. We have written numerous posts about SiteLock’s bad practices, one of them being that they and their web hosting partners (who get paid handsomely to push their services) sometimes falsely claim that websites contain malware or have otherwise been hacked. What we have consistently said, though, is that you shouldn’t assume that the website isn’t hacked, and we have recommended getting a second opinion (something we are happy to provide for free). Unfortunately, people often conflate SiteLock’s many bad practices with the idea that any claim by them or their partnered web hosts that a website is hacked is false.

For example, yesterday we ran across someone on Twitter claiming that Bluehost was falsely stating a website had malware on it:

We asked them how they determined that, and the answer was that they hadn’t actually done that:

We then tried to explain that while there are false claims made by them and the web hosting partners, the claims are often true, and suggested that they get a second opinion from a security company (letting them know we do that for free). At that point they blocked us.

If the website did contain malware, which seems fairly likely, then their tweets help perpetuate the issue.

Ignoring the Evidence

What makes the false claims even more problematic is that they feed into an existing belief we have often seen, with people assuming that claims that their websites are hacked are not true, even when coming from parties that have no profit motive (like Google).

When it comes to SiteLock and their web hosting partners we see two very different scenarios.

In some cases access to the website is shut off immediately and they haven’t provided any evidence of the supposed hack that led to that happening, which makes the claim legitimately seem questionable.

In others they actually provide evidence, which should be easily checked, but is instead ignored. Take, for example, someone also hosted with Bluehost who contacted us recently. They had been sent the following email by their web host:

[redacted],
Your [redacted] account has been deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples:
/home1/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected
/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/session.php
/home1/[redacted]/public_html/components/com_content/models/articles.php

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all
scripts/programs you are using. If you need assistance creating secure
passwords, please refer to this knowledge base article:
https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you’re already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

Over a month later they were notified by SiteLock that the website had been deactivated. Even then they didn’t look at the files that Bluehost had provided as examples of the malware infection, while questioning if they were really hacked.

When we took a look at the names of the files and their locations mentioned in that email, we noticed one of them wouldn’t normally be in that location in a Joomla website. That isn’t something we expect that the average person would know, but it does show how easy it should be for someone with actual expertise in dealing with hacked websites that use the software running your website to double check the claims for you.

Looking at the content of the files, we think that even a layman would think that something was off with them. And for us it was obvious by just looking at them that they really were part of a hack and not a false positive, so we could easily confirm that the claim was actually true in this case.
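One way to run the check described above, comparing the files named in a host's notice against a clean copy of the same software release, is sketched below. This is an added example, not code from this post, Bluehost or SiteLock; the function names are hypothetical and both directory trees are constructed for the demonstration, so they say nothing about what a real Joomla release contains.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths as listed in the host's notice quoted above.
REPORTED = [
    "/home1/[redacted]/public_html/config.php.suspected",
    "/home1/[redacted]/public_html/post.php.suspected",
    "/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/session.php",
    "/home1/[redacted]/public_html/components/com_content/models/articles.php",
]

def relative_to_docroot(path, marker="public_html/"):
    """Strip the hosting account prefix so paths can be compared across trees."""
    return path.split(marker, 1)[1]

def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def triage(reported, site_root, clean_root):
    """Classify each reported file against a clean copy of the same release."""
    verdicts = {}
    for full in reported:
        rel = relative_to_docroot(full)
        live, ref = Path(site_root, rel), Path(clean_root, rel)
        if not live.is_file():
            verdicts[rel] = "not found on site"
        elif not ref.is_file():
            verdicts[rel] = "not part of clean release"
        elif digest(live) != digest(ref):
            verdicts[rel] = "differs from clean release"
        else:
            verdicts[rel] = "matches clean release"
    return verdicts

def demo():
    """Run triage over two constructed trees (not real Joomla contents)."""
    with tempfile.TemporaryDirectory() as tmp:
        site, clean = Path(tmp, "site"), Path(tmp, "clean")
        for full in REPORTED:  # every reported file exists on the site copy
            p = site / relative_to_docroot(full)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("<?php /* constructed site copy */")
        # Constructed reference tree: contains only one of the reported paths.
        ref = clean / "components/com_content/models/articles.php"
        ref.parent.mkdir(parents=True)
        ref.write_text("<?php /* constructed clean copy */")
        return triage(REPORTED, site, clean)

if __name__ == "__main__":
    for rel, verdict in demo().items():
        print(f"{verdict:28} {rel}")
```

Files that are absent from the clean release or differ from it are the ones to open and read; a site's own extensions and templates will also show up as absent from a core release, so the verdict narrows the review rather than replacing it.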

Get a Free Consultation From Us

If you have been contacted by SiteLock or a web host (whether a SiteLock partner or not) claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked, and if it is, we will provide you with a free consultation on how you can best deal with the issue. For us to provide that second opinion, please provide us with the evidence SiteLock is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website if it is truly hacked, or if it isn't, we will help you to get the issue resolved for free.

Before you do anything else though, you should check out our post on what you should know when you get contacted by or about SiteLock.

9 thoughts on “Don’t Ignore a Message From SiteLock or Your Web Host That Your Website Has Malware”

  1. I have security on my site and recently one IP tried several different url page hit combinations.
    If someone even tries to access login on my site I block the IP address permanently.
    This is one of them today
    “All recent hits for IP address 184.154.36.182[smartscan04.sitelock.com]”

    Does this mean sitelock has a bot trying to login to my site? If so why would they do that?

    1. It isn’t clear how this question is relevant to the post, but that would be something that you want to ask SiteLock about as they are the one taking that action.

  2. I’ve heard so many complaints about SiteLock and their scammy ways. I steer clear of SiteLock, Bluehost, Hostgator or any other Bluehost owned hosting. Avoid them like an infectious disease or plague.

  3. My experience is just the opposite! I got an email this morning from Sitelock telling me they run a weekly check on a website that has been closed for well over a year! I have never seen an email from sitelock before, even when the website was up and running. Now that it’s been closed for over a year, they say they ran eight scans on two pages in the past week! They report no problems with the site! What kind of nonsense is this? p.s. the website was on Hostgator.

  4. Sitelock is pure scam and host gator is an enabler. They will be prosecuted one day for all these scammy practices.

    I have moved my hosting to somewhere else. Because, A) I find them irritating and spam my emails B) the couple of reports on vulnerability and malware findings seems to have originated from them, to sell us unnecessary service. Avoid hostgator, Blue-host, fatcow they are all together with this scam of referring site-lock and holding sites as ransoms.

    Hope this will help unaware victims.

  5. I got an email from SiteLock informing me that my website had been infected with malware. Indeed, that was the reason that my website was down. I contacted HostGator, my hosting company, which connected me to SiteLock. SiteLock informed me that they could remove the malware if I agreed to one of their protection plans ($60, $89, $110, or $150 per month, all to be paid one year in advance). I felt like my website was being held for ransom unless I paid these exorbitant fees. Fortunately, I did not agree to any of their plans. I will be moving my hosting to a different company that has no affiliation with SiteLock.

    1. HostGator only requires that the website be cleaned up for them to unsuspend it, not that you hire SiteLock to clean it up. They usually clearly state that in the emails they send out when suspending websites and we have never had any issue with them unsuspending a website after we have done a cleanup for someone.

      While moving to a new web host may be a good idea, that won’t do anything about the hack if it is in fact hacked. So there would still need to be a cleanup done. It would be better to clean it before you move it, not only so you don’t bring anything malicious to the hosting environment, but more importantly because there could be important information needed to best clean and secure the website that could be lost during the move.
