SiteLock Review Shows the Problem of Relying on Customer Reviews To Determine Quality of Security Companies

We have frequently mentioned the fact that many security companies don’t know and/or care much about security. That, not surprisingly, leaves the public with a lot of bad options when they are looking for someone with security expertise to help them deal with a hacked website or other security issues. So how can they find one of the few companies that don’t fall into one of those categories? We don’t know of an easy way, but we do know that looking at customer reviews of security companies isn’t a good way to do that.

We frequently are brought in to re-clean hacked websites after another company had been brought in to do that. While that isn’t always the company’s fault, we have found that in almost every instance the company doing the cleanup either didn’t know what they were doing or intentionally cut corners. We know that because we always ask in these instances if the previous company had determined how the website was hacked (since if the vulnerability hasn’t been determined and fixed, it would leave the website open to being hacked again), and the response is almost always that trying to determine how the website was hacked never even came up. Considering that is one of three main components of a proper hack cleanup, that shouldn’t be the case. In more than a few cases, even at that point the person we are dealing with said that the previous company did a good job, which doesn’t seem accurate considering they didn’t do things properly and the website was hacked again. If people think they did a good job at that point, we would assume that even more would have said that right after the original work was completed.

To give you another example of this, we thought something we ran across involving the web security company SiteLock is worth highlighting. Here is a review of SiteLock from August of last year that comes from the BBB page for them:

Sitelock has been a great and affordable tool to achieve… security challenges, and enabled idbasolutions.com to offer our visitors peace of mind. In one and only incident in 2012, Sitelock emailed us as soon as they detected that some malicious software had infiltrated our comment pages…they quickly deleted all malicious code.

The problem with that review is that the website isn’t actually secure and hasn’t been secure for some time. The website is running Joomla 1.5, for which support ended in September of 2012, over four years ago.

You wouldn’t know that if you were to believe SiteLock, as of today they are claiming it is secure:

It would be easy for SiteLock to determine that the website was running outdated software and isn’t secure, as the source code of each page on the website contains the following line:

<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />

So the review’s claim that SiteLock services “offer our visitors peace of mind” is true, but it is because SiteLock is not telling the website’s visitors the truth.

Considering that SiteLock missed such an easy to spot issue, it isn’t hard to believe they might also miss more serious issues, and in fact our past experience shows that it isn’t a theoretical issue. So while the review is positive, the underlying reality is the opposite.
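The check described above can be automated in a few lines. The following is an added example, not code from this post or from SiteLock: it reads a page's generator meta tag and flags software whose support has ended. The function names, the `END_OF_SUPPORT` table (which holds only the Joomla 1.5 date given above) and the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
import re

# Assumption: a minimal end-of-support table. Its only entry is the one the
# article states (Joomla 1.5, support ended September 2012).
END_OF_SUPPORT = {("joomla", "1.5"): "2012-09"}


class GeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and copes with any
        # attribute order or quoting style, unlike a plain string search.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "generator":
            self.generators.append(a.get("content", "").strip())


def check_generator(html):
    # Returns (status, detail). Only "unsupported" is a definite finding;
    # "unknown" and "no-generator" do not mean the website is secure.
    finder = GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.match(r"\s*([A-Za-z]+)!?\s+(\d+\.\d+)", content)
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        ended = END_OF_SUPPORT.get((name.lower(), version))
        if ended:
            return ("unsupported", f"{name} {version}, support ended {ended}")
    if finder.generators:
        return ("unknown", finder.generators[0])
    return ("no-generator", "")


# Constructed sample page carrying the tag quoted in the article, with the
# attribute order and letter case changed to exercise the parser.
SAMPLE = """<html><head>
<META content='Joomla! 1.5 - Open Source Content Management' NAME="Generator" />
</head><body></body></html>"""

print(check_generator(SAMPLE))
```

A missing or unrecognized generator tag is reported separately because the tag can be removed or altered without the underlying software being updated.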

Considering that customers of security services are hiring them in the first place, it isn’t likely that many reviews come from someone who would actually be aware of a failure like SiteLock’s here, so many other reviews of them are probably unintentionally misleading others as well.



2 thoughts on “SiteLock Review Shows the Problem of Relying on Customer Reviews To Determine Quality of Security Companies”

  1. My hosting service uses SiteLock. I received an email from SiteLock telling me that one of my sites was infected with malware. I continued to receive emails and by the end of the week SiteLock said all 21 of my sites were infected.

    NOTE – MOST OF MY DOMAINS ARE EITHER REDIRECTS OR USED FOR EMAIL PURPOSES ONLY – THERE ARE NO ACTUAL FILES ON ANY SERVER ANYWHERE IN THE WORLD! IT’S LIKE YOUR DOCTOR TELLING YOU THAT YOU HAVE GALL STONES WHEN YOU DON’T EVEN HAVE A GALLBLADDER.
    I called my host and told them what was going on. They transferred me to their SiteLock rep. He told me I was infected and they could take care of it. I asked him to email the information and I would review it. It felt more like SiteLock Marketing – $300 to clean and $20 a month per site to keep me protected. I downloaded all of my site files from the host to an external drive. I scanned that drive – CLEAN. I took the drive to a nearby company that deals with corporate security and they scanned it – CLEAN. I called my host back and told them what was going on and they said they would scan my sites themselves – CLEAN.

    I wrote a couple of reviews and that resulted in a call from SiteLock. I explained the situation and she proceeded to tell me that my sites were infected and sent me an email confirming their findings. I sent an email back and told her that if I ever hear from SiteLock again, I will contact my host, cancel my service and contact my attorney.

    1. From what we have seen when SiteLock says that there is malware on a website, they really mean that there is some indication that it is hacked, which doesn’t always mean that it contains actual malware.

      Just because a scan found the files clean doesn’t necessarily mean much. Anti-virus software, for example, isn’t normally designed to scan for malicious code from websites. Also, from what we have seen, software specifically designed to scan for malicious code on websites both misses a lot of malicious code and produces lots of false positives.

      In this type of situation the best thing to do is get whatever evidence your web host and/or SiteLock will provide on the claimed issue and then get a second opinion from another company that deals with hacked websites. We are always happy to do that for free and in most instances we can easily tell if the website is in fact hacked or it isn’t. In recent times the majority of the situations we are contacted about have involved websites that were really hacked despite the website’s owner coming to us believing otherwise.
