When it comes to the numerous issues with the web security company SiteLock, one of the strangest we have found is their continued lying about the true provider of their content delivery network (CDN) and web application firewall (WAF) services. When mentioning the services they make it sound like they provide them themselves, using phrases like “our IP addresses”, “SiteLock servers”, and even “SiteLock patent-pending technology”, but what we found was that the services are actually provided by another company, Incapsula.
We can’t think of a good reason for lying about who provides these services, but when mentioning this previously we gave a couple of reasons why being dishonest about it is troubling. First, trust is an important part of security; if SiteLock is willing to lie about this, then what else might they lie about? Second, since both of these services involve sending a website’s traffic through the service provider’s systems, having a website’s traffic go through a company that the website’s owner doesn’t have a relationship with raises some serious security and privacy issues.
While helping someone resolve an issue with a website recently, we ran across another issue caused by this. They were having a problem caused in part by the Incapsula WAF. While they were getting an error page from Incapsula served as part of the problem, they didn’t know where it was coming from or how they could remove Incapsula’s WAF, since they didn’t know that the SiteLock service being used was actually Incapsula, or even that there was a connection between the two. If SiteLock were upfront about who really provides that service, then the source of the error page wouldn’t have been a mystery and the issue could have been more easily resolved.
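For a site owner in that position, the provider can usually be read off the response itself. The following is an added example, not part of the original post: it checks a raw HTTP response for markers publicly associated with Incapsula's edge servers. The function name, the marker list and the sample responses are our own constructions, and the markers are heuristics that a provider can change.

```python
import re
from email.parser import Parser

# Response markers publicly associated with Incapsula (now Imperva) edge
# servers. Assumption: treated as heuristics, since a provider can change them.
HEADER_MARKERS = {
    "x-iinfo": re.compile(r".+"),                     # any value counts
    "x-cdn": re.compile(r"incapsula|imperva", re.I),
}
COOKIE_MARKERS = re.compile(r"^(visid_incap_|incap_ses_)", re.I)
BODY_MARKERS = re.compile(r"incapsula incident id|_Incapsula_Resource", re.I)

# Constructed sample responses (not captured from any real site).
SAMPLE_BLOCKED = (
    "HTTP/1.1 403 Forbidden\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: visid_incap_000000=CONSTRUCTED; path=/\r\n"
    "Set-Cookie: incap_ses_000_000000=CONSTRUCTED; path=/\r\n"
    "X-Iinfo: 0-0-0 CONSTRUCTED\r\n"
    "X-CDN: Incapsula\r\n"
    "\r\n"
    "<html><body>Request unsuccessful. Incapsula incident ID: 0-0</body></html>"
)
SAMPLE_ORIGIN = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>shop</html>"


def incapsula_evidence(raw_response: str) -> list[str]:
    """Return the reasons a raw HTTP response looks Incapsula-served."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    _status, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    evidence = []
    for name, pattern in HEADER_MARKERS.items():
        for value in headers.get_all(name, []):
            if pattern.search(value):
                evidence.append(f"header {name}: {value.strip()}")
    for cookie in headers.get_all("set-cookie", []):
        cookie_name = cookie.split("=", 1)[0].strip()
        if COOKIE_MARKERS.match(cookie_name):
            evidence.append(f"cookie {cookie_name}")
    match = BODY_MARKERS.search(body)
    if match:
        evidence.append(f"body text: {match.group(0)}")
    return evidence


if __name__ == "__main__":
    for label, raw in (("blocked", SAMPLE_BLOCKED), ("origin", SAMPLE_ORIGIN)):
        print(label, incapsula_evidence(raw) or "no Incapsula markers")
```

To check your own website, pass the function the output of `curl -si` run against it; an empty list means none of these markers were present, not that no third party is in the path.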
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
I don’t work for Incapsula, but this isn’t lying. If SiteLock has a whitelabel agreement with Incapsula to provide WAF and CDN services under their own trademark, then there is no issue. If SiteLock was soliciting investment based on a technology “they developed,” which turned out to be a whitelabeled service or another patented technology, then your claim would be valid.
There are a lot of reasons to relabel a product and in this case, my guess is GoDaddy or SiteLock are doing so to create value within their own marks. The easier way to prove your point would have been to simply run a number of ‘gets’ and then map the IPs back to the service provider.
I have many such relationships with my resellers, who simply are using their marks as a way to add value and distance themselves from our sales people – it is a common practice. Incapsula has many certifications around PCI and other common standards practices and they are owned by one of the largest security firms (Imperva), so if you have a reason to cast doubt on their trust, I think you should pick an unsigned provider like Cloudflare or a basic offer like Amazon and cast doubt there. 🙂
Well, I use SiteLock. I didn’t investigate as I should have before signing up. This article explains the error I just got when trying to connect a third-party fulfillment to my WooCommerce store. ugh
“We noticed that the security software “Incapsula” is blocking our API requests to your store. Please contact your server administrator.”
SiteLock should be a bit more transparent, since when admins see “Incapsula” errors it is confusing.