SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites, the first thing a legitimate provider would want to do when contacted is make sure that the website in question is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate, and the company that seems to be the farthest from legitimate is SiteLock, which has a well-earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts, where the web host pushes their services and SiteLock in turn provides them a large commission for the services sold that way. That type of relationship is often to the disadvantage of customers of the web hosts, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customer’s websites due to claimed malware on the website. When the customer contacted the support department they were transferred to SiteLock and told the only way to get the website back up was to pay them $70 to $100 a month (charged annually). In reality the web host only requires that the website be cleaned for them to reactivate it. In this case, though, the situation is much worse, since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS), because it outputs user input without escaping it, but someone would have to know both the apparently randomized name of the file and the apparently randomized additional value that is checked for that to even come into play.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious.
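As an added example (not part of the original post and not any vendor's tooling), here is a Python check for triaging a host's malware report: it separates files that match the editor preview file shown above from files that only borrow its naming. The filename character set, the accepted format of the random value, the verdict names and all sample files other than the one quoted above are assumptions.

```python
import posixpath
import re

# Name shape from the page's example: ".wysiwygPro_preview_" + 32 characters + ".php".
# The character class is an assumption; the page only says the names are "similar".
PREVIEW_NAME = re.compile(r"\.wysiwygPro_preview_[0-9A-Za-z]{32}\.php")

# The page's sample file with its per-file random value swapped for a marker.
TEMPLATE = """<?php
if ($_GET['randomId'] != "@@TOKEN@@") {
    echo "Access Denied";
    exit();
}

// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);

?>"""

# Assumed alphabet and length range for the random value (the page's sample is 64 characters).
TOKEN_PATTERN = r"[A-Za-z0-9_-]{16,128}"


def normalize(text):
    """Collapse every whitespace run so indentation and line endings do not matter."""
    return " ".join(text.split())


_head, _tail = normalize(TEMPLATE).split("@@TOKEN@@")
BODY = re.compile(re.escape(_head) + TOKEN_PATTERN + re.escape(_tail))


def classify(path, content):
    """Return a verdict for one flagged file based on its name and its full contents."""
    name_ok = PREVIEW_NAME.fullmatch(posixpath.basename(path)) is not None
    # fullmatch: any extra statement before, inside or after the template fails the check.
    body_ok = BODY.fullmatch(normalize(content)) is not None
    if name_ok and body_ok:
        return "editor-preview-template"
    if name_ok:
        return "preview-name-only"          # looks like a preview file, is something else
    if body_ok:
        return "template-under-other-name"
    return "unrelated"


def triage(report):
    """Map every path in a {path: content} report to its verdict."""
    return {path: classify(path, content) for path, content in report.items()}


def needs_review(report):
    """Paths that cannot be explained as untouched editor preview files."""
    return sorted(p for p, v in triage(report).items() if v != "editor-preview-template")


# Random value as shown on the page.
PAGE_TOKEN = "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6"

SAMPLE_REPORT = {
    # File name and random value as shown on the page; the CRLF line endings are constructed.
    "public_html/.wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php":
        TEMPLATE.replace("@@TOKEN@@", PAGE_TOKEN).replace("\n", "\r\n"),
    # Constructed: preview-style name, but the randomId check has been removed.
    "public_html/.wysiwygPro_preview_0123456789abcdef0123456789abcdef.php":
        "<?php\necho stripslashes($_POST['wproPreviewHTML']);\n?>",
    # Constructed: an unrelated flagged file.
    "public_html/wp-content/themes/example/functions.php":
        "<?php\n// constructed placeholder content\n",
}

if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT).items():
        print(f"{verdict:28} {path}")
```

Only files that match on both name and complete contents are set aside; a preview-style name on its own is never treated as proof that a file is harmless.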

Based on our years of seeing what SiteLock is up to, it seems possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is a scam, since if they can’t correctly handle identifying malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation, the first thing we did was ask about the evidence provided by the web host to support shutting down the website. Once we saw that, we were able to explain what was going on and help get this resolved for free, instead of scamming money out of someone who had already been the target of an attempted scam.

Get a Free Consultation From Us

If you have been contacted by SiteLock or a SiteLock partnered web host claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked, and if it is we will provide you with a free consultation on how you can best deal with the issue. So that we can provide that second opinion, please send us the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

123 Reg’s Idea of Security Also Involves Leaving Websites to Get Hacked

Earlier this week we noted that GoDaddy’s idea of security involved leaving websites insecure and dealing with the after effects of that. They are not alone, as here is how another web host, 123 Reg, promotes a security service provided by their security partner SiteLock:

Malware is malicious code that can attack your website and cause security or performance issues.

Google has discovered that approximately 30,000 sites are affected by this malicious code every day and just 14% are protected, leaving 86% of websites vulnerable to attack. It sounds scary, but there is a way to protect your website.

SiteLock® from 123 Reg provides your website with a credible, state-of-the-art diagnostic system that scans for threats and identifies known malicious code, removing it from your website automatically. Giving you peace of mind in knowing that your site is malware free.

There are 110 million variants of malware in existence today. You can’t check your website every day in case you’ve been attacked. Let us do it for you.

Of course if SiteLock is detecting malicious code on your website then it has been affected by malicious code. Real protection would stop the malicious code from getting there in the first place.

What seems like it should also raise questions is, if there really were “110 million variants of malware in existence today”, what are the chances that SiteLock might miss some? The answer from an earlier post of ours is that in reality SiteLock misses malicious code that 123 Reg is able to spot themselves.

Even if they were good at spotting malware, if code is able to get on the website then its malicious impact could already have happened by the time it gets removed. For example if the malicious code copies all of an online store’s customer details, removing the malicious code isn’t going to undo it.

If you are looking to protect your website we recommend doing the security basics, since those will actually stop the possibility of many attacks, while services that claim to protect websites present no evidence they are effective at all, and we frequently had people coming to us looking for one of those that works after having used a service that didn’t prevent their website from being hacked. If your website has already been hacked, then the solution is to have it properly cleaned instead of buying a security service.

SiteLock Falsely Claims That Website Hosted By Their Partner 123 Reg Is Malware Free

Over two years ago we noted that the then recently started partnership between the web host 123 Reg and the security company SiteLock was already producing the bad results that should have been expected based on SiteLock’s well-earned reputation as scammers. If the website we were contacted about earlier this week is any indication, things haven’t changed.

One of the more annoying aspects of the scam that is so much of the security industry is that after people get scammed by security companies like SiteLock that don’t even attempt to properly do the work they are being hired to do, people come to us wanting us to help them out for free since they already paid the scamming company (which we are not in the business of doing for what should be obvious reasons). That was the case with someone that contacted us after being told by 123 Reg that their website was hacked, hiring their partner SiteLock to clean it, and having SiteLock claim to have cleaned it up. While SiteLock claimed the website was malware free, 123 Reg wouldn’t unsuspend the website due to them claiming there still was malicious code on it.

When we were contacted about the website it was suspended, so we couldn’t see what was going on with it, but when we went to check on the website a couple of days after we were initially contacted, we found that the website was no longer suspended and that clearly it still had malicious code on it since when trying to access the homepage we were redirected to a malicious website.

What this situation shows is that 123 Reg should certainly be aware that the security company they have partnered with isn’t getting things done. That they continue the partnership is a good indication that the partnership is based not on helping their customers get connected with a reputable security company, but instead is based on them getting paid to push their customers to hire SiteLock.

What is the most unfortunate element is that there really isn’t a solution apparent here. If people hired reputable companies like ours they could avoid this type of situation, but what we have found is that most people will ignore warnings about companies like SiteLock until after they have been scammed, and then in a situation like this they want someone else to help them for free.

GoDaddy’s Idea of Security Involves Leaving Websites to Get Hacked

If it were not for seeing the great value we can provide in quickly resolving hacking situations that have gone on for weeks or months, we likely wouldn’t have anything to do with the security industry, since it is such an awful industry, which seems to be largely built around taking advantage of people. One reoccurring example of that is that those in the security industry promote leaving websites insecure as security, instead of telling people what would actually keep websites secure (which doesn’t involve the services they are selling). As yet another example of that, here is how GoDaddy sells people on a security service that they charge up to 29.99 a month for:

Complete protection for complete peace of mind.

Website Security powered by Sucuri is advanced protection made simple. There’s no software to install, daily security scans run automatically and if there’s ever an issue our auto removal tools can’t fix, our security experts will repair it manually – no matter how long it takes and at no additional cost to you.

By repairing the issue, they are talking about cleaning up a hack, which shouldn’t happen since the website is supposed to be protected.

Also of note, with the claims made in that quote, is that our experience from often being brought in to re-clean websites after their security division, Sucuri, fails to get the job done, is that sometimes they will keep doing incomplete cleanups and in other instances they won’t come back in and will falsely claim that a website is clean when it isn’t. In either case what they don’t do is attempt to properly clean up the websites in the first place, which would negate the need for even discussing repeated cleanups.

Paying a Lower Yearly Fee for an Ongoing Website Security Service When You Have a Hacked Website is Not a Deal

When people have had their website hacked, the unfortunate reality is that there are a lot of people out there looking to take advantage of them. A lot of that involves telling people what they want to hear while knowing that you are lying to them. Based on what people say when contacting us, what a lot of people with hacked websites are looking for is a service that will protect their website from being hacked again. The reality we tell them is that while there are plenty of services that claim to do that, they don’t work (as an example of that, we often have people coming to us asking if we offer a service like that that works after using one that didn’t prevent their website from being hacked) and in fact the providers of them don’t even present any evidence that even tries to support that they do. The additional reality is that the companies behind these services usually don’t even try to do the work that could possibly make them work.

That last element is in some ways the most important when it comes to someone that already has a hacked website, since part of the work that these services don’t do to try to protect websites is also an important part of cleaning up a hacked website. Just last Friday we mentioned an example of that with a company named Sucuri, which had press coverage for something that wasn’t meaningful when the real story should have been that they were publicly admitting to cutting corners with hack cleanups by not even trying to determine how the website got hacked. If you don’t know how websites are being hacked, you are going to have a hard time even trying to protect them. That they admitted to that isn’t really surprising to us, because we have been dealing with the after effects of their improper cleanups and their failure to protect websites from being hacked in the first place for years.

Recently we had someone contact us while looking for a better deal for a website service after their web host GoDaddy was trying to sell them on a $299 a year subscription for a service provided by Sucuri, which GoDaddy owns, after they claimed their website was hacked. Paying less for a service that won’t properly deal with a hack isn’t a better deal, since at any price it isn’t going to properly resolve the situation. Instead, if your website is hacked what needs to be done is to get it properly cleaned up. Properly cleaning up a hacked website involves three key components:

  • Cleaning up the hack.
  • Getting the website as secure as possible (which usually involves getting any software on the website up to date).
  • Trying to determine how the website was hacked and fix that.

Once that has been done, then doing the security basics is what is going to do a better job than these services to keep your website from being hacked again.

If you want your hacked website properly cleaned up your best bet is to hire us. On the other hand, if you want to get ripped off, then check out the other companies out there, since a lot of them would love to take advantage of you.

Security Journalists Should Be Focused on Sucuri Failing to Properly Clean up Hacked Websites Instead of Non-Notable Malicious Code

When it comes to the poor state of web security, what is badly needed is security journalism that exposes what the many unscrupulous security companies are up to and how they take advantage of their customers. Instead, what we have found is that security journalists act more as the marketing department for them.

One security company that would apply to is Sucuri; we are frequently brought in to re-clean hacked websites after they have not even attempted to properly clean them. One of the things we have often found that they haven’t done is try to determine how the website was hacked. That is a problem for the cleanup, since you need to know how the website was hacked to ensure that the vulnerability has been fixed, and because we have found that Sucuri often misses parts of the hack code that could have been spotted if they had done the work needed to try to determine how the website was hacked. But the larger issue with this company not doing that is that their main service is supposed to protect websites from being hacked in the first place, which, in all likelihood, is going to be difficult if you don’t know how they are being hacked.

Sucuri’s own marketing speaks to the fact that they don’t seem focused on actually protecting websites, as on their home page they tout a number of stats about the service, not one is related to effectiveness of protecting websites:

The number of cleanups might be an indication of their failure to do that, if many of those are cleanups of existing customer’s websites (assuming the stats are even true).

You don’t have to take our word that Sucuri doesn’t try to determine how websites are hacked. A recent article on security news website Threatpost, Stealthy Malware Disguises Itself as a WordPress License Key, mentions that in passing, when it should be the focus of the story. Instead the focus of the story is in itself not newsworthy, as it reports on Sucuri describing a dime a dozen situation where malicious code has been added to the functions.php file of a WordPress theme. What might be newsworthy is how that code got there, but Sucuri didn’t even attempt to determine that:

“We had no access to their logs to determine the root cause, but it’s generally caused by compromised admin accounts or downloading and using themes/plugins from untrusted sources,” Moe Obaid, security analyst at Sucuri, told Threatpost.

Getting access to the logs would have been a basic part of the work of a proper cleanup and shouldn’t be difficult.

How this person would know how this type of hack generally happens if they are not doing the work to determine that seems like an obvious question to ask them, but it would appear that Threatpost wasn’t interested in digging deeper into an employee of this company admitting to cutting corners in the work they are doing. (You also have to wonder why someone is called a “security analyst” if they don’t actually do security analysis.) One explanation for the lack of critical coverage of the security industry by Threatpost, in this instance and in general, is that it appears itself to be owned by a security company.

The Repercussions of Failing to Properly Clean Up Your Hacked Website is Not a SiteLock Scam

When it comes to the poor security of websites, the unfortunate reality for a company like ours that actually tries to improve security is that much of the security industry is only really focused on taking advantage of people (whether intentionally or because they don’t have even a basic grasp of security), and many people with real security issues often are not interested in getting things properly dealt with, instead looking for magic fixes. The end result is that legitimate security companies suffer, while scammers that will sell people things that don’t work, but are marketed with fantastical claims, do.

On one side of that, take the company SiteLock, which we have seen taking advantage of people for years, by doing things like selling security services that claim to provide incomparable security but don’t even attempt to actually secure websites, or trying to sell unneeded security services based on phishing emails. Much of what they are up to could accurately be described as a scam, but in addition to having people come to us after being scammed by them, we often deal with people who have not been scammed by them yet, but only seem interested in claiming they are being scammed by them instead of being interested in actually dealing with a real security issue with their website.

One recent example of that came from someone that contacted us directly and also left a long comment on one of our posts about SiteLock. In their case what seems pretty likely to be going on is that they have not been properly cleaning up a hacked website and then blaming their web host and SiteLock for the repercussions of that.

At the core of this is something we often hear about, but don’t quite understand, since it seems to ignore clear information provided by web hosts and common sense. Mentioned in their comment was that they were simply removing files listed by their web host as being malicious:

The few files I found in the scan report took like 3-minutes to remove and had nothing to do with the domain.

Doing that isn’t enough, as among other things, those files had to get on the website somehow, so you need to try to figure out how that is happening. Not all that surprisingly the issue then kept occurring, but that didn’t cause them to consider changing course.

The more important issue with that, though, is that their web host would usually mention, when listing the files they noticed are malicious, that removing them is not enough. Here, for example, is the boilerplate text someone else that contacted us recently received from the same company along with the list of impacted files:

Please Note: While the content listed was specifically reported, it may not be a complete list of all infected content on your website. It is very common for additional infected content to exist and not be captured in our report. For this reason, we highly recommend that you review all of your website content as well as your entire cPanel account to help prevent further security issues and malware reports. Not doing so could leave your website vulnerable to another infection.

So you have someone repeatedly ignoring the advice of their web host, which relates to something else the web host warned about:

For the safety of our servers and your website visitors, repeated reports of malicious content on your account within 60 days of this initial notice will lead to necessary further actions, which may include permanent suspension.

When we replied to this person to point out that you can’t just remove the files and that we haven’t had any of the issues they are complaining about when we have been hired to do a proper cleanup, they just steamrolled forward with their belief that their web host and SiteLock were up to shady behavior. So our time was just wasted there, as they were no closer to getting things properly resolved. Instead they said their next move was to move to a new web host, which wouldn’t resolve the hack, just cause a new web host to have to deal with having a hacked website on their systems.

We really can’t emphasize enough that if your web host is telling you your website is hacked, after confirming the claim is accurate, you or someone else needs to properly clean up the website, otherwise you are likely to have additional problems that could have been avoided.

Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone that had gotten a phishing email made to look like it was from Bluehost, and who, when they contacted the real Bluehost, was then pitched a security service they didn’t need, since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own, since they were trying to sell someone security services they largely couldn’t effectively use: their website is hosted with Squarespace, so much of the SiteLock service wouldn’t even work and other parts wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly the domain used for the phishing is also a Bluehost customer (maybe that is from someone that fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that was sent by SiteLock trying to sell this person on the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to ensure that there is actually a situation that could use SiteLock’s input. The person that received this is not named Vish (or anything close to that), despite it being addressed to someone with that name.

You’ll notice they claim that the website has been infected, despite that not being the case or even what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before your website has been infected and we need to clean it as soon as possible before it’s suspended by the host. The reason your website was found with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also a Firewall blocks any malicious traffic and hacking attempts from entering your website in the first place, it’s the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
– Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site

OneHourSiteFix Introduces Arbitrary File Upload Vulnerability on Websites Using Their Service

We are often brought in to re-clean malware infected or otherwise hacked websites after other security companies have failed to get things fully cleaned up. Recently, though, we were brought in to deal with a high profile website (one where we were later contacted by the FBI during their investigation into it) where not one, but two companies had failed to do anything meaningful to clean it up. One of them, Sucuri, we already were well aware likely wouldn’t do a good job, based on everything we had seen in repeatedly cleaning up after them. The other company is one that we don’t have as much experience with, though from everything we have seen it wasn’t surprising they hadn’t handled the situation well. Something we noticed makes them much worse, though, since they are introducing a serious security vulnerability on their customers’ websites when they are supposed to be cleaning them.

The company’s name is OneHourSiteFix. Just the name indicates they likely don’t do a good job since you are unlikely to be able to properly clean up most websites in that time frame. As we mentioned in a previous post related to strange claims they make, it seems impossible they could do what they claim to do in that time frame seeing as they claim to:

manually analyse EVERY element of your site – every row in your database and every line of your files is checked and cleaned

In the case of the high profile website they don’t appear to have accomplished anything positive. They did add a couple of files that actually introduced a serious security vulnerability, which we will discuss in a bit.

Another instance of interaction with their work came a couple of months ago when we got sent this email from them:

Hi there,

We have cleaned and replaced the hacked version of this site. Also, we have placed the website behind an enterprise grade web application firewall to ensure this site has a high level of protection against future attacks

https://www.virustotal.com/#/url/9eb38ae785eeeca21b344ead39cf595b0bdb5f991c60c6ac630e6e628bc34678/detection

Could you please review and remove the blacklisting as soon as possible ?

We don’t blacklist websites nor do anything close to that. Looking at our logs we found that they landed on our website on a page titled Sucuri SiteCheck Scanner Falsely Claims Our Website is Defaced, which has nothing to do with us blacklisting websites. You would have to be very confused to believe otherwise based on that page, but they did.

They seem to make a fair amount of strange requests like that, considering a quick search pulled up them requesting blacklist removals for websites well after that removal had already occurred.

With that complete lack of attention to detail, what else we noticed about them isn’t surprising.

OneHourSiteFix Makes Their Customers’ Websites Vulnerable

At the point we were brought in to clean that high profile website there were still files from OneHourSiteFix on the website in a directory named, appropriately, “ohsf”. In that directory was another directory named “upload”. That directory in turn contained a file that allowed anyone to upload arbitrary files to the website. The file used to handle that was recently in the news for the real but overstated security risk introduced by it. In this case there were no restrictions on what types of files could be uploaded through that or who could upload files, so a hacker could use that to place malicious .php files on a website and gain full access to the website, which seems like something that a company that is supposed to be cleaning a website shouldn’t be making possible (even if it is hopefully only temporary).

What was also interesting in this situation is that Sucuri flagged a number of the files in the “ohsf” directory as being “malware” and removed them, but didn’t notice the file with a serious security issue.

The Poor Quality of Web Security Products and Services Can Lead To a False Belief That Websites Have Been Hacked

We think a baseline requirement for using any web security product or service that claims to protect websites should be that there is evidence that the service is effective. That would preferably be evidence from independent testing. What we have found though is plenty of products and services not only don’t provide that, but their marketing materials actually indicate that the services fail to secure websites. For example, SiteLock’s idea of security seems to revolve around dealing with after effects of websites being hacked instead of stopping them from being hacked in the first place, which isn’t security.

Even with what SiteLock claims to do instead of securing the website, they don’t provide evidence they are effective at it. We have seen plenty of evidence to the contrary. The latest example is also a reminder of another issue we sometimes see with security products and services: they lead people to falsely believe that their website has been hacked, so instead of securing a website they lead people to believe that the website is insecure. That might be good for security companies, since it can mean more business from dealing with phantom hacks and more fear leading to more purchases of services that don’t have to work, but it, like so much else from the security industry, is bad for everyone else.

The other day we were contacted by someone using SiteLock’s services, for a second opinion on a claim from them that a website was infected with malware. We were sent the following screenshot from SiteLock’s website:

While that does claim that the website contains malware, the signature listed, SiteLock-HTML-SEOSPAM-fkl, seems to actually indicate that there was spam content detected. From what we have seen, SiteLock labels any indication that a website has been hacked as malware. We don’t know if they don’t know what malware actually refers to or if this is done to make what they are detecting sound more concerning than it really is, but it is sometimes very misleading. In this case they also make this sound very concerning by claiming the severity is “Urgent”.

The sample provided for the supposed issue doesn’t appear to be related to malware or spam. Instead it just shows a link to another page on the website and harmless HTML code generated by the WPBakery Page Builder plugin for WordPress. We also didn’t find any other indications of a spam hack on the website, so this “Urgent” situation seems to really be a false positive.

Considering that their service is supposed to provide “security” by detecting and removing malware, the poor quality of their scanner makes it unlikely that they could even accomplish effective detection, much less effectively remove what they find.

This was apparently the third time that SiteLock had claimed that there was malware on the website. Based on the quality of the claim in this instance, it seems unlikely it was the only false positive.