Sucuri’s Scare Tactics on Display with Their Claim That the Washington Post’s Website Contains Malware

Back in March we put out a post about the, now GoDaddy owned, website security company Sucuri’s SiteCheck scanner falsely claiming that our website was “defaced” and that “malicious code was detected”. That claim was based on a page on our website being named “Hacked Website Cleanup – White Fir Design”.

We recently had someone contact us that ran across our post after having Sucuri make a similar false claim about their website. In their case they were contacted by their web host SiteGround with the Sucuri results. In looking in to what was going on we found a post on SiteGround’s blog from March announcing they were going to start doing that. What they say about Sucuri is disconcerting:

There are several reasons to change our scan partner from Armorize to Sucuri. First, Sucuri is one of the most respected companies in the website security field. In addition, we have been working in partnership with them for several years. We have relied on their expertise for solving numerous complex security issues. And last, but not least, many of our clients’ websites have also been cleaned by Sucuri from malicious code over the years. That is why it was only natural that we extend this already successful partnership and make it cover the daily site scans too.

If they are truly one of the most respected companies in the website security field, that doesn’t same much about the field. Not only has their scanner been quite bad for years, but what we have seen with their clean up of hacked website hasn’t been good either, an example of that involved a website they claimed clean despite compromising credit info entered on it. They also don’t seem to understand the basics of security. And about a year ago they accidentally made a good case for avoiding themselves.

But let’s get back to their scanner, which SiteGround is now helping to cause more people to interact with the results of.

Scare Tactics

If you go to the web page for Sucuri’s Scanner you will notice that just below where you enter an address to have it scanned, it states:

Disclaimer: Sucuri SiteCheck is a free & remote scanner. Although we do our best to provide the best results, 100% accuracy is not realistic, and not guaranteed.

That sound reasonable, the problem is that it doesn’t in any way match how they present results from it. Here is what it looks like when they think a web page contains malware, as can be seen with a page from the Washington Post’s website, which we happened to submit to test out something related to the false defacement claims:

Among the very scary sounding things they have on their are:

Warning: Malicious Code Detected on This Website!

Status: Infected With Malware. Immediate Action is Required.

Malware Detected Critical GET YOUR SITE CLEANED

Get Immediate Clean Up CLEAN UP MY SITE

Your site appears to be hacked. Hacked sites can lose nearly 95% of your traffic in as little as 24 to 48 hours if not fixed immediately – losing your organic rankings and being blocked by Google, Bing and many other blacklists. Hacked sites can also expose your customers and readers private and financial information, and turn your site into a host for dangerous malware and illicit material, creating massive liability. Secure your site now with Sucuri.

Though looking at the evidence presented to back that all up they seem a lot less sure there is even an issue as it is stated that “Anomaly behavior detected (possible malware)”.

When looking at the malware definition given, MW:ANOMALY:SP8, things are also unclear, as first they refer to what it detects as being “suspicious” and “possibly malicious”:

A suspicious block of javascript or iframe code was identified. It loads a (possibly malicious) code from external web sites that was detected by our anomaly behaviour engine. Those types of code are often used to distribute malware from external web sites while not being visible to the user.

But then states their “engine found it to be malicious”:

This is not a signature-based rule, but looks at anomaly behaviors on how the web site is being loaded. Our engine found it to be malicious (related to remote includes).

It isn’t reassuring that on one page they both claim detecting this would mean that something is malicious and that it is only possibly malicious.

Get a Second Opinion

We would strongly recommend that web hosts don’t do what SiteGround is doing here and further spreading Sucuri’s inaccurate results. It would probably be best to avoid any web host that does something like this as well, since it doesn’t show they have an interest in best helping their customers or that they are doing proper due diligence.

If you do get sent results by your web host that claim your website is hacked, whether they come from Sucuri or another company, we would recommend that you get a second opinion as to their veracity from a more trustworthy company that does hack cleanups. We are always happy to do that for free and we would hope that others would too.

If Wordfence Security Doesn’t Find Any Malicious Files on Your Website It Doesn’t Mean That It Isn’t Hacked

When it comes to WordPress security plugins, one is by far the most popular. That plugin being Wordfence Security, which has over 2+ million active installs according to (the next most popular one has 800,00+ active installs). At least some of its popularity is based on people believing that the plugins is much more capable than it really is.

Some of that belief is based on the company behind the plugins simply lying about its capabilities. For example, here is the second sentence of their description of the plugin on

Powered by the constantly updated Threat Defense Feed, our Web Application Firewall stops you from getting hacked.

Would it be possible for the plugin to stop some hacks? Sure, but it can’t possibly stop all hacks. For example, if the website is hacked through a compromise of the FTP login details or a server level breach, that is occurring below the level the plugin is operating, so it can’t stop that. While a security plugin could try to detect a change made by that hack, the hacker would also likely have the ability to remove, disable, or modify the plugin with the access they have as well. It isn’t hard to understand why Wordfence would lie about this, since people will believe it and other false claims they make.

Even in situations where the plugin might be able to provide protection, unless you are paying for their premium service, they will leave you vulnerable for 30 days or more after they add protection (their ability to do that would require them knowing about the vulnerability, which isn’t a given), so Wordfence knows that a blanket claim that the plugin will stop you from being hacked isn’t true.

The claims being made don’t always come from the makers of Wordfence. For example, last year we noted an instance when someone posted on the support forum looking for help with hacked website they were told by two people that Wordfence Security would fix it, despite the person looking for help having already said that they had tried to use it to fix the website.

The latest incident of a belief that Wordfence Security is more capable than it really is, involved someone who came to us looking for advice on a claim from their web host that their website had been hacked. They believed that their web host’s claim was false in part because Wordfence Security couldn’t find any malicious files on the website.

Our experience from people presenting us results from numerous different automated tools for detecting malicious code over the years, is that they miss a lot of malicious code and can produce some bad false positives. So you can’t rely on them to determine that a website isn’t hacked. Due to the false positives you can’t totally trust them to determine that a website is hacked, though we would have more confidence of a claim that a website is hacked than it isn’t based on their results.

In this case what the website’s owner hadn’t done was to ask the web host for evidence to back up their claim that the website was hacked. Instead of looking to Wordfence Security or another plugin/service to try to determine if a website is hacked in this type of situation that should be the first thing done. Once you have that evidence, if you are unable to determine if the evidence backs up the claim we would recommend that you get a second opinion from a company that deals with hacked websites. We are always happy to do that for free and we would hope that other would as well.

When we were sent one of the files from the website, we not only immediately recognized it contained malicious code, but it was something that would have been picked by our partially automated scanning for malicious code (a human reviews all the results this scanning produces to determine if the code is actually malicious code). So the website was actually hacked and Wordfence Security had just missed malicious files, despite containing fairly common malicious code.

Since Wordfence Security couldn’t even detect the malicious code, it also wouldn’t have been able to clean it up, a further reminder that Wordfence Security’s ability to clean up hacked websites is also limited.

What It Takes for SiteLock to Claim a Website is At Low Risk

One of the more recent activities from the web security SiteLock that seem like it could be classified as a scam, is a score, from “low” to “medium” to “high”, that is supposed to indicate how likely a website is to be hacked.

We first ran across it when a Forbes contributor wrote about how they were told that their website, which consists of a “static HTML page with a few images and a few locally hosted CSS, font and JavaScript files”, was at “medium” risk based on this score. When the author of the article raised question about this, SiteLock couldn’t even explain a way that the website could be hacked that was considered by their score despite claiming it was at “medium” risk of that happening. Another element that makes this seem like a scam was that SiteLock provided supposed percentages of the risk that that got to “medium” risk, which don’t seem believable. Most of the risk, 64%, came from the “Site size and the number of distinct components”, despite the website having only one page and no components that seem like they could have lead to the website being exploited.

With SiteLock claiming that website was at “medium” risk, we wondered what it would take for SiteLock to claim is at “high” risk. A couple weeks later we got the answer, when we were contacted by someone that had been notified that their website was at “high” risk based on the scoring. So what kind of website is at “high” risk? One that only contained static HTML pages, but it did have multiple pages, so maybe that is enough for them to make that claim.

The question that then left us with was what it would take for a website to receive a “low” risk score. The answer it seems, based on a recent tweet we ran across, is for a website where the domain name that isn’t even registered:

This isn’t the only recent issue we have seen with SiteLock and an unregistered domain name, as several weeks ago we discussed a claim from SiteLock that a website contained “critical” severity malware due to a link to an unregistered domain name.

In looking for other instances of the “SiteLock Platform Digest” show in that tweet, we ran across someone that had received it unsolicited and SiteLock tried to claim that it was sent due to a web host, despite the web host having nothing to do with SiteLock.

SiteLock and Their Web Hosting Partners Are Not Trying To Extort You

When it comes to information on web security a lot of it is incredibly inaccurate. A lot of that comes from security companies, as can be seen by looking over many of the posts on this blog detailing some of the many instances of that happening. They are not alone in this, much of the information put forward by the public is wrong as well.

One area where we have been seeing that as well dealing directly with people making such claims, involve baseless or outright false claims about the web security company SiteLock and their web hosting partners. What makes this stand out is there is so much bad stuff about them that is true and yet you have people making untrue claims of bad things they are supposed to be doing, but are not.

In some cases the true problems and the false ones might be related. Recently we discussed yet another instance of SiteLock falsely claiming that a website contained malware, this time it involved a link URL for blog post comment that linked to an unregistered domain name. We often see and hear people claiming that SiteLock or their web hosting partner have hacked their websites. We have yet to see any evidence of that or any a plausible explanation of how someone came to the conclusion that had occurred. It seem conceivable that some of those claims involved websites that SiteLock falsely claimed contained malware and the owner believed that it was infected, but thought that SiteLock did it (that might sound odd, but it doesn’t based on some of the interactions we have had with people making the claims).

Recently we have seen and heard from a many people claiming that SiteLock and their web hosting partners are holding websites hostage, holding them for ransom, or are engaged in extortion.

What these seems to underlie this is people reading previous claims along the same lines or not paying attention to what they are being told.

The reality is that while SiteLock’s web hosting partners will often disable a website if they believe malware is on it (and they are not always right) there is no requirement that you hire SiteLock to clean up the malware, as we mentioned before. Here for example is the text that Bluehost (whose parent company does business under the names A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others) explains what needs to be done to have the website turned back on:

You will need to review your files and clean the account accordingly by removing all malicious files, not just the reported url. Once you have confirmed your files are clean and no longer a threat, please contact us again to have your account reactivated.

In dealing with lots of website that are in this situation there has never been any issue with the website being turned back on when we have cleaned up the website instead of SiteLock.

We also haven’t seen any issue where people could not get the access needed to move their website before it has been cleaned up.

In cases where website have incorrectly been disabled and we were ask to take a look at the claim, we are not aware of any situation where the web host did not the turn back on the website after it was pointed out there was false positive that lead to disabling.

If you have a website that SiteLock or their web hosting partners are claiming is hacked what we suggest you do is to get any evidence they will provide you about the issue and then get a second opinion on the situation. We are always happy to do that for free and we hope that other security companies, who are certainly aware of what is going on, would do that as well.

Someone that knows what they are doing will usually easily be able to tell if the website is in fact hacked and needs to be cleaned. If it is hacked, you would probably be best off not hiring SiteLock to clean it because not only do they overcharge for the quality of service they provide (due in part to how much of the fee is going to their web hosting partners), but also because they don’t properly clean up websites.

SiteLock Claimed Website Had Critical Severity Malware Due to Link to Unregistered Domain Name in Comment

On most days we now have multiple people contacting us in regards to claims made by SiteLock and their web hosting partners about the security of their websites. Those contacts broadly fall into to two categories these days.

The first involves websites that SiteLock and their hosting partners are claiming are hacked, which are in fact hacked, but seemingly due to their reputation and shady sales tactics, the websites’ owners believes that the websites are not hacked. In some cases we even are contacted by people claiming that SiteLock or their web host has hacked their website, though those claims have appeared to be completely baseless (we have seen zero evidence ever that SiteLock has hacked any websites).

The second category largely involves SiteLock and their web hosting partners making seemingly baseless claims that websites contain some vulnerability, are at high likelihood of being hacked, or have some other security issue. A recent source of many of those claims has been something referred to as the SiteLock Risk Assessment, which is supposed to provide a score of how likely a website is to be hacked based on “predictive model that analyses over 500 variables “, but the scores appear to be unconnected to reality.

The combination of those situations is not just bad for the people having to deal with the claims made by SiteLock and or their web host, but also for the general public since websites that are really hacked are not being seen as having the serious issue they have, due in part to the false claims also being made.

A recent example of the latter category stood out to us as a good example of the type of activity that has caused SiteLock to earn a reputation as scammers.

We were recently contacted by someone that had multiple calls and emails from SiteLock claiming their website contained malware. Below is one of the emails that was sent by SiteLock about this supposed issue:

Dear SiteLock Customer,

   My name is [redacted] and I’m a Security Consultant here at SiteLock Website Security.We are reaching out to you because one or more of the domains you own has malware on it and this issue needs to be resolved. As your website security provider you Do Not have the appropriate level of security to remedy/ remove and prevent these issues.

I’ve attempted to leave a message or left a message on the number in our records as well.

Contact me immediately and directly. We are able to assist you. [redacted] // [redacted]

Worth noting here is that SiteLock’s usage of “Security Consultant” is in fact a euphemism for a commissioned sales person, who likely doesn’t have any background in security.

When we were contacted about this, we asked if there had been any evidence provided to back up the claim that the website contained malware. One reason for doing that is that SiteLock labels all sorts of things that are not malware as being malware, so that makes providing a second opinion in many instances very difficult because the claimed issue could be one of many things.

The website’s owner had not been provided any yet and after SiteLock was asked for evidence, a couple of screenshots were provided. The first showed the following alert box:

What the “critical security issues” is supposed to be is shown in the second screenshot:

The most relevant portion is shown here:

So by malware on the website and “critical security issue” they really meant there was a link to another website. The link in question wasn’t something that was placed on the website as part of a hack of the website, instead the URL was the website provided with a comment on a post from 7 years before. So the claim didn’t seem at all accurate and the repeated contact by SiteLock seemed unreasonable, but it gets worse. We expected that at least the linked to domain, aspergerssyndromsymptomsblog, would contain something malicious, why else would they be claiming it was malware? But instead we found that the domain name isn’t even registered anymore. So a link from a comment to an unregistered domain caused SiteLock to claim a website contained malware.

The SiteLock employee that sent the email mentioned earlier was recently quoted in a SiteLock post saying the following:

The positivity and high energy makes me want come to work each day. We provide valuable products that help business owners succeed, without them having to worry about security issues. We also have great perks here, including free breakfast on Mondays and lunch on Fridays, an on-site gym and cafe, and an employee game room. I feel right at home!

In reality it appears that SiteLock is actually causing people to worry about security issues that don’t even exist and then trying to sell them solutions to protect them from non-existent issues.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).


Is SiteLock Not Even Saying What Website They Are Claiming is Vulnerable?

A few days ago we discussed a Forbes article about a report from the web security company SiteLock that claims be a score of how likely a website is to be compromised that seems to be based on nothing, as despite claiming a website had a “Medium” likelihood of compromised SiteLock couldn’t point to any way that the website would be compromised other than ones that are not considered in their score. In that post we noted that previously we have had people come to us after SiteLock had contacted and claimed that there was vulnerability on their website, but wouldn’t give them any details of it. It looks like they can provide even less information, as the following portion of an email sent to someone that was formerly a customer of one of their web hosting partners shows:

It is baffling that telling the owner of a website which one of their websites is claimed to have a vulnerability, without providing any details whatsoever of the vulnerability, is going to somehow expose the vulnerability.

What is a bit odd about this message is that Bluehost’s name is incorrectly capitalized as “BlueHost” with the “h” capitalized when it shouldn’t. It seems like you should get your partners name right, especially when that partner is ultimately run by SiteLock’s owners. Without seeing the rest of the email we can’t see if there is any indication that this actually another phishing email being sent to Bluehost customers, like the one we that came up last week when Bluehost was pushing someone to hire SiteLock to deal with a non-existent malware issue. Though that phishing email actually mentioned a specific website.

One alternate explanation that isn’t too far out there considering SiteLock’s track record and the fact this person isn’t even with the web host anymore is that there is no basis for the claim. By not mentioning a website they might hope to get more interest from webmasters than if they mentioned one and it wasn’t important.

SiteLock Likelihood of Compromise Reports Look Like Another SiteLock Scam

We have written a lot about the shady stuff involving the web security company SiteLock and the main complaint we have gotten about this is that because we also offer web security services (though very different from what they offer) that the information we provide is suspect. We can’t point to much written by others in a professional capacity because for the most part SiteLock has remained under the radar. But we now have something written by someone else that we can point to that shows the kind of activity that has caused “sitelock scams” to be one of the search predictions that Google provides when searching for SiteLock:

An article put out by Forbes last week describes something we have yet to have anyone contact us about, a report from SiteLock that is supposed to be “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. The author of story was told that their website, which is “single-page static website with just a handful of files and no CMS or other editing software”, had a “Medium” “likelihood of compromise”. The author of the article noted they could only think of two ways that type of website could be compromised, but SiteLock told them that neither of those was consider when calculating the score:

The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.

Considering that SiteLock was saying that there was a “Medium” risk of compromise how else did they think it could be compromised, they couldn’t even come up with an answer:

When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

In light of the fact that the score seems to be baseless in this instance, it is worth noting the only detail of the score provided was:

The only detail of any kind offered by the report as to how it assessed my site at Medium risk was that 7% of the risk came from “Popularity: Number of visitors and overall social media presence,” 29% of the risk from “Presence of specific components” and 64% from “Site size and the number of distinct components.”

So SiteLock is making it appear that all of this is evidence based, they are giving percentages and claiming to leverage over 500 variables (we can’t even think of close to 500 variables that could possibly be used unless they are really stretching as what they count as a separate variable), but the reality is that the score seems to be baseless. The author of the piece had the expertise to see past the superficial evidence based nature of this, but SiteLock wouldn’t be doing this if they didn’t think that others would not be as knowledgeable.

This isn’t the first time that we have seen SiteLock put forward claims that websites are vulnerable based on false evidence or unsupported by evidence. In June we noted how they continued to use false information about the security of WordPress to claim websites were vulnerable. In other instances we have had people come to us after SiteLock has claimed there is some vulnerability on their website, but has refused to provide the details, instead only suggesting purchasing SiteLock services to resolve. That was also the case for the author the article.

When the web hosting partner that was passing along the score was asked what could be done to reduce it, the response was to purchase SiteLock services:

When asked what a company could do to reduce their risk score, Network Solutions noted that it offers two subscription monitoring services by SiteLock that scan a customer’s site each day, alerts them if their site has been compromised and automatically removes selected malware from infected files.

The web host would likely get a significant percentage of the fee for those services if they were purchased.

SiteLock gave a similar response:

When asked how a company might work to reduce their risk score from Medium to Low in the absence of any technical detail as to which of the 500 indicators were triggered for their site and if their subscription vulnerability scans did not reveal a known vulnerability, SiteLock offered that it has a commercial professional services team that can be hired in a consulting arrangement to review a site and determine if there are any concerns with its architecture or technical design.

In line with what we have seen in the past when caught doing questionable stuff, SiteLock claimed that they didn’t see anything wrong with what they are doing:

The company strenuously emphasized that it believes such a score is very useful and that many companies have found it of great use to them, but declined to provide more detail as to what companies have done with that information beyond simply subscribing to SiteLock’s products.

The Forbes article raises other issues with this situation that are also problematic and we would suggest you read the article.

Based on all of that it looks like these scores can be safely ignored, but with other claims from SiteLock about the security of websites that are backed by some level of evidence we recommend getting a second opinion before taking any action, as they are not all false. We are always happy to provide a free second opinion.

iPage’s Strange False Claim of Malware Being Detected on a Website

We get a lot of people that contact us looking for a second opinion as to a claim that their website contains malware coming from the SiteLock and or their web hosting partners. One of the latest included a head scratching claim in an alert from the web host iPage (the logo shown with that is SiteLock’s, so maybe they did the scan):

Malware has been detected on your site during a recent scan. 0 domain may be affected.

So there was malware detected on their site during a recent scan, but it impacted “0 domain”. Those seem like they are contradictory statements to us, but maybe something that doesn’t count as a domain was impacted?

What we suggested to the website’s owner was to contact iPage for more evidence because that wasn’t enough based on that to give a second opinion as to the veracity of the claim, though it seemed unlikely considering the website was built with the Weebly website builder provide by iPage.

The response they got from iPage was that the there was not any malware, but they were not provided with an explanation as to what had happened:

We apologize for any inconvenience caused. I have performed a scan of your account and it is malware free. Right now there is no alert regarding infection is shown in the ControlPanel.

If you receive an alert similar to this from iPage whether it actually lists a positive number of domains affected or not, our recommendation is to contact iPage for more information and then get a second opinion instead of signing up for a SiteLock service, which they are trying to sell you from that alert, right off the bat.

False Claim From Bluehost Phishing Email Leads to Bluehost Trying to Sell Unneeded SiteLock Service

On a daily basis we are contacted by people looking for a second opinion after their web host and or their web host’s security partner SiteLock claim that their website contains malware. While a lot of the time there really is some hack of the website that has occurred, though not necessarily involving malware, there are many instances where the claim turns out to be false. There have been many different reasons for that, one of the latest seems like it might be the worst the one yet, since the web hosting partner, Bluehost, tried to sell someone on a $1,200 a year security service from SiteLock based on false information from a phishing email that didn’t even claim there was malware on the website.

What we were told at first about the situation didn’t make sense to us. The website’s owner said they were told by their web host Bluehost that their website was using excessive MySQL resources and that the cause was malware. MySQL is database system and malware and other hacks rarely involve interaction with a database, so we didn’t understand where the belief that malware would be the cause would have come from. Looking at the website made things seem odder. The one possibility we could think of is if a hack added spam content to a website it could cause increased traffic to the website that in turn could increases MySQL resource usage. Not only did we not see any indication of that type of issue, but there was also the fact that the website was built with the Weebly website builder software, which seems unlikely to be hacked in that way or using much in the way of database resources.

After asking if Bluehost provided any more information that might make their conclusion that malware was the cause seem more reasonable, we were forwarded the following email that had started the situation:

Bluehost via

11:16 PM (12 hours ago)

Dear Bluehost customer [redacted]:

It has come to our attention that your site is using an excessive amount of MySQL resources on your BlueHost.Com account. This is causing performance problems on your website as well as for other customers that are on this server. It can cause our servers to crash and cause additional downtime.

Our research shows that server performance degrades when the MySQL usage is over 1,000 tables and/or 3 GB on a single account or 1,000 tables and/or 2 GB on a single database. In order to ensure optimal performance for your account and the others in your shared hosting environment, we request that you reduce the MySQL usage on your account to under these limits in 14 days.

You must confirm the current copy of our Terms of Service here:[redacted]
How to fix:[redacted]

Terms of Service Compliance Department
1958 South 950 East
Provo, UT 84606
Phone line: (888) 401-HOST Option 5 | Fax line: 801-765-1992

The very beginning of that caught our attention first, as it referenced “”, which seems like it shouldn’t be where an email from Bluehost should be coming from. A Google search on that showed that this email was part of an ongoing phishing campaign against Bluehost customers. Later on in the email the URLs being linked to are intend to look like it is Bluehost by starting “” and “”, but the rest of the domain is “”. The server that is hosted from is in Belarus.

Since this was a phishing email there was not anything wrong with the website. So that makes Bluehost’s claim that it was malware and that the SiteLock service should be purchased when they were contacted even odder. The Bluehost support person must not have checked to insure that the issue the customer was contacted about actually existed, despite a phishing campaign going on making false claims along those lines. Even then it doesn’t make sense to say this was malware based on the claimed MySQL resource usage issue. So what explains it?

Well it might have something to do with the fact that Bluehost gets 55% of the revenue from sales of SiteLock services through their partnership or that SiteLock’s owner also run the parent company of Bluehost, the Endurance International Group. Based on what have heard in the past it sounds like when support persons don’t know what is going on they may blame malware for what is going on and point people to SiteLock.

In any case, it is a good reminder to make sure to get a second opinion when you are contacted by SiteLock or their web hosting partners so that you don’t end up spending over a thousand dollars a year on something you don’t need. If you were really hacked you also don’t need to spend anywhere near that amount of money to get the website properly cleaned up (SiteLock doesn’t even properly clean up websites for their high fees).