GoDaddy’s Idea of Security Involves Leaving Websites to Get Hacked

If it were not for seeing the great value we can provide in quickly resolving hacking situations that have gone on for weeks or months, we likely wouldn’t have anything to do with the security industry, since it is such an awful industry, which seems to be largely built around taking advantage of people. One reoccurring example of that is that those in the security industry promote leaving websites insecure as security, instead of telling people what would actually keep websites secure (which doesn’t involve the services they are selling). As yet another example of that, here is how GoDaddy sells people on a security service that they charge up to 29.99 a month for:

Complete protection for complete peace of mind.

Website Security powered by Sucuri is advanced protection made simple. There’s no software to install, daily security scans run automatically and if there’s ever an issue our auto removal tools can’t fix, our security experts will repair it manually – no matter how long it takes and at no additional cost to you.

By repairing the issue, they are talking about cleaning up a hack, which shouldn’t happen since the website is supposed to be protected.

Also of note, with the claims made in that quote, is that our experience from often being brought in to re-clean websites after their security division, Sucuri, fails to get the job done, is that sometimes they will keep doing incomplete cleanups and in other instances they won’t come back in and will falsely claim that a website is clean when it isn’t. In either case what they don’t do is attempt to properly clean up the websites in the first place, which would negate the need for even discussing repeated cleanups.

Paying a Lower Yearly Fee for an Ongoing Website Security Service When You Have a Hacked Website is Not a Deal

When people have had their website hacked the unfortunate reality is that there are lot of people out there looking to take advantage of them. A lot of that involves telling people what they want to hear while knowing that you are lying to them. Based on what people say when contacting us, what a lot of people with hacked websites are looking for is a service that will protect their website from being hacked again. The reality we tell them is that while there are plenty of services that claim to do that, they don’t work (as an example of that, we often have people coming to us asking if we offer a service like that that works after using one that didn’t prevent their website from being hacked) and in fact the providers of them don’t even present any evidence that even tries to support that they do. The additional reality is that the companies behind these services usually don’t even try to do the work that could possibly make them work.

That last element is in some ways the most important when it comes to someone that already has a hacked website, since part of the work that these service don’t do to try to protect website also is important part of cleaning up a hacked website. Just last Friday we mentioned an example of that with a company named Sucuri, which had press coverage for something that wasn’t meaningful when the real story should have been that they were publicly admitting cutting corners with hack cleanups by not even trying to determine how the website got hacked. If you don’t know how websites are being hacked, you are going to have a hard time even trying to protect them. That they admitted to that isn’t really surprising to us because we have been dealing with the after effects of their improper clean ups and their failure to protect website from being hacked in the first place for years.

Recently we had someone contact us while looking for a better deal for a website service after their web host GoDaddy was trying to sell them on a $299 a year subscription for a service provided Sucuri, which GoDaddy owns, after they claimed their website was hacked. Paying less for a service that won’t properly deal with a hack, isn’t a better deal, since at any price it isn’t going to properly resolve the situation. Instead, if your website is hacked what needs to be done is to get it properly cleaned up. Properly cleaning up a hacked website involves three key components:

  • Cleaning up the hack.
  • Getting the website secured as possible (which which usually involves getting any software on the website up date).
  • Trying to determine how the website was hacked and fix that.

Once that has been done, then doing the security basics is what is going to do a better job than these services to keep your website from being hacked again.

If you want your hacked website properly cleaned up your best bet is to hire us. On the other hand, if you want to get ripped off, then check out the other companies out there, since a lot of them would love to take advantage of you.

GoDaddy Says That Version of PHP for Which Support Ended 3 Years Ago Meets Their Stability and Security Requirements

You would think that if a web host owned a security company they would be better than other web hosts when it comes to security. With GoDaddy that isn’t the case, though that might be explained by the fact that the security company they own Sucuri, seems to be completely incompetent. As yet another example of the security issues with GoDaddy, while dealing with a support issue on a website hosted with them we found that they were making this claim about PHP 5.4 on the Programming Languages page of their control panel on the website we were working on:

PHP version 5.4 is available and meets our stability and security requirements.

Support for PHP 5.4 ended in September of 2015.

To make thing more confusing if you click the question mark icon next to radio selector to use that version of PHP on the page a message box appears that states:

Version 5.4 is no longer actively supported.

So is the first claim inaccurate or do they have really low standards for “stability and security”?

GoDaddy’s Idea of Securing Websites Actually Involves Leaving Them Insecure and Trying to Deal with the After Effects of That

Yesterday we discussed GoDaddy’s usage of misleading claims to try to sell overpriced SSL certificates. Based on that it probably wouldn’t be surprising to hear that they would mislead people in other ways about security and that is exactly what we ran across while looking into things while working on that previous post.  When we clicked on the “Add to Cart” button for one of their SSL certificates, at the bottom of the page we were taken to, there was a “malware scan and removal” service offered to “Secure your site”:

The description of that is:

Defend your site against hackers and malware with automatic daily scans and guaranteed cleanup.

It shouldn’t be too complicated to understand what is wrong with that, though as we mentioned earlier today there seems to be a lot of confusion when it comes to what security services and products do.

If a website is secure it wouldn’t have malware or some other hack on it to detect or remove, so either GoDaddy doesn’t understand what they are providing or they are lying about.

The problem we see so often with this sort of service is that people will fail to do the things that will actually keep websites secure because they believe a service like this will actually keep a website secure.

Trying to deal with the after effects of having a website hacked instead of actually securing it introduces a lot of issues. One of those being that if a hacker uses the hack to exfiltrate customer data stored on the website a cleanup isn’t going to undo that.

What is a lot more important to note is that everything we have seen from the underlying provider of GoDaddy’s security services, Sucuri, is that they are not good at detecting and cleaning up hacks of websites. Their scanner seems, to put it politely, incredibly crude. Their employees seem to lack a basic capability to understand evidence that a website is hacked. And in what is most relevant to this specific service, we recently we brought in on a situation where their scanner had failed to detect that a website was hacked and then they repeatedly incompletely cleaned up the website, leaving it in a hacked state for a while. It was only after we were brought in to clean things up properly (which Sucuri doesn’t appear to even attempt to do) that it was finally cleaned and stayed that way.

GoDaddy Using Google’s Change to Label Non-HTTPS Websites as “Not Secure” in Chrome To Sell Overpriced SSL Certificates

Yesterday we discussed someone’s belief that their website would be useless in its current form due to a company’s blog post about Google making a change to their Chrome web browser to label non-HTTPS websites as “not secure”. Unrelated to that, yesterday we  got sent an email from GoDaddy touting purchasing SSL certificates from them to avoid websites being labeled that way by Chrome. Two things stood out with that. The first being that GoDaddy charges much more than you need to be paying for an SSL certificate, which will in part prevent a website from being labeled as “not secure”, but also that GoDaddy doesn’t seem to really understand what they talking about when it comes to HTTPS. That latter fact isn’t all that surprising considering GoDaddy’s poor security track record.

The subject of the email was “Your customers need SSL on their sites ASAP.”.

On the page linked to from the email, their lowest end SSL certificate, which would be the level you need to avoid the “not secure” label, the introductory price is 60 dollars if you pay for two years upfront and then after that 75 dollars:

With other providers you can pay a fraction of that price. It also looks like that used to be true with GoDaddy as well, as they have apparently significantly increased the prices they charge for SSL certificates over the years despite nothing that would have increased their costs.

Using Let’s Encrypt you can even get a free SSL certificate and there are plenty of web hosting providers that have the capability integrated into their control panels to allow setting those up. It’s worth nothing that GoDaddy’s security company has been a major sponsor or donor to Let’s Encrypt, which seems like a tacit endorsement of Let’s Encrypt .

That GoDaddy is overcharging for SSL certificates instead of being like other hosting providers and offering free SSL certificates seems worse to us when reading one of the three testimonials they chose to show on that page that touts them providing an affordable solution:

I received a call from product support to let me know Google was getting more rigid about “secure sites”. We were able to make the upgrades that I could afford, and make my site more mobile accessible AND secure.

Another testimonial seems more insidious since it gives the impression that GoDaddy is providing cheaper certificates than others instead of more expensive ones:

I’ve set up SSL certificates from various companies but will never use anyone but GoDaddy every again. It’s easy to set up, great support and at a fraction of the price it’s great all around!

That is a great example of why testimonials are not a great source of information because that one allows GoDaddy to make it seem like they providing a more reasonable priced product without having to lie. If they really were providing cheaper certificates they would have been able to present evidence to back that up.

Misleading Marketing

The email made the following claim:

SSL is not only the right thing to do for your customers, it’s also great for boosting their search rankings and getting more traffic to their sites.

No link was provided that backed up that claim. On the page to purchase an SSL certificate, the claim is made repeatedly in regards to Google search results, but again no evidence is provided.

Based on what Google has said it doesn’t sound like using HTTPS has much impact. Here is in part what Google said when the disclosed that usage was a ranking factor:

We’ve seen positive results, so we’re starting to use HTTPS as a ranking signal. For now it’s only a very lightweight signal—affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content—while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.

As far as we are aware they haven’t announced strengthening it and they seem to be using changes to Chrome to increase usage of HTTPS.

In another instance, a Google employee explained the impact as follows:

If you’re in a competitive niche, then it can give you an edge from Google’s point of view. With the HTTPS ranking boost, it acts more like a tiebreaker. For example, if all quality signals are equal for two results, then the one that is on HTTPS would get … or may get … the extra boost that is needed to trump the other result.

Importantly, if both websites were using HTTPS the impact on the ranking boost of either one would be nullified.

Misleading on that seems of less importance than a page they created just to promote buying their SSL certificates due to the change to Chrome.

There they claim that “A Not Secure label on your website can devastate your business.”:

No evidence is presented for that despite it being a serious claim.

What seems like a clear indication that they are not interested in informing people about what is happening, but selling something is another part of that page which states that using HTTPS will “shows visitors they’re safe with the little green lock in their address bar”:

The next HTTPS related change in Chrome, occurring in September, involves it downgrading what is shown for HTTPS pages:

Do They Know What an SSL Certificate Even Is?

Going back to the page for selling SSL certificates there is what is supposed to be an explanation of how a HTTPS connection works, but it seems to have been written by someone that isn’t familiar with it all:

An SSL certificate doesn’t “automatically creates a secure, encrypted connection with their browser”, instead the SSL certificate is just used to validate that a secure connection is being made with the intended website instead or with another party.

Among the other issues with that is that the level encryption is determined by the server and the web browser, not the SSL certificate.

GoDaddy might be able to justify a higher price for an SSL certificate if good customer service was provided, but considering how off the marketing material is, it is hard to believe that their customer service would be well informed about them.

GoDaddy (Owner of Sucuri) Still Using Server Software That Was EOL’d Over Six Years Ago

Last week we wrote a post about how the web security company Sucuri was hiding the fact that they are owned by the web host GoDaddy while promoting a partnership program for web hosts. Not mentioning that they are owned by a competitor of companies they are hoping to partner with seems quite inappropriate. It also seems problematic since GoDaddy has long track record of poor security, so that seems like material information that web hosts should have when considering partnering with Sucuri.

One example of GoDaddy’s poor security that we have noted before is that they are using a very out of date version of the database administration tool of phpMyAdmin. It turns out they are still doing that, as we found when doing some work on a client’s website hosted with them. While working on an upgrade we created a new database so that the database would be running a newer version of MySQL required by the new version of the software being upgraded. When we went to import the database we found the phpMyAdmin installation it is tied to is the same really out of date version of phpMyAdmin, 2.11.11.3:

The 2.11.x branch of phpMyAdmin reached end of life on July 12, 2011. After that date not fixes or security fixes were not released, so GoDaddy should not have been running that version after that.

Beyond the security concern with this, you have situation where GoDaddy isn’t even managing to update a customer facing piece of software at least every six years.

It also worth noting that GoDaddy is the employer of the head of WordPress security team (they are paying him for his work in that role). You really have to wonder how, if someone who truly cared much about security, they would be employed by a company that doesn’t seem to care about that. That they are willing to work for GoDaddy might go a long way to explain why the security team of WordPress continues to poorly handle things (it also raises questions about the propriety of having the head of the security team being an employee of a company that could profit off of WordPress seeming insecure).

Sucuri’s Lie of Omission Involving Their Ownership by GoDaddy

Last week we touched on a continued lie from the makers of the Wordfence Security plugin and mentioned the general problem of lying within the security industry. Not every lie involving the security industry involves something that is said, it can also be something not said.

As an example take what we noticed in a recent post by the web security company Sucuri promoting their partnership program for web hosts. What they neglect to mention despite being rather important, as we will get to, is that they are in fact owned by the web hosting company GoDaddy.

But before we get to that, the whole post is cringe worthy if you have followed our posts on the web security company SiteLock, whose business seems to largely built around partnerships with web hosts. Many of those web hosts are run by the majority owners of SiteLock, which might have given GoDaddy the idea to move from a partnership with SiteLock to do the same on their own.

At one of point in the Sucuri’s post they write the following:

We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers all while helping gain a better understanding of the overall health of accounts in the environment.

In the case of SiteLock, because SiteLock’s scanner isn’t very good that sort of thing has led to lots of people falsely being told that their websites have been hacked and then offered overpriced services to fix the non-issues. Sucuri’s scanner has also been bad for years, the most recent example of that we documented involved them claiming that Washington Post’s website contained malware. We noticed that while looking into a situation where someone was contacted by their web host with Sucuri’s results falsely claiming that their website hacked, much like they had falsely, but hilariously, claimed of ours not too long ago.

Elsewhere in Sucuri’s post they write:

They want a site that is fully secure and stays that way. From our experience, they don’t care about, or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.

That isn’t what you are get with Sucuri, if one person that came to us after having Sucuri failed to take care of a credit card compromise on their website. Not only did Sucuri fail to detect an easy spot piece of malicious code, but kept telling them the website was clean despite the person telling Sucuri that credit cards were still being comprised on the website.

That ties in with something in the post:

A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.

Clearly the customer service was terrible in that situation. But the other striking element of this is that we were able to identify the issue without using any “cutting-edge technology”. Also, when it comes to security services, web professional are not necessarily who you would want a recommendation from, since they don’t necessarily have a good idea about security. Certainly any of them recommending Sucuri, based on what we have seen, would be someone that shouldn’t be providing that type of recommendation.

If what another recent example of poor security from Sucuri and GoDaddy take this recent example of Sucuri’s web application firewall (WAF) being bypassed by simply encoding a character as reported by ZDNet. That is an indication that the product is rather poor at what it is supposed to be doing, which isn’t surprising based on everything we have seen from this company (they don’t even seem to understand security basics). This also looks like another situation where they are not being honest, as the article states that:

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

But a quote from the company neglects to mention that it was fixed after they were notified of the issue

“In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,” said Daniel Cid, GoDaddy’s vice-president of engineering.

“Within less than a day, our systems were able to pick up this attempt and put a stop to it,” he said.

What isn’t mentioned anywhere in the post is that SiteLock is owned by GoDaddy and therefore web host partnering are really partnering with a competitor and possible providing them with sensitive information.

That also isn’t mention on the linked to Sucuri Partner Program page.

What is mentioned there is that this is way for web hosts to make a lot of money:

As we have seen with SiteLock, that doesn’t lead to good things.

You also won’t find mention of the ownership on the about page on Sucuri’s website which states:

Sucuri, Inc. is a Delaware Corporation, with a globally-
distributed team spread over a dozen countries around
the world.

Beyond the fact that web hosts might not want to be partnering with a competitor in this way, there is the issue that GoDaddy has a bad reputation when it comes to security.

One element of that is obliquely mentioned in the Sucuri post when the write:

For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers,  but this isn’t really a huge threat today.

One such provider that happened with was GoDaddy, which had ignored attempts by people we were helping to deal those hacks, to get them to do something about it before it became a major issue. GoDaddy then made ever changing claims as to the source of, but notable didn’t blame themselves.

In more recent times there have been issues with them distributing outdated and insecure software to their customers, using outdated and insecure software on their servers, being unable to properly control FTP access to websites, not providing a basic security feature with their managed WordPress hosting, and worst of all, screwing up the security of databases that lead to website that otherwise would not have been hacked, being hacked.

It isn’t really surprising with that type of track record that they would have bought a security company that inadvertently made a good case that you should avoid them. But that all would be a good reason why other web hosts would probably want to avoid getting involved in this if they truly care about their customers and that might be why it goes unmentioned.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).

 

Security Plugins and Plugins by Automattic Haven’t Been Updated To List Them as Compatible With WordPress 4.8

Back on May 31 we received an email from WordPress.org asking us, as developers of several plugins, to make sure that the plugin were listed as being compatible with the then upcoming WordPress 4.8. The beginning of the message reads:

Hello, White Fir Design!

WordPress 4.8 is scheduled to be released on June 8. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.8. This information provides peace of mind to users and helps encourage them to update to the latest version.

As scheduled, that version was released on June 8.

While looking at something the other day we noticed that a security plugin had not been updated to list as being compatible with the new version. Looking at the plugins tagged security it turns out that many haven’t been two weeks after the release of that new version of WordPress. That doesn’t seem to be a great indication as to the state of security plugins, but more striking was that several of the most popular plugins tagged security that have not been updated come from the company Automattic, which is closely associated with WordPress.

First up being Jetpack by WordPress.com, which is tied with 6 other plugins for having the most active installs, 3+ million:

One of those other plugins with the most active installs is another Automattic plugin, which despite shipping with WordPress also isn’t listed with WordPress 4.8:

Getting back to the security tagged plugins, another Automattic plugin not listed as being compatible is VaultPress:

Among the other security tagged plugin that haven’t been updated to be listed as being compatible, you have iThemes Security:

You also have Sucuri Security, which still hasn’t even been listed as being compatible with WordPress 4.7, despite that being released in December:

The parent company of that plugin GoDaddy also hasn’t updated their other plugins to list them as compatible:

Also worth noting, considering SiteLock’s questionable involvement with WordPress, is the SiteLock Security plugin:

The SiteLock 911 Service Offered by GoDaddy Leaves Websites Open to Being Hacked Again

When it comes to cleaning up hacked websites, we are frequently brought in to re-clean websites after another company has previously been brought in and then the website gets hacked again. While it is not always the other company’s fault, what we have found is that almost always it involves a situation where the other company unintentionally or intentionally cut corners with the cleanup.

There are three basic components of a proper cleanup: removing the malicious content, getting the website secure as possible, and trying to determine how the website was hacked. We frequently see that only the first item, removing the malicious content, is done. That can leave the website open to being hacked again (and skipping over trying to determine how the website was hacked can also lead to not finding some of the malicious content that needs to be removed).

All of that brings us to the SiteLock 911 service that GoDaddy offers in conjunction with SiteLock. From what we have seen being brought to get things properly cleaned after this service has been used, corners are cut, leaving websites vulnerable. What isn’t clear if you were to look at the description of the service, is that is the case, so let’s take a closer at how the service is presented.

In describing how the service works they make it sounds like all of the components are happening:

Next we remove every bit of malware from your code. We also close security gaps and the backdoors that hackers use to break into your site.

There are a couple of fairly glaring issues with that. First backdoors would normally not be how hackers break into the website; instead backdoors are placed on the website through a vulnerability and then used to take further actions. If you remove the backdoor, but don’t fix the vulnerability it can just be placed there again. The other problem is that all of that fixing is supposed to happen with files that they copied of off the server and then placed back on the server, but that wouldn’t actually be how you would do much of the securing or determining the source of the hack. The securing usually involves getting the software up to date, which wouldn’t be done by just copying files (and based on what we have seen, isn’t something they do). The determining of the source involves reviewing the log files, which are stored separately on GoDaddy’ servers or in the case at least one type of account are not even stored.

In the FAQ, there is a rather odd answer to the question “Is the cleanup permanent?”:

Unfortunately, no. If the hacker automated the attack, it could keep happening. And SiteLock911 doesn’t protect against future attacks, so your site could get infected again. We offer preventive SiteLock plans with daily scans to keep your website malware-free.

This doesn’t really make any sense, as most hacks are automated and whether it could happen again depends on if the vulnerability that was exploited has been fixed. This answer alone should be a good indication that neither of the companies involved with this service have any idea about the basics of hacked websites (this isn’t the first time we have seen that coming from SiteLock). (The preventative SiteLock plans don’t actually do much, if anything, to protect websites from being hacked either.)

Another FAQ is also rather odd. In response to the question “Is it guaranteed to work?” it is stated that:

SiteLock911 malware cleaner handles most websites with ease but with new malware appearing all the time, there are no guarantees. If you happen to be afflicted with a brand new infection or hack, SiteLock will work with you to make sure your website is restored.

Whether the malware is new or old shouldn’t have any impact on being able to restore a website, instead the only limitation in the ability for a cleanup to restore a website to its previous form is if the hacker has removed or damage files or other content from the website. You can’t restore something that doesn’t exist, so either there would need to be another way to get a copy of the files/content or you can’t restore it. Something being new shouldn’t make a difference.

This seems like it may be a cover for SiteLock’s ongoing issues with damaging websites that they are supposed to be cleaning up at GoDaddy. That seems to be a fairly common issue based on the complaints we have seen on the web and the times we have been brought in to fix things up after them. While we frequently are brought in to re-clean websites after other companies have done a poor job, SiteLock is the only one where we have seen other company leaving behind broken websites. That is one of the many reasons we say that they are by far the worst company in the field.