SiteLock and Their Partners Including Bluehost and HostGator are Still Producing Bad Results

Earlier this week, we interacted with someone dealing with the mess that is having SiteLock brought in to clean up a malware infected website. They are not alone in that. Here was a review of them left on Trustpilot in October:

This is a company with no service and it’s a scam! It has been six weeks since I purchased their service and my site is down for the third time during their ‘monitoring’. I just keep receiving generic/automated emails about the removal of threats every two days or so while my website is still down!
I purchased it through Blue Host. I am puzzled as to why BH is recommending Site Lock. Service on both sides is mediocre or nonexistent. BH agents who barely spoke English were arguing with me with raised voices that I needed to be patient and wait until they had time to fix the website! I don’t want to use and be associated with either one of them! Site Lock is a scam and BH is not taking responsibility for recommending it. Thoroughly frustrated.

The person we were interacting with also is a customer of Bluehost. That reviewer wondered why they recommend SiteLock. The answer is pretty simple. Bluehost gets paid by SiteLock if they are hired.

It isn’t just Bluehost. Here was another review from October:

I was called up by “hostgator security” stating that my site had Malware. I asked them to revert it to a backup, and they said it would be $50 and no guarantee of fixing the malware, but I should use “Site Lock” instead. With 2 domains it would be $500, they would remediate the malware immediately, and then provide 12 months of monitoring service. Normally, I’d just handle malware myself, but I’ve got a lot going on, so I decide to let these professionals handle it. I ask them what happens if my site goes down during this process, and they assure me that would not happen because the only files that would be removed is malware. I ask, ok, what if some kind of accident happens and it goes down anyway? “They will help you, they are on top of it.” Okay great. I pay the money, for the next 24 hours I get a dozen emails about site scans happening. I check the next day, and both of my websites will not load. I call the Site Lock number and they tell me there are 19 directories for which I have not paid for Sitelock, and he thinks the malware is hiding there, and I need to pay for service for each of those directories. 19 + 2 X $250 is $5,250, which is as silly, ridiculous, halfbaked and outrageous a number as is the premise that more site scans will fix the problem. I come to find out Hostgator and sitelock are two separate companies. This is not a professional team that works together to remediate malware, in my opinion. I call back the hostgator rep who sold me the services, which at least I’m grateful he was easy to get a hold of, and I’m told he will open a ticket which may take up to 24 hours to get a response to. These are active business websites with advertising running to them. I should not have trusted Hostgator, and I should not have trusted Sitelock. After this is all over, I’m going to look at hosts who don’t charge to revert backups.

There were plenty of other recent Trustpilot reviews that are similar. This isn’t really news to us, since we used to have a lot of interactions with people who had hired them to deal with hacked websites, or whose web host was pushing them to, where the same issues came up.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

It Shouldn’t Take SiteLock Days to Remove Malware From a Hacked WordPress Website

In dealing with hacked websites, a company that used to come up a lot in our conversations with clients was SiteLock. We have run across many problems with them in past years. We were contacted this week by someone dealing with them after malware was detected on their website by Bluehost. Bluehost gets paid by SiteLock if you hire SiteLock to clean up the website, which is why they promote hiring them to clean it up. It isn’t because SiteLock does a good job of it.

That was on display with what this person was dealing with this week. They were now on the fifth day of SiteLock working on removing the malware from their hacked WordPress website (or at least they were supposed to be working on it). It shouldn’t take that long. It usually should take a few hours to do that cleanup. At least when we are cleaning up a hacked WordPress website, that is how long it takes. That is with us doing a proper cleanup, which lots of providers, including SiteLock in our past experience, don’t do, so it should take them less time than that.

We don’t have good advice to give to those who have already hired SiteLock. But for those that haven’t, the best advice is to avoid them.

If someone else has good advice for those who have hired them and are experiencing problems, leave a comment below.

SiteLock is Still Leaving Websites in a Broken State After Incomplete Malware Removals

It usually isn’t too difficult to properly clean up malware infected websites, but that doesn’t mean that security companies won’t cut corners. Here was someone recently looking for help after SiteLock had left their website broken after doing malware removal:

My website was recently hacked. I worked with the domain host and SiteLock to remove the malware. The site is now back, but not functioning properly. The formatting is generic and the menu is gone. Any help would be greatly appreciated.

That isn’t a new problem; it has been going on for years. Despite that, web hosts continue to partner with them because they pay the web hosts a significant amount of their fees. That probably helps to explain the result, since lots of the money being paid for the service isn’t being spent on the work.

If you hire us to remove malware from your website, we will make sure that everything is working again before we even charge you for the work.

HostGator and SiteLock Use a Raft of Falsehoods to Sell Unnecessary Security Service

When it comes to the selling of web security services, it is common for those to be sold using clear falsehoods. We recently highlighted an example of that with a service called Malcare. But the breadth of the falsehoods that were used recently to get $300 out of a customer of the web host HostGator for a SiteLock service stands out.

The customer contacted HostGator support about the website not showing up as being secure despite an SSL certificate being purchased. They weren’t sure if they were then dealing with someone from SiteLock or HostGator, which sounds a bit odd, since you wouldn’t think that you would contact your web host and be transferred to another company, but that has at least in the past been the case with web hosts, like HostGator, who are partnered with SiteLock. The conversation they then had was described to us, and it sounds in line with what we have heard in the past and seen when provided transcripts of the conversations.

They were told that the website contained malware. When they responded that it was the old website at a different web host (they were replacing everything because of the website being hacked), they were told that the malware was tied to the domain name and redeployed to the new website to find vulnerabilities. They were told that a firewall needed to be put on the website, for $300, to stop the website from being infected the way the old one was and that the Google search results would be cleaned. As to evidence of the claim of malware, they were pointed to the search results for the website, which showed pharmaceutical spam.

There are a lot of falsehoods packed in there, which include:

Google’s search results are not real time, so spam pages showing up there doesn’t necessarily mean there is anything at issue with the current state of a website, unless they are from a crawl just done. Spam pages are also different than malware.

Even if there were spam pages, they wouldn’t cause the website to not be listed as secure, since that isn’t impacted by that. Potentially a hack could cause pages to not be secure, if say, they added code to existing pages that accesses a website over HTTP instead of HTTPS.

SiteLock couldn’t clean up Google’s results. If the website is still hacked, then cleaning that up would eventually lead to Google’s results no longer showing the spam pages. If it is clean now, then they would just need to wait for Google to refresh them.

Malware isn’t tied to a domain name. If someone is flagging the website as containing malware, that could be tied to the domain name, but that isn’t tied to it being listed as secure as far as we are aware, as that relates to something else.

If there are vulnerabilities, you would want to fix them, not put a firewall around the website, since among other things, there isn’t evidence that firewalls like SiteLock’s would actually effectively protect against those vulnerabilities and plenty that they wouldn’t. Also, hackers are always trying to exploit vulnerabilities on websites; that has nothing to do with a domain name being tied to malware.

So almost nothing they said was true and none of it actually addressed the issue that support was being contacted about in the first place. You might think that conduct like this would have some repercussions, but right now neither journalists nor government regulators have shown an interest in it.
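The support request above was about the site not being shown as secure, and the one hack-related cause mentioned is code added to pages that loads something over HTTP instead of HTTPS. As an added example (not from the original post), this Python check lists such http:// sub-resource references in a page's HTML; the sample page and its host names are constructed.

```python
from html.parser import HTMLParser

# Attributes that make the browser fetch a sub-resource. <a href> is left out
# on purpose: a link to an http:// page is navigation, not mixed content.
URL_ATTRS = {
    "script": ("src",), "iframe": ("src",), "embed": ("src",),
    "object": ("data",), "img": ("src", "srcset"),
    "source": ("src", "srcset"), "audio": ("src",),
    "video": ("src", "poster"),
}
# Images, audio and video count as "passive" mixed content; scripts, frames,
# stylesheets and plugins are "active" and are treated most strictly.
PASSIVE_TAGS = {"img", "source", "audio", "video"}


def _urls(attr_name, value):
    """Yield the URL(s) held by one attribute value."""
    if attr_name == "srcset":
        # srcset is a comma-separated list of "url descriptor" candidates.
        for candidate in value.split(","):
            parts = candidate.split()
            if parts:
                yield parts[0]
    elif value.strip():
        yield value.strip()


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "link":
            # Only stylesheet links are checked here; rel=canonical and
            # similar are metadata and are not fetched for rendering.
            rels = attrs.get("rel", "").lower().split()
            names = ("href",) if "stylesheet" in rels else ()
        else:
            names = URL_ATTRS.get(tag, ())
        for name in names:
            for url in _urls(name, attrs.get(name, "")):
                if url.lower().startswith("http://"):
                    kind = "passive" if tag in PASSIVE_TAGS else "active"
                    line = self.getpos()[0]
                    self.findings.append((line, tag, name, url, kind))


def find_mixed_content(html_text):
    """Return (line, tag, attribute, url, kind) for each http:// sub-resource."""
    finder = MixedContentFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page: the host names are placeholders.
SAMPLE_PAGE = """\
<html><head>
<link rel="canonical" href="http://example.com/">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="https://example.com/app.js"></script>
</head><body>
<a href="http://example.org/">old link</a>
<img src="http://img.example.net/logo.png" srcset="https://img.example.net/logo@2x.png 2x">
<script src="HTTP://widgets.example.net/w.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for line, tag, attr, url, kind in find_mixed_content(SAMPLE_PAGE):
        print(f"line {line}: <{tag} {attr}> loads {url} ({kind})")
```

Run it against the HTML the server actually returns for the HTTPS URL. Inline CSS `url(...)` values and requests made by scripts at run time are outside what this static check sees.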

SiteLock is Now Trying to Scam People Out of $70 to $100 a Month Due to Non-Malicious Files Created by cPanel

From our years of experience dealing with the cleanup of hacked websites, the first thing legitimate providers would want to do when contacted is to make sure that the website they are being contacted about is in fact hacked, as we have found that people experiencing just about any problem with a website can jump to the conclusion that it was caused by the website being infected with malware or otherwise hacked. Much of the security industry isn’t what we would call legitimate, and the company that seems to be the farthest from legitimate is SiteLock, which has a well earned reputation for scamming people. Part of how they can stay in business despite that reputation is that they have “partnerships” with web hosts, where the web host pushes their services and SiteLock in turn provides them a large commission for services they can sell through that. That type of relationship is often to the disadvantage of customers of the web hosts, as a situation we were just consulted on shows.

Recently one of SiteLock’s partners, HostMonster, deactivated one of their customer’s websites due to claimed malware on the website. When the customer contacted the support department, they were transferred to SiteLock and told the only way to get the website back up was to pay them $70 to $100 a month (charged annually). In reality the web host only requires that the website be cleaned for them to reactivate it. In this case though the situation is much worse, since there wasn’t any malware on it.

All of the files that were claimed to be malicious had names similar to .wysiwygPro_preview_edcf331f0ffc35r4b482f1d15a887w3b.php and had contents similar to this:

<?php
if ($_GET['randomId'] != "Qd8f8yQpZe0JyipHkqUDWIwUrHqUixgfdQfEvwy1fU29Q0V_3kf_mw01oJmeF_g6") {
    echo "Access Denied";
    exit();
}
 
// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);
 
?>

Those are legitimate files created by an HTML editor that has come with the cPanel control panel offered by the web host. They are not malicious. The code in them is potentially susceptible to reflected cross-site scripting (XSS) due to outputting user input without escaping it, but someone would have to know both the apparently randomized name of the file and the apparently randomized additional value checked for that to even come into play.

Based on the identifier given for them, “SL-PHP-JSINCLUDE-cu.UNOFFICIAL FOUND”, it appears that SiteLock is causing them to be falsely flagged as malicious.

Based on our years of seeing what SiteLock is up to, it seems possible that the incorrect flagging here is caused by SiteLock’s incompetence instead of actual malice, but in either case this is a scam, since if they can’t correctly handle identifying malicious files then they shouldn’t be offering the services they are.

When we were contacted about the situation, the first thing we did was to ask about the evidence provided by the web host to support the shutting down of the website. Once we saw that, we were able to explain what was going on and help get this resolved for free, instead of scamming money out of someone whom others had already attempted to scam.
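The second-opinion check described above can be partly automated. As an added example (not from the original post, and not cPanel's or SiteLock's code), this Python script compares each flagged file with the editor stub shown earlier, ignoring only the random token and whitespace. It assumes that stub is exactly what the editor writes; the paths, token and file contents in the sample report are constructed.

```python
import re

# Assumption: the stub shown on the page is what the cPanel HTML editor
# writes, and only the random token differs from file to file.
STUB_TEMPLATE = '''<?php
if ($_GET['randomId'] != "TOKEN") {
    echo "Access Denied";
    exit();
}

// display the HTML code:
echo stripslashes($_POST['wproPreviewHTML']);

?>'''

NAME_RE = re.compile(r"^\.wysiwygPro_preview_[0-9A-Za-z]+\.php$")
TOKEN_PREFIX = "$_GET['randomId'] != "
TOKEN_RE = re.compile(re.escape(TOKEN_PREFIX) + r'"[A-Za-z0-9_-]+"')


def normalise(php_source):
    """Collapse whitespace and replace the per-file token with a fixed one."""
    text = " ".join(php_source.split())
    return TOKEN_RE.sub(lambda m: TOKEN_PREFIX + '"TOKEN"', text, count=1)


EXPECTED = normalise(STUB_TEMPLATE)


def triage(path, php_source):
    """Classify one flagged file. Anything that is not an exact stub stays
    in review: a matching file name alone proves nothing, because any file
    can be given that name."""
    name = path.rsplit("/", 1)[-1]
    name_ok = bool(NAME_RE.match(name))
    body_ok = normalise(php_source) == EXPECTED
    if name_ok and body_ok:
        return "benign-editor-stub"
    if name_ok:
        return "review: stub name, unexpected contents"
    return "review"


def triage_report(flagged):
    """Map every (path, contents) pair in a scan report to a verdict."""
    return {path: triage(path, source) for path, source in flagged}


# Constructed sample report (paths, token and contents are made up).
REAL_STUB = STUB_TEMPLATE.replace('"TOKEN"', '"Zx9_constructedToken-01"')
SAMPLE_REPORT = [
    # Same stub with Windows line endings, as an upload might leave it.
    ("public_html/.wysiwygPro_preview_0123456789abcdef0123456789abcdef.php",
     REAL_STUB.replace("\n", "\r\n")),
    # Stub name, but something was appended after the closing tag.
    ("public_html/.wysiwygPro_preview_fedcba9876543210fedcba9876543210.php",
     REAL_STUB + "\n<?php require 'other.php'; ?>"),
    # Unrelated file that the report also listed.
    ("public_html/wp-content/uploads/cache.php", "<?php echo 1; ?>"),
]

if __name__ == "__main__":
    for path, verdict in triage_report(SAMPLE_REPORT).items():
        print(f"{verdict:40} {path}")
```

A "benign-editor-stub" verdict only says the file is the editor's preview stub; every other flagged file still has to be read by a person.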

Get a Free Consultation From Us

If you have been contacted by SiteLock or a SiteLock partnered web host claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked, and if it is, we will provide you with a free consultation on how you can best deal with the issue. To provide that second opinion, please provide us with the evidence SiteLock or the web host is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

123 Reg’s Idea of Security Also Involves Leaving Websites to Get Hacked

Earlier this week we noted that GoDaddy’s idea of security involved leaving websites insecure and dealing with the after effects of that. They are not alone, as here is how another web host, 123 Reg, promotes a security service provided by their security partner SiteLock:

Malware is malicious code that can attack your website and cause security or performance issues.

Google has discovered that approximately 30,000 sites are affected by this malicious code every day and just 14% are protected, leaving 86% of websites vulnerable to attack. It sounds scary, but there is a way to protect your website.

SiteLock® from 123 Reg provides your website with a credible, state-of-the-art diagnostic system that scans for threats and identifies known malicious code, removing it from your website automatically. Giving you peace of mind in knowing that your site is malware free.

There are 110 million variants of malware in existence today. You can’t check your website every day in case you’ve been attacked. Let us do it for you.

Of course if SiteLock is detecting malicious code on your website then it has been affected by malicious code. Real protection would stop the malicious code from getting there in the first place.

What seems like it should also raise questions there is, if there really were “110 million variants of malware in existence today”, what are the chances that SiteLock might miss some? The answer from an earlier post of ours is that in reality SiteLock misses malicious code that 123 Reg is able to spot themselves.

Even if they were good at spotting malware, if code is able to get on the website then its malicious impact could already have happened by the time it gets removed. For example if the malicious code copies all of an online store’s customer details, removing the malicious code isn’t going to undo it.

If you are looking to protect your website, we recommend doing the security basics, since those will actually stop the possibility of many attacks. Services that claim to protect websites present no evidence they are effective at all, and we frequently had people coming to us looking for one that works after having used a service that didn’t prevent their website from being hacked. If your website has already been hacked, then the solution is to have it properly cleaned instead of a security service.

SiteLock Falsely Claims That Website Hosted By Their Partner 123 Reg Is Malware Free

Over two years ago we noted that the then recently started partnership between the web host 123 Reg and the security company SiteLock was already producing the bad results that should have been expected based on SiteLock’s well earned reputation as being scammers. If the website we were contacted about earlier this week is any indication, things haven’t changed.

One of the more annoying aspects of the scam that is so much of the security industry is that after people get scammed by security companies like SiteLock that don’t even attempt to properly do the work they are being hired to do, people come to us wanting us to help them out for free since they already paid the scamming company (which we are not in the business of doing, for what should be obvious reasons). That was the case with someone that contacted us after being told by 123 Reg that their website was hacked, hiring their partner SiteLock to clean it, and having SiteLock claim to have cleaned it up. While SiteLock claimed the website was malware free, 123 Reg wouldn’t unsuspend the website due to them claiming there still was malicious code on it.

When we were contacted about the website it was suspended, so we couldn’t see what was going on with it, but when we went to check on the website a couple of days after we were initially contacted, we found that the website was no longer suspended and that clearly it still had malicious code on it since when trying to access the homepage we were redirected to a malicious website.

What this situation shows is that 123 Reg should certainly be aware that the security company they have partnered with isn’t getting things done. That they continue the partnership is a good indication that the partnership is based not on helping their customers get connected with a reputable security company, but instead is based on them getting paid to push their customers to hire SiteLock.

What is the most unfortunate element is that there really isn’t a solution apparent here. If people hired reputable companies like ours they could avoid this type of situation, but what we have found is that most people will ignore warnings about companies like SiteLock until after they have been scammed, and then in a situation like this they want someone else to help them for free.

The Repercussions of Failing to Properly Clean Up Your Hacked Website Are Not a SiteLock Scam

When it comes to the poor security of websites, the unfortunate reality for a company like ours that actually tries to improve security is that much of the security industry is only really focused on taking advantage of people (whether intentionally or because they don’t have even a basic grasp of security), and many people with real security issues often are not interested in getting things properly dealt with, instead looking for magic fixes. The end result is that legitimate security companies suffer, while scammers that will sell people things that don’t work, but are marketed with fantastical claims, do well.

On one side of that, take the company SiteLock, which we have seen taking advantage of people for years, by doing things like selling security services that claim to provide incomparable security but don’t even attempt to actually secure websites, or trying to sell unneeded security services based on phishing emails. Much of what they are up to could accurately be described as a scam, but in addition to having people come to us after being scammed by them, we often deal with people who have not been scammed by them yet, but only seem interested in claiming they are being scammed by them instead of being interested in actually dealing with a real security issue with their website.

One recent example of that came from someone that contacted us directly and also left a long comment on one of our posts about SiteLock. In their case, what seems pretty likely to be going on is that they have not been properly cleaning up a hacked website and then blaming their web host and SiteLock for the repercussions of that.

At the core of this is something we often hear about, but don’t quite understand, since it seems to ignore clear information provided by web hosts and common sense. Mentioned in their comment was that they were simply removing files listed by their web host as being malicious:

The few files I found in the scan report took like 3-minutes to remove and had nothing to do with the domain.

Doing that isn’t enough, as among other things, those files had to get on the website somehow, so you need to try to figure out how that is happening. Not all that surprisingly the issue then kept occurring, but that didn’t cause them to consider changing course.

The more important issue with that though is that their web host would usually mention, when listing the files they noticed are malicious, that removing them is not enough. Here, for example, is the boilerplate text someone else that contacted us recently received from the same company along with the list of impacted files:

Please Note: While the content listed was specifically reported, it may not be a complete list of all infected content on your website. It is very common for additional infected content to exist and not be captured in our report. For this reason, we highly recommend that you review all of your website content as well as your entire cPanel account to help prevent further security issues and malware reports. Not doing so could leave your website vulnerable to another infection.

So you have someone repeatedly ignoring the advice of their web host, which relates to something else the web host warned about:

For the safety of our servers and your website visitors, repeated reports of malicious content on your account within 60 days of this initial notice will lead to necessary further actions, which may include permanent suspension.

When we replied to this person to point out that you can’t just remove the files and that we haven’t had any of the issues they are complaining about when we have been hired to do a proper cleanup, they just steamrolled forward with their belief that their web host and SiteLock were up to shady behavior. So our time was just wasted there, as they were no closer to getting things properly resolved. Instead they said their next move was to move to a new web host, which wouldn’t resolve the hack, just cause a new web host to have to deal with having a hacked website on their systems.

We really can’t emphasize enough that if your web host is telling you your website is hacked, after confirming the claim is accurate, you or someone else needs to properly clean up the website, otherwise you are likely to have additional problems that could have been avoided.

Bluehost and SiteLock Still Trying To Profit Off of Phishing Emails Being Sent to Bluehost Customers

In August of 2017 we first interacted with someone that had gotten a phishing email made to look like it was from Bluehost, and who, when they contacted the real Bluehost, was subjected to an attempt to sell them a security service they didn’t need, since there wasn’t any issue with their website. More than a year later Bluehost and their security partner SiteLock continue to do that. The latest incident is absurd on its own, since they were trying to sell someone security services they largely couldn’t effectively use: their website is hosted with Squarespace, so much of the SiteLock service wouldn’t even work and other parts wouldn’t be relevant in that situation.

Below is the phishing email. Interestingly the domain used for the phishing is also a Bluehost customer (maybe that is from someone that fell for a previous phishing email).

Hello, [redacted]

We are contacting you today because we have disabled your outbound email services temporarily. The reason for this is because you’ve got a forum that spammers were subscribing to to get messages sent out. They used a spam trap email address that actually resulted in our mail server getting blacklisted.

We need you to add protection to it so it isn’t being exploited in the future. You will need to contact us and let us know this has been resolved for us to restore your email services.

For protection, we ask that you require an account to subscribe to topic notifications if you haven’t already. We also ask that you add protection to your sign-up page so that spammers cannot automate it. You can do this by using a captcha or something similar to that.

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.3483e5ec0489e5c394b028ec4e81f3e1.[redacted]/account/6626/reactivation.html

Thank you,
BlueHost.com Terms of Service Compliance
http://www.bluehost.com
For support go to http://helpdesk.bluehost.com/
Toll-Free: (888) 401-4678

Below is the email that was sent by SiteLock trying to sell this person on the unneeded services after they had tried to get in touch with Bluehost. Bluehost apparently directs people over to SiteLock before even doing basic checking to ensure that there is actually a situation that could use SiteLock’s input. The person that received this is not named Vish (or anything close to that) despite it being addressed to someone with that name.

You’ll notice they claim that the website has been infected, despite that not being the case or even what the phishing email claimed.

Hi Vish

Thanks for taking the time to speak with me today. Like I mentioned before your website has been infected and we need to clean it as soon as possible before it’s suspended by the host. The reason your website was found with malware is that you currently have no security measures in place to stop malware from entering your site.

The simple solution to protect your website is adding a firewall as well as a smart scanner. The smart scanner removes malicious content from your source coding before it infects the website. Also a Firewall blocks any malicious traffic and hacking attempts from entering your website in the first place, it’s the single most important preventative measure you can have for your website. What I did was attach a couple of documents that fully go over the features of our upgraded scanner and firewall. You can also go to www.sitelock.com to get further details and services. If you have any questions or concerns my contact info is below.

So to break everything down price wise, it’s $30 dollars a month for our secure starter which includes a Professional firewall and Premium scanner. You will get a free cleaning for the website with this that will save you $300.

Best regards,

Secure Starter $30.00/Mo
Premium Scanner and Professional Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)

Secure Speed $50.00/Mo
Premium Scanner and Premium Firewall
– Automated Malware Removal Tool (removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)

Secure Site $70.00/Mo with unlimited free manual cleans and vulnerability patching
Infinity Scanner and Premium Firewall
– Automated Malware Removal Tool (continual & non-stop scanning removes basic infections that do not directly affect the code of your site)
– Daily Malware, Spam and Network scanning to alert you to security issues
– Daily Cross-Site Scripting and SQL injection vulnerability scanning
– File Change Monitoring
– Application and Advisory scanning to alert you to possible vulnerabilities or suspicious items
– Protects against OWASP Top 10 (Common type of hacks and targeted attacks)
– Protection of the website at the domain level
– Basic DDos Protection
– Illegal Resource Access Prevention
– Site acceleration due to Content Delivery Network (CDN) and Minification
– Firewall works with the SSL on the site
– Blocks Bad Bots (Bad Traffic) at the domain level
– Daily Traffic Stats (Shows Bots vs Real Human Visitors)
– Block Specific Countries from viewing your site(if requested)
– Unlimited access to our Cyber Engineers to manually adjust your website coding if malware removal tool does not clean the malware
– Multiple (19) Vulnerability Testing on the site

The Poor Quality of Web Security Products and Services Can Lead To a False Belief That Websites Have Been Hacked

We think a baseline requirement for using any web security product or service that claims to protect websites should be that there is evidence that the service is effective. That would preferably be evidence from independent testing. What we have found though is plenty of products and services not only don’t provide that, but their marketing materials actually indicate that the services fail to secure websites. For example, SiteLock’s idea of security seems to revolve around dealing with after effects of websites being hacked instead of stopping them from being hacked in the first place, which isn’t security.

Even with what SiteLock claims to do instead of securing the website, they don’t provide evidence they are effective at it. We have seen plenty of evidence to the contrary. The latest example is also a reminder of another issue we sometimes see with security products and services: they lead to people falsely believing that their website has been hacked, so instead of securing a website they lead people to believe that the website is insecure. That might be good for security companies, since it can mean more business from dealing with phantom hacks and more fear leading to more purchases of services that don’t have to work, but it, like so much else from the security industry, is bad for everyone else.

The other day we were contacted by someone using SiteLock’s services, for a second opinion on a claim from them that a website was infected with malware. We were sent the following screenshot from SiteLock’s website:

While that does claim that the website contains malware, the signature listed, SiteLock-HTML-SEOSPAM-fkl, seems to actually indicate that there was spam content detected. From what we have seen, SiteLock labels any indication that a website has been hacked as malware. We don’t know if they don’t know what malware actually refers to or if this is done to make what they are detecting sound more concerning than it really is, but it is sometimes very misleading. In this case they also make this sound very concerning by claiming the severity is “Urgent”.

The sample provided for the supposed issue doesn’t appear to be related to malware or spam. Instead it just shows a link to another page on the website and harmless HTML code generated by the WPBakery Page Builder plugin for WordPress. We also didn’t find any other indications of a spam hack on the website, so this “Urgent” situation seems to really be a false positive.

Considering that their service is supposed to provide “security” by detecting and removing malware, the poor quality of their scanner makes it unlikely that they could even accomplish effective detection, much less effectively remove what they find.

This was apparently the third time that SiteLock had claimed that there was malware on the website. Based on the quality of the claim in this instance, it seems unlikely it was the only false positive.