Recently something we had written about the web security company SiteLock was linked to in a thread that starts out with someone discussing the conflicting reviews of SiteLock:
Just had a WordPress site hacked. Our host suspended our site and recommended SiteLock to clean it up. I looked at online reviews of their service. There are reviews that say they’re good, and reviews that say they are a scam. They say that you pay to have your site cleaned and then monthly to protect it. There are numerous reviews saying that even with the monthly fees, their sites still got hacked, and they were charged hundreds of dollars to fix it again. If these reviews are true, I want a better solution. What would you do? Are the reviews true?
We monitor the reviews of SiteLock to keep track of what they are up to, since we are frequently contacted by people looking for help after being contacted by them or having hired them, so we thought it would be worth touching on what explains those conflicting reviews.
Positive Reviews
The positive reviews of SiteLock mostly fall into two categories. The vast majority of recent reviews are by people who are pushed by SiteLock to provide a review after any interaction with them. We really do mean any interaction. Here, for example, are two reviews shown on the review website consumeraffairs.com from the same day, giving SiteLock five stars for helping them to update credit card information:
I contacted SiteLock because I needed to update my credit card information. I was delighted by the speed and helpful service I received from the support team. I would highly recommend SiteLock for their valuable products and services, which are consistently stellar.
Tyrell was very helpful in walking me through updating my credit card billing information online. He was also very courteous and patient while he waited as I entered my information. It would be a pleasure to work with Tyrell again.
That doesn’t seem like something people would do on their own all that often. More importantly, that really doesn’t tell you anything about how good or bad the service is, just that this company is interested in making sure it keeps getting paid.
It isn’t even clear that the people leaving those reviews would be aware of that website, as a company that pays consumeraffairs.com a monthly fee, as SiteLock does, is provided various methods to have reviews collected:
ConsumerAffairs also helps Accredited Members collect reviews through Facebook, email, feedback cards, targeted phone calls and through its website.
We’ll come back to what else SiteLock’s paying that website provides them in a bit, but first there is a second set of positive reviews. Those largely look to be made up of people who genuinely believe that SiteLock is providing a good service and have left a review on their own. Considering that even many people in the security industry don’t have a good understanding of security, it wouldn’t be surprising to hear that these positive reviews from the public are not necessarily providing a good picture of what SiteLock really provides. For example, one five star review of SiteLock, which we used as an example of that last year, actually indicated that SiteLock was leaving a website insecure. That isn’t surprising since, as we mentioned more recently, SiteLock’s own marketing material indicates they think that security doesn’t involve keeping a website secure, but dealing with the after effects of leaving it vulnerable.
Negative Reviews
If you were to look at the most recent one star reviews of SiteLock on consumeraffairs.com, what you would notice is that you have to go back months to see one where the one star rating is shown. The most recent ones either say “Insufficient response received” or “No response received”. That is because SiteLock, as a paying customer of consumeraffairs.com, can challenge reviews, and they have in fact challenged every single recent negative review. By doing so they can get the low ratings excluded from the overall rating:
While ConsumerAffairs never changes star ratings at a company’s request, a consumer may choose to change a star rating after resolving a complaint. In addition, if a consumer does not respond to a request for more information, or the consumer’s complaint is resolved privately with the company, or the factual basis for a complaint is unresolved, the consumer’s star rating may not be displayed and will not be included in a company’s overall star rating.
The business model of that website and other review websites looks to be built on companies paying them to present a positive image of the company.
What seems to be a telling indication that negative reviews are the ones of value is that all the most helpful reviews are currently negative ones.
That doesn’t mean that those reviews are accurate either. Just as the natural positive reviews can be inaccurate due to a lack of understanding of security, plenty of the negative reviews we have seen are also inaccurate. For example, we have seen numerous negative reviews that claim that SiteLock hacked websites. We have also had people contacting us who claim the same thing. We have never seen any evidence to support that, despite it being such a serious allegation, and we have seen plenty of evidence to the contrary.
If you want a summary of what SiteLock really offers, this review on consumeraffairs.com from May 23 does a great job of that:
It’s my opinion that SiteLock is exhibiting predatory sales tactics. In my case they sold me on the service to monitor and protect my website from malware for a subscription fee. They are aggressive. But the worst part is that malware infected my site again and I called SiteLock for help since I’m a paying customer. Even though they originally sold me on the effectiveness of their products they told me they were not going to be able to remove the new malware and it would cost $300 to remove it. They also were trying to sell me on more services. It’s just my opinion but then I believe they set up a system to catch people when they are most vulnerable then charge them a lot to get their website working again. The support people that I talked to are salespeople. Look elsewhere folks. Save yourself the wasted time, money and the headaches that come with choosing the wrong company to protect your website.
One thing that we would note about that is that we are not aware of any company that provides a service that will provide effective protection of a website. If you are looking for something like that, we would recommend that you instead do the things that are actually going to keep your website secure, but otherwise you would want to look for one that presents evidence, preferably from independent testing, that shows it is effective (if someone finds a company that provides that, we would love to hear about it).
If your website is already hacked, before focusing on the things that will protect it going forward, it should be properly cleaned, which involves three key components:
- Cleaning up the hack.
- Getting the website as secure as possible (which usually involves getting any software on the website up to date).
- Trying to determine how the website was hacked and fix that.
From what we have seen, SiteLock usually doesn’t attempt to do the last two and doesn’t do all that good a job of the first. Unfortunately, based on our experience frequently being brought in to re-clean up hacked websites, they are far from the only company that is not even attempting to properly clean up hacked websites.
That SiteLock doesn’t attempt to determine how websites were hacked explains in part why they are not good at protecting websites from being hacked either, as they wouldn’t even know what to protect against.