Bluehost Still Trying To Sell Unneeded SiteLock Security Services Based on Phishing Emails

Back in August we discussed a situation where the web host Bluehost had tried to sell one of their customers a $1,200 a year SiteLock security service based on the customer having received a phishing email that was supposed to have come from Bluehost. It obviously didn’t paint too good a picture of Bluehost, as despite it seeming that these phishing emails were rather common, they didn’t even do any basic checking on the claimed situation in the phishing email before trying to sell someone on an expensive security service that didn’t even have seem to have a connection to the issue mentioned in the email.

Fast forward to this month and it is still happening. We recently had someone contact us a looking for advice after having gotten an email they thought was from Bluehost about malware on their website and then when they contacted the real Bluehost, it was recommended that they spend $49 a month on a SiteLock service that was supposed to fix that. Before we even looked at the email that was supposed to have come from Bluehost, things seemed off since the person that contacted us said that the whole account had been disabled, but in our experience Bluehost only shuts off access to the websites, not other forms of access to the account. That seems like something a Bluehost employee should have also been aware of.

Looking at the email (shown below) we could see it was a phishing email as one of the links in it was to the website instead of

Your account has been temporarily deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.




To activate your account, please visit our BlueHost account reactivation center. Use the link below:

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
* Update all scripts, programs, plugins, and themes to the latest
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Remove all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you are already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support
For support, go to

That all seems like a good reason to not use Bluehost. As for SiteLock it isn’t like they are an innocent victim in this, as the majority owners of SiteLock also run the Endurance International Group (EIG), which is the parent company of Bluehost and numerous other web hosts. SiteLock also pays a majority of the their inflated prices to web hosts, which certainly could create an incentive to sell unneeded services.

This is also a good example of why anyone contacted by SiteLock or one of their web hosting partners about supposed malware issue or other type of hack of their website should get a second opinion from another security company (something we provide for free and we hope that other companies would as well), since we were able to quickly identify what was going on and let this person know as well and saved them a lot money.

SiteLock’s SMART Scan Failed To Deal with Issue Causing Cross-Site Browser Warning

One of the problems we have seen with the web security company SiteLock is that they label all sorts of things as being malware, making it hard for anyone else to determine what they might be referring to and therefore if the claim is valid. Sometimes their claims seem absurd, like the time they claimed a link to a non-existent domain name in a comment on a blog post was “critical” severity malware.

That type of issue could be an indication that their tools are overly sensitive or that they produce poor results. Something we just helped someone deal with reiterates what we have seen in the past,which is that it looks like the issue is the later.

We were contacted by someone for whom their website was being reported by the Chrome web browser as being dangerous and SiteLock’s  SMART (Secure Malware Automatic Removal Tool) Scan had been unable to fix the issue for them. They were looking for  quote from us to clean up the website.

When visiting the website in the Chrome web browser the following warning was being shown:


We have blacked out the domain listed, but the domain was the most important thing in the message because it wasn’t the domain of the website we were contacted about. Instead Google was warning about content from another website that was being served on this website, which is referred to as a cross-site warning.

In looking at the homepage’s content we found that the only content being loaded from that domain name was an image. When that image was removed the warning also went away.

That was easy for us to spot, but it was something that SiteLock’s tool wasn’t able to detect, while at the same time the tool flagged other things it seems like it shouldn’t.

This situation also shows why it is a good idea to come to us if you think you have a hacked website, because the first thing we do is to make sure the website is actually hacked and then we provide a free consultation on how best to deal with the issue. In this case that meant it didn’t cost this person anything more than whatever they had already paid SiteLock, to get this resolved. As once we saw what the issue was, we could tell them they simply needed to remove the image being loaded from that other website to resolve this.

SiteLock Using Trustpilot to Try to Deceive Public as to How SiteLock’s Customers Really Feel About Them

We frequently deal with people that come to us looking for help after having an interaction with the web security company SiteLock or their web hosting partners. To be able to better understand what is going on with their sitaution, we occasionally check up on various websites where people leave reviews of SiteLock as that helps us to keep up with the various shady stuff that SiteLock is up to.

Earlier this year we noticed that there started to be a massive influx of positive of reviews for SiteLock on one of those website, Trustpilot. That seemed unnatural as we continued to hear from people that were describing situations that have lead to scams to be a commonly associated word with SiteLock at the same rate:

It also was out of line with the amount of and view being expressed in reviews we saw being left at other websites.

The other thing that stood out was that most of the reviews seemed to be people who were describing just interacting with SiteLock, which could have explained some of why they had positive comments about them as many of the problems are only realized later.

One of the recent reviews seems to explain at least some that, as the review starts:

I prefer to leave a review when I am ready but SiteLock insisted so here is my experience thus far.

The rest of the review is rather detailed, so that claim seems unlikely to be made up:

I became a customer after being hit by defacement hackers. They were able to get my site back up after a few hours. Their customer service is good in the sense that they walked me through their portal and call me to provide updates.

At present I feel like they are trying to get more money out of me after I have already paid quite a bit. They want me to pay an additional monthly fee per site to upgrade my firewall once I get a new SSL certificate due to Google’s new requirements.

As having compatible firewalls with Google’s SSL certificate is a requirement now, I feel it should be part of the basic package and I should NOT have to pay more to get a firewall that is compatible. If a firewall isn’t compatible and will shut my site down, what am I paying for? Why even bother selling something that doesn’t work? The basics should be enough to keep my site functional! I shouldn’t have to pay additional just to get a firewall that will keep my site functional.

The claim of insisting that people leave a review is out of line with what Trustpilot believes about SiteLock’s involvement with that website:

What we also recently noticed is that SiteLock is trying to get some of the negative reviews removed. For example, as of few days ago one of the reviews was hidden with a message that SiteLock had reported the review for “for breach of Trustpilot guidelines”:

That review is now visible with an indication that review relates to a verified order (it is the only review on the first page of results that has that designation), which according to Trustpilot indicates that the reviewer “has sent documentation to Trustpilot showing an experience with SiteLock”:

So what did SiteLock not want people to see? Well this:

This service is totally a waste of time …

This service is totally a waste of time and money. Once they have you locked in to their contact that’s the last you will ever hear from them. Do yourself a favor and hang up when they call. Not much more than a scam business in my opinion!

Some of the other recent reviews that SiteLock doesn’t appeared to have tried to take down seem equally bad to us, but maybe the accurate reference to them scamming people is what made the difference here.

SiteLock Claims Are Not Always False

While SiteLock has well earned poor reputation that doesn’t mean that if they or one their partnered web host with a claim that your website is infected with malware or is otherwise hacked that isn’t true, as we have seen many people incorrectly assume. What we would recommend you do in that situation is to get a second opinion as to the whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free and we would hope that others would as well.

The SiteLock Platform Digest Looks Like Another SiteLock Scam

Back in August we ran across a Forbes article about what appeared to new element of the web security company SiteLock’s scamming people, their Risk Assessment Score. That is supposed to be a score based on:

a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

In the case of the writer of the Forbes article, they were told that there website was at “medium risk” despite being a “single-page static website with just a handful of files and no CMS or other editing software”. When they asked how the website could be compromised they didn’t get an answer:

a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.

What also seemed rather odd considering there were supposed to be “over 500 variables” that were used to calculate this, it didn’t include a couple of possible sources of compromise that were possible with that type of website:

The SiteLock representatives clarified that they do not check for or consider either password security or server vulnerabilities in their assessment and that their risk score is based exclusively on the characteristics of the site itself.

The lack of the latter seems like it might have something to do with the fact that most of SiteLock’s business comes through partnerships with web hosts (many of them run by the majority owners of SiteLock).

A couple of weeks later we were contacted by someone that had gotten told by their web host 123 Reg, which is a GoDaddy brand, that their website “high risk” based on SiteLock assessment. That further pointed to this assessment not being legitimate as this website was very similar to the previously mentioned one. Once again it was a static website, though it did contain multiple pages.

At the end of September we ran across what seemed to be an example of what it might take to get “low risk”, which was having a website that didn’t exist. In that instance the score came from something we had not heard of before, the SiteLock Platform Digest.

We have recently been contacted by more people that have been getting this and it looks like so much of what SiteLock does, scammy.

This is sent out as an email with the subject, “SiteLock Weekly Risk Score and Website Scanning Results”.

As example of what this involves here is one recent one that one of the people that contacted us received:

Not only were they told that they were at “high risk”, but they also were told that they had 37 issues found. To find out what these supposed issues were they would have to sign up for a $150/year “premium scan” service, which was promoted as also including a firewall service (one that SiteLock lies about who actually is behind). Making a claim that the website is at risk and then not providing the details doesn’t exactly make this or SiteLock seem like they are legitimate.

For someone else that contacted us, they were given some information on what was supposed to be the cause of their website being at “high risk”, but it was clearly wrong. They were told the issue was that their WordPress installation and plugins were out of date. The problem with that was that SiteLock was claiming they were using WordPress 4.7.2, which would be out of date, when they were running WordPress 4.8.2, which isn’t out of date. When they brought that up with SiteLock representative they were told that this most recent data they had. Considering this is supposed to be done weekly that seems odd considering that usually minor WordPress updates happen automatically and WordPress 4.7.3 was released in March, so that would seem likely to be a rather old result (if it was even a result for this website). Curiously with another website where they have a SiteLock service the score “is always good”.

What we also found interesting was what is written on the page that those emails link to find out more information on these emails.

One of things that we noticed on that page is that there scores don’t consider that a website could be less likely to be compromised than the average website:

Low Risk Score — Your website is as likely or 1x more likely, to be compromised than the average website based on complexity, composition and popularity.

That doesn’t make sense as for there to be an average when it comes to likelihood of compromise, it would follow that there would be some that were less likely as well as those that were more likely.

The other scores also don’t make sense as the “medium risk” is supposed to involve websites that are “6x more likely to be compromised” and the “high risk” is supposed to involve “12x more likely to be compromised”. How is possible that all websites would be 1x, 6x, or 12x more as likely to be comprised than the average website. Surely there would be ones that would fall between and below those if this was legitimate, which it doesn’t seem to be.

Another element that seems off in this whole thing is that these scores are supposed to involve “over 500 variables”, but based on the following question and answer state it also doesn’t consider security solutions being used:

Q: How can my website be High Risk if I’m using SiteLock?

A: This is because your risk score and security solutions are independent of one another. Typically, the more complex and feature-rich a website is, the higher the risk score will be. Knowing your risk score can help you take the appropriate proactive measure to securing your site.

You really have to wonder what variables, if any, are actually supposed to be used to come up with the score.

Ignoring the SiteLock Platform Digest

The best advice we can give in general is to ignore the results of this report since everything we have seen so far makes it seem the intent of it is to scare you in to purchasing SiteLock security services and not to provide you any useful information.

When it comes to SiteLock services that are supposed to protect your website we have yet to see them provide any evidence, much less any based from independent testing, that they actually are effective (that is equally true for other providers). So buying services based of this report of that score is unlikely to provide you much, if any, protection. You are much better off making sure you are doing the basics that will actually help to protect your website.

It also important to note that even SiteLock isn’t claiming that the score or their count of issues is actually an indication that the website has been hacked, as some people that have contacted us have believed.

SiteLock’s Poor Cleanup Leads to Website Being Down Long After It Should Have Been Back Up

We continued to be troubled by companies and other entities that would get involved with the web security company SiteLock, as even a quick check would show how they are taking advantage of their customers. Unfortunately you have far too many web hosts and WordPress that continue to do that. Is the money SiteLock is providing them really worth the damage they are helping to cause?

We recently ran into yet another example of the mess they cause not just for those that unfortunately hire them, but for the public as they their action in this situation would lead to website remaining hacked (and leading to more of the negative impact the hack causes) after it should have been fixed.

We were recently contacted by someone that said that multiple websites in an account they had with the web host Bluehost had been shut down due to malware and they were looking for some sort of help.

It wasn’t clear what clear what kind of help they were looking for as the message just said “Help!” after mentioning that the websites had been taken down. That isn’t much to go on, so we first asked them what evidence Bluehost had presented that the websites were hacked, seeing as we have seen some rather bad false positives coming from Bluehost in particular, and in general from SiteLock partnered web hosts. That being said, these days the majority of websites we are contacted about in this type of situation are in fact hacked. Usually Bluehost and other web hosting brands of the Endurance International Group (EIG) (which is run by the majority owners of SiteLock) will provide a list of files that are impacted or some example files or URLs that have been impacted along with the email informing the customer that their account has been disabled. For someone that knows what they are doing, that evidence is usually enough to determine if the claim is legitimate or not.

The response we got didn’t answer our question. Instead the person that contacted us responded that they were having the websites transferred to another hosting provider because they felt like the deal between Bluehost and SiteLock was a scam. We then explained that if the websites were hacked that it would not be a good idea to do that, as it could make it harder to properly clean up the websites, since transferring the websites could cause both data on the files (most importantly the last modified date) and the logging for the website during the time of the hack to no longer be available. That information can sometimes be important to make sure all of the files have been cleaned and is very important to determine how the website was hacked and therefore what needs to be done to fix it and make sure it doesn’t happen again.

After notifying them of that as well as mentioning that assuming this was a scam was not a good idea, since the majority of time in this type of situation we have been seeing that they websites were hacked, they told us they thought the websites were hacked. So they were moving websites they thought were hacked to get around their web host having taken an action to protect the public (though also possibly to get people more likely to hire SiteLock as well).

What they also mentioned was that they had in fact tried to get the website cleaned before doing that. The problem is they hired SiteLock and not surprisingly based on everything we have seen over multiple years, the website wasn’t actually cleaned up properly. Instead of SiteLock working to get things properly resolved here after they failed the first, they wanted more money, $200 a month to manually clean out malware. The fact that SiteLock is offering a service that will continually remove malware, is on its own a good indication that they don’t properly clean up hacked websites, as when done properly the website shouldn’t need to be continually cleaned up.

After that we told them again that moving the websites was not a good idea and that it likely would take longer to get them backup by doing that, which they said was their main concern, than getting them properly cleaned up. At that point they said they would take their chances.

Taking their chances on that turned out to be a bad bet. We usually are able to clean up hacked websites in a few hours and while there is some variability in how long it then take Bluehost and EIG brands to then restore access, it would usually be done within 24 hours (and possible happen in much sooner than that). When went to take a look the next day to see what had happened so far, we found that the website was still being hosted by Bluehost and not accessible. Another day later we took another look and the result was the same.

Properly Handling Such a Situation

As if there was another reminder needed, this situation is good example of why everyone should avoid SiteLock. At best you might get lucky their poor cleanups don’t lead to your website being hacked again right away, but you are going to greatly overpay for what you are getting. On top of that SiteLock often tries to lock in to people in to unneeded ongoing services that people have variety of problems trying to cancel later on.

If you are contacted by a SiteLock partnered web host with a claim that your website is infected with malware or is otherwise hacked, we would recommend that first get a second opinion as to the whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free and we would hope that others would as well.

If the website is hacked then what we would recommend, if you can afford it, is to hire someone that properly cleans up hacked website to do that for you. A proper cleanup involves three basic components: removing anything added by the hacker, security the website (which usually mainly involves getting the software up date), and trying to determine how the website was hacked. In a lot of cases it actually costs less to hire us to properly clean up a website than it would to hire SiteLock for their improper hack cleanup.

We have repeatedly seen that people try to instead clean it up themselves and cause themselves more problems, as they often don’t even know how or what to clean up (we recently have had a lot of people contact who have incorrectly just deleted the example files their web host listed). That often leads to continue problems which are then exacerbated by them purchasing security products and services that claim they will protect websites from being hacked, but don’t live up to that (which isn’t surprising since we have yet to run across one that is promoted with evidence much less evidence from an independent testing, that it is effective). At that point they are bringing us in to clean things, which if they had just done that in the first placed would have lead to the issue being quickly resolved and them spending less money.

SiteLock Report Leads to False Claims About the Security of WordPress Websites

One of the problems when it comes to improving security is there is so little accurate information out there. Often times security companies are putting out misleading or outright false claims. When their information is repeated by security journalists the quality of it usually degrades from the already often low quality. As example of what happens when security journalists repeat security companies’ claims was something we recently ran across related to SiteLock.

In an article on CISO MAG the following claim was made that seem unlikely to be true:

SiteLock’s analysis also showed that a website’s content management system had an impact on overall security. Forty-four percent of websites using WordPress CMS had not been updated for over a year at the time of filing this report.

We went to look into that because that because it seemed like it would be a good example of SiteLock getting stuff wrong, but in looking at the report what SiteLock actually claim was very different. What they said hasn’t been updated in a year are plugins in the Plugin Directory:

44% of plugins in the WordPress repository have not been updated in over a year

It is important to note that doesn’t mean that those plugins are somehow insecure, though if plugins are not at least being updated to list them being compatible with newer versions of WordPress there is a greater chance that if there is a security vulnerability found that it will not be fixed promptly or at all (though in reporting many vulnerabilities to WordPress plugin developers through our Plugin Vulnerabilities service even very recently updated plugins are not always fixed in a timely manner or at all).

Making that incorrect claim seem odder is the beginning of the next paragraph of the CISO MAG article:

Nearly seven in 10 infected WordPress websites had the latest security patches installed, but were compromised because of vulnerable plugins.

If “nearly 7 in 10 had the latest security patches” then it wouldn’t make much sense that 44 percent of them hadn’t been updated in the last year.

The claim that the website “compromised because of vulnerable plugins” is also not what the report says. Instead it says:

69% of infected WordPress websites were running the latest security patches for WordPress core at the time of compromise.

This data illustrates that even when running a version of WordPress with all of the latest security patches, a vulnerable plugin or theme can just as easily lead to a compromise.

Looking at the rest of the report there were a couple of other WordPress related items that stood out. The first thing is a mention of “publications” that “inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure”:

NOTE: Many publications have inaccurately implied that WordPress websites which aren’t running the newest version of WordPress are insecure. As of the end of Q2 2017, the WordPress community actively provided security fixes for all versions of WordPress from v3.7 to the current v4.8. Our research takes into account each security patch release for every version of WordPress in Q2 2017. For example, WordPress v3.7.21 contains all of the same security fixes implemented in the current version, v4.8. In theory, this makes v3.7.21 as safe as v4.8.

We are not sure what publications they are referring to, but one security company comes to mind, SiteLock, which has been falsely claiming that websites are insecure when running the latest version of older versions of WordPress. We first noticed this back in September of last year and SiteLock was clearly aware of that post, but as of at least June they were still doing this.

Another element of the report repeats a WordPress related falsehood from SiteLock that we debunked in April:

Fake Plugins: Trend Maricopa

In what SiteLock Research would call an “oldie but a baddie,” we saw a trend in the first week of April that centered on the return of an old trick targeting WordPress websites where malware disguised itself as a legitimate forum plugin in the WordPress plugin directory. This ruse, while easily dispatched by specialized malware detection systems, would just as easily escape the concern of an untrained eye. Fake plugin malware iterations continue to be developed and deployed because, quite simply, most people don’t notice them. In a world where the majority of website owners don’t take a proactive approach to malware prevention or remediation, persistent infections continue to be common.

The reality is the supposed legitimate plugin, WordPress SEO Tools, has never existed, whether in the Plugin Directory or otherwise. We don’t understand why SiteLock is continuing to peddle that falsehood when it is so easy to confirm it to be false.

What It Takes for SiteLock to Claim a Website is At Low Risk

One of the more recent activities from the web security SiteLock that seem like it could be classified as a scam, is a score, from “low” to “medium” to “high”, that is supposed to indicate how likely a website is to be hacked.

We first ran across it when a Forbes contributor wrote about how they were told that their website, which consists of a “static HTML page with a few images and a few locally hosted CSS, font and JavaScript files”, was at “medium” risk based on this score. When the author of the article raised question about this, SiteLock couldn’t even explain a way that the website could be hacked that was considered by their score despite claiming it was at “medium” risk of that happening. Another element that makes this seem like a scam was that SiteLock provided supposed percentages of the risk that that got to “medium” risk, which don’t seem believable. Most of the risk, 64%, came from the “Site size and the number of distinct components”, despite the website having only one page and no components that seem like they could have lead to the website being exploited.

With SiteLock claiming that website was at “medium” risk, we wondered what it would take for SiteLock to claim is at “high” risk. A couple weeks later we got the answer, when we were contacted by someone that had been notified that their website was at “high” risk based on the scoring. So what kind of website is at “high” risk? One that only contained static HTML pages, but it did have multiple pages, so maybe that is enough for them to make that claim.

The question that then left us with was what it would take for a website to receive a “low” risk score. The answer it seems, based on a recent tweet we ran across, is for a website where the domain name that isn’t even registered:

This isn’t the only recent issue we have seen with SiteLock and an unregistered domain name, as several weeks ago we discussed a claim from SiteLock that a website contained “critical” severity malware due to a link to an unregistered domain name.

In looking for other instances of the “SiteLock Platform Digest” show in that tweet, we ran across someone that had received it unsolicited and SiteLock tried to claim that it was sent due to a web host, despite the web host having nothing to do with SiteLock.

SiteLock and Their Web Hosting Partners Are Not Trying To Extort You

When it comes to information on web security a lot of it is incredibly inaccurate. A lot of that comes from security companies, as can be seen by looking over many of the posts on this blog detailing some of the many instances of that happening. They are not alone in this, much of the information put forward by the public is wrong as well.

One area where we have been seeing that as well dealing directly with people making such claims, involve baseless or outright false claims about the web security company SiteLock and their web hosting partners. What makes this stand out is there is so much bad stuff about them that is true and yet you have people making untrue claims of bad things they are supposed to be doing, but are not.

In some cases the true problems and the false ones might be related. Recently we discussed yet another instance of SiteLock falsely claiming that a website contained malware, this time it involved a link URL for blog post comment that linked to an unregistered domain name. We often see and hear people claiming that SiteLock or their web hosting partner have hacked their websites. We have yet to see any evidence of that or any a plausible explanation of how someone came to the conclusion that had occurred. It seem conceivable that some of those claims involved websites that SiteLock falsely claimed contained malware and the owner believed that it was infected, but thought that SiteLock did it (that might sound odd, but it doesn’t based on some of the interactions we have had with people making the claims).

Recently we have seen and heard from a many people claiming that SiteLock and their web hosting partners are holding websites hostage, holding them for ransom, or are engaged in extortion.

What these seems to underlie this is people reading previous claims along the same lines or not paying attention to what they are being told.

The reality is that while SiteLock’s web hosting partners will often disable a website if they believe malware is on it (and they are not always right) there is no requirement that you hire SiteLock to clean up the malware, as we mentioned before. Here for example is the text that Bluehost (whose parent company does business under the names A Small Orange, FatCow, HostGator, iPage, IPOWER, JustHost, and quite a few others) explains what needs to be done to have the website turned back on:

You will need to review your files and clean the account accordingly by removing all malicious files, not just the reported url. Once you have confirmed your files are clean and no longer a threat, please contact us again to have your account reactivated.

In dealing with lots of website that are in this situation there has never been any issue with the website being turned back on when we have cleaned up the website instead of SiteLock.

We also haven’t seen any issue where people could not get the access needed to move their website before it has been cleaned up.

In cases where website have incorrectly been disabled and we were ask to take a look at the claim, we are not aware of any situation where the web host did not the turn back on the website after it was pointed out there was false positive that lead to disabling.

If you have a website that SiteLock or their web hosting partners are claiming is hacked what we suggest you do is to get any evidence they will provide you about the issue and then get a second opinion on the situation. We are always happy to do that for free and we hope that other security companies, who are certainly aware of what is going on, would do that as well.

Someone that knows what they are doing will usually easily be able to tell if the website is in fact hacked and needs to be cleaned. If it is hacked, you would probably be best off not hiring SiteLock to clean it because not only do they overcharge for the quality of service they provide (due in part to how much of the fee is going to their web hosting partners), but also because they don’t properly clean up websites.

SiteLock Claimed Website Had Critical Severity Malware Due to Link to Unregistered Domain Name in Comment

On most days we now have multiple people contacting us in regards to claims made by SiteLock and their web hosting partners about the security of their websites. Those contacts broadly fall into to two categories these days.

The first involves websites that SiteLock and their hosting partners are claiming are hacked, which are in fact hacked, but seemingly due to their reputation and shady sales tactics, the websites’ owners believes that the websites are not hacked. In some cases we even are contacted by people claiming that SiteLock or their web host has hacked their website, though those claims have appeared to be completely baseless (we have seen zero evidence ever that SiteLock has hacked any websites).

The second category largely involves SiteLock and their web hosting partners making seemingly baseless claims that websites contain some vulnerability, are at high likelihood of being hacked, or have some other security issue. A recent source of many of those claims has been something referred to as the SiteLock Risk Assessment, which is supposed to provide a score of how likely a website is to be hacked based on “predictive model that analyses over 500 variables “, but the scores appear to be unconnected to reality.

The combination of those situations is not just bad for the people having to deal with the claims made by SiteLock and or their web host, but also for the general public since websites that are really hacked are not being seen as having the serious issue they have, due in part to the false claims also being made.

A recent example of the latter category stood out to us as a good example of the type of activity that has caused SiteLock to earn a reputation as scammers.

We were recently contacted by someone that had multiple calls and emails from SiteLock claiming their website contained malware. Below is one of the emails that was sent by SiteLock about this supposed issue:

Dear SiteLock Customer,

   My name is [redacted] and I’m a Security Consultant here at SiteLock Website Security.We are reaching out to you because one or more of the domains you own has malware on it and this issue needs to be resolved. As your website security provider you Do Not have the appropriate level of security to remedy/ remove and prevent these issues.

I’ve attempted to leave a message or left a message on the number in our records as well.

Contact me immediately and directly. We are able to assist you. [redacted] // [redacted]

Worth noting here is that SiteLock’s usage of “Security Consultant” is in fact a euphemism for a commissioned sales person, who likely doesn’t have any background in security.

When we were contacted about this, we asked if there had been any evidence provided to back up the claim that the website contained malware. One reason for doing that is that SiteLock labels all sorts of things that are not malware as being malware, so that makes providing a second opinion in many instances very difficult because the claimed issue could be one of many things.

The website’s owner had not been provided any yet and after SiteLock was asked for evidence, a couple of screenshots were provided. The first showed the following alert box:

What the “critical security issues” is supposed to be is shown in the second screenshot:

The most relevant portion is shown here:

So by malware on the website and “critical security issue” they really meant there was a link to another website. The link in question wasn’t something that was placed on the website as part of a hack of the website, instead the URL was the website provided with a comment on a post from 7 years before. So the claim didn’t seem at all accurate and the repeated contact by SiteLock seemed unreasonable, but it gets worse. We expected that at least the linked to domain, aspergerssyndromsymptomsblog, would contain something malicious, why else would they be claiming it was malware? But instead we found that the domain name isn’t even registered anymore. So a link from a comment to an unregistered domain caused SiteLock to claim a website contained malware.

The SiteLock employee that sent the email mentioned earlier was recently quoted in a SiteLock post saying the following:

The positivity and high energy makes me want come to work each day. We provide valuable products that help business owners succeed, without them having to worry about security issues. We also have great perks here, including free breakfast on Mondays and lunch on Fridays, an on-site gym and cafe, and an employee game room. I feel right at home!

In reality it appears that SiteLock is actually causing people to worry about security issues that don’t even exist and then trying to sell them solutions to protect them from non-existent issues.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).