SiteLock | White Fir Design Blog

SiteLock Will Try To Sell You Services You Don’t Need and Can’t Use

Over the last year or so, as we have seen and heard more about the web security company SiteLock’s practices, it has become more clear that a lot of what they are doing can reasonably described as scamming. Take for example a recent issue brought up on the customer complaints section of their BBB page, which starts with the complainant being contacted by one of SiteLock’s sales people (who are commissioned, which will be relevant in a moment):

The… details are as follows: I spoke to someone back in October after Sitelock called me warning that I needed more security on my websites. Sitelock was very persistent, with an employee calling me and leaving messages daily until I finally agreed to speak with him. After being convinced that there was a danger to my domain during a very long conversation with one of the employees, I agreed to move forward although the price seemed outrageous, and was then passed on to the billing department.

All of this sounds like numerous other stories we have heard when people contact us after interacting with SiteLock (most of them have luckily avoided signing up for something from SiteLock before contacting us to get a second opinion) and we have read online. A legitimate security company wouldn’t keep calling someone like this, but a commissioned sales person is likely mainly interested in getting a commission, not in what a legitimate security company would do.

Based on that what comes next isn’t surprising, but it is interesting that others at SiteLock are clearly aware that something wrong is going on:

The woman at the billing department actually pointed out to me that my sites were hosted on Shopify, and therefor would not be eligable for Sitelock security as they were being hosted by Shopify’s own very protected servers and were actually not at risk in any way, nor could Sitelock be of use to me. She told me I did not need the service I was sold.

There is something quite wrong when the billing department seems to be more aware of whether some can use services than the sales people that are selling them, which gets back to the issue of scamming going on (the sales person gets a commission whether the service is used or not).

Unfortunately, that didn’t end their interaction with SiteLock:

I chose to believe that the original employee who called me telling me my sites were in danger was not intending anything dishonest, but that he didn’t realize where my sites were hosted and gave me the wrong information. I no longer think this was an honest mistake after being repeatedly charged. I told the woman in billing that, obviously, I agreed that I did not need to go through with the subscription, and it was cancelled. Since that time, I have been repeatedly billed, totalling $1023.99, and I’m sure I will again be billed next month as Sitelock has not responded to my requests for refunds and termination of any services.

This isn’t the first time we have heard of how hard SiteLock makes it to cancel services once they have gotten you signed up, which seems quite intentional at this point.

Part of SiteLock’s response to this is rather incredible:

We always put our customers first, and strive to deliver exceptional customer satisfaction.

Do they think that people will believe that selling a very expensive service that someone didn’t need based on what seem to be lies, is in anyway putting customers first?

It appears this customer was able to get the situation resolved to their satisfaction, so if you are in the same situation it looks like filing a complaint with the BBB could resolve the issue (if it does, please let us know in the comments section below). You should also make sure to leave a review there as well, so people looking into their service know what is really going on.

Journalists Spread SiteLock’s Fake Claim Involving Nonexistent Legitimate Plugin

When it comes to security journalism, there doesn’t seem to be much actual journalism going on. Instead much of what passes for news coverage these days simply involves repeating the claims of security companies, without doing any fact checking of those claims. This would be a problem just based on the low quality of information coming from security companies, but it looks to us that security companies have realized that in getting coverage what matters is not the truth but saying something that a journalist think they can get clicks by repeating.

A good case in point of journalist simply repeating a security company’s claims we ran across recently was a claimed trending WordPress security issue. Beyond the fact that no evidence was presented that actually backs up the claim that the issue was trending or that the issue was is some way actually significant (and deserved to be covered instead of another issue), something else stood out to us. In the security companies SiteLock’s post on this issue, they claim a “fake” plugin involved in the issue is a forgery of a legitimate plugin:

It is a forgery of a legitimate search engine optimization plugin, WordPress SEO Tools.

In coverage of the issue, that claim was repeated by journalists. Here is how it was reported in the Threatpost’s article:

The fake WP-Base-SEO plugin is a forgery of a legitimate search engine optimization plugin, WordPress SEO Tools.

Here is how it was reported in Infosecurity Magazine’s article:

Dubbed WP-Base-SEO, the plugin is a forgery of a legitimate search engine optimization plugin, called WordPress SEO Tools, according to SiteLock, the firm that originally uncovered the threat.

Finally here how it was reported in SC Magazine’s article, this time without naming the claimed legitimate plugin:

The fake plugin is called WP-Base-SEO and is based on a legitimate SEO module so it is easily overlooked during security scans and seems to be a viable tool by a web team intent on boosting its traffic, said a research team at SiteLock.

The problem with all this is that the supposed legitimate plugin WordPress SEO Tools doesn’t exist. If you do a Google search on the name or on WP SEO Tools it doesn’t bring up results for a plugin with that name. Looking at the Subversion repository that underlies the Plugin Directory, where most plugins are found, there are not entries for a plugin with the slug wordpress-seo-tools or wp-seo-tools.

This should have been something that journalists could have easily checked and if they had look into that they might have realized something was amiss here.

In a quick check over this, something else also stands out to us. While the reason for this issue getting covered is that the “fake” plugin is supposed to be trending, it looks as it might be rather old (or at least based on something that hasn’t been updated in a long time). That is particular noticeable in the screenshot provided by SiteLock of the plugin’s header comments:

The copyright there is 2013, though on its own wouldn’t mean much, what is more noticeable in dating this is this the Plugin URI, which is http://wordpress.org/extend/plugins/. If you visit that URL now you are redirected to https://wordpress.org/plugins/, which is the address of the Plugin Directory. So why would the URL include “extend” when it doesn’t exist the URL you are redirected to? The answer is that the “extend” used to be part of the URL, but that was removed on May 22, 2013 (the switch to HTTPs occurred in 2014). Based on that it is entirely possible this malicious plugin isn’t a new issue, just being promoted that way so that a security company could get coverage.

The SiteLock 911 Service Offered by GoDaddy Leaves Websites Open to Being Hacked Again

When it comes to cleaning up hacked websites, we are frequently brought in to re-clean websites after another company has previously been brought in and then the website gets hacked again. While it is not always the other company’s fault, what we have found is that almost always it involves a situation where the other company unintentionally or intentionally cut corners with the cleanup.

There are three basic components of a proper cleanup: removing the malicious content, getting the website secure as possible, and trying to determine how the website was hacked. We frequently see that only the first item, removing the malicious content, is done. That can leave the website open to being hacked again (and skipping over trying to determine how the website was hacked can also lead to not finding some of the malicious content that needs to be removed).

All of that brings us to the SiteLock 911 service that GoDaddy offers in conjunction with SiteLock. From what we have seen being brought to get things properly cleaned after this service has been used, corners are cut, leaving websites vulnerable. What isn’t clear if you were to look at the description of the service, is that is the case, so let’s take a closer at how the service is presented.

In describing how the service works they make it sounds like all of the components are happening:

Next we remove every bit of malware from your code. We also close security gaps and the backdoors that hackers use to break into your site.

There are a couple of fairly glaring issues with that. First backdoors would normally not be how hackers break into the website; instead backdoors are placed on the website through a vulnerability and then used to take further actions. If you remove the backdoor, but don’t fix the vulnerability it can just be placed there again. The other problem is that all of that fixing is supposed to happen with files that they copied of off the server and then placed back on the server, but that wouldn’t actually be how you would do much of the securing or determining the source of the hack. The securing usually involves getting the software up to date, which wouldn’t be done by just copying files (and based on what we have seen, isn’t something they do). The determining of the source involves reviewing the log files, which are stored separately on GoDaddy’ servers or in the case at least one type of account are not even stored.

In the FAQ, there is a rather odd answer to the question “Is the cleanup permanent?”:

Unfortunately, no. If the hacker automated the attack, it could keep happening. And SiteLock911 doesn’t protect against future attacks, so your site could get infected again. We offer preventive SiteLock plans with daily scans to keep your website malware-free.

This doesn’t really make any sense, as most hacks are automated and whether it could happen again depends on if the vulnerability that was exploited has been fixed. This answer alone should be a good indication that neither of the companies involved with this service have any idea about the basics of hacked websites (this isn’t the first time we have seen that coming from SiteLock). (The preventative SiteLock plans don’t actually do much, if anything, to protect websites from being hacked either.)

Another FAQ is also rather odd. In response to the question “Is it guaranteed to work?” it is stated that:

SiteLock911 malware cleaner handles most websites with ease but with new malware appearing all the time, there are no guarantees. If you happen to be afflicted with a brand new infection or hack, SiteLock will work with you to make sure your website is restored.

Whether the malware is new or old shouldn’t have any impact on being able to restore a website, instead the only limitation in the ability for a cleanup to restore a website to its previous form is if the hacker has removed or damage files or other content from the website. You can’t restore something that doesn’t exist, so either there would need to be another way to get a copy of the files/content or you can’t restore it. Something being new shouldn’t make a difference.

This seems like it may be a cover for SiteLock’s ongoing issues with damaging websites that they are supposed to be cleaning up at GoDaddy. That seems to be a fairly common issue based on the complaints we have seen on the web and the times we have been brought in to fix things up after them. While we frequently are brought in to re-clean websites after other companies have done a poor job, SiteLock is the only one where we have seen other company leaving behind broken websites. That is one of the many reasons we say that they are by far the worst company in the field.

Another Reason Why SiteLock’s Lying About Incapsula Being The True Source of Their WAF and CDN is a Problem

When it comes to the numerous issues with the web security company SiteLock one of the ones we found to be the strangest is their continued lying about the true provider of their content delivery network (CDN) and web application firewall (WAF) services. While they make it sound like they are providing themselves when mentioning the services, using phrases like “our IP addresses“, “SiteLock servers“, and even “SiteLock patent-pending technology” what we found was that services are actually provided by another company, Incapsula.

We can’t think of a good reason of for lying about who provides these services, but when mentioning this previously we mentioned a couple of reason why being dishonest about that is a troubling thing. First, trust is an important part of security, if SiteLock is willing to lie about this then what else might they lie about. Second, since both of these services involve sending a website’s traffic through the provider of the service’s systems, having a website’s traffic go through a company that the website’s owner doesn’t have a relationship with raises some serious security and privacy issues.

While helping someone resolve an issue with a website recently we ran across another issue caused by this. They were having a problem caused in part by the Incapsula WAF. While they were getting an error page from Incapsula served as part of the problem, they didn’t know where that was coming from or how they could remove Incapsula’s WAF since they didn’t know that the SiteLock service being used was actually Incapsula or even that they were was a connection between the two. If SiteLock was upfront about who really provides that service then it shouldn’t have been a mystery as to the source of the error page and the issue could have been more easily resolved.

Manual Website Malware Removal Doesn’t Involve Manually Scanning Every File

In looking over a company’s marketing material about why they were a better alternative to SiteLock (which isn’t really difficult considering the many ways that SiteLock is a terrible company), there was a rather absurd claim made:

SiteLock likes to push their “manual” malware removal. However, with the average WordPress having about 1,900 files, can you imagine trying to manually scan that many files and have any kind of accuracy? I believe it’s a strategy for them to have such high prices.

In reality manual website malware removal doesn’t involve someone manually looking over every file on a website, which would be a waste of time. Instead it means that a human is involved in the process of reviewing the files and deciding what needs to be cleaned. One of the important reasons you don’t want a cleanup done with a fully automated process (as this company is promoting that they do and which SiteLock actually makes a big deal of doing as well), is that malicious code added to the website can provide important information on the source of the hack. Cleaning up the malicious code on a website, but not fixing the source of the hack, leaves the website open to being hacked again. We would guess that most people with hacked websites don’t want to have their website needing to be repeatedly cleaned, so they would want to have someone do a cleanup that actual does the work to determine how the website was hacked and then fixes it, instead of paying less upfront and then needing repeated cleanups.

To a large degree reviewing files on a WordPress website involves comparing the files to a clean copy of the files. In the download for the current version of WordPress, 4.7.3, there are 1473 files, so for a WordPress website with 1900 files, a large majority would be checked by simply doing a file comparison of those core WordPress files.

It also worth mentioning that the a major reason why SiteLock’s prices are so high has to do with them paying their web hosting “partners” large portion of the service’s fee, not how they do cleanups (which involves them cutting corners).

Positive SiteLock Review Praises Them for Leaving Website Insecure

When it comes to finding a web security company to help deal with a hack or other security issue with a website you have a lot of bad options, as from what we have seen most security companies don’t know and or care about security. One of the results of that is that often these companies don’t even try to properly clean up hacked websites.

We are often brought in to re-clean hacked websites after another company did a cleanup and the website was then re-hacked. In that situation the first question we always ask is if the previous company determined how the website was hacked, since if the source isn’t found and fixed it could be exploited again. The answer is almost always that doing that never even came up. Considering that doing that is one of three basic components of a proper cleanup, either the company doesn’t understand what the service they are offering should even include or they are intentionally cutting corners.

One company that doesn’t do things properly is SiteLock and more troubling they use their corner cutting to try to get people locked in to long term contracts. You would think that a website getting repeatedly hacked due to that would only lead to only negative reviews, but one recent review for them on the BBB page for the company actually praised them for this:

Sitelock has been there for me in the middle of the night when my blog was compromised several times this year. I am a one woman team and it is great to know that I have Sitelock always there for me making sure I am all safe and secure. It is so wonderful to have a live person to talk to when you need it 24/7. Now on to my gluten-free baking and blogging!

We don’t understand how having a website compromised several times only two months in year could be paired with a claim that the company that dealt with the issue is keeping it “safe and secure”, but it happened here.

That is good reminder that you can’t rely on reviews of web security companies to point to a security company that can actual provide with a good result, because they are often praised despite providing a bad outcomes. We have even had clients that come to us to re-clean websites saying the previous company did a good job, despite needing us to re-do the work. In some cases like this one you might notice the inconsistency, but in others the details needed to spot that the praise is misplaced are missing.

Is SiteLock Providing Their Customers Access to All Accounts on GoDaddy Servers?

In looking over complaints about the web security company SiteLock a lot of things come up over and over, take for instance the end of a review of them from earlier this month at the website ConsumerAffairs:

Worst case scenario: a site will become infected with malware. Again, I get the auto-email with no clue to which site is infected. You have to upgrade your account to get it cleaned and then it never stays clean. It continues to get infected every few months and they do nothing to help you prevent or fix it. The one site that I’ve had this happen to, I ended up upgraded to the manual clean & monitoring service. Instead of them cleaning it when it happens, they send that email (you know the one, without any clue as to which domain it is referring) and then I have to call them to request it to be manually cleaned. AGAIN. They don’t just automatically do it, like the service implies. I cannot tell you what a frustrating phone call it is. They have no email or chat support and you are stuck to a phone call with someone who is trying to earn commission and has no interest in supporting you. DON’T USE THEM.

A lot of that isn’t surprising if you follow our blog, as we have discussed that usually when you get in contact with SiteLock you are dealing with a commissioned sales person (and how that looks to lead to untrue information being told to potential customers), the fact they cut corners when doing cleanups and leave websites insecure. It could actually have been worse as this review involved websites hosted at GoDaddy and we have previously discussed instances where websites cleaned through their partnership with SiteLock have left the websites broken.

What was new in this review was the claim of the prior paragraph of the review:

Once I find the account with the issue to reconnect, it is an absolute nightmare to do so. You have to enter the FTP info, then sift through EVERY SINGLE Godaddy site on the server to find yours (I’m not kidding, and I’m sure you can imagine there are a lot of sites on Godaddy’s server – why I have access to every single one of them via SiteLock seems like a security issue in itself). It’s an extremely tedious, SLOW and frustrating process.

It isn’t clear what level of access they are referring to there and what could be done with it, but there shouldn’t be any access to unrelated accounts at all (especially through a security service).

If you have more information on what access they are providing through that please leave a comment on this post or get in touch with us.

SiteLock and Bluehost Falsely Claimed a Website Contained Malware Due to SiteLock’s Poor Scanner

When it comes to the web security company SiteLock, one of the frequent complaints is that they and their web hosting partners falsely claim that websites have malware on them. After that happens the web hosting company frequently suspends access to the website and pushes the customer to hire SiteLock to clean up not existent malware. We thought it would be useful to look at an example of this we were recently consulted on, as those dealing with the possibility of a false claim should know a number of things when dealing with it.

This situation involved the web host Bluehost. Bluehost is one of many brands the company Endurance International Group (EIG) does business under. Some other major ones are A Small Orange, FatCow, HostGator, iPage, IPOWER, and JustHost. The company’s web hosting brands are very open about having a partnership with SiteLock, what they have, at least in the past, refused to acknowledge publicly is that partnership involves EIG getting 55 percent of revenue for SiteLock services sold through that partnership (that information was disclosed to investors). That obviously raises some serious questions and it probably explains in large part a lot of the problems that arise from that partnership. What they also don’t disclose to their customers is that the majority owners of SiteLock are also a member of the board and the CEO of EIG, so they are well aware of SiteLock’s practices.

What we have repeatedly said is that if you get contacted by SiteLock or one of their web hosting partners claiming that the website is infected or otherwise is hacked, is that should not ignore it. While there are plenty of situations like the one discussed here where there is a false claim, the claim is also often true. For a hacked website, the longer you wait to do properly clean it up, the bigger the problem can be. Instead we recommend that you first get any information that SiteLock and or the web host will provide and then get a second opinion as to whether the website is hacked. We are always happy to provide that and we would hope that other security companies would as well (when someone contacts us about a hacked website we always make sure it is actually hacked before taking on a cleanup).

One of the reasons for getting a second opinion is that someone familiar with hacked websites should understand how to easily check the validity of the claims made. While someone not familiar with the situation might try doing checks that won’t necessarily be very useful. In this situation one the things the website’s owner did was to download a copy of the website’s files and run them through a malware scanner. That likely is going to fail to identify many files that contain malicious code because a malware scanner for a computer isn’t designed to detect those files (our experience is that scanners designed to scan website files don’t produce great results either).

When we were provided the information that the website’s owner had received, the first element that caught our eye was this result of SiteLock’s malware scanner:

What was shown was rather odd as the malware scanner claimed to have detected a defacement hack (labeled as “SiteLock-PHP-HACKEDBY-klw”), which isn’t malware. So at best the scanner was incorrectly labeling a hacked website as containing malware, when it had a different issue.

More problematic is that it looks like they might are flagging websites as being defaced just because they have text that says “hacked by” something. That could produce some rather bad false positives, since this post itself could be claimed to contain malware simply by using that phrase. They also mark that detection as having a severity of “Urgent”, despite that.

So was the website defaced as that scan seemed to indicate? The website was taken down by the point we were contacted, which wouldn’t need to be done just because there was a defacement and makes it harder for someone else to check over things (whether intentional or not, it seems like something that makes it easier to push someone to hire SiteLock to resolve the issue). Looking at the Google cache of the website’s homepage though, we were able to see what happened.

The website’s page contains a section that shows RSS feeds items from other websites. One of those websites had been impacted by a vulnerability in outdated versions of WordPress that allowed defacing posts and the results of that defacement was showing on this website:

That “hacked by” text on showing there didn’t mean this website was infected with malware or otherwise hacked and the website didn’t pose any threat. That is something that anyone from Bluehost or SiteLock familiar with hacked websites should have spotted by looking over the website for a few seconds, but clearly that didn’t happen, even when they suspended access to the website. Both of them have an incentive to not check to make sure the website is hacked, since they have monetary interest in selling security services in this situation even though they are not needed. As we mentioned recently it appears that when you are in contact with SiteLock you are dealing with a commissioned sales person, not a technical person, so they might not even understand what is actually going on either (one situation we looked at recently would strongly seem to indicate that as a possibility).

Looking at the files that Bluehost had listed as being infected, they were just cached copies of the content from the website that had the RSS feed section in them. So there wasn’t any malware in them.

It also seems that no one from Bluehost or SiteLock bothered to contact the other website to let them know that there website was actually hacked, seeing as it was quickly fixed after we notified them of the issue they had.

At this point the website’s owner is planning to move to a new web host, which doesn’t seem like a bad idea (we think that people should avoid web hosts that have partnered with SiteLock even if they have yet to run into this type of situation).

SiteLock Review Shows the Problem of Relying on Customer Reviews To Determine Quality of Security Companies

We have frequently mentioned the fact that many security companies don’t know and or care much about security. That not surprisingly leaves the public with a lot of bad options when they are looking for someone with security expertise to help them deal with a hacked website or other security issues. So how can they find one of the few companies that don’t fall in to one of those categories? We don’t know of an easy way, but we do know that looking at customer reviews of security companies isn’t a good way to do that.

We frequently are brought in to re-clean hacked websites after another company had been brought in to do that. While that isn’t always the company’s fault, we have found that in almost every instance the company doing the cleanup either didn’t know what they were doing or intentionally cut corners. We know that because we always ask in these instances if the previous company had determined how the website was hacked (since if the vulnerability hasn’t been determined and fixed it would leave the website open to being hacked again), and the response is almost always that trying to determine how the website never even came up. Considering that is one of three main components of a proper hack cleanup, that shouldn’t be the case. In more than a few cases even at that point the person we are dealing with said that the previous company did a good job, which doesn’t seem accurate considering they didn’t do things properly and the website was hacked again. If people think they did a good job at that point, we would assume that even more would have said that right after the original work was completed.

To give you another example of this we thought something we ran across involving web security SiteLock is worth highlighting. Here is a review of SiteLock from August of last year that comes from the BBB page for them:

Sitelock has been a great and affordable toll to achieve… security challenges, and enabled idbasolutions.com to offer our visitors peace of mind. In one and only incident in 2012, Sitelock emailed us as soon as they detected that some malicious software had infiltrated our comment pages…they quickly deleted all malicious code.

The problem with that review is that the website isn’t actually secure and hasn’t been secure for some time. The website is running Joomla 1.5, for which supported ended in September of 2012, over four years ago.

You wouldn’t know that if you were to believe SiteLock, as of today they are claiming it is secure:

It would be easy for SiteLock to determine that the website was running outdated software and isn’t secure, as the source code of each page on the website contains the following line:

So the review’s claim that SiteLock services “offer our visitors peace of mind” is true, but it is because SiteLock is not telling the website’s visitors the truth.

Considering that SiteLock missed such an easy to spot issue, it isn’t hard to believe they might also miss more serious issues, and in fact our past experience shows that it isn’t a theoretical issue. So while the review is positive, the underlying reality is the opposite.

Considering that customers of security services are hiring them in the first place, it isn’t likely that many reviews come from someone who would actually be aware of a failure like SiteLock’s here, so many other reviews of them are probably unintentionally misleading others as well.

When You Get In Touch With SiteLock You Are Dealing With a Commissioned Sales Person

As we have found out more about the web security company SiteLock over time a lot of things that we previously heard and saw about them have come to make more sense.

One those things was we found out that is that when you get in touch with SiteLock you are likely dealing with a commissioned sales person. That seems to go a long way to explaining, for example, why when people who are already paying for SiteLock protection services get hacked that the response from SiteLock is to try to sell them additional services or even more expensive services similar to what they already have, as that person interest in selling them something, not in trying to resolve what went wrong with the protection SiteLock was supposed to be providing. That also leads to other issues, like dealing with someone that either doesn’t understand much about security, leading them to make rather ominous sounding claims, or saying things they know to be untrue to try to scare people in to spending more.

Something else we ran across recently seems to show how those commissioned sales people view potential customers, who in many cases have just had their websites hacked or access to their website blocked based on a claim that the website is hacked (which is not always true), which seems in line with what we mentioned in the previous paragraph. In a review of the company by a salesperson on Glassdoor they said this:

If you are willing to work weekends you will make a TON of money!
My commission checks in sales range from minimum $3500-$7300.
The only company where we’ll never be able to call all the leads if we tried. So many untouched leads because the market for our product is so large.

So people who are dealing with a stressful situation are simply leads to them.

Not surprisingly with how they sell people on their services they have a lot of customers that are canceling as mentioned in another review on Glassdoor:

Company has a high churn rate with regards to customers which directly impacted bonuses of their employees. (Myself included) There were 2(back-to-back) months where our inbound sales team did not receive our commissions despite passing our monthly goal as a team entirely.

That is even though they make it rather difficult to cancel their service and even though you are apparently dealing with sales people even when you try to cancel the service.

Avoiding SiteLock

If your web host is pushing you to use SiteLock due to a claim that your website is hacked then your best bet, from everything we have seen and heard, is to simply avoid using them, as the commissioned sales people are only tip of the iceberg with the bad experience many people come away with. While they do push SiteLock, if you ask the web host they will let you know that SiteLock is not required to do the cleanup.

Seeing as your web host likely gets a majority of what you pay to SiteLock (one major web hosting company that is run by SiteLock’s owners disclosed to investors that they receive 55% of the revenue from their partnership) despite not doing the work, you are necessarily going to overpay when going with SiteLock.

For the type of low quality cleanups that we have seen them providing you can find an equivalent service from many other providers for much less than they charge and we provide a high quality cleanup that often costs less than SiteLock charges (we will first check to make sure your website is hacked, so you are not paying for an unneeded cleanup).