What we recently have been noticing over and over in looking over the marketing materials for website security services is that they claim to protect websites from being hacked and almost immediately contradict that claim. As yet another example of that, we were recently looking at a WordPress security plugin named Sitesassure WP Malware Scanner and as discussed over at the blog for our Plugin Vulnerabilities service we noticed that among other issues, it is insecure and contained a vulnerability (security software with security vulnerabilities of their own is a common occurrence from what we have seen). That plugin seemed to be largely a way to promote the security company Sitesassure.
On the homepage of Sitesassure they promote a service they offer with the claim “DONT GET HACKED AGAIN”:
We could find no evidence presented on their website that service was effective at all. When making a claim like that there really should be evidence from independent testing that backs up the claim. If their WordPress plugin is any indication they don’t have much of a grasp security, which seems like prerequisite for being able to have a service that could possibly provide that protection.
Everything we have seen from numerous different angles indicates that services like that don’t in fact provide the claimed protection. That includes plenty of people coming to us asking if we offer a service like that, which works, after using one that didn’t and that the providers of them often prominently promote that the service includes hack cleanups. That is the case with this service as well, as scrolling down the website just a bit from the claim that the website won’t get hacked again there is another part of the promotion for that service:
If the website won’t get hacked again with that service then there shouldn’t be anything to clean up.
Right after that they seem to water down the claim even more by moving the goal line from keeping the website from being hacked, to just it not going down after that occurs:
(While they claim WordPress is a specialty of theirs, they consistently improperly capitalize it, which seems like a good indication it is actually something they are not all too familiar with.)
If you really want to fight back the best thing would be to do is the basics of securing websites as those will actually prevent most hacks, which would make hacking have less of a payoff for the hackers.
If a website has already been hacked the important thing to do is make sure that the website is properly cleaned. From what we have seen providers of services like that usually don’t even attempt to do that, which doesn’t seem that surprising considering that they seem to think it is acceptable to market a security service in a way that they are aware is not true.
When looking for a company to properly clean things up these are things you want to hear from them that they do:
- Clean up the hack.
- Get the website secured as possible (which which usually involves getting any software on the website up date).
- Try to determine how the website was hacked and fix that.
We always do those things when doing a cleanup. When those things haven’t been done by other companies it has frequently lead to us being brought in to re-clean websites.