On a fairly regular basis we are contacted by people looking for advice after being contacted by the security company SiteLock. From what we have seen a lot of the claims that SiteLock and their representatives make are misleading or false and seem to be intended to get people to sign up for unneeded services.
In some cases the claims are obviously false, like when they falsely claimed that a website contained “critical” severity malware due to having a link to an unregistered domain name.
In other cases the claims sound impressive, but they fall apart upon inspection. That was the case with SiteLock’s “likelihood of compromise” scores, which are promoted as being based on “high-level security analysis by leveraging over 500 variables to score a website’s risk on a scale of low, medium and high”. When a Forbes contributor reached out to SiteLock for an explanation on how their website that supposedly had a “Medium” “likelihood of compromise” could even be compromised in way that was considered by SiteLock’s analysis, they claimed they would and then stopped responding:
When asked how a remote attacker might then modify the files on a CMS-less single-page self-contained static website without either guessing/phishing/resetting the account password or finding a vulnerability in the server stack, a representative initially said they would work with their engineering team to send me some examples of how such a site could be compromised, but later said they would not be commenting further and did not respond to two subsequent requests for additional comment.
One of the claims we have yet to see any evidence that there is any basis behind it, are claims that websites have some undetailed vulnerability, which are made in emails like this:
Because website security is important, your hosting provider has provided you with a complimentary scanner from SiteLock that proactively checks for malicious threats and vulnerabilities. This scan regularly reviews your website plugins, themes and content management system (CMS) for potential vulnerabilities.
During a recent scan, a vulnerability was detected on your website.
For details on the findings, including the location of the vulnerability and remediation options, please contact SiteLock today. We would be happy to walk you through your dashboard and talk to you about next steps. Our security consultants are available 24/7 to answer your questions.
Call 844-303-1509 or email firstname.lastname@example.org
A recent positive review of SiteLock we ran across certainly seems to give more weight to possibility that there really vulnerabilities that they have discovered. Here is the review:
I responded to your email letting me know I had vulnerabilities on my websites. After our conversation everything was taken care of to thwart those vulnerabilities with your premium firewall. David was very helpful in making me understand how the firewall will benefit me. Thank you!
If there were really were vulnerabilities, what would need to done to take of the vulnerabilities would be to fix them. A firewall wouldn’t fix them. At best it might limit the ability to exploit them, but SiteLock doesn’t provide evidence that their TrueShield Web Application Firewall is effective at all (they might not have any idea if it is since the service is provided by another company, something they lie about) and in some cases that type of firewall can be easily bypassed entirely. It also worth noting here that as far as we are aware when you get in touch with SiteLock you are talking to a commissioned sales person, not a technical person with security expertise, so they likely wouldn’t know if what they are selling someone is actually beneficial or not to that person.
What we previously have seen with this type of email made it seem like the claims could be baseless, as among other things they have even sent message where the didn’t even say what website was supposed to have been impacted. The review seems in line with that, as it looks like it is just a way to get people to contact them and then sell them on security services that are not actually even focused on protecting websites from being hacked.
As we said the last time we mentioned these emails, you could probably safely ignore these messages, but if you want extra assurance you could contact SiteLock and ask for evidence of their claim (though we have heard in the past that they wouldn’t provide that) or check to make sure you are doing the important things to keep your website secure, like keeping your software up to date. While we don’t recommend it, we also offer a security review to check over things like if software you are using is known to be insecure.