{"id":2894,"date":"2016-09-22T15:47:49","date_gmt":"2016-09-22T21:47:49","guid":{"rendered":"http:\/\/www.whitefirdesign.com\/blog\/?p=2894"},"modified":"2016-09-22T15:47:49","modified_gmt":"2016-09-22T21:47:49","slug":"sitelock-promoted-services-to-wordpress-com-users-that-are-not-relevant-to-them","status":"publish","type":"post","link":"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/22\/sitelock-promoted-services-to-wordpress-com-users-that-are-not-relevant-to-them\/","title":{"rendered":"SiteLock Promoted Services To WordPress.com Users That Are Not Relevant to Them"},"content":{"rendered":"<p>In a recent post about how <a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/09\/16\/wordpress-giving-legitimacy-to-sitelock-by-allowing-them-to-sponsor-and-attend-wordcamps\/\">WordPress is giving the web security company SiteLock unwarranted legitimacy by allowing them to be involved in WordCamps<\/a>, conferences dedicated to WordPress, we mentioned that one of the reasons it didn&#8217;t seem great to have them was that\u00a0<a href=\"http:\/\/www.whitefirdesign.com\/blog\/2016\/09\/06\/sitelock-spreading-false-information-about-wordpress-security-to-their-customers-through-their-platform-scan-for-wordpress\/\">they are falsely labeling WordPress websites as having vulnerabilities due to their lack of understanding of how WordPress handles security updates<\/a>. It turns out their lack of knowledge of WordPress extends further, leading to them trying to sell people services that are not relevant to them, as we found while looking for information for another post.<\/p>\n<p>In a March post entitled\u00a0<a href=\"https:\/\/wpdistrict.sitelock.com\/blog\/this-week-in-exploits-increased-wordpress-com-security\/\">This Week in Exploits: Increased WordPress.com Security<\/a>\u00a0on SiteLock&#8217;s\u00a0WordPress-focused\u00a0The District blog, SiteLock\u00a0mentioned that WordPress.com had enabled HTTPS for those using custom domain names. 
For those not familiar, WordPress.com is a blog hosting service powered by\u00a0the WordPress software. It has some rather notable differences\u00a0from self-hosted WordPress installations, some of which we will note in a bit. It seems that SiteLock is not familiar with the differences between the WordPress.com service and the WordPress software, but that didn&#8217;t get in the way of them trying to use the blog post to sell people on unneeded services.<\/p>\n<p>After a paragraph mentioning the HTTPS change, they pivot to selling their service:<\/p>\n<blockquote><p>If you\u2019re a WordPress.com user, one way to take advantage of WordPress.com\u2019s exemplary efforts is to go further and enhance the security of your WP.com site with protection services.<\/p><\/blockquote>\n<p>First they promote a web application firewall:<\/p>\n<blockquote><p>The first and probably most fundamental upgrade to your site\u2019s security is to implement a web application firewall, or WAF. With a simple DNS change and SSL cert approval, SiteLock <a href=\"https:\/\/wpdistrict.sitelock.com\/products\/?prod=waf\">TrueShield WAF<\/a> protects sites, WordPress.com or otherwise, from malicious traffic, suspicious bots, scrapers and spam comments. The PCI-compliant TrueShield WAF supports SSL and Extended Validation SSL. Service packages depend upon protection capabilities desired.<\/p><\/blockquote>\n<p>Considering how the WordPress.com service works, it isn&#8217;t clear what value that would provide. Much of that would likely already be done by WordPress.com, and if some vulnerability were discovered it should impact\u00a0the whole service, so you would expect that it would be quickly fixed across the service. 
The marketing materials for it also don&#8217;t present any evidence as to the efficacy of the protection it provides in general, much less when used with\u00a0WordPress.com.<\/p>\n<p>Next SiteLock is promoting malware scanning:<\/p>\n<blockquote><p>The next upgrade to WordPress.com security is a malware scan. The SiteLock <a href=\"https:\/\/wpdistrict.sitelock.com\/products\/?prod=malwareScanning\">Malware Scan<\/a> crawls websites looking for malicious code and links and immediately alerts the site owner if any are found. The Malware Scan runs daily to find malware early and keeps sites off of blacklists, and results can be viewed in the SiteLock Dashboard or downloaded as CSV for analysis and remediation.<\/p><\/blockquote>\n<p>This doesn&#8217;t seem to be too useful for the WordPress.com service since\u00a0<a href=\"https:\/\/en.support.wordpress.com\/code\/\">you cannot use JavaScript code on it:<\/a><\/p>\n<blockquote><p>Users are not allowed to post JavaScript on WordPress.com blogs. JavaScript can be used for malicious purposes. As an example, JavaScript has taken sites such as MySpace.com and LiveJournal offline in the past. 
The security of all WordPress.com blogs is a top priority for us, and until we can guarantee scripting languages will not be harmful, they will not be permitted.<\/p>\n<p>JavaScript from trusted partners, such as YouTube and Google Video, is converted into a WordPress shortcode when a post is saved.<\/p><\/blockquote>\n<p>Since\u00a0malware on a website is usually JavaScript based (or in some other format not permitted by WordPress.com), there couldn&#8217;t be malware on a WordPress.com blog, and you also couldn&#8217;t have your website flagged for malware since, again, there couldn&#8217;t be malware on these websites in the normal course of things.<\/p>\n<p>Next up they try to create a connection between spam and the &#8220;dreaded \u2018reported attack site\u2019 screen&#8221;:<\/p>\n<blockquote><p>Speaking of blacklists, the final security upgrade is a spam scan. The SiteLock Spam Scan monitors all industry-leading search engine and spam blacklists for the customer\u2019s domain and, again, immediately alerts the customer to any adverse reports. This allows the quickest way to remediation if the worst happens, reducing, if not eliminating, customer interaction with the dreaded \u2018reported attack site\u2019 screen.<\/p><\/blockquote>\n<p>The Reported Attack Site screen refers to something that has been shown in the Firefox web browser when Google has detected malware on a website, not spam, which is something SiteLock should know. From this description it isn&#8217;t clear what spam they are scanning for, since it could refer to spam emails or spam content on a website.\u00a0In looking around for more information on what the Spam Scan actually does, it looks like it actually checks lists of email addresses claimed to be sending spam, so it isn&#8217;t clear what the search engine reference in this refers to. 
Unless you use your own domain with WordPress.com and send email through it (which wouldn&#8217;t be through WordPress.com), this wouldn&#8217;t be relevant.<\/p>\n<p>Finally SiteLock brings up their plugin for WordPress:<\/p>\n<blockquote><p>Security is vital. Easy security management is a must. <a href=\"https:\/\/wordpress.org\/plugins\/sitelock\" target=\"_blank\">SiteLock Security Plugin for WordPress<\/a> provides complete website security management and allows users to access their SiteLock Dashboard from within WordPress. Highlights include real-time updates ensuring minimal latency between identifying and correcting issues, identifying specific vulnerabilities in order to remediate them as quickly as possible and managing SiteLock Trust Seal settings.<\/p><\/blockquote>\n<p>That will not work on WordPress.com blogs, since you can&#8217;t install plugins on them.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In a recent post about how WordPress is giving the web security company SiteLock unwarranted legitimacy by allowing them to be involved in WordCamps, conferences dedicated to WordPress, we mentioned that one of the reasons it didn&#8217;t seem great to have them was that\u00a0they are falsely labeling WordPress websites as having vulnerabilities due to their lack &hellip; <a href=\"https:\/\/www.whitefirdesign.com\/blog\/2016\/09\/22\/sitelock-promoted-services-to-wordpress-com-users-that-are-not-relevant-to-them\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;SiteLock Promoted Services To WordPress.com Users That Are Not Relevant to 
Them&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25],"tags":[39,88],"class_list":["post-2894","post","type-post","status-publish","format-standard","hentry","category-bad-security","tag-sitelock","tag-wordpress-com"],"_links":{"self":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2894","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/comments?post=2894"}],"version-history":[{"count":4,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2894\/revisions"}],"predecessor-version":[{"id":2899,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/posts\/2894\/revisions\/2899"}],"wp:attachment":[{"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/media?parent=2894"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/categories?post=2894"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.whitefirdesign.com\/blog\/wp-json\/wp\/v2\/tags?post=2894"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}