We recently have been taking a close look at the practices of the web security SiteLock after finding that not only were they providing poor quality services (as is par for the course for web security companies), but a lot of what they look to be doing falls more closely to outright scamming. We thought it would be useful to show how some of what we have found comes in to play to their interactions with a customer. To do that lets look at a recent complaint from one of SiteLock’s customers that hits on a number of issues with what SiteLock is doing.
After their website had been hacked in February of last year SiteLock sold them on one of their services:
[L]ast February we purchased “SiteLock Premium” for $500/year. I was told this was the best security product available. With it, I would have a firewall that would prevent any further attacks. And since it runs “in the cloud” it would actually make our site faster. We were assured that SiteLock has never been hacked and even if we are hacked, our site would be cleaned.
There are a number of issues we see with that.
We are not sure how SiteLock’s website never being hacked (if that were even true) would mean that their customer’s website wouldn’t be hacked, but that would seem to require the same practices being done on both, but that isn’t the case as we will get to in a later in the post.
Then there is the issue that as best we can tell SiteLock’s web application firewall (WAF) isn’t actually their own, instead there are reselling Incapsula’s WAF service. That raises several issues. One is that SiteLock promotes the service as if they are providing it, if they would lie about that, you can reasonably wonder what else they are not being honest about. Since the service involves sending the website’s traffic through the CDN, that means all the traffic is flowing through a company the SiteLock’s customers are not even aware of, much less have a relationship with. Finally you have to wonder if SiteLock is even aware of how good or bad the WAF is at protecting against attacks, since it isn’t actually something they run.
Another serious issue is that SiteLock failed to do a basic part of a proper hack cleanup, making sure that they software is brought up to date. In this case the website is still using Joomla 2.5:
That version of Joomla reached end of life on December 31, 2014 and therefore was not receiving further security updates. So any cleanup in 2015 should have included upgrading to a supported version of Joomla. (It is important to note that SiteLock is certainly not alone in doing this important part of hack cleanup, many providers cut corners like this.)
By comparison SiteLock does keep their website up to date. Both their blog and their WordPress focused sub-domain, wpdistrict.sitelock.com, are using the latest version of WordPress:
Keeping the software running your website up to date is going to provide real protection, whereas other security services may not (we haven’t seen SiteLock present any evidence that their services provide better protection then doing the security basics). Its telling that SiteLock does that for their own website, but doesn’t for their customers.
More Money
One of the things we frequently see brought up with SiteLock is after purchasing one security services that was supposed to protect the website and then doesn’t, they want to sell your more expensive services (that was even mentioned by someone who praising their service (and then deleted their post for some reason)). Remember that this person was sold a $500 a year plan that they say SiteLock claimed was the “best security product available”, then the website got hacked again and they are pushing a $720 a year plan:
We were recently informed by SiteLock that our site had sustained a Pharma attack that had inserted links directly into our code. This attack could not be automatically cleaned their software could not remove the malware systematically without risking bringing down our site. The SiteLock technician suggested that we purchase their “Infinity Scan” product for $60 /month. That product includes manual cleaning of our site.
Again there are multiple issues raised here.
You can start with the fact that SiteLock makes a big deal about their automated malware removal in their marketing material, but never mention that it can have the serious problem of taking down a website. It also seems to us that in an instance where it isn’t up to task they shouldn’t be charging extra to deal with the situation, as it is unable to do what it is promoted to do (and considering their track record you would also have to wonder if they sometimes claim it couldn’t to get more money from people).
The other troubling aspect of this is that they have a service that provides manual hack cleaning on a repeated basis. If a website is properly cleaned then it shouldn’t get re-hacked, so unless you are not taking basic security measures or get unlucky and have get hacked thorough multiple zero-day vulnerabilities in a year you shouldn’t need multiple cleanups in one year. The fact that they provide this would be a red-flag on it own that they don’t do proper hack cleanups, but we already knew that SiteLock doesn’t proper clean up hacked websites, so you don’t have to wonder about that.
What would seems to have happened here seems to be another example of that. So how did SiteLock explain how the website was hacked again after they were brought in:
Now, after we’ve been hacked yet again, I find out that is not true. SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that. Bluehost doesn’t cover that. I’m screwed.
The backdoor access must have either existed when SiteLock was first brought in to deal with the website and should have been handle during the cleanup or was gained after the were supposed to protecting the website. In either case we don’t understand how that wouldn’t be on them. The explanation seems to be that since things were set up correctly it couldn’t be their fault, which doesn’t make any sense to us.
Also worth noting here is that their web host, Bluehost, who pushes SiteLock services as one of their “partners”, is ultimately run by the owners of SiteLock and looks to be getting a majority of the money from services sold through their partnership (which explains the high price of SiteLock’s services and the low quality for the amount paid). That isn’t something they publicly disclose and something that one of the other web hosting owned by the same company, Hostgator, wouldn’t even acknowledge is after it was pointed out those facts were coming from their parent company.
A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.
I have a Bluehost account through which I used to host my website and domain registration. From about 2016 I no longer hosted my site through them and only had the domain through them. Today I noticed some strange large amounts being taken out of my account. When logged in I saw that from 2016-7 they have been charging me for SiteLock! Something I never asked for or wanted. As I say, they have not hosted my site for at least 6 years. Hundreds of dollars/pounds have been taken out of my account as they have my card number. It’s a total scam! You can’t speak to anyone to complain. Finally after an hour waiting on the ‘chat’ someone shows up. He tells me sorry, we can’t give you any refund. The last large amount of over £400 was taken over 9 months ago so it doesn’t qualify. Like I say, I never asked for this service nor needed it. Surely there exists a body who can put pressure in them. This is criminal! There is no way to complain or speak to any human being. What to do