The Truth Behind Conflicting SiteLock Reviews

Recently something we had written about the web security company SiteLock was linked to in thread that starts out with someone discussing the conflicting reviews of SiteLock:

Just had a word press site hacked. Out host suspended our site and recommended site lock to clean it up. I looked at online reviews of their service. There are reviews that say they’re good, and reviews that say they are a scam. They say that you pay to have your site cleaned and then monthly to protect it. There are numerous reviews saying that even with the monthly fees, their sites still got hacked, and they were charged hundreds of dollars to fix it again. If these reviews are true, I want a better solution. What would you do? Are the reviews true?

As we monitor the reviews of SiteLock to keep track of what they are up to since we are frequently contacted by people looking for help after being contacted by them or having hired them, we thought it would be worth touching on what explains those conflicting reviews.

Positive Reviews

The positive reviews of SiteLock mostly fall in to two categories. The vast majority of recent reviews are by people that are pushed by SiteLock to provide a review after any interaction with them. We really do mean any interaction. Here for example are two reviews shown on the review website consumeraffairs.com from the same day, giving SiteLock five stars for helping them to update credit card information:

I contacted SiteLock because I needed to update my credit card information. I was delighted by the speed and helpful service I received from the support team. I would highly recommend SiteLock for their valuable products and services, which are consistently stellar.

Tyrell was very helpful in walking me through updating my credit card billing information online. He was also very courteous and patient while he waited as I entered my information. It would be a pleasure to work with Tyrell again.

That doesn’t seem like something people would do on their own all that often. More importantly, that really doesn’t tell you anything about how good or bad the service is, just that this company is interested in making sure it keeps getting paid.

It isn’t even clear that the people leaving those reviews would be aware of that website as a company that pays consumeraffairs.com a monthly fee, as SiteLock does, is provided various methods to have reviews collected:

ConsumerAffairs also helps Accredited Members collect reviews through Facebook, email, feedback cards, targeted phone calls and through its website.

Well come back to what else that SiteLock’s paying that website provides them in a bit, but first there are second set of positive reviews. Those largely look to be made up of people who generally believe that SiteLock is providing a good service and have left a review on their own. Considering that even many people in the security industry don’t have a good understanding of security, it wouldn’t be surprising to hear that these positives reviews from the public are not necessarily providing a good picture of what SiteLock really provides. For example, one five star review of SiteLock we used as an example of that last year, actually indicated that SiteLock was leaving a website insecure. That isn’t surprising since as we mentioned more recently, SiteLock’s own marketing material indicates they think that security doesn’t involve keeping a website secure, but dealing with the after effects of leaving it vulnerable.

Negative Reviews

If you were to look at the most recent one star reviews of SiteLock on consumeraffairs.com what you would notice is that you have to go back months to see one where the one star rating is shown. The most recent ones either say “Insufficient response received” or “No response received”. The reason for that is that by SiteLock being a paying customer of consumeraffairs.com they can challenge reviews and they in fact have challenged every single recent negative review. The reason for that is that by doing they can get the low ratings excluded from the overall rating:

While ConsumerAffairs never changes star ratings at a company’s request, a consumer may choose to change a star rating after resolving a complaint. In addition, if a consumer does not respond to a request for more information, or the consumer’s complaint is resolved privately with the company, or the factual basis for a complaint is unresolved, the consumer’s star rating may not be displayed and will not be included in a company’s overall star rating.

The business model of that website and other review websites looks to be built on companies paying them to present a positive image of the company.

What seems to be a telling indication that negative reviews are the ones of value is that all the most helpful reviews are currently negative ones.

That doesn’t mean that those reviews are accurate either. Just as the natural positives reviews can be inaccurate due to a lack of understanding of security, plenty of the negative reviews we have seen are also inaccurate. For example, we have seen numerous negative reviews that claim that SiteLock hacked websites. We have also had people contacting us that claim the same thing. We have never seen any evidence to support that despite it being such a serious allegation and plenty of evidence to the contrary.

If you want to a summary of what SiteLock really offers, this review on consumeraffairs.com from May 23 does a great job of that:

It’s my opinion that SiteLock is exhibiting predatory sales tactics. In my case they sold me on the service to monitor and protect my website from malware for a subscription fee. They are aggressive. But the worst part is that malware infected my site again and I called SiteLock for help since I’m a paying customer. Even though they originally sold me on the effectiveness of their products they told me they were not going to be able to remove the new malware and it would cost $300 to remove it. They also were trying to sell me on more services. It’s just my opinion but then I believe they set up a system to catch people when they are most vulnerable then charge them a lot to get their website working again. The support people that I talked to are salespeople. Look elsewhere folks. Save yourself the wasted time, money and the headaches that come with choosing the wrong company to protect your website.

One thing that we would note about that is that we are not aware of any company that provides a service that will provide effective protection of a website. If you are looking for something like that we would recommend instead you do the things that are going to actually keep your website secure, but otherwise you would want to look for one that present evidence, preferably from independent testing, that shows that is effective (if someone finds a company that provides that we would love to hear about that).

If your website is already hacked, before focusing on the things that will protect it going forward, it should be properly cleaned, which involves three key components:

  • Cleaning up the hack.
  • Getting the website secured as possible (which which usually involves getting any software on the website up date).
  • Trying to determine how the website was hacked and fix that.

From what we have seen SiteLock usually doesn’t attempt to do the last two and doesn’t do all that good a job of the first. Unfortunately, based on our experience frequently being brought in to re-clean up hacked websites they are far from the only company that is not even attempting to properly clean up hacked websites.

That SiteLock doesn’t attempt to determine how websites were hacked explains in part why they are not good at protecting websites from being hacked either as they wouldn’t even know what to protect against.


A Better Alternative to SiteLock For Cleaning Up a Hacked Website
If your web host is pushing you to hire SiteLock to clean up a hacked website, we provide a better alternative, where we actually properly clean up the website.

10 thoughts on “The Truth Behind Conflicting SiteLock Reviews”

  1. What most people fail to realize is that website security has many aspects. There are different levels of scanners and firewalls. It really can be a “you get what you pay for” scenario. Many site owners buy on cost rather than the correct solution. It also amazes me when a customer will blame Sitelock or any other security firm because the site owner has neglected their site and now there is a problem and the solution costs money. Does your car mechanic fix your car for free when the transmission breaks? There is a lot to malware and security. In our internet connected world, it’s everywhere. I don’t know what the vendetta White Fir has against a legitimate company. I think he is just trying to get in the game and has to slam others to get some attention. I will be surprised if WhiteFir even allows this post to be seen

    1. What you didn’t note is that you are writing this comment from a SiteLock IP address, which seems relevant.

      We, White Fir Design, are a company, not a person. We don’t have a vendetta. What we have is years of experience having people coming to us after dealing with your company and hearing all about what you are up to. Contrary to what you are saying SiteLock actually charges a lot more than we do to clean up hacked websites, while you fail to do even basic parts of a proper cleanup. Based on what you wrote we would guess you are one of their sales people, that doesn’t actually know what is going on with the actual work done, just there to sell people (even if they have no need for what you are selling).

      Your company’s own marketing even indicates that you are not providing what you claim, as you claim to provide security without “comparison”, while claiming to not actually secure websites, but trying to deal with the after effects of them being hacked. It’s no wonder that your customers are complaining that the service doesn’t work. It is odd that you are blaming customers of your security service for them having security issues while using your service, since they are paying you to handle those already. To continue your example, it would be like if your mechanic claimed they would insure that your transmission won’t break and then they want to charge you when it does.

  2. Yeah Sitelock are a con. They repeatedly say my website has issues, but it is then always shown that this is not true. They try to sell new products they assure will fix the problem. They can’t even get the URL of my site correct half the time.

  3. Folks, it is worse than you can imagine. I sent a long complaint to the FBI Cybercrimes, two state AGs and now several others asking for a federal investigation.
    SiteLock partnered with Dotster, and many others, and only then did “infected”files start to show up in a scan – even in domain directories not even or ever used! They put files in, then almost immediately “scanned” and said files were infected. Nothing files, down in nothing directories –
    BUT then, third time in three weeks, then Dotster shuts down COMPLETELY -even the backend, to every single domain hosted there.
    The few files I found in the scan report took like 3-minutes to remove and had nothing to do with the domain.
    That was DAYS AGO. Now, unless I pay SiteLock $200 for their “Emergency 911” Dotster will not reopen my sites under they get around to rescanning. That WAS DAYS AGO. Calls and calls say it takes a few days – But “Have you tried our SiteLock to fix this?”
    So, Dotster used to handle tech support live, online, holding while they determined some embedded issue, then THEY WOULD FIX it and be on your way.
    The warning should have been that a few months ago all Dotster support disappeared. ALL OF IT. GONE. No email to support. No. Call the support number now and you get some foreigner who all they can do it take your input and pass it along to higher level.
    No longer has anyone access to Dotster support so partnering with SiteLock, it is the shakedown, like you show then really involves thousands and thousands, or all the sites, every single one of our sites is shut down until I pay the SiteLock ransomware demand – or wait days and days and days now with NO ONE TO SPEAK TO – NO ONE TO EMAIL
    Worse than you think.
    I emailed Wordfence to alert them, but like you, even running Wordfence, now is worthless. SiteLock can slide in a single file, as they have done several times, into NON-USED domain directories and have Dotster (and others too I am sure) shut down all the sites – all of them. So using you or Wordfence is worthless – you could not keep a site up if all are LOCKED – no backend access or anything to run a scan or update or backup.
    You pay the ransom or you are out. I have not paid the ransom.
    And latest email from Dotster was that if I DO NOT PAY a third-party (right there they then point to SiteLock) to “hard protect” your sites, then we will be forced to shut down all your domains permanent.
    HOW IN THE WORLD ARE THESE PEOPLE NOT HEADING TO JAIL?
    It wipes out everyone that does not pay up. The hosting providers are partnered to these crooked schemes with SiteLock.
    I will cooperate with anyone, anywhere, you might have to fully expose this crooked shakedown scheme!
    And, this is NEW, just weeks old, this put in place files from the backend, as SiteLock surely did, then run a brief scan, find files that are “infected” (nothing files) and then ensure that the hosting folks shut down every single site for days and days and days as Dotster has done.
    What is going on?
    Long detail email if you want it for the FBI Cybercrimes filing, as this is, cybercrime.

    1. We have been hearing complaints similar to yours for years, but we have never had an issue with SiteLock partnered web hosts restoring access after we have done a proper cleanup and never seen any evidence of the other things you are mentioning, which is all a good reason for people in this situation to hire us or someone else that have experience properly dealing with hacked websites instead of trying to clean up a hacked website themselves. Just removing files the web host listed is not going to clean things up, as, for example, the hacker had to have gotten the files on the website somehow and that needs to be found and fixed.

      If you are referring to the Wordfence Security plugin, unfortunately the company behind it lies about the capabilities of it (as well as lot of other things) and in reality it often limited, at best, capability to protect websites.

    2. Let us just avoid hosting under (EIG) Endurance International Group. They are all extortionists. They own SiteLock and they have their more than 60% of their revenues from SiteLock. Sounds fishy there…. BOYCOT hosting under (EIG) Endurance International Group.

  4. Totally agree. Have had same issues!! I’d rather take down website then hosting company that recommended Sitelock won’t get any money either.

  5. My negative review about SiteLock

    The backstory:
    I use HostGator hosting. I had an additional service connected, the SiteLock addon, which monitors the security of the website.

    Yesterday morning I received a message from SiteLock that malware was detected on my site. The day before, I had inserted the advertising network code, which is often scolded by antivirus because of its specifics. This code is not actually malware, but to experiment, I decided to remove the code from the site and restart SiteLock scanning. I also enabled the “SiteLock CDN/Firewall” feature in my personal account at HostGator.

    The same evening, I discovered that my site had become unavailable. Chrome was showing an error:

    “This site can’t be reached.
    The webpage at https://******/ might be temporarily down or it may have moved permanently to a new web address.
    ERR_SSL_UNRECOGNIZED_NAME_ALERT”

    It also turned out that the site is successfully opened via VPN and mobile network.
    I googled the problem, found some ideas, tried to apply them (in particular, to clear the DNS cache, reboot the router, etc.). Nothing helped.

    I decided to write to HostGator support. It is noteworthy, that I like their technical support: always friendly consultants, available 24/7, solve problems quickly.

    I wrote to “Malware/Security” section. I explained the situation (that SiteLock was scolding at the advertising script, that it wasn’t malware, but I removed the script anyway; I specified that the site is not available only on my network and that I recently enabled SiteLock’s CDN/Firewall).

    A SiteLock representative Brandon Becke joined the chat room, requested my website name, and then started asking me absolutely unconstructive questions:
    – Do I feel that the malware has been removed?
    – Do I know how malware works?
    – Do I understand what he says?

    Then he started talking that the viruses will come back unless I protect my site “for just 40 bucks a month”. At this point, I probably should have become really scared and gave Brandon money immediately (LOL ).

    I had a strong feeling that Brandon thought he might intimidate me and hit me up for money. But the trick is that I am aware of what kind of scripts I placed on my site. I also think I can tell the difference between malicious code and other problems with access to the site. If the malware had crashed my site, the site would have been unavailable from any network, not only from my home network.

    So I silently closed the chat with Brandon. And after 30 seconds I received a catch-up email from him :

    “Here are the details of the services to remove and prevent malware:
    Website Scanning
    TrueSpeed CDN
    TrueShield WAF
    I look forward to your feedback on this service for $25 per month.”

    After that, I decided I no longer want to use SiteLock services and disabled their add-on (which costs $3 a month) on my hosting ❌.

    The problem with the site has not disappeared and I decided to write again to HostGator technical support, but in another section – Tech Support/SSL.

    This time I was answered directly by a consultant from HostGator. He asked permission to access my cPanel, and found a problem with the A record there. The record was changed from my domain name to ***.sitelockcdn.net ❗. Because of this, SSL did not work properly. We changed the record to the original one and the site soon started working.

    Conclusion: As I understand it, the A record changed because I clicked the “SiteLock CDN/Firewall enable” button. While the update came into effect, my site was unavailable.

    Maybe the next day everything would have been fine, but my experience with Brandon Becke convinced me to say goodbye to SiteLock forever, because nothing annoys me more than trying to hit me up for money and make me look like an idiot without even bothering to figure out the situation .

    Ironically, the problem was caused precisely because of SiteLock’s actions, which did not warn me that my site might be unavailable for a few hours after the firewall enabling.

  6. I was considering offering sitelock to my own clients, as I use WHMCS, which integrates with sitelock and allows you to resell.
    However, after reading all the blurb on the website, something just did not seem right to me. It blatantly seems to state that sitelock does not protect your site at all, just offers to clean up malware after it gets hacked. So it will just keep getting hacked again and again….
    Which you seem to have confirmed above.

    Anyway I contacted sitelock with questions, but they never replied, so I contacted them again… and again, and again….. over several months, via twitter, email facebook….. not once did they ever reply to my questions. I guess that speaks for itself how poor their support is, if their sales cannot even be bothered to reply.

    if your site is WordPress then better to use Wordfence to protect your site, even the free version.
    For added security, I use Cloudflare.com or Sucuri

Leave a Reply

Your email address will not be published.