Bad Security

Cleaning Up After StudioPress Sites and Sucuri Didn’t Protect or Properly Clean a Website

Two weeks ago we wrote about how StudioPress Sites and Sucuri hadn’t properly dealt with a hacked website, leading it to being hacked again. Subsequent to that we were hired to re-clean the website, which allowed us to see more of what had and hadn’t happened. The results, which we will get to in a moment, are not just a reminder that a security company being well known, as Sucuri is, doesn’t mean that they have any business being involved with security, but also the limits of automated security solutions in general.

Probably the most striking thing that we found, is that based on evidence we ran across in an error log file, the hack had been going on for more than year.

We often find that when we are brought in to clean up hacked websites the hack goes back much further then the website’s owner was aware of. That could be a good reason to use a service that is designed to detect the presence of malicious code on website, if used in conjunction with doing security basics, as that could give you better assurance that the website is secure. The problem with that is we have yet to see evidence presented that solutions that attempt to do that are all that effective. The one time we ran across a security company claiming that independent testing had been done, the result was that their product was 100% effective. That sounded unbelievable to us. One of the important questions as to validity of that was how the samples tested were chosen. It turned out the security company had provided the malicious code that was used to test their service against. That meant it wasn’t independent testing and also made it meaningless that they detected 100% of it, since they could choose things they knew the service could detect.

One of the most worrisome indications of the quality of services to detect malicious code on websites is that we have seen companies providing them having marketed them as if they will protect website from being hacked in the first place, which obviously isn’t remotely possible since they only come in to play after the website is hacked. Either the developers don’t understand really basic elements of what they are providing or they are rather blatantly lying, neither of which seems like something that should be true about a company that has anything to do with security.

In the case of this website that type of detection was supposed to be happening:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

But it wasn’t, as neither StudioPress Site nor Sucuri were the ones that finally detected the issue, instead person managing the website noticed the issue.

As we mentioned in the previous post, how the StudioPress Sites service is promoted though made it strange that detection and cleanup would even be needed to be provide with the service, because it was claimed that service would protect websites from being hacked in the first place:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

Clearly it didn’t.

While re-cleaning the website we saw a several issues with what looks to be an automated cleanup done by Sucuri.

The first was a much less serious issue, but it was rather annoying for us, as Sucuri had left numerous empty files all over the website. It looks like if they remove all the code in the file because it is all malicious they don’t then remove the file. That created a couple of issues. The first being that when we did file comparisons to identify any changes made by the hack we had all of these empty files coming up in addition to files that still contained malicious code. The second being that when we started reviewing the log files to see how the hacker was able to continue to access the website, it looked at first glance that they were successfully able to access quite a few files, that actually were empty, that increased the time it took to find the logging of successful requests to malicious files that still existed.

Along those same lines we found that in other instances while Sucuri looks to have removed malicious code they left other content that had been added by the hacker, including comments that had been before or after malicious code. Those all then needed to be checked over during file comparisons, slowing down getting to the serious issues.

Those things then tie in with the much more serious issue. We were able to easily find the files that were being missed by Sucuri’s automated tools, which were allowing additional malicious files to return that they were able to catch (and then remove again and again). Simply doing some file comparisons, some quick checking over the files in some directories, and looking at the logging, allowed us quickly find what Sucuri’s tools were missing. None of those things are by any means advance solutions (it isn’t the first time simply solutions used by us have caught things they missed).

Takeaways

First and foremost, this situation should be a reminder that claims made about security whether by security companies or other companies should be viewed with great skepticism. If there isn’t evidence backing a claim there is good chance that, at best, it is being made without any idea if it is true or not.

Second, relying on a service that will try to detect and remove the result of a hack instead of making sure you are doing the security basics, which will prevent many hacks, is not a good idea since you can run into a situation like this where the hack goes on and on.

Third, any company that is offering to do cleanups with just automatic tools is probably a company you don’t want having anything to do with cleaning them up since they either don’t understand what they are doing or they are providing a service that they know can’t get the job done.

Finally, if your website is hacked, you want to make sure you hire someone that will properly clean it up. The three components of that are cleaning up the malicious code and anything else the hacker added, securing the website (which usually means getting the software on it up to date), and trying to determine how the website was hacked (which not only helps to prevent it happening again, but as we have found repeatedly, helps to make sure that the hack is fully cleaned up). One simple way to insure you are hiring someone that does that is to hire us, since we have always done those things throughout the many years we have been dealing with hacked websites.

SiteLock’s Vague Emails About Vulnerabilities Being Detected Don’t Indicate That Websites Have Been Hacked

We are always happy to provide a free second opinion if the web security company SiteLock or their web host partners are claiming that a website contains malware or is otherwise hacked, as we don’t want people pushed in to purchasing unneeded security services on the basis of their all to frequent false claims. In addition to people contacting us in that situation, we have a lot of people contacting us looking for that second opinion on whether their website is hacked in situations where there hasn’t actually been a claim that the website has been hacked. One situation we have seen that has come up fairly regularly is with vague claims that websites contain a vulnerability. A recent example of a form email they are sending out for that is the following:

Because website security is important, your hosting provider has provided you with a complimentary scanner from SiteLock that proactively checks for malicious threats and vulnerabilities. This scan regularly reviews your website plugins, themes and content management system (CMS) for potential vulnerabilities.

During a recent scan, a vulnerability was detected on your website.

For details on the findings, including the location of the vulnerability and remediation options, please contact SiteLock today. We would be happy to walk you through your dashboard and talk to you about next steps. Our security consultants are available 24/7 to answer your questions.

Call 844-303-1509 or email support@sitelock.com

There is good reason to believe that has no basis, considering the lack of any details, as well as things like us last August running across someone that had received a similar email for a hosting account that hadn’t existed for months and in June of last year running across SiteLock continuing to falsely claim that websites using WordPress contained vulnerabilities that had been fixed in earlier versions of WordPress than were in use on the websites, despite SiteLock being aware they were spreading false information.

You could probably safely ignore these messages, but if you want extra assurance you could contact SiteLock and ask for evidence of their claim (though we have heard in the past that they wouldn’t provide that) or check to make sure you are doing the important things to keep your website secure, like keeping your software up to date. While we don’t recommend it, we also offer a security review to check over things like if software you are using is known to be insecure.

US Government Contractor Involved in Questionable HUD Hire Also Provides “Cyber Security” Service While Having Hacked Website

Yesterday the Guardian reported that an adviser to the US Housing and Urban Development (HUD) department “had resigned from his position with Hud after the Guardian asked him to explain multiple allegations of fraud as well as exaggerations in his biography”. How he got hired in the first place still seems to be a bit of an open question:

Raffi Williams, a Hud spokesman, said in an email that Jafry was hired through Accel Corporation, a contractor. When this was put to Stacye Loman, the owner of Accel Corporation, she said in an email: “That is an incorrect statement.” Loman then gave the names of two different companies that she said had hired Jafry. She did not answer when asked if these had been subcontracted by her company.

That leads to a security angle, as the Accel Corporation advertises providing “Cyber Security” and other security related services (emphasis ours):

ACCEL’s major business driver is serving and fulfilling our client’s requirements with speed and excellence. We delight our clients every day with high value, expert information technology and related professional services.
ACCEL Corporation has information technology experts who answer today’s demands for both stand-alone and web-enabled, secure applications to manage information in a timely, organized and integrated format.
ACCEL Corporation provides the following information technology services to our clients:

Cyber Security

IV&V

Network Security

Counterintelligence

Intelligence

Security Assessment

Risk Assessment

Security Program Review

Systems Design, Development and Support

Systems Integration and Testing

Software Engineering

Database Design, Development and Management

Information Assurance

Web Development and Maintenance

Help Desk and User Support

Software Testing

Technical Writing

They could use some security help themselves, as their website is currently hacked, which can be seen in the results of Google site search for accel-corporation.com:

Those results mentioning casino games are clearly due to a hack of the website. Google has also spotted that the website is hacked and a label that “This site may be hacked.” to the listing for the website’s Careers page. When clicking on the Careers page we got redirected to top-trustedcasinos.com:

When companies providing security services don’t appear to be able to handle their own security, is it any wonder that security in such bad shape.

Hacker Targeting Websites Hosted With SiteLock Partnered HostGator and Other Endurance International Group (EIG) Brands

Recently we have been thinking that a way to help people to better understand why security is in such bad shape despite the amount of money spent on it, is to say to think of the security industry not as that, but as the “insecurity industry”. As security companies are not focused on improving security, but instead of making people believe that insecurity is inevitable and that they can provide protection, but not to the extent that people actually expect those companies to keep them things secure. A prime example of a company that would fit that description is SiteLock, which is a company that comes up often on our blog when it comes to bad practices of the security industry. The other day we had someone forward several messages they had received recently from them and part of one of those stood out:

Malware is a real problem that affects a lot of websites. It’s as prevalent as the common cold and can do some real damage if you don’t catch and treat it early.

So how will you know if your website gets infected with malware?

To help protect your website, your hosting provider has partnered with SiteLock to provide your website with a complimentary malware scanner. Every day this nifty little tool checks the first five pages of your website for malware, and sends you an alert if any is found.

Their idea of protecting websites isn’t making sure that websites are actually secure, which would prevent them from being infected with malware or otherwise hacked, but instead trying to detect the website is infected after being hacked and then offering services that still don’t secure the website. That is great way for them to make money, but it isn’t great for everyone else since websites can continually be hacked.

As that email indicates they are not alone in that, web hosts have partnered with them. Why would a web host partner with a company that isn’t focused on making sure their customers’ websites are secure? Well when it comes to what seems to be SiteLock’s biggest hosting partner, the Endurance International Group (EIG), a partial explanation is that the majority owners of SiteLock also run EIG. EIG also disclosed to investors at one time that they receive 55% of the revenue of services sold through their partnership. That creates a strong incentive for EIG to not provide the best security possible as that would mean less money for them and less money being made by another company owned by the people running EIG. It might explain, for example, why in the past we found that EIG was distributing known insecure versions of web software to their customers through one of the companies they own, MOJO Marketplace.

Over the years EIG has brought together numerous web hosting brands including A Small Orange, Bluehost, FatCow, HostGator, iPage, IPOWER, JustHost and quite a few others. The situation with a website hosted with HostGator that we cleaned up a hack on yesterday seems to be an example of where those incentives might have created a situation that doesn’t serve their customers well.

The website was hacked in way that it would serve spam pages with Japanese text to Google’s search crawler.

While you wouldn’t know it from many companies that cut corners when doing hack cleanups, one of the three basic steps in properly cleaning up a hacked website is to try to determine how it was hacked. With this website the files involved in the hack didn’t really seem to shed any light on that. The main piece of this hack involved code added to the index.php file of a WordPress installation that caused the code in a file at wp-confing.php to run, which would cause that code to run whenever the frontend of the website is accessed. That filename is similar to a legitimate WordPress file in the same directory, wp-config.php, which could indicate that the hacker has some knowledge of WordPress, but considering how popular it is, it doesn’t seem to be a good indication that the hack was anything WordPress related (we also didn’t find anything that was known to be insecure in the WordPress installation).

The hacker had also added the website to a Google Search Console account with the email address “xueqilve@gmail.com” and submitted a sitemap to get the spam pages added to Google’s index.

It looked like the malicious code causing the issue had been added a few days ago (though another file might have been there since November), so there still should have been logging available from when that occurred that would shed more light on the source of that. Unfortunately HostGator hadn’t had log archiving enabled by default in the website’s cPanel control panel, so we only had access to logging for the current day. That fact alone probably should tell you that the company doesn’t have much concern about security and it would be strange to not have that on if they had a legitimate partnership with a security company since that would be an obvious thing to do because of its importance for dealing with hacked websites.

As we have found though, SiteLock usually doesn’t attempt to determine how a website was hacked, so they wouldn’t have a need for that logging. Considering that they don’t usually do that, it makes it not all that surprising that services they offer to protect website don’t work well, since they don’t know how websites are actually being hacked.

We did have one last lead to follow in trying to get some idea of how the website was hacked. In the root directory of the website there was a file named bray.php that contained the following message:

Hacked By Isal Dot ID

Through the website Zone-H, which catalogs defaced websites, we could see that same file had been placed on numerous websites recently. In looking over a number of those websites what stood out was that they all were hosted with HostGator or other EIG brands. Here are examples of websites hit at several nearly sequential IP address registered to HostGator:

If a hacker was hacking websites through a vulnerability in a WordPress plugin for example, that isn’t what you would expect to see, instead you should see websites hosted with numerous different web hosts.

At best you have a situation where a hacker looks to be specifically targeting numerous websites at EIG brands. There is also the possibility they are taking advantage of some security issue on EIG’s end to hack the websites.

Even if they are just targeting website hosted with EIG brands that seems like something that the hosting company would want to investigate and try to prevent as much as possible. That doesn’t seem to be the case here because later yesterday we were contacted by someone else with the exact same hack. They said HostGator has only been interested in pushing SiteLock. When you understand the incentives involved, it really isn’t surprising that is happening.

Update March 19, 2018: We have now come across a article from year ago in which the hacker behind this, claimed to have had full access to a server that contained another website they had hacked. That website was hosted with HostGator at the time (and Bluehost now). While the claim of a hacker isn’t necessarily reliable, it does raise further suspicion that there may be a security issue on EIG’s end

Wordfence Employee Ridiculously Claims You Can Make Sites “invincible against all the attack methods that are associated with WordPress sites”

While we have seen the bad side of the security industry for a long time, certain things continue to be surprising to us despite having seen them many times before. One of those is sheer amount of lying that goes on (that is on top of the amount of the massive amount false and misleading claims that are not clearly lies), despite trust being an important part of security. One area we frequently see that with is claims that products and services can provide a level protection that they can’t possibly provide.

When it comes to WordPress security plugins two are tied for the most popular in terms of active installations according to WordPress.org. One of them, Limit Login Attempts, is focused on a threat that isn’t of real concern and the current version contains a security we discovered and disclosed through our Plugin Vulnerabilities service last week (that security plugins frequently are found to have security vulnerabilities is a good indication of the poor state of the security industry). The other, Wordfence Security, owes at least some of its popularity and maybe a lot of it to marketing it with the unqualified claim that it “stops you from getting hacked”:

The WordPress security plugin provides the best protection available for your website. Powered by the constantly updated Threat Defense Feed, WordFence Firewall stops you from getting hacked.

That claim used to be the second sentence of description of the plugin on the page for it on the Plugin Directory and more recently has been found in the answer to the second FAQ question on that page.

The reality is that security plugins can’t possibly stop a lot of hacks, Wordfence intentionally leaves websites not using their service as well as the plugin vulnerable to being hacked, and in testing over at our Plugin Vulnerabilities service we found that the plugin provided no protection or the protection was easily bypassed when attempting to exploit real vulnerabilities in other plugins.

Once again in our monitoring of the WordPress.org Support Forum to keep track of information vulnerabilities in WordPress plugins for our Plugin Vulnerabilities service we ran across a Wordfence employee admitting that the plugin doesn’t do what they claim. This time it had the added element that even while admitting to that, they were still claiming a level of protection that is contradicted by what they were responding to.

The Wordfence employee wrote this:

Sorry we didn’t get back to you sooner! Unfortunately, there are many attack vectors associated with WordPress sites that lie outside of your WordPress installation like insecure servers, insecure passwords, encryption flaws, shared hosting, and many others; all these things combined make your site vulnerable to attacks. Wordfence helps protect and secure the WordPress installation side of your site and it does quite an excellent job at that. No security plugin can help protect your site against every vulnerability that lives there out in the wild, we can only help mitigate the risks associated with a vast majority of them. I recommend taking some time to go through these articles that will help you better understand WordPress security and how you can make your site invincible against all the attack methods that are associated with WordPress sites.

One of the problems with that is that the failure of Wordfence Security in this instance related to the WordPress installation:

I found this morning that someone from India logged into my WordPress admin panel on Jan. 11th using by login.
I am surprised that Wordfence did not stop this since it had been blocking the ip address range this login occurred from.

That seems like something it should have been able to protect against if it truly “does quite an excellent job at” security of the “WordPress installation side of your site”.

Something else that stood out in the Wordfence employee’s statement is this:

go through these articles that will help you better understand WordPress security and how you can make your site invincible against all the attack methods that are associated with WordPress sites

Below that were links to several pages on Wordfence’s website. Nobody that knows and or cares much about WordPress security would possibly make a claim of invincibility like that, but Wordfence seems to have no qualms about telling lies to public to promote themselves. That unfortunately comes at the expense of the security of websites since people are being mislead about the security Wordfence can provide versus other solutions like our Plugin Vulnerabilities service, which provides real protection that Wordfence doesn’t provide, and our service helps to actually make the WordPress ecosystem more secure even for those not using it.

StudioPress Sites And Sucuri Didn’t Properly Deal With a Hacked Website

Recently we have gotten quite a few questions related to web hosts that include a security service with their hosting service. Considering that web hosts seem to have problems handling the basics of their own security this type of offering seems like it might not be a great idea. Furthermore, most of what needs to be done to keep websites secure isn’t best handled by a security service.

Another issue is that we haven’t seen evidence presented that those types of services are effective at protecting websites and plenty that they are not. One of the pieces of evidence that we have seen that they are not effective is that companies that provide those services often don’t do an important part of properly cleaning up hacked websites. One of the basic components of a proper cleanup is trying to determine how the website has been hacked. If you don’t do that, it leaves open the possibility that the vulnerability is still on the website and can be exploited again. If you are a service that is supposed to protect websites and you don’t even know how they are hacked, you unlikely to do a good job of protecting them.

Security companies can often get away with all of that because the public doesn’t have a good understanding of security and when it comes to the lack of protection, people will often say that such services have been successfully protecting them because they assume that if the website hasn’t been hacked that means the service worked. In reality most websites don’t get hacked, so a service can get credit for providing protection when it does little to nothing to protect websites.

One prominent web security company that all of that would apply to is Sucuri. From what we have seen over the years they don’t seem to have even a basic understanding of security (amazingly one time they warned people to beware of companies that don’t have that). They fail to even handle even more basics elements of cleaning up hacked websites than determining how the website was hacked.

Those kinds of things haven’t stopped the web hosting service StudioPress Sites (previously known as Synthesis) from partnering with them, which they promote in this way:

Finally, we partner with Sucuri for continuous malware monitoring, scanning and remediation. If malware is found we take the responsibility of removing it so you don’t have to worry about it. Additionally, we also scan for advanced threats, including conditional malware and the latest cyber intrusions.

Right before that in their marketing they make this claim:

Our “always on” proprietary intrusion prevention technology works continuously to keep your WordPress install safe from vulnerabilities, intrusions, and exploits. Our years of experience, plus audit input from multiple third parties, allows us to create configurations and settings that keep the bad guys away without handcuffing your working style.

If they were actually able to keep the bad guys out, why would what Sucuri is supposed to be providing be needed? The reality is that when it comes to WordPress, while you see everybody and their brother making claims about their great security, our Plugin Vulnerabilities service seems to be out there alone in catching the kind of serious vulnerabilities in WordPress plugins that would be exploited before there is evidence that they have been exploited (we disclosed two of those just in the last few days). Considering those are a major source of WordPress based websites being hacked, it seems to be a good indications that others are not really do much when it comes to protecting WordPress sites.

We became aware of the partnership between those two companies when someone recently contacted us about a hacked website and mentioned that the website been hacked again after having using Sucuri’s service to clean it up by way of StudioPress Sites. In a situation like that, the first thing we always ask is if the previous company that did the cleanup determined how the website was hacked, since if the source hasn’t been determined and fixed it could explain why the website got hacked again. They responded that they got some generic security advice, but no information about how the website had been hacked or any indication there was an attempt to do that. So it really isn’t all that surprising that it got hacked again.

Out of line with how that hosting is promoted, neither the web host nor Sucuri had been the ones that spotted the hack in the first place. That really isn’t all that surprising since it seems that Sucuri’s scanner is to put it politely, incredibly simplistic, which we base in part on the terrible false positives we have seen it produce.

A Better Cleanup

When we do a hack cleanup of a WordPress website not only do we do it properly, but we also include a free lifetime subscription to Plugin Vulnerabilities service, which will warn you if any of the plugins you use have disclosed vulnerabilities. We will also review all of your installed plugins for serious vulnerabilities using the same technique that we have used to catch numerous serious vulnerabilities in other plugins.

Google Search Console Claiming That Fixed Security Issues Are Still Being Detected Days Later

Google’s flagging that websites are hacked (“This site may be hacked.”) is a good thing and from what we have seen their claims are highly accurate. A reoccurring problem we found in cleaning up hacked websites, though, is that after the websites have been cleaned is that Google will claim in the Security Issues section of their Search Console that the issue has been detected days after it has been resolved.

As an example of that we had someone whose websites we cleaned up on March 1, but as of March 4th, Google was claiming that the issue was detected the day before:

Using the Fetch as Google tool in the Search Console showed that the URL they claimed the issue had been detected on didn’t exist (since the code that generated it was no longer on the website):

No change had been made to the website on either of those days, so the result would have been the same the day before.

By later on March 4 that claim had disappeared despite a continued lack of change of anything on the website:

Since we deal with hacked websites all the time we are aware of this issue, but for clients or others who might be trying to deal with a situation on their own it is easy to think that this could cause unnecessary distress and wasted time spent trying to deal with an issue that has already been dealt with.

Hopefully Google will work on correcting this.

Bluehost Still Trying To Sell Unneeded SiteLock Security Services Based on Phishing Emails

Back in August we discussed a situation where the web host Bluehost had tried to sell one of their customers a $1,200 a year SiteLock security service based on the customer having received a phishing email that was supposed to have come from Bluehost. It obviously didn’t paint too good a picture of Bluehost, as despite it seeming that these phishing emails were rather common, they didn’t even do any basic checking on the claimed situation in the phishing email before trying to sell someone on an expensive security service that didn’t even have seem to have a connection to the issue mentioned in the email.

Fast forward to this month and it is still happening. We recently had someone contact us a looking for advice after having gotten an email they thought was from Bluehost about malware on their website and then when they contacted the real Bluehost, it was recommended that they spend $49 a month on a SiteLock service that was supposed to fix that. Before we even looked at the email that was supposed to have come from Bluehost, things seemed off since the person that contacted us said that the whole account had been disabled, but in our experience Bluehost only shuts off access to the websites, not other forms of access to the account. That seems like something a Bluehost employee should have also been aware of.

Looking at the email (shown below) we could see it was a phishing email as one of the links in it was to the website my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru instead of my.bluehost.com.

Your account has been temporarily deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples:

/domain/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected

/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/s
ession.php

To activate your account, please visit our BlueHost account reactivation center. Use the link below:
http://my.bluehost.com.f33ba15effa5c10e873bf3842afb46a6.co19331.tmweb.ru/server/1012/reactivation.html

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Remove all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you are already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

That all seems like a good reason to not use Bluehost. As for SiteLock it isn’t like they are an innocent victim in this, as the majority owners of SiteLock also run the Endurance International Group (EIG), which is the parent company of Bluehost and numerous other web hosts. SiteLock also pays a majority of the their inflated prices to web hosts, which certainly could create an incentive to sell unneeded services.

This is also a good example of why anyone contacted by SiteLock or one of their web hosting partners about supposed malware issue or other type of hack of their website should get a second opinion from another security company (something we provide for free and we hope that other companies would as well), since we were able to quickly identify what was going on and let this person know as well and saved them a lot money.

SiteLock Using Trustpilot to Try to Deceive Public as to How SiteLock’s Customers Really Feel About Them

We frequently deal with people that come to us looking for help after having an interaction with the web security company SiteLock or their web hosting partners. To be able to better understand what is going on with their sitaution, we occasionally check up on various websites where people leave reviews of SiteLock as that helps us to keep up with the various shady stuff that SiteLock is up to.

Earlier this year we noticed that there started to be a massive influx of positive of reviews for SiteLock on one of those website, Trustpilot. That seemed unnatural as we continued to hear from people that were describing situations that have lead to scams to be a commonly associated word with SiteLock at the same rate:

It also was out of line with the amount of and view being expressed in reviews we saw being left at other websites.

The other thing that stood out was that most of the reviews seemed to be people who were describing just interacting with SiteLock, which could have explained some of why they had positive comments about them as many of the problems are only realized later.

One of the recent reviews seems to explain at least some that, as the review starts:

I prefer to leave a review when I am ready but SiteLock insisted so here is my experience thus far.

The rest of the review is rather detailed, so that claim seems unlikely to be made up:

I became a customer after being hit by defacement hackers. They were able to get my site back up after a few hours. Their customer service is good in the sense that they walked me through their portal and call me to provide updates.

At present I feel like they are trying to get more money out of me after I have already paid quite a bit. They want me to pay an additional monthly fee per site to upgrade my firewall once I get a new SSL certificate due to Google’s new requirements.

As having compatible firewalls with Google’s SSL certificate is a requirement now, I feel it should be part of the basic package and I should NOT have to pay more to get a firewall that is compatible. If a firewall isn’t compatible and will shut my site down, what am I paying for? Why even bother selling something that doesn’t work? The basics should be enough to keep my site functional! I shouldn’t have to pay additional just to get a firewall that will keep my site functional.

The claim of insisting that people leave a review is out of line with what Trustpilot believes about SiteLock’s involvement with that website:

What we also recently noticed is that SiteLock is trying to get some of the negative reviews removed. For example, as of few days ago one of the reviews was hidden with a message that SiteLock had reported the review for “for breach of Trustpilot guidelines”:

That review is now visible with an indication that review relates to a verified order (it is the only review on the first page of results that has that designation), which according to Trustpilot indicates that the reviewer “has sent documentation to Trustpilot showing an experience with SiteLock”:

So what did SiteLock not want people to see? Well this:

This service is totally a waste of time …

This service is totally a waste of time and money. Once they have you locked in to their contact that’s the last you will ever hear from them. Do yourself a favor and hang up when they call. Not much more than a scam business in my opinion!

Some of the other recent reviews that SiteLock doesn’t appeared to have tried to take down seem equally bad to us, but maybe the accurate reference to them scamming people is what made the difference here.

SiteLock Claims Are Not Always False

While SiteLock has well earned poor reputation that doesn’t mean that if they or one their partnered web host with a claim that your website is infected with malware or is otherwise hacked that isn’t true, as we have seen many people incorrectly assume. What we would recommend you do in that situation is to get a second opinion as to the whether the website is in fact hacked. For someone to be able to do that, you should first get any evidence that the web host and or SiteLock will provide, which usually is something that should have already been provided to you. We are always happy to provide that second opinion for free and we would hope that others would as well.

GoDaddy (Owner of Sucuri) Still Using Server Software That Was EOL’d Over Six Years Ago

Last week we wrote a post about how the web security company Sucuri was hiding the fact that they are owned by the web host GoDaddy while promoting a partnership program for web hosts. Not mentioning that they are owned by a competitor of companies they are hoping to partner with seems quite inappropriate. It also seems problematic since GoDaddy has long track record of poor security, so that seems like material information that web hosts should have when considering partnering with Sucuri.

One example of GoDaddy’s poor security that we have noted before is that they are using a very out of date version of the database administration tool of phpMyAdmin. It turns out they are still doing that, as we found when doing some work on a client’s website hosted with them. While working on an upgrade we created a new database so that the database would be running a newer version of MySQL required by the new version of the software being upgraded. When we went to import the database we found the phpMyAdmin installation it is tied to is the same really out of date version of phpMyAdmin, 2.11.11.3:

The 2.11.x branch of phpMyAdmin reached end of life on July 12, 2011. After that date not fixes or security fixes were not released, so GoDaddy should not have been running that version after that.

Beyond the security concern with this, you have situation where GoDaddy isn’t even managing to update a customer facing piece of software at least every six years.

It also worth noting that GoDaddy is the employer of the head of WordPress security team (they are paying him for his work in that role). You really have to wonder how, if someone who truly cared much about security, they would be employed by a company that doesn’t seem to care about that. That they are willing to work for GoDaddy might go a long way to explain why the security team of WordPress continues to poorly handle things (it also raises questions about the propriety of having the head of the security team being an employee of a company that could profit off of WordPress seeming insecure).