The Poor Quality of Web Security Products and Services Can Lead To a False Belief That Websites Have Been Hacked

We think a baseline requirement for using any web security product or service that claims to protect websites should be that there is evidence that the service is effective. That would preferably be evidence from independent testing. What we have found though is plenty of products and services not only don’t provide that, but their marketing materials actually indicate that the services fail to secure websites. For example, SiteLock’s idea of security seems to revolve around dealing with after effects of websites being hacked instead of stopping them from being hacked in the first place, which isn’t security.

Even with what SiteLock claims to do instead of securing the website, they don’t provide evidence they are effective at it. We have seen plenty of evidence to the contrary. The latest example is also a reminder of another issue we sometimes see with security products and services, they lead to people falsely believing that their website has been hacked, so instead of securing a website they lead to people to believe that the website insecure. That might be good for security companies since it can mean more businesses dealing from dealing phantom hacks and more fear leading to more purchases of services that don’t have to work, but it, like so much else from the security industry, is bad for everyone else.

The other day we were contacted by someone using SiteLock’s services, for a second opinion on a claim from them that a website was infected with malware. We were sent the following screenshot from SiteLock’s website:

While that does claim that the website contains malware, the signature listed, SiteLock-HTML-SEOSPAM-fkl, seems to actually indicate that there was spam content detected. From what we have seen SiteLock labels any indication that a website has been hacked as malware. We don’t know if they don’t what malware actually refers to or if this is done to make what they are detecting sound more concerning than it really is, but it is sometimes very misleading. In this case they also make this sound very concerning by claiming the severity is “Urgent”.

The sample provided for the supposed issue doesn’t appear to be related to malware or spam. Instead it is just shows a link to another page on the website and harmless HTML code generated by the WPBakery Page Builder plugin for WordPress. We also didn’t find any other indications of a spam hack on the website, so this “Urgent” situation seems to really be a false positive.

Considering that their service is supposed to provide “security” by detecting and removing malware, the poor quality of their scanner makes it unlikely that they could even accomplish effective detection, much less effectively remove what they find.

This was apparently the third time that SiteLock had claimed that there was malware on the website, based on the quality of the claim in this instance, it seems unlikely it was the only false positive.