Don’t Ignore a Message From SiteLock or Your Web Host That Your Website Has Malware

When it comes to the poor state of web security, we often find that security companies play an important role in it. That includes making up threats and telling people they need to take advanced security measures, while many, including those same companies, are still failing to do the basics.

Another area where we have seen this involves the security company SiteLock and their web hosting partners. We have written numerous posts about SiteLock’s bad practices, one of them being that they and their web hosting partners (who get paid handsomely to push their services) sometimes falsely claim that websites contain malware or have otherwise been hacked. What we have consistently said, though, is that you shouldn’t assume that the website isn’t hacked, and we have recommended getting a second opinion (something we are happy to provide for free). Unfortunately, people often conflate SiteLock’s many bad practices with the idea that any claim by them or their partnered web hosts that a website is hacked is false.

For example, yesterday we ran across someone on Twitter claiming that Bluehost was falsely stating a website had malware on it:

We asked them how they determined that and the answer was they hadn’t actually done that:

We then tried to explain that while there are false claims made by them and the web hosting partners, the claims are often true, and suggested that they get a second opinion from a security company (letting them know we do that for free). At that point they blocked us.

If the website did contain malware, which seems to be of decent likelihood, then their tweets help perpetuate the issue.

Ignoring the Evidence

What makes the false claims even more problematic is that they feed into an existing belief we have often seen, with people assuming that claims that their website is hacked are not true, even when coming from parties that have no profit motive (like Google).

When it comes to SiteLock and their web hosting partners we see two very different scenarios.

In some cases access to the website is shut off immediately and they haven’t provided any evidence of the supposed hack that led to that happening, which makes the claim legitimately seem questionable.

In others they actually provide evidence, which should be easily checked, but is instead ignored. Take for example, someone, also hosted with Bluehost, that contacted us recently. They had been sent the following email by their web host:

[redacted],
Your [redacted] account has been deactivated due to the detection
of malware. The infected files need to be cleaned or replaced with clean
copies from your backups before your account can be reactivated.

Examples: /home1/[redacted]/public_html/config.php.suspected
/home1/[redacted]/public_html/post.php.suspected

/home1/[redacted]/public_html/administrator/components/com_weblinks/tables/s
ession.php

/home1/[redacted]/public_html/components/com_content/models/articles.php

To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been
modified.
* Update all scripts, programs, plugins, and themes to the latest
version.
* Research the scripts, programs, plugins, and themes you are using
and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all
scripts/programs you are using. If you need assistance creating secure
passwords, please refer to this knowledge base article:
https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent
unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program.
If you’re already using one, try another program that scans for
different issues.
You may want to consider a security service, such as SiteLock, to scan
your website files and alert you if malicious content is found. Some
packages will also monitor your account for file changes and actively
remove malware if detected. Click here to see the packages we offer:
https://my.bluehost.com/cgi/sitelock

Please remove all malware and thoroughly secure your account before
contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is
deactivated three times within a 60-day period.

Thank you,

Bluehost Support

http://www.bluehost.com
For support, go to http://my.bluehost.com/cgi/help

Over a month later they were notified by SiteLock that the website had been deactivated. Even then they didn’t look at the files that Bluehost had provided as examples of the malware infection, while questioning if they were really hacked.

When we took a look at the names of the files and their locations mentioned in that email, we noticed one of them wouldn’t normally be in that location in a Joomla website. That isn’t something we expect that the average person would know, but it does show how easy it should be for someone that has actual expertise in dealing with hacked websites using the software running your website to double check the claims for you.

Looking at the content of the files, we think that even a layman would think that something was off with them. And for us it was obvious by just looking at them that they really were part of a hack and not a false positive, so we could easily confirm that the claim was actually true in this case.
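One way to run the two checks described above (location, then content), as an added example rather than our own tooling: it pulls the reported paths out of a host's notice, rejoining a path that the mail wrapped onto a second line, and compares each file against a clean copy of the same software release. The sample notice, the `com_example` paths, the two directory trees and the treatment of `.suspected` as a suffix appended to a flagged file are all constructed assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

DOCROOT = "public_html/"  # docroot marker as it appears in the host's notice

# Constructed notice in the layout of the email above; the paths are made up.
SAMPLE_NOTICE = """\
Examples: /home1/user/public_html/config.php.suspected
/home1/user/public_html/administrator/components/com_example/tables/s
ession.php

/home1/user/public_html/components/com_example/models/items.php

To thoroughly secure your account, please review the following:
"""


def reported_paths(notice):
    """Return docroot-relative paths, rejoining a path wrapped onto the next line."""
    paths, prev_was_path = [], False
    for raw in notice.splitlines():
        line = raw.strip()
        if line.startswith("Examples:"):
            line = line[len("Examples:"):].strip()
        if line.startswith("/") and DOCROOT in line:
            paths.append(line.split(DOCROOT, 1)[1])
            prev_was_path = True
        elif prev_was_path and line and not re.search(r"\s", line):
            paths[-1] += line  # wrapped tail of the previous path
            prev_was_path = False
        else:
            prev_was_path = False
    return paths


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def inside(root, rel):
    """Resolve rel under root; return None if it escapes root (e.g. via '..')."""
    root = Path(root).resolve()
    target = (root / rel).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        return None
    return target


def triage(paths, site_root, clean_root, renamed_suffix=".suspected"):
    """Classify each reported file against a clean copy of the same release."""
    verdicts = {}
    for rel in paths:
        # Assumption: the suffix was appended when the file was flagged, so the
        # clean release is searched for the name without it.
        original = rel[: -len(renamed_suffix)] if rel.endswith(renamed_suffix) else rel
        on_site, in_clean = inside(site_root, rel), inside(clean_root, original)
        if on_site is None or in_clean is None:
            verdicts[rel] = "path-escapes-root"
        elif not on_site.is_file():
            verdicts[rel] = "missing-on-site"
        elif not in_clean.is_file():
            verdicts[rel] = "not-in-clean-release"  # a file the software does not ship
        elif sha256_of(on_site) == sha256_of(in_clean):
            verdicts[rel] = "matches-clean-release"  # candidate false positive
        else:
            verdicts[rel] = "differs-from-clean-release"  # review the diff by hand
    return verdicts


def demo():
    """Build two small constructed trees and triage the sample notice against them."""
    def write(root, rel, text):
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as clean:
        write(clean, "config.php", "<?php // stock config\n")
        write(clean, "components/com_example/models/items.php", "<?php // stock model\n")
        write(site, "config.php.suspected", "<?php // stock config\n// appended code\n")
        write(site, "administrator/components/com_example/tables/session.php", "<?php // ?\n")
        write(site, "components/com_example/models/items.php", "<?php // stock model\n")
        return triage(reported_paths(SAMPLE_NOTICE), site, clean)


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:28} {path}")
```

A `not-in-clean-release` or `differs-from-clean-release` verdict is where a reviewer opens the file and reads it; `matches-clean-release` is the case worth raising with the host as a possible false positive.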

Get a Free Consultation From Us

If you have been contacted by SiteLock or a web host (whether a SiteLock partner or not) claiming your website is hacked, feel free to contact us to get a second opinion as to whether the website is really hacked, and if it is, we will provide you with a free consultation on how you can best deal with the issue. So that we can provide that second opinion, please send us the evidence SiteLock is providing to back up their claim.

If your web host is pushing you to use SiteLock you should be aware of a number of items before making any decisions and you should know that we can provide you with a better alternative for cleaning up the website for less money.

Cancelling SiteLock Services Sounds Like It Is Just As Bad As Everything Else With Them

Yesterday we looked at an example of the web security company SiteLock trying to mislead someone on what leads to websites being hacked to get them to purchase a reoccurring service with a long term commitment instead of a one-time service. Using their one-time cleanup is also a bad option since it doesn’t include fixing the vulnerability that allowed the website to be hacked, while costing more than we charge in many instances for a proper cleanup that actually includes the work to secure the website (you can also get a lower quality cleanup from many companies for much less than SiteLock charges). If you make the mistake of signing up for one of SiteLock’s ongoing services you are in for more problems based on what we have seen mentioned by their customers.

In the past we have had people comment, and we have discussed, that these services don’t protect websites from getting hacked, with SiteLock explaining that the solution is to pay them even more.

At least in some instances people are being charged without receiving any invoice or other notice of the ongoing charges.

Then there is trying to cancel, which we have seen numerous complaints from their customers about.

First off, according to their customer agreement you have to call in to cancel the service:

All cancellation requests must be submitted by calling our Customer Care Department at (415) 390-2500 and must be made prior to the expiration of the Service term.

In one customer’s complaint they mentioned something that really isn’t that surprising to hear about what happens when you call:

It is not possible to reach the billing department except by phone and when you call you are connected with a telemarketer that tries to upsell you and they become rude when they realize there is not going to be a sale.

The “billing department” is actually a salesroom.

You might be waiting a long time to even get to that as one review on SiteLock’s BBB page reported that:

I tried to cancel my account and it is nearly impossible. Was on hold for over 45 minutes and the person said they did and lo and behold….billed the next 2 months.

And here is another complaint with someone taking even more time:

I’ve spent two hours, over 4 phone calls attempting to cancel the service by phone. I’m currently on another extended hold waiting for a ‘cancellation agent’.

(While it sounds like making you call is about trying to make it difficult to cancel or trying to sell to you again, it turns out that for a web services business they don’t seem to be very web savvy, as one of their web hosting partners lists that you need to call SiteLock to have their CDN’s cache of your website manually cleared as well.)

If that isn’t bad enough, if you don’t cancel at least thirty days prior to the end of the subscription period you are going to be paying for another one according to their customer agreement:

Such cancellation must be made at least thirty (30) days prior to the end of Customer’s current subscription period.

Considering that these are web services that should easily be turned on and off, this sort of lead time doesn’t make sense.

In other instances people have complained about various cancellation fees as well, even though with what the services include that doesn’t seem like it would be a reasonable thing.

SiteLock Misleads Potential Customers About Why Websites Get Hacked To Lock Them In To Long Term Commitments

One of the oddest claims that we have seen related to the web security company SiteLock was that they “don’t control how the hosts sell their services to customers”, which came from a journalist and seemed to be based on their conversation with a SiteLock employee. It’s odd because in what kind of partnership would one partner not have any control over how their services are being sold, but especially in the case of SiteLock’s partnerships where they are paying the web hosts a lot of money to partner with them (one web hosting company disclosed to investors that they get 55% of the revenue of sales of SiteLock services) and when many of the partnered web hosting brands are run by SiteLock’s owners. The other thing that made this so odd is that from everything we have seen the problematic way their services are sold usually involves sales made by SiteLock themselves. The web hosts just push their customers to SiteLock and then when their customer gets in touch with SiteLock they are put in touch with a commissioned sales person, which is where the problems really start.

We have seen and heard plenty of snippets of what that involves in the past, but we recently ran across an example of an email from SiteLock that shows how they try to trick people into overpriced services. Not surprisingly considering that they are willing to tell people things that are not true even when the truth doesn’t seem to be a big deal, much of what they said is far from the truth.

Let’s start from the beginning of the email:

It looks like the issue your website is having is more than just infected files and you’re going to need a manual clean. I recommend the SecureSite plan. I recommend this plan because you’re going to need several cleans during this process (of being under a targeted attack) but the malware itself isn’t the biggest issue. The biggest issue is the vulnerability that is allowing a hacker (or bots controlled by a hacker) to inject code or infect your files.

SiteLock makes a big deal of their automatic malware removal and how that sets them apart, but what we often see is they tell people that it won’t handle the issue on their website and they are going to need a manual clean, which comes with an additional cost. In one case they also claimed that a website couldn’t be automatically cleaned “without risking bringing down our site”.

A real problem with automated malware removal is that when cleaning up malware or other malicious code what is found can often provide important information on how the website was hacked, so if the cleanup is fully automated the cleaner is potentially going to miss important information needed to get the website secured. Normally SiteLock doesn’t actually determine how the website is hacked, so that doesn’t matter, but not doing that leaves the website open to the possibility of being hacked again. While doing that is actually a basic part of a cleanup, as will come up later SiteLock will charge even more money to do that (for a lot of cleanups they charge more to just remove the malicious code than we do for a proper cleanup including getting the website secured).

There is always going to be a vulnerability that allowed a hacker in, otherwise how would the hack have even happened.

The claim that the website is being targeted isn’t actually true, unless you count every hack as being a targeted one. The explanation of how the website is being targeted doesn’t make sense:

You are being targeted by this hacker, they already know how and where the vulnerability exists and they will not stop sending bots to you until your website is destroyed or until the bots “hit a wall”. Typically about 4-5 months of rejected attempts the hacker will send the bots elsewhere as they’re usually after low hanging fruit. They’re hacking 10s of thousands of sites at a time and usually the goal is stealing traffic or placing malware on your site to get onto people’s computers to steal information. After the vulnerability is fixed, they’ll move on, I wish I could elaborate on what’s causing this right now but I don’t want to just guess, the data in the manual clean will give me exactly the information I need whether it’s having our technicians recode entry fields on the website or if something needs to be done on a server level via your host.

From dealing with many hacked websites we get the sense that this is written by someone who has no idea what actually happens with hacking attempts on websites, which they probably don’t, since it was coming from a sales person not a technical person.

The reality is that most hackings are not targeted at specific websites; instead hackers try to exploit the same vulnerability across many websites, which is often referred to as a mass hack. Either the website is vulnerable and the hacker will take further actions once they successfully exploit the vulnerability or they will move on to other websites. Oftentimes there look to be numerous different people or groups trying to exploit the same vulnerability, so a vulnerable website might get hacked more than once (that is a good reason to promptly deal with a hacked website once you become aware it has been hacked).

Hackers are not usually interested in destroying websites. The closest we see to that are defacement hacks, where a hacker causes the normal content of a website’s pages to be replaced with a message from the hacker. The website’s content would normally not be destroyed by that. In other cases hackers are interested in using the website to do something else, say sending spam emails, which wouldn’t destroy it at all. Of course if you are trying to scare people, then telling them hackers are trying to destroy their website would make sense.

Another part of it shouldn’t really make sense even if you are not familiar with hacked websites. The email claims that “Typically about 4-5 months of rejected attempts the hacker will send the bots elsewhere as they’re usually after low hanging fruit.” Why would a hacker keep trying to exploit a vulnerability for months on end when either the vulnerability is exploitable or isn’t? The answer would seem to be that they are trying to lock you in to a six month commitment to one of their services, again this coming from a salesperson.

After the manual clean we will also your host (if your website is suspended) so that they can re-instate the account if you’ve been deactivated, we will also take care of any blacklisting issues (Google, Norton, AVG, Avast, Bing , Yahoo, etc… if there is a warning screen stating that your website is malicious or that it has malicious content). You do have the option of purchasing a one time clean from us but typically within 24 – 72 hrs, you’ll need another clean due to the bots attacking you. One time cleans are also $300 per clean, per domain and vulnerability fixes are the same price of $300 per domain.

A proper one time cleanup would actually involve determining how the website has gotten hacked and making sure it is fixed. Their pricing is just outrageous. If you want a poor quality cleanup that doesn’t involve doing things properly, you can spend a lot less than $300. For many websites we charge less than $300 to do things properly, meanwhile SiteLock wants $600 to do that. The idea that they would even sell a service that they know leaves a website vulnerable is rather troubling.

I would also be happy to review the services with you after 6 months to make sure that bot traffic has decreased, I encourage you to reach out to me so we can determine whether you’re still being targeted. I can proudly say that 100% of my customers that follow my recommendations (after the clean, as far as general maintenance) not only are malware free and no longer the victim of a targeted attack but also likely will not have a need for unlimited cleans and can explore other options (we have nearly 70 different products and services).

Here we get to them trying to get you to a six month commitment. The price of this wasn’t mentioned, but we have recently had people mention that they are trying to get them to sign up for services that are $100 a month (in some instances it is even higher than that). That would be the same price as their overpriced cleanup and securing service, but with the added difficulty of trying to cancel the service at six months. The fact that they offer a service with unlimited cleanups is a good indication that they don’t properly secure websites, since if you do a proper cleanup the website shouldn’t be able to be exploited through the same issue again at all.

Considering that very few websites are ever targeted by hackers, the person receiving this email likely was never targeted in the first place.

SiteLock Provides More Evidence That They Are Not Being Truthful About Who Provides Their CDN and WAF Services

Back in November we discussed evidence we had found that indicated that the web security company SiteLock’s TrueSpeed CDN and TrueShield Web Application Firewall services were actually provided by another company, Incapsula, while SiteLock made it sound like they are providing them directly. At the time we mentioned that is “troubling as all of the customer’s website’s traffic is going to be running through a company that they don’t have a relationship with or are even likely to know is involved”. It is also troubling to think that a security company would be lying to their customers like that, since a big part of security is trust. If they are lying about something like this, where we don’t see why they even would need to, you reasonably have to wonder if there is something they wouldn’t be willing to lie about.

A recent post on SiteLock’s blog provided further confirmation that these services are actually provided by Incapsula while at the same time making it sound like SiteLock is providing them directly. In the December 18 post “SiteLock TrueShield Updates” they let their customers know of new IP addresses being used by those services that some of their customers would need to whitelist. Those IP addresses are:

107.154.129.0-107.154.129.255
107.154.192.0-107.154.192.255
107.154.193.0-107.154.193.255
107.154.194.0-107.154.194.255
107.154.195.0-107.154.195.255
107.154.196.0-107.154.196.255

If you look up who those belong to it is Incapsula: example 1, example 2, and example 3.

In the post there is no mention of Incapsula, but there is plenty that would make you think that SiteLock is actually providing the services. In a large font they refer to the IP addresses being used by the services as “ours”:

If you are adding our IP addresses for the *FIRST TIME* 

In explaining why the new IP addresses are being added they mention their servers and IP address, despite those pretty clearly being Incapsula’s instead (emphasis ours):

The SiteLock servers periodically make requests for updated content from your website’s hosting server. This ensures that we are delivering the freshest content to your visitors. During periods of high traffic, we may make more frequent requests for content than during off-peak periods. Cloud technology of this kind uses a finite number of unique IP addresses to fulfill these requests, making this behavior appear as a security threat to some firewall services. This can be due to the large number of requests from a disproportionately low number of perceived unique visitors. Whitelisting or creating firewall exceptions for our servers’ IP addresses prevents your other security systems from blocking legitimate traffic relayed through our servers.

If we were not already familiar with a litany of issues with SiteLock (you can see some of those by looking over our previous posts about them) we would say this would be a good reason to avoid them, but with all the others you should have more reasons to avoid them than you could possibly need.

Two of The Top Three Reasons SiteLock Promotes For Web Hosts To Partner With Them Are Revenue Related

When it comes to people being taken advantage of by the web security company SiteLock, their web hosting partners seem to play a critical role, as it looks like a lot of their business comes through them instead of people going directly to SiteLock. What seemed to us to be the likely explanation of why the web hosts would partner with SiteLock despite them being quite bad at being a security company and their sales practices, was the web hosts getting paid to push their services.

What was surprising to us when we ran across it is how much money they are getting. One of SiteLock’s web hosting partners, the Endurance International Group, disclosed to investors that they get 55% of the revenue from the SiteLock partnership (it also turns out that the web hosting company is run by one of SiteLock’s majority owners). So people that get pushed to their service end up paying at least twice as much as the service they are really getting costs.

That obviously raises some serious questions about the arrangement, but what seems of more concern is that from what we have seen their web hosting partners don’t disclose the financial arrangement. (What they will sometimes say instead is that SiteLock is a trusted partner, which doesn’t point to the web host being someone you can trust.)

When a web host tells their customer that they should hire a certain company to clean up their website, we don’t think it is unreasonable that the customer should be told the truth about why that recommendation is being made.

With one of the web hosts owned by the Endurance International Group, HostGator, we found that they wouldn’t even acknowledge that they are getting any money out of the partnership when it was pointed out that their parent company has already disclosed this fact to investors.

While the web hosts are not upfront about this, when SiteLock is promoting the partnership program to web hosts, they are. Here is the list of the “Top Three Reasons to Partner with SiteLock” from the page about their program:

The first two items listed are revenue related:

Generated $20 Million in Partner Revenue

and

Dedicated SecurePartner Support on Sales and Marketing Efforts

So that gives a pretty good idea of what these partnerships are really about, if it wasn’t clear already.

What the third one is supposed to refer to isn’t entirely clear. SiteLock does refer to itself as the Global Leader in Website Security (which is far from the truth):

Partner with the Global Leaders Across the Industry

We think that web hosts getting involved in this is a good sign that you should avoid them (you can check out our list of web hosts who partnered with SiteLock if you want to do that).

If you are unfortunately at the point where your web host is pushing you to SiteLock, you should take a look at our post on what you should know in that situation before doing anything else.

SiteLock Uses The Fact That They Cut Corners With Their Hack Cleanups To Try To Upsell Customers

Over two years ago we noted that SiteLock wasn’t doing a basic part of a proper hack cleanup, properly securing the website, which usually mainly involves making sure all of the software on the website is brought up to date. That situation hasn’t changed, as just about three months ago we were brought in to fix a website after a SiteLock cleanup had broken it. In that case not only had the software not been updated, but SiteLock had also failed to attempt to determine how the website was hacked. If they had done that they would have spotted that part of the cause of the hack was that one of their web hosting partners, GoDaddy, allowed remote access to databases that were set not to allow it. When you consider that SiteLock often charges $300 for a cleanup, which is more than we charge for many cleanups where we do those things, their customers are really getting ripped off.

It turns out that SiteLock doesn’t recommend using their one time hack cleanup service, not because they are not doing things properly, but so they can charge customers even more money and keep charging for something that should have a one time cost.

In a complaint with BBB (https://www.bbb.org/phoenix/business-reviews/internet-services/sitelock-llc-in-scottsdale-az-1000018625/reviews-and-complaints) one of their customers describes the situation:

After my business website was hacked on or before December 29, 2015, I was advised by my web hosting company to contact its security partner, Sitelock. Sitelock offered me two options: a one-time cleaning for $300, or cleaning plus monitoring for $90/month.

 

I was again told I chose the wrong product (he said they don’t recommend the $300 cleaning to anyone).

So instead of paying $300 for a low quality cleanup they wanted them to pay $1080 a year for monitoring and continuous cleanups. There are multiple issues with that. Some of those revolve around the reason they recommended against the one time cleanup:

I was then told I chose the wrong product (the $300 cleaning) because I had an active hacker who went right back to work on my site.

A proper one-time cleanup should prevent the active hacker from getting “right back to work on my site”. But if you don’t determine how the website was hacked and fix that (as websites don’t just get hacked, something had to have gone wrong for that to occur), as well as making sure the website is otherwise secured, then it isn’t surprising that a hacker could get back in.

Since SiteLock’s continuing service doesn’t do those things either, the best they can do is to keep detecting that the hacker has accessed the website and clean things up after the fact. Having a hacker repeatedly get access to your website is not something that should be happening, even if it could be quickly cleaned up each time. What if a hacker gets access to customer data? Once that has been taken, a SiteLock cleanup won’t undo that. There is also the issue that SiteLock doesn’t exactly have the best track record of detecting hacks, so they might not even spot what is going on to clean it up.

If you are spending $1080 a year on security it should be spent on things that would actually prevent the website from being hacked. SiteLock doesn’t provide a service that does those things (probably because it would require actually doing a lot of work).

Based on all that you might not be surprised to hear that the one time cleanup done on that website had another problem. The website was messed up, which SiteLock excused based on this:

The hack affected many of the core platform and theme files (985 files total – attached).  The site’s appearance after the… clean had been completed was due to the compromised core and theme files.

A proper hack cleanup would have properly fixed the compromised files so you wouldn’t be left with a website with appearance issues (that was also one of the issues with the website hosted with GoDaddy mentioned earlier and an earlier instance with a GoDaddy hosted website).

At this point you might be wondering why this person’s web host had a security partnership with SiteLock considering how bad they are. The reason at some web hosts is in part that SiteLock’s owners also run the web hosts (something that web hosts don’t acknowledge publicly) and the other big reason is that the web hosts get a significant amount of money pushing SiteLock services. In the case of one of them, the web host disclosed that they get 55% of the revenue from SiteLock services sold through the partnership. Which in the case of that ongoing service, would work out to $594 a year, without requiring them to do any work. The one time cleanup would get them $165. If you do have a hacked website and are getting pushed to SiteLock, beyond obviously avoiding them, you should take a look at a previous post we wrote that goes into more detail as to what you should know in that situation.

Is SiteLock’s Vulnerability Scanner Anything More Than Them Running Nessus on Websites?

As we have looked closer at the web security company SiteLock a reoccurring theme has been finding that their services are actually provided by others and that they don’t disclose the true source (in some cases they make claims that would reasonably lead you to believe they are in fact provided by them directly). That can have some pretty serious implications. For example, we found that their content delivery network (CDN) and web application firewall (WAF) are actually provided by another company, Incapsula. As both of those services involve sending your website’s traffic through the provider’s systems, not knowing the true provider of the service means you don’t actually know who has access to all of that traffic. In another case we found that due to SiteLock’s lack of understanding of WordPress security they were (and maybe still are) incorrectly using third-party data on WordPress vulnerabilities to falsely claim that websites are insecure. It also does more to undercut their claim to be the “global leader” in website security.

Back in September we discussed that while SiteLock’s vulnerability scanner is frequently promoted by their web hosting partners there didn’t appear to be any evidence that the vulnerability scanner was actually effective in finding vulnerabilities on websites. Recently we ran across a thread on the WordPress Support Forum from earlier this year about an instance where their scanner had claimed to find a couple of potential SQL injection vulnerabilities in the WordPress portion of a website.

Without having access to the website’s files as of the time the scan was done we can’t tell if these were false positives or not, but unless the website contained plugins that were changing the normal way the relevant files were operating, the results would have involved falsely labeling the core WordPress software as having vulnerabilities.

We were curious to see if we could find other examples of SiteLock’s vulnerability scanner results and so we did a Google search for “The following resources may be vulnerable to blind SQL injection”, which is phrasing used in their message mentioned in that thread.

One thing that it pulled up was more indication that the scanning isn’t very good, as it was treating Joomla simply returning a different result when malicious code was added to URL parameters as a sign of the website potentially being prone to SQL injection. The crude level of their scanning might provide some useful information for an experienced developer or a security professional, but for the average webmaster it is likely to lead to a lot of unneeded confusion.

More interesting was something else that it showed. Here is how one SiteLock’s results began:

Using the GET HTTP method, SiteLock found that :

+ The following resources may be vulnerable to blind SQL injection :

+ The ‘rp_subject’ parameter of the /index.php/index.php/help/suggestion-about-website CGI :

The Google search results also pulled up results from the Nessus vulnerability scanner that look like this:

Using the GET HTTP method, Nessus found that :

+ The following resources may be vulnerable to blind SQL injection (time based) :

+ The ‘LinkedGroup’ parameter of the /cgi-bin/vendx/forgotpasswd.cgi CGI :

Other than the specifics of each potential vulnerability, the only difference between those two is the company name and the phrase “(time based)” in the Nessus message.

So pretty clearly SiteLock’s vulnerability scanner at least in part involves them running Nessus over websites. Not surprisingly, based on the other examples, they don’t disclose that fact. The page for the service makes no mention of it involving a Nessus scan and a Google site search shows no mention of Nessus at all on their website. Considering that Nessus doesn’t really seem like a tool designed for end users, which is how the service is promoted by SiteLock’s web host partners (which also are in some instances run by SiteLock’s owners), it doesn’t seem like a good fit for the service.

What isn’t clear is whether the vulnerability scanning involves anything more than a Nessus scan. If you have any more information on the vulnerability scanner please leave a comment on the post.
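The comparison above can also be done mechanically. The following is an added example, not code from the original post: it masks the vendor name, parameter name and URL path in the two report openings quoted on this page and diffs the wording that remains. The function names and masking rules are assumptions made for this illustration.

```python
import difflib
import re

# Report openings as quoted on this page.
SITELOCK = """Using the GET HTTP method, SiteLock found that :
+ The following resources may be vulnerable to blind SQL injection :
+ The ‘rp_subject’ parameter of the /index.php/index.php/help/suggestion-about-website CGI :"""

NESSUS = """Using the GET HTTP method, Nessus found that :
+ The following resources may be vulnerable to blind SQL injection (time based) :
+ The ‘LinkedGroup’ parameter of the /cgi-bin/vendx/forgotpasswd.cgi CGI :"""

VENDORS = ("SiteLock", "Nessus")


def template(report):
    """Reduce a report to its fixed wording by masking per-finding values."""
    lines = []
    for line in report.splitlines():
        for vendor in VENDORS:
            line = line.replace(vendor, "<VENDOR>")
        # Quoted parameter name (straight or curly quotes).
        line = re.sub(r"[‘'\"][^’'\"]*[’'\"]", "<PARAM>", line)
        # URL path: a token that starts with a slash.
        line = re.sub(r"(?<!\S)/\S+", "<PATH>", line)
        lines.append(line.split())
    return lines


def compare(a, b):
    """Return (similarity, leftover wording differences) for two reports."""
    ta = [tok for line in template(a) for tok in line]
    tb = [tok for line in template(b) for tok in line]
    matcher = difflib.SequenceMatcher(None, ta, tb, autojunk=False)
    leftovers = []
    for op, i1, i2, j1, j2 in matcher.get_opcodes():
        if op != "equal":
            leftovers.append((op, " ".join(ta[i1:i2]), " ".join(tb[j1:j2])))
    return matcher.ratio(), leftovers


if __name__ == "__main__":
    ratio, leftovers = compare(SITELOCK, NESSUS)
    print(f"template similarity: {ratio:.2f}")
    for op, left, right in leftovers:
        print(f"{op}: {left!r} -> {right!r}")
```

Once the per-finding values are masked, the only wording left over is the “(time based)” qualifier in the Nessus text.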

GoDaddy Doesn’t Disclose The True Source of SiteLock’s CDN and WAF Services

The last time we discussed GoDaddy’s partnership with SiteLock, back in September, it involved a situation where SiteLock managed to break a website they were supposed to be cleaning, GoDaddy was partly responsible for the website being hacked, and SiteLock failed to detect that GoDaddy issue due to their failure to do a basic part of a hack cleanup. Based on that, an expansion of their partnership doesn’t seem like a good thing, but it is happening.

Today GoDaddy announced that they would now be offering SiteLock’s content delivery network (CDN) and web application firewall (WAF) services. What they neglected to mention is that these services are not actually provided by SiteLock, but, as we recently discovered, by another company, Incapsula. That is a rather important item to disclose since both of those services involve sending your website’s traffic through someone else’s systems. A company you have no involvement with having access to all of your website’s traffic obviously raises some serious issues. Even if you are not concerned with Incapsula having access to your traffic, it looks like SiteLock could switch to another provider at any time without you being aware of it.

Also missing from the press release is any evidence that SiteLock’s WAF actually provides any protection (which we haven’t seen provided elsewhere either). Instead you get unsupported claims as to the protection it supposedly provides. One claim included has actually been indirectly disputed by SiteLock. That claim being that it prevents backdoor access:

Trust that website content will be protected from potentially harmful spam comments, and backdoor access to website files will be blocked.

In a previous post we looked at a situation where a SiteLock customer using their firewall got hacked again and said that “SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that.”

If you are actually looking to keep your website secure then these are things you should focus on, which are not things that any SiteLock service provides. You also would probably be best off not using a web host, like GoDaddy, that partners with SiteLock.

WordPress Doesn’t Want You To Know That WordCamp Sponsor SiteLock Takes Advantage of People

When it comes to the web security company SiteLock taking advantage of people, their web hosting partners have long been a critical component of that. More recently there has been a new partner helping them to present a public face very different from the company that people end up dealing with if they have the misfortune of signing up for their services. That would be WordPress, which has allowed SiteLock to participate in and sponsor WordPress’ WordCamp conferences.

It isn’t a situation where the people involved in running the WordCamps are not aware of what SiteLock does. We contacted them back in September asking for a comment for a post we were preparing raising our concerns about the situation. We didn’t receive a response, but we received quite a bit of traffic to a post included in the message to them, shortly after we sent the message, so they seem to have reviewed it. SiteLock’s involvement has continued since then, which indicates to us that the WordPress folks can’t justify what they are doing, but will continue doing it anyway.

Fast forward to last week when, in our monitoring of what SiteLock is up to, we came across a post on the website for this week’s WordCamp US praising SiteLock. Wanting to let people know the reality of SiteLock we posted the following comment on the post:

It is rather unfortunate that you are promoting SiteLock in this way, as this company is quite bad at what they do and take advantage of so many people.

For example, a couple of months ago we were brought in to fix a WordPress website after their cleanup left it broken, http://www.whitefirdesign.com/blog/2016/09/14/godaddy-and-sitelock-make-a-mess-of-a-hack-cleanup-and-drop-the-ball-on-security-as-well/. While fixing it we found that there were a couple of much larger issues, they had left the hacker with access to the website and didn’t detect that one of their web hosting partners, who had gotten the website’s owner to hire SiteLock in the first place, had a serious security issue that was leading to the website being hacked.

Around the same time we found that they were spreading false information about vulnerabilities in WordPress to their customers, http://www.whitefirdesign.com/blog/2016/09/06/sitelock-spreading-false-information-about-wordpress-security-to-their-customers-through-their-platform-scan-for-wordpress/.

If you do a search for “sitelock scam” you will see more of what SiteLock is really doing.

One thing we mentioned that we think is important to emphasize is that SiteLock was (and maybe still is) claiming that customers’ websites running older versions of WordPress have vulnerabilities that they don’t. This was due to SiteLock not having a basic understanding of how WordPress handles security, which they should have, considering that it is very important when properly cleaning up hacked websites and protecting them against future hacks, both of which are services they offer (some explanation for this might be that for one of their main protection services they don’t actually provide the service themselves, while claiming to). It is against that backdrop that one part of the WordCamp post sticks out:

With 2017 just around the corner, SiteLock hopes to continue their strong support for WordPress and WordCamps and make 2017 the best year yet!

Maybe it is just us, but it doesn’t seem that spreading false claims of vulnerabilities in WordPress-based websites shows support for WordPress, strong or otherwise.

We left that comment on Tuesday afternoon; by the next morning the existing comments (not just ours) on the post were gone and the ability to comment was removed. By comparison, the previous post and the next one are still open for comments and include comments. Again the WordPress folks would rather sweep under the rug the reality of what SiteLock is up to while being involved with WordCamps than deal with the situation.

What makes this all the more troubling is that at the same time WordPress is helping to promote a very bad security company, they are intentionally not warning people when they are using insecure plugins, which could lead to websites being hacked and then those websites might wind up being taken advantage of by a bad security company like SiteLock.

Here Are SiteLock’s Web Hosting Partners, You Probably Should Avoid Them

As we have looked closer at how the web security company SiteLock takes advantage of people we have found that their web hosting partners are a critical component of that being possible. Avoiding those web hosts prevents you from getting taken advantage of and, if enough people did that, would get web hosts to stop allowing that to happen in the first place. We also think that by partnering with SiteLock these web hosts are showing they are companies you should avoid even if you are not worried about being taken advantage of by SiteLock. There are a number of reasons we think that is the case:

First, these web hosts are not being upfront with their customers, as they don’t disclose that their partnership is really based around them getting a significant cut of SiteLock fees. That means, for example, that they are making a large profit off of their customers’ websites being hacked. In the case of some of their partners, the web hosts are even controlled by the owners of SiteLock, something the web hosts won’t even publicly acknowledge, despite it being disclosed to their investors. If they are not being upfront about that, you have to wonder what else they are not being truthful about.

Second, they are showing that the money they get from SiteLock is more important than their customers, as SiteLock is not a company that should be anywhere near the security of websites based on what we have seen over the years. This is due to the fact that at a basic level they don’t even try to properly clean up websites, leaving them open to being exploited again, and in some cases they couple that with leaving a broken website behind as well. They are also rather bad at detecting malicious code and detecting whether websites are secure. There are many companies that clean up hacked websites, so to partner with SiteLock, it has to be about getting that money, not about doing what is best for their customers.

Third, we have found that these web hosts who are partnered with them do not have much concern for security. That shows not only in getting involved with a really bad security company, but also in their own practices. For example, at one web host we found that they were distributing outdated, insecure software to their customers and their access controls were broken, leading to websites being hacked that otherwise would not have been. We don’t find that type of thing surprising, seeing as we can’t imagine a company that really cared about security partnering with SiteLock, considering their track record. Making their customers more secure would also likely reduce the amount of money they can make through selling SiteLock services as well.

To help you avoid those web hosts we have started to compile a list of web hosts that have partnered with SiteLock. If you know of an addition or subtraction we need to make to the list please leave a comment below or contact us.

(Last update: April 20, 2017)

#

  • 1&1
  • 123 Reg
  • 123hospedaje
  • 24 Host India
  • 365ezone
A
  • A Small Orange
  • Alojamiento Tico
  • Aplus.net
  • Ardanhosting.com
  • Arivisti
B
  • BigRock
  • BiswasIT
  • BizLand
  • BlessHost
  • BlueDomino
  • BlueHost
  • BuyHTTP
C
  • Caribbean Domains & Websites
  • Certified Hosting
  • CleverHost
  • Colombia Redes
D
  • Dhrubo Host
  • Domain.com
  • Domains.com
  • DomainHost
  • Dot5Hosting
  • dotster
E
  • EasyCGI
  • EdorHosting
  • eHost
  • eNom
  • EntryHost
  • eWallHost
  • Exabytes
F
  • Facilweb.net
  • FastDomain
  • FastWebHost
  • FatCow
  • FreeYellow
  • Full Tech Solutions
G
  • Getesy
  • Globat Web Hosting
  • GMO Cloud
  • GoDaddy
  • GreenGeeks
  • Growfio
H
  • HaiSoft
  • Host Byte
  • Hostable.com
  • HostCentric
  • HostClear
  • HostForWeb
  • HostGator
  • HostHero
  • Hosting and Designs
  • HostJumbo.com
  • HostMonster
  • Hostnet
  • HostPapa
  • Hostpuppies
  • HostUtopia
  • HyperMart
I
  • IBHost Web Solutions
  • IMOutdoors
  • iPage
  • IPOWER
  • ITX Design
  • iViperHost
  • IX Web Hosting
J
  • JOEUSA.com
  • Just Host
K
  • Kualo
L
  • Lithium Hosting
M
  • MaxterHost
  • Media Temple
  • Midphase
  • Mustang Technologies
  • MyDomain
N
  • names.co.uk
  • Netfirms
  • Network Solutions
  • Networks Web Hosting
  • Noworryhost
O
  • OCNHost
  • ODISHA IT
  • One.com
  • OpenSRS
P
  • PowWeb
  • PureHost
R
  • ReadyHosting
  • Register.it
S
  • ServerFreak
  • ServInt
  • SotaHost
  • StartLogic
T
  • TMDHosting
  • Tripod
U
  • UK2
  • USANetHosting
V
  • v2Web
  • Verio
  • Very Chio
  • VirtualAvenue
  • VisualWebTechnologies
  • ViUX
  • VPSLink
W
  • Web Fortuners
  • WebHost4Life
  • WebhostforASP
X
  • XANTEC
  • Xeran