Is SiteLock Worth It?

SiteLock offers a suite of website security tools. Many people encounter SiteLock through web hosts SiteLock partners with.

Conflicts of interest

On SiteLock’s website, visitors can find a list of some of the hosts it partners with. Many (though not all) of the hosts are owned by the Endurance International Group.[2] It’s almost certainly not coincidental that Endurance International Group’s companies recommend another UnitedWeb product.

Even web hosts that are not owned by The Endurance International Group may have a financial interest in recommending SiteLock. Here’s a blurb from a SiteLock’s web page detailing the affiliate program it offers:

We protect over twelve million websites worldwide and have generated more than $100 million in revenue for our partners.[3]

Hosts that partner with SiteLock may enthusiastically pitch the service. For example, here’s an image I snapped from HostGator’s checkout process:[4]


Given HostGator’s conflicts of interest (it’s owned by Endurance International Group), I think it’s probably appropriate to interpret the highlighted “highly recommended” as meaning something along the lines of “We’d really like you to pay for this product.”

My bet is that SiteLock is probably more of a marketing-focused company than a product-focused company. As weak support for this, SiteLock’s current careers web page lists 6 openings in sales or marketing, but only 1 in engineering.[5]

It looks like a lot of work has gone into trying to optimize SiteLock’s ability to convert partners’ hosting customers into SiteLock customers. When setting up the test websites I use to collect performance data on web hosts, I declined SiteLock services every time they were offered. Hosts owned by the Endurance International Group generally followed up by letting me know I was going to get free access to a pared-down version of SiteLock. Here’s an excerpt from an email I received after signing up for FatCow:[6]

We’ve recently collaborated with our longtime security partner, SiteLock, to help you — our valued customer — add even more protection to your web presence! Website security is something we take very seriously at FatCow. For that reason, as part of your hosting package we’ll be including a basic malware scan for your domains that don’t currently have SiteLock, free of charge.
I received similar messages from HostGator and Bluehost (both of which are also owned by Endurance). I expect that there’s some process in place to encourage me to upgrade to a paid version of SiteLock if a vulnerability is eventually detected.

Notice that the email doesn’t acknowledge that FatCow is owned by Endurance International Group which shares a parent company with SiteLock. Also notice that FatCow gives a bad explanation for why it recommends SiteLock: “Website security is something we take very seriously at FatCow.” The explanation I find more satisfying is “MONEY!”

SiteLock’s offerings

Although I’ve been ranting, SiteLock’s services might be genuinely useful. SiteLock’s primary offerings are bundles with the following services:

  • A web application firewall
  • DDoS protection
  • Automated website scanning for malware and spam
  • Tools for removing malware (likely to involve additional fees for those using the most basic plan)
  • A seal website owners can display to show that a site uses SiteLock

The security tools have the potential to be useful for a lot of websites, although most of the tools could be obtained in other ways. Comodo Security Solutions offers a free website scanner. CloudFlare’s free plan includes DDoS protection.[7]

However, SiteLock is an easy, automated solution. If you purchase the service through a web host, there’s almost no work involved. SiteLock can immediately scan non-public files on your server that wouldn’t be accessible by easy-to-use, free scanners like the one from Comodo. Given SiteLock’s relatively low price, the convenience might justify the cost for some people.

At the moment, my own experience with SiteLock is extremely limited.[8] I’m hoping to revise this article in a few months to give an update once I’ve had more experience with the product.

Silly security seal

SiteLock offers its clients the option to display the SiteLock Trust Seal on their websites. The seal is a little image website owners can display. SiteLock’s pitch is that displaying the seal increases websites’ credibility to visitors. I don’t know if that’s true, but it concerns me. There are lots of ways a website could be insecure or dangerous to visitors without SiteLock knowing. If the seal substantially improves visitors’ trust in websites, I would guess that’s because visitors are not well-informed about what it takes to receive a SiteLock seal.

Looking at some documents from hosts that offer SiteLock does not inspire confidence. Here’s a bit from HostGator (emphasis mine):[9]

If a scan happens to fail, website visitors will not be alerted to any problem. However, SiteLock will send an email alert to the website owner to let them know an issue was detected so that it can be addressed and resolved quickly. The SiteLock Trust Seal will continue to display the date of the last good website scan for 72 hours.

Here’s a second excerpt from the host A Small Orange (emphasis mine):[10]

The SiteLock Trust Seal is a badge which you can display on your website to ensure customers feel safe visiting and providing information on your site. If a scan fails site visitors will not be alerted to any problem. The SiteLock Trust Seal will simply continue to display the date of the last good scan of the website. If the site owner fails to rectify the problem SiteLock will remove the seal from the site and replace it with a single pixel transparent image within a few days. At no point will SiteLock display any indication to visitors that a website has failed a scan.
This is not how legitimate credentials work.

Footnotes

  1. I have a list of brands under The Endurance International Group that you can compare with brands listed on SiteLock’s partners page. The Endurance International Group and SiteLock are both owned by another company, UnitedWeb.[1]Both SiteLock and Endurance International Group are listed on UnitedWeb’s “Our Companies” webpage. (archived copy from 2/19/2019).
  2. This excerpt was taken from SiteLock’s “Affiliates” web page on 2/19/2019.
  3. The screenshot was recorded on 2/19/2019.
  4. To be clear, I don’t think this is anything like a knockdown argument. I’m sure there are companies with great software products and fewer engineers than sales team members. I accessed SiteLock’s “Careers” page on 2/20/2019.
  5. Email received on 2/8/2019.
  6. Cloudflare lists the following as part of it’s free plan: “Unmetered mitigation of DDoS attacks.” From Cloudflare’s “Our Plans” web page on 2/20//2019 (archived copy).
  7. At the moment, I’ve only explored SiteLock’s website, read some reviews, and seen results from free scans.
  8. Taken from HostGator’s “How to Use the SiteLock Trust Seal” article on 2/20/2019 (archived here).
  9. Taken from A Small Orange’s “Use The SiteLock Trust Seal” article on 2/20/2019 (archived here).