This will be a longer article explaining a common SCAM that was reported numerous times for multiple hosting providers. Even if you are not hosted with HostGator you still might want to read about it, for the future safety of your wallet. The short version of the story is at the bottom of the page.
I have been a loyal customer of HostGator since at least 2005. Even after they were bought out by EIG back in 2014, even after their support and customer service started going downhill rapidly, I still decided to stick with them. At the time of writing this I have 3 separate accounts with them (2 shared + 1 VPS) and I pay around $875 / year for their services.
The HostGator + SiteLock SCAM
It all happened yesterday, 23/02/2016. At 17:37 I get an email from HostGator informing me that my account has been suspended because it was distributing malware and that I should immediately take measures to resolve this issue.
Our Abuse department has received a report regarding malware being hosted on an account under your control. We have disabled site access for your account to prevent further complaints, and have provided a list of the reported content. Note that the below content is not a comprehensive list of malicious content on this account. We strongly recommend that you address the entire account to avoid further issues.
In order to remove the restrictions we’ve placed, you must resolve the security issue and remove what malicious content was listed. If you do not believe you can do so on your own, you may use a reputable third-party security service, such as SiteLock, who can be reached directly at 877-563-2849. Please note that repeated reports of malicious content on your account within 60 days of an initial notice will lead to further action being taken, including permanent suspension after failing to professionally clean the account.
Once you have taken steps to secure your account of the reported content, please reply back to this ticket to request review.
HostGator’s letter says: “We have provided a list of the reported content”. There is no list and no reported content. OK.
I try to open my website and sure enough I get the following “suspended” page, which obviously contains ADS added by HostGator. I get the same view for all the other 10 domains on this account.
The abuse report came from a German service, Clean-MX.de, that conveniently SELLS WEBSITE CLEANUP SERVICES, and it is an obviously automated abuse letter. It contains ZERO information, but IS advertising its services. A new level in SPAM marketing.
Unfortunately for me, HostGator gladly jumped on board and had its own interest to play in this game.
What is SiteLock and how/why HostGator advertises it?
SiteLock calls themselves “The Global Leader in Website Security”. HostGator partnered with them back in 2010. Today HostGator advertises SiteLock in all possible locations. They even stopped doing things that a hosting provider should be doing in favor of selling SiteLock subscriptions.
Here’s their official “My Site Got Hacked!” support page and what to do. Notice any helpful instructions other than “pay SiteLock”?
When looking at the suggested Emergency 911 Clean-up Service by SiteLock there was a $200 price tag for this service. You pay this fee if you didn’t have SiteLock enabled before the infection. Once infected – pay up the $200. Now that my account is back online I am unable to access that offer from SiteLock, so I can’t provide a screen-shot, sorry.
Additional Privacy Concern
Take a look at the original email they sent informing me of the account suspension.
How cool is that? They even CC a third-party service into a confidential support ticket created for the customer. Want it or not, but account suspensions are immediately forwarded to their partner, an open referral lead. SiteLock lands a customer? HostGator gets a good cut. An infuriating level of wrong.
HostGator’s Support Reaction and Inactivity
If you have read the full letter from above you will notice that HostGator did not provide a review for the situation. They simply forwarded the abuse report from a third-party entity, suspended my account, pasted an AD for SiteLock and sent the letter. There is no trace of any account-specific information, ZERO proof that my account was compromised in any way.
I quickly go and open HostGator Live Chat Support. Waiting time: 9 minutes, nice! During this time I inspect my account via FTP: folders, files, timestamps. Zero suspicious files. Zero files were modified in the last ~6 weeks. No trace of any malware.
1. Live Chat
The Live Chat opens up, a support rep called Jeffrey drops in. After about 30 minutes of slow talking, I finally get the following: “The Live Chat support people can’t do much, we have no access to information about such issues. I advise that you follow the instructions from the ticket”. Thank you Jeffrey, bye.
HostGator Live Chat no longer has the option to automatically send you support chat transcripts. Perfect, leave no traces.
@dumitru We suggest our Client's use Sitelock, you are welcome to use any security scanning firm you choose so long as they are effective.— HostGator Support (@HGSupport) February 23, 2016
@dumitru Unfortunately we do have to act when presented with third party reports Our security team does review these before action is taken.— HostGator Support (@HGSupport) February 23, 2016
“Our security team does review these before action is taken.”
3. The Support Ticket
The initial ticket was opened on February 23, 2016 at 09:37 AM.
The next message from HostGator was 8 hours later, on February 23, 2016 at 05:28 PM. Here it is:
I do apologize for the inconvenience as security department review each ticket in the order received or re-opened. Upon reviewing the issue the ticket was escalated to my department. I have had our administrative staff proceed with removing the restriction. I do apologize for the inconvenience as the account was not properly confirmed to be compromised. Please do note that in the cases of third party reports, we take those reports, review the report, then the account and once confirmed to be indeed compromised the restriction is placed though human error can occur.
Steven H. is kind enough to immediately offer 3 months of free hosting (~$20 value), after HostGator tried to “persuade” (read: extort) $200 out of a loyal customer. If at least 2 out of 10 fall for this – PROFIT.
Below I want to show you the Google Analytics stats for yesterday for 3 of the 10 domains suspended by HostGator.
Every year 2 of these domains see huge traffic spikes specifically on 23/02 due to an annual event. Yesterday I missed half of that traffic because of HostGator.
Other Reports and Reviews for the SiteLock Scam
When searching for other info on this matter I have found hundreds and hundreds of pages with awfully negative reviews for SiteLock and their services. Be it HostGator or other major hosting providers, a lot of consumers are furious.
- HostGator Takes My Sites Offline – Admits Their Fault
- I Had An Experience With SiteLock – Hint, It Wasn’t Good
- HostGator – SiteLock Malware SCAM
- Is SiteLock a legitimate service or a scam? (on Reddit)
- 35 SiteLock Reviews on PissedConsumer.com – most of these describe the SAME SITUATION.
In Conclusion (The Short Version)
- HostGator is my hosting provider that I’ve been a loyal customer of for ~10 years.
- Someone sends HostGator a bogus malware report for my account and 25 days later they simply suspend my account. Not once during these 25 days have they informed me of anything.
- Their support pages all suggest the same thing: sign-up for their partner’s services, SiteLock, which would cost me at least the $200 one-time cleanup fee, and then monthly payments, up to another $600 / year.
- Instead of providing ANY helpful information, HostGator’s Live Chat Support and Twitter support both suggest the same thing again: to sign-up for SiteLock and pay up. At this point there is still no confirmed malware.
- After 6 hours of waiting I finally send my final message to HostGator, threatening to cancel my hosting packages and take my business elsewhere.
- Finally 2 hours later a HostGator support rep confirms that THERE WAS NO MALWARE to begin with, that it was just an honest “human error”. To buy my silence they automatically give me 3 months of free hosting.
What to do and how to protect yourself?
First order of business would be to open the website of your hosting provider and look for any mentions of SiteLock. If they promote this SCANDALOUS service anywhere then you should consider your options. Be on the lookout for attempts to extort money from you for bogus services and for protection that they are supposed to provide anyway.
I am not going to recommend hosting alternatives or post hosting reviews for other companies, as this is not the point of this article.
Don’t fully trust anyone with your website, not even your hosting provider. If they ever ask you for more money for service X or service Y, research it a little before opening your wallet.
Update #1 (26/02/2016)
There have been some updates and messages from a HostGator Customer Service Supervisor. I am posting the important part of the message below and leave it to your discretion to decide what you think of it. I took the liberty of highlighting the parts that I think are more important.
My name is [..] and I’m our customer service supervisor here at HostGator.com. I’ve since had a chance to review the situation as well as your blog post and would be glad to continue our discussion on the matter.
Having said that, I feel that what this situation boils down to is whether or not you believe our statement that this experience stemmed from human error. In that regard, I would point out that we do not actually share 3rd party reports directly with our customers, which I believe is a strong indication that the agent handling this ticket was not following company policy. Similarly, we found that our agent did not follow policy in regards to actually evaluating the 3rd party report before issuing a temporary suspension which of course is fairly obvious after reviewing the content of the original e-mail, so we offer our apologies if our Twitter response seemed to indicate that this was not an exception to our usual process of reviewing each of these reports.
The agent handling the initial report is actually one of our newer admins assisting with security issues and we’ve made certain that this oversight was immediately brought to their supervisor’s attention for appropriate action. In our opinion it’s not appropriate to make proof of disciplinary action available to the public or even privately with a customer, so again we’re really just at a point of whether or not you trust our communications with you. To that point, I see you’ve been with us for nearly 7 years so I would hope we’ve shown to be trustworthy throughout your time with us but if this error on behalf of one of our newer agents has ruined that amazing run, that is certainly disappointing.
In our last correspondence my employee Steven did offer 3 months of service for the mistake but after review, I don’t see any disclaimers stating that the credit would only be available if you kept your experiences a secret, but instead see that the credit was added due to the mistake.
We do offer our apologies once more for our agent’s error and if you’d like to discuss the matter further via e-mail or phone, please let me know and I’ll be glad to arrange a callback with you.
I have no complaints about their last messages in the support ticket; their customer service supervisors clearly know how to formulate an apology while keeping the situation in check. However, it is easier to lose trust than to gain it, so personally I can’t trust them anymore.
Update #2 (20/05/2016)
For the last 2 months I have been getting daily emails and comments describing the same situation. In some cases people get charged a one-time fee of up to $500, in other cases they are persuaded to pay $99 / month, etc.
The large number of comments on this post is just the tip of the iceberg. Nothing has changed since publishing this: SiteLock continues to grow thanks to “strategic partnerships” with hosting providers like HostGator.
Update #3 (02/01/2017)
In the last 6 months I have probably gotten about 50 emails from people complaining about the same type of behavior from HostGator (and a couple of other hosting providers). The strategy is still the same: suspend whole accounts and ask for money. In very few cases these people were able to find actual malware on their website.
On Christmas 2016 (25th December) HostGator sent out a mass newsletter to customers informing them that the partnership with SiteLock has advanced to a new stage, so they will now perform FREE basic scans. You don’t have to opt-in, it is forced on everyone. To opt-out you have to CALL THEM or get them on live chat. I think this is done just to be able to explain how and why SiteLock is harassing customers with their constant (often false) malware alerts.
Here’s the full message, the last line is the best:
We’ve recently collaborated with our longtime security partner, SiteLock, to help you — our valued customer — add even more protection to your web presence! Website security is something we take very seriously at HostGator. For that reason, as part of your hosting package we’ll be including a basic malware scan for your domains that don’t currently have SiteLock, free of charge.
This scan will identify known malware and acts as a simple “alarm system” by sending you an email alert as soon as something malicious has been detected, giving you time to react prior to being blacklisted by search engines.
To provide more information on this scan, and to address any concerns you may have about its legitimacy, we’ve created this article, which offers additional details. For other ways to secure your website, please feel free to reach out to our trusted security advisors at xxx-xxx-xxxx today.
The HostGator Team
*HostGator does not guarantee SiteLock scan results.
It is important to remember that both HostGator and SiteLock are owned by the same corporation (EIG), so don’t expect their upselling scheme to stop anytime soon.
Update #4 (03/01/2017)
After numerous emails asking me for alternative hosting providers with a good record, I decided to provide here a small list of WordPress hosting providers that are better (to my knowledge).
Disclaimer: affiliate links below.
Web Hosting Alternatives to HostGator
- InMotion Hosting – this is our current hosting provider. Surprisingly good value for the money, with even better customer support. They surely bring back memories of when HostGator was good. During the past year I have migrated multiple customer websites to InMotion Hosting and everything has been smooth so far. Shared (called: Business) hosting plans start at $6.99 / month with big ongoing discounts.
- WP Engine. Shared hosting plans start at $29 / month.
Official WordPress.org Recommended Hosting Providers
On the WordPress.org Web Hosting Page (https://wordpress.org/hosting/) the foundation recommends 4 hosting providers and 1 of them is owned by the same EIG.
I have NO experience with these 4, but I have to mention them here.