Thursday, June 25, 2015

BlueHost promotes SiteLock, encourages customers to protect (Wordpress) sites from hacks


Bluehost has offered its Wordpress customers an automated “SiteLock” product  which offers various plans to scan and fix security problems on customer’s sites.  There are “Find”, “Fix” and “Prevent” products under “Basic” and “Premium” plans.  The “Fix” product under “Basic” is quite reasonably priced, but “Prevent” is much more expensive (because it would require more continuous monitoring).

It was not completely clear (to me, at least) whether the product has to be purchased separately for each domain.
  
There has not been a lot of news coverage of “ordinary” personal or small business sites being hacked.  A few small sites (like restaurants) around the country have been overlaid with radical materials. I experienced a hack on two flat HTML files on an old legacy site in April 2002 (seven months after 9/11).  The overlaying content appeared related to Russian nuclear weapons, of al things!  I did report it to the Minneapolis FBI.  I had my own backups and quickly restored them, and there were no recurrences (amd the ISP tightened Unix security’s Site Command).

Reputable hosting companies do provide backups of sites, but it’s a good idea to have your own copies of content (even offlne on CD’s or thumbdrives, or with cloud backups).  It isn’t that hard to set up your own, just in case.

Note the video below dates to 2012.
  
  
I have not heard much (or any) discussion of possible site owner liability for allowing a hack to happen, when the site is hosted with a regular shared hosting company.  The liability risk would seem much less if the site does not host consumer information (but I can still imagine some perils).  The idea of encrypting the entire web (even non-commercial sites) with https sounds relevant, but so does Section 230.  I suppose we could hear talk about this in the future.  Sites could conceivably be overlaid with “illegal” material (or perhaps with no link path for added new material  -- a webmaster can spot check for this by looking at access logs or looking at the site with WS-FTP or similar product), or be used to launch DDOS attacks.  Old legacy sites should be spot checked regularly for any problems. Here’s a typical link; it seems like a gray area now.  The Hacker News has an important piece about Wordpress vulnerabilities here

No comments: