Website security is an important component for any and every website, but few take the initiative to properly protect themselves.
You might think that configuring an SSL certificate or installing a few WordPress security plugins is enough to cover your bases. And to be sure, it’s a good start — it’s better than what most people do. But taking a more proactive approach to website security will save you a lot of time and money in the long run, assuming you become a target (which will happen, more likely than not).
This all begs the question: what incentive is there for hackers to stop?
Today, 20% of cybercriminals earn $20,000 per month or more.
But cyberattacks don’t just target websites of large enterprise companies. In fact, it was found that 43% of cyberattacks are aimed at small businesses websites but sadly, it takes about 197 days (6+ months) for a business to detect a breach on their network. By then, the real damage may have already been done.
Using a firewall and website scanner is a good first step when it comes to protecting your website from the worst cyberattacks. But you can take it to the next level with a solution that can also proactively fix vulnerabilities and malware attacks.
Let me walk you through a website security solution I’ve found to be particularly helpful in protecting my website. This is my SiteLock review.
The SiteLock Solution
Founded in 2008, SiteLock is the global leader in website security and is the only provider to offer complete, automated, cloud-based website protection.
While there are certainly other solutions that offer a similar type of service, what differentiates SiteLock is that it is the only provider to automatically remove website malware and fix common threats and vulnerabilities. Armed with these tools, SiteLock protects over 12 million websites worldwide.
As an added bonus, SiteLock also works closely with WordPress.
In fact, another unique SiteLock feature is its ability to patch vulnerabilities in between security updates — even if you don’t have the latest version of the WordPress core software. It can also clean malware without breaking your website design. SiteLock functions somewhat like a WordPress maintenance service that runs in the background (except it’s inclusive to all websites, not just WordPress).
Depending on who you host with, you may already have access to some of SiteLock’s features. SiteLock has partnered up with several popular hosting providers such as HostGator and BlueHost (among others).
But it keeps getting better. SiteLock also helps accelerate website speed (via caching to help save bandwidth and saved requests). If you collect credit card payments on your website, you’ll be happy to know that SiteLock meets PCI compliance standards for businesses of all sizes.
Let me walk you through some specific details of my SiteLock review, as well as an overview of the company’s helpful Dashboard, packages, and pricing, so you can evaluate whether or not SiteLock may be a good fit for you.
SiteLock: Praise and Criticism
In the interest of transparency, SiteLock isn’t infallible. While they have their fair share of rave reviews, they also have inspired some less than savory opinions.
To be fair, this mix of reviews is normal.
There seem to be a lot of good SiteLock reviews from customers that genuinely found SiteLock’s services helpful and raved about their customer service and support.
Curiously, a lot of SiteLock’s criticism stems from agencies that also offer website security services. Although it’s normal to see competitive messaging in the market, the question is whether or not these vendors have ulterior motives for creating content designed to outrank SiteLock for similar services.
Currently, SiteLock is in good standing with the BBB and some of the top online review platforms, with an average of 4+ star reviews:
The bottom line? Before you make any conclusions about SiteLock, it’s best to do your due diligence regarding WordPress website security and try the product out for yourself. I’ve done mine, and I give SiteLock my stamp of approval for the company’s fast and friendly customer service, automated security solutions, and free website risk assessments (discussed more at the end of this blog).
Furthermore, as a multi-year WordCamp organizer, I can vouch for SiteLock in terms of their generosity and helpfulness within the WordPress community. Over the past years, they’ve been a consistent sponsor at numerous WordCamps, they’ve participated heavily in speaking opportunities to help educate the community on the importance of website security, and also developed products specifically for WordPress websites.
I’ve only had good experiences when working with SiteLock employees during WordCamps.
Now, for my review of SiteLock products. Let’s take a look.
Walking Through the SiteLock Dashboard
When you login to SiteLock, the dashboard gives you at-a-glance site visitor statistics and a security summary.
These visitor statistics give you a preview of how many visitors your website has on a given day and even differentiates the human visitors from the bot visitors (both good and bad), which can help you understand who (or what) your bandwidth is really serving.
The most salient feature of SiteLock, however, lies in the Security Summary part of the dashboard. It displays the date of the last scan, as well as details of the scans and updates needed, if ever.
The icons on each circle represent the following:
- Green check: Everything is in good condition.
- Yellow exclamation point: Something is pending or needs to be configured.
- Red X: There was a scanning error, a vulnerability was found, or active malware detected.
- Gray arrow: You must upgrade your plan to use this service.
You can download a summary report for all scans/updates on the dashboard or download a report for each individual scan — ideal for passing on to anyone who helps you with WordPress web development for any further fixes.
SiteLock Security Summary
As part of my SiteLock review, let’s take a run-through of each aspect of the Security Summary part of the dashboard:
The Application Scan checks your running web applications to see if there are any vulnerabilities and code weaknesses that hackers can use to gain access to your website.
This ensures that the actual domain owner is the one in control of the website domain. If not, the email on file for your SiteLock account is sent an alert.
The Malware Scan checks for malware and other malicious links to pinpoint and remove malware that can cause website blacklisting, suspension from web hosts, or a poor site experience.
When you click on the malware scan button on the dashboard, you’ll be directed to the page that shows the dates your website was scanned, how many pages were scanned, how many malware links were found (if any), and the status of your website.
Look for a green status indicator to know that your website is in good shape.
The Network Scan checks server ports to ensure that the appropriate ports are open for the correct server type. If you need to make any changes, follow up with your web host.
Payment Card Industry (PCI) Data Security Standard (DSS) is a set of standards used to protect customers’ credit card data online. If you accept credit card payments, you must be compliant.
With Sitelock, you can become PCI compliant in 3 easy steps, all of which SiteLock will guide you through. You start off with a simplified PCI questionnaire. You can also add the PCI compliant web application firewall (WAF) to meet PCI requirement 6.6 and block bad bots from entering your site.
Think of this as similar to HTTPS — a security standard to protect important customer information, more important now than ever in the wake of GDPR.
The Platform Scan goes through your entire website and categorizes issues in five categories: low, medium, high, critical, and urgent.
The Risk Score section displays your website’s likelihood of compromise on a scale of low, medium, and high.
A low risk score (the baseline risk) means your site is just as likely to be compromised as a site that similar to yours. A medium risk score means your site is 6 times more likely to be compromised than low risk websites, and a high risk score indicates the risk is 12 times more likely.
The Blogsmith, for example, was characterized as low risk. SiteLock also shares information regarding the factors that can affect the website’s overall risk score, such as providing easy access to contact information (like your direct email address).
Clicking on the SMART button shows details regarding any malware issues that have been found and cleaned from your website.
As shown in this screenshot, SiteLock scanned 33,000+ of my website’s files and didn’t find any malware but did make some file modifications. Looking into the data, SiteLock’s file modifications are often related to plugin files, which may otherwise provide easy backend access to your website.
Though I don’t currently use this feature, you can also connect SiteLock to your WordPress database for an even deeper scan. Just follow the easy step-by-step instructions to get set up!
SMART/PATCH shows the items that are scanned by the SMART tool and need to be patched. Items can be classified as patched, reverted, or vulnerable. If there is nothing that needs to be patched, the patch status displays as “N/A.”
The Spam Scan checks your website’s IP and domain against other spam websites to ensure that your website isn’t flagged as spam, which can affect email deliverability (among other things).
SQL Injection Scan
SQL injection (SQLi) is one of the most common web hacking techniques. It usually occurs when you ask a user for input (as in contact forms) and the hacker gives you a SQL statement that you unknowingly run on your database.
The SQL Injection Scan checks for any SQLi vulnerabilities that can be taken advantage of to steal data from your website.
The SSL scan checks your website to ensure that users don’t see a certificate warning or error when visiting your site. If you haven’t switched to HTTPS yet, it provides a great reminder to get that done!
The TrueShield button provides your web application firewall (WAF) stats.
This includes data such as:
- Visitor statistics, which differentiate between human and bot traffic. You’d be surprised to know that most traffic that lands on your page are from bots.
- Visitors by country, which is helpful if you notice that a lot of malicious bot traffic comes from a certain IP address. You can then block that country’s IP addresses.
- Visitors by client. My website gets a number of visits from New Relic, Google Bot, and SEMRush bot.
- World map shows which regions most traffic originates from.
- Cached data. The black bar represents the total data transmitted in megabytes, while the red bar represents the total bandwidth saved while using TrueShield. Subtracting the red from the black can yield the net bandwidth, and since cloud service web hosting providers typically charge in terms of bandwidth, knowing that SiteLock saved some is certainly a useful, money-saving feature.
- Cached requests. The black bar represents the total number of requests received while the red bar represents the total number of requests saved by using TrueShield. This shows the net requests passed to origin, meaning most of the website content was served from the SiteLock network at fast speeds.
- The last section shows any threats your website may have encountered. In this case, most threats came from bot access control. However, in this case, no details were made available. You can use the details here to generate the PCI report.
Cross-Site Scripting (XSS) is another type of website vulnerability that allows attackers to inject client-side scripts into web pages viewed by other users. SiteLock’s XSS scan helps prevent attacks by scanning for XSS vulnerabilities that can be used to steal visitor data.
SiteLock Pricing Levels
SiteLock offers three subscription plans, priced at different levels depending on the type of solutions included: SecureStarter, SecureSpeed, and SecureSite.
Note that if you ever need to cancel your subscription, SiteLock requires that you call in to cancel. This is for security purposes and to ensure that your products are properly disconnected so as not to unintentionally impact your website.
Starting at $30/month, the SecureStarter plan is best for personal websites. It guards websites from malware, bad bots, and other cyber threats.
Notable features include the SMART scanner, which scans 500 pages and automatically detects and removes malware once a day; as well as the Pro WAF feature, which is used to block bad bots aiming to hack into websites (at the same time, increasing site speed).
The web application firewall (WAF) included in the SecureStarter plan supports SSL and comes with 24/7 customer service support.
The SecureSpeed plan is $50/month and promises to repair hacked websites and prevent future infections.
It includes the same features as the SecureStarter plan, but the Pro web application firewall (WAF) feature is upgraded to a Premium WAF feature. The Premium WAF feature does everything that the Pro WAF feature does, with the addition of customizable traffic filtering and the blocking of website data attacks.
Another feature introduced in the SecureSpeed plan is a one-timeEmergency Hack Repair, which covers manual malware removal and blacklist removal/suspension.
The SecureSite plan is at $70/month and is recommended for business websites as it protects websites with a combination of software and professional services.
It includes all the features of the SecureSpeed plan and upgrades the number of pages scanned to 2500 (which runs continuously, multiple times throughout the day). Instead of detecting and removing malware once a day, it does this constantly. Also, this plan offers unlimited blacklist removal and emergency hack repair (instead of just having a one-time option with the SecureSpeed plan).
The SecureSite plan also includes the INFINITY Scanner (instead of the SMART Scanner). This includes all SMART Scanner features, plus automatic vulnerability patching for WordPress, Joomla, and Drupal, as well as automatic database scanning and cleaning for WordPress sites, and the detection of website infections.
This is the plan I used and am specifically reviewing, and I highly recommend it — it grants access to a lot of value.
Final Thoughts: SiteLock Review: No BS Guide to Protect WordPress from Cyberattacks
Popular WordPress publication Torque recently posed the question, “Should You Pay for WordPress Security?” and after digging into the topic for my own blog, and those of clients, I can wholeheartedly answer, “Yes.”
My experience testing out SiteLock for this review has been mostly positive.
There have been a few situations where I had to get in touch with customer service after installing the scanner, mostly to ask about whitelisting the IP addresses of certain tools I use (like Ahrefs) that SiteLock otherwise blocked as a possible bot intrusion. Luckily, every time I had questions, I was met with a fast and friendly customer service response.
After configuring SiteLock, I feel a sense of relief in knowing that even if my website gets hacked, I have plenty of SiteLock tools I can use to automatically fix these problems, then learn more about them and why they happened, at my leisure.
The most useful SiteLock features (emergency hack repair, automatic WordPress version patching, etc.) are associated with the highest cost plans, which may not be realistic for the average blogger. But for the average small business owner, spending $70/month for the work seems like a worthwhile investment for the peace of mind it provides. That said, starting with a basic $30/month SiteLock plan can still absolutely help with the automatic detection and removal of malware for up to 500 pages.
If you’re looking for an easy way to get started, SiteLock offers a free website risk assessment to determine how likely your site is to be compromised by a cyberattack. The assessment reviews your website and calculates your risk score on a scale of low, medium, and high — ensuring you’re informed about any potential threats you might face.
After reading my SiteLock review, what other questions do you have about this security solution and WordPress security in general? I’d love to hear from you in the comments!