Shark repellent can be a useful product if you are near or in the ocean and have reason to be afraid of sharks. But if you live in Arizona, where sharks can only be found in aquariums, shark repellent is about as useful as a screen door on a submarine.
It’s 2018, and the internet is a dangerous and scary place full of villains out to take control of your computer, online identity, or even your website. Everyone knows this, which is why hosting companies sometimes use that fear to sell services that solve problems you don’t actually have.
Years of experience have convinced me that website security is the shark repellent of the internet; it’s a product that hosting companies will try to sell to everyone – even that metaphorical resident of Arizona – no matter whether the customer needs it or not.
I have just spent an hour explaining to an author that their hosting company may have convinced them their site was hacked and required a $60 a year security upcharge, but two different website security scanners disagreed, independently reporting that the client’s site was just fine.
To put it colorfully, my client’s hosting company was selling them shark repellent even though they live in Arizona.
This is not the first time I have had this conversation with a client, and it probably won’t be the last. I would name the company, but I don’t want to get into a fight over this. Instead, I will explain what I do when a hosting company informs me of a security issue.
I don’t trust your hosting company. Most are good guys, but there are so many companies hosting websites that it is impossible to keep track of them all. Since I often can’t tell whether they have found a real problem, or are selling me shark repellent just because they need to make their quota, it is smart to only trust companies I know well.
Instead, I get a second opinion. Sucuri has a free security scanner at sitecheck.sucuri.net. Give it the address of a website and it will tell you whether it can find malware, spam, defacements, etc.
I have found Sucuri to be 100% accurate, and if it says I don’t have a problem then I don’t have a problem. But as the saying goes, you can’t be too careful, which is why I get a third opinion. If I have the option, I install a plugin from one of Sucuri’s competitors – Wordfence, for example – and use that plugin to scan the possibly infected website.
If both of the security scanners tell me there is no problem then I’ll believe them. But if they disagree, or if they both say the site has been hacked, then it is time to bring in an expert to fix the problem.
My first choice is Sucuri, although if the client is on a budget I would instead give them one of my few remaining lifetime licenses for MalCare (I got the licenses at a discount).
Under no circumstances would I pay the hosting company to fix the issue because I would want someone whose main focus was security, not running a hosting company.
But that’s just my opinion based on years of running and fixing websites.
Other techs could reach different conclusions.
The business model is not much different than the sales companies that try to add on “extended warranties”.
I frequently see articles reporting that researchers found x number of sites with known vulnerabilities. Perhaps hosting companies should be at least partially responsible for the security of sites they host.
Well, the thing about site security is that sometimes you really do have a problem. Extended warranties, on the other hand, are usually worthless.