This is long. You may want to get comfy and grab some popcorn.
First of all …
I felt it was only fair to give this exchange some context by showing you a video that explained what I was asking the host (Bluehost) to do for my client. So, here it is:
To understand how this started, I have to tell the initial story.
Two clients contacted me in the same week about getting malware notices from Bluehost. (They are just two of the many I have had to help with this exact issue lately.) One was just a warning, the other was completely disabled. The client that had contacted me because she received a notice from Bluehost about her account getting shut down for malware forwarded me the e-mail she received. I’m going to print the e-mail here exactly as it was received so that you can see it, with the minor change of removing some identifying information.
Your DOMAIN account has been deactivated due to the detection of malware. The infected files need to be cleaned or replaced with clean copies from your backups before your account can be reactivated.
We created the malware.txt document in your home directory that contains a list of possibly malicious files for you to inspect. We cannot guarantee it is a complete list, and it may contain false positives — meaning files that look malicious but aren’t.
To thoroughly secure your account, please review the following:
* Remove unfamiliar or unused files, and repair files that have been modified.
* Update all scripts, programs, plugins, and themes to the latest version.
* Research the scripts, programs, plugins, and themes you are using and remove any with known, unresolved security vulnerabilities.
* Update the passwords for your hosting login, FTP accounts, and all scripts/programs you are using. If you need assistance creating secure passwords, please refer to this knowledge base article: https://my.bluehost.com/hosting/help/418
* Remove unused FTP accounts and all cron jobs.
* Secure the PHP configuration settings in your php.ini file.
* Update the file permissions of your files and folders to prevent unauthorized changes.
* Secure your home computer by using an up-to-date anti-virus program. If you’re already using one, try another program that scans for different issues.
You may want to consider a security service, such as SiteLock, to scan your website files and alert you if malicious content is found. Some packages will also monitor your account for file changes and actively remove malware if detected. Click here to see the packages we offer: https://my.bluehost.com/cgi/sitelock
We also offer Site Doctor, an in-house cleaning solution that locates and repairs damage caused by hackers, viruses, and malware to ensure your site is up and running properly. For more information, please visit: https://my.bluehost.com/cgi/services/site_doctor
Please remove all malware and thoroughly secure your account before contacting the Terms of Service Department to reactivate your account.
You may be asked to find a new hosting provider if your account is deactivated three times within a 60-day period.
Bluehost Terms of Service Compliance
For support, go to http://my.bluehost.com/cgi/help
I’d like to give you a bit of background information so that you can see this letter from a place of experience without having to Google all of it. Here are my notes:
- Site Doctor is a $249.99 removal service which is only guaranteed for 30 days and only updates the software on your site (preventing reinfection) if you have installed the software via Bluehost’s script installers.
- SiteLock runs $29.99 to $503.90 per year. At the lower levels, they will detect but not repair malware. At other levels, they use automated malware removal scripts. At no time do they do the basic things that would protect your site such as updating it or auditing it for WordPress vulnerabilities.
- Both services are sold as a complete solution to the average user who doesn’t have in-depth knowledge of WordPress security and best practices. (They are not.)
- A quick search on Google can tell you just how reliable these services can be. People have paid for repeat cleaning services from Site Doctor after being reinfected, have been hacked even with SiteLock installed, and thought they were protected but they were not. (I have fixed many “I thought I was protected” sites.)
- These services are also sold through other EIG-related hosting companies (HostGator, JustHost, etc), many of which also have reinfections and bad service. Bluehost just seems to be having the most problems right now, and my experience with them in the past few weeks has been the worst.
- My average client, and Bluehost’s average client, has no idea what most of those bullet points mean nor how to accomplish those things once their hosting has been deactivated. Therefore, it leaves them with no other option than paying for these services.
- Most people feel like they trust their hosting company, and they tend to take the advice the hosting company gives them. They also don’t have a lot of experience with other hosting companies, and they don’t have a frame of reference to judge the advice they are given.
- At no time does Bluehost ever provide easy instructions in simple language, give a list of companies that provide security services, or suggest contacting a developer for assistance. This e-mail definitely feels like it is geared towards making money for Bluehost.
- As Bluehost has disabled its support ticket system, the only way to contact anyone is now to open a chat and sit there for a very long time. You even have to pass through a person or two to get to the department that handles this.
And now for the call …
My goal of chatting with Bluehost was to get them to rescan these sites. With 2 clients infected in the same day, and with Bluehost not offering any scanning services, I was just following the e-mail instructions to get a scan done. They had offered it to my clients, after all, so it didn’t seem like a difficult request to make. This is how it went:
[Initial Question] Provider: Bluehost – My Domain is: “[domain1.com]” I need to get the site scanned and get that malware.txt file placed at the root.
(1:43) [Prashanth] Hello Nikole, thank you for contacting support. Your patience is greatly appreciated.
(1:43) [Prashanth] Could I get the last 4 characters of the cPanel password to verify ownership of the account?
(1:43) [Nikole] I actually have 2 of them, let’s fix them both now that I finally have someone on the line …
(1:43) [Nikole] #1 here
(1:43) [Nikole] [domain1.com]
(1:43) [Nikole] last 4
(1:44) [Nikole] [lastfour]
(1:44) [Prashanth] Thank you for validating.
(1:44) [Nikole] I need this whole account scanned and the malware.txt file placed at the root so we can get it off your list
(1:45) [Prashanth] I could see that your account is not infected with malware.
(1:46) [Prashanth] we don’t create malware.txt if the account is not deactivated.
(1:46) [Nikole] then why did you email that?
(1:46) [Nikole] that is what the email says
(1:46) [Nikole] “Please contact our Terms of Service Team to have your public_html directory scanned for malware. They will create a malware.txt document containing a list of possibly malicious files for you to inspect. We cannot guarantee it is a complete list and it may contain files that our scan determined to be malicious but are actually benign.”
(1:49) [Prashanth] okay, the file will be ready in 1 hour.
(1:49) [Prashanth] You can see that file on your Home directory.
(1:49) [Prashanth] on File manager.
(1:49) [Nikole] okay
(1:49) [Nikole] I need it done for one more place, can we do that?
(1:50) [Prashanth] let me know the place where you need to done?
(1:52) [Prashanth] Are you here ?
(1:52) [Nikole] hi yes i am looking for you
(1:52) [Nikole] you need domain and the last 4?
(1:53) [Prashanth] Yes.
(1:53) [Nikole] [domain2.com] is the domain
(1:53) [Nikole] let me get the last 4
(1:56) [Nikole] [lastfour]
(1:56) [Prashanth] Thank you for validating.
(1:56) [Nikole] I think this one is currently deactivated and needs to be scanned again
(1:57) [Prashanth] You had a malware.txt already on that account.
(1:57) [Nikole] yes
(1:57) [Nikole] and we fixed
(1:58) [Prashanth] Okay.
(1:58) [Prashanth] Thank you so much
(1:58) [Nikole] I renamed it OLD
(1:58) [Nikole] so feel free to make a new one
(1:59) [Prashanth] We provide 1 as a courtesy to give you a VERY SLIGHT idea of where the hack might be, but it’s not 100% accurate. The malware.txt is only an example of the infection.
(1:59) [Prashanth] You need to use malware removal tool SiteLock fix to clean your account.
(1:59) [Nikole] I’m aware of the recommendation
(1:59) [Nikole] we just want the account reactivated
(1:59) [Prashanth] if you remove the files listed on malware.txt then your account will not be free from malware contents.
(2:00) [Prashanth] You need to use SiteLock fix to clean your account.
(2:00) [Nikole] I just want the account reactivated
(2:01) [Prashanth] It can’t be reactivated until you clean your account by using SiteLock fix and Site Doctor malware removal tool.
(2:01) [Nikole] Are you telling me the only way to reactivate this is to purchase your product? Why can they just not scan and reactivate?
(2:01) [Nikole] Please scan the account and reactivate.
(2:02) [Prashanth] The site is still infected with malware.
(2:02) [Nikole] how do you know that without scanning?
(2:03) [Prashanth] https://sitecheck.sucuri.net/results/[DOMAIN-OMITTED]
(2:05) [Nikole] I’m sorry but that is the most idiotic thing I think I have seen a Bluehost tech do. You can’t possibly rely on cached results of a Sucuri scan when it can’t be repeated due to the site being disabled.
(2:05) [Nikole] Now please scan the account so it can be reactivated immediately and stop this disgusting behavior.
(2:06) [Prashanth] Please contact Terms Of Service Department.
(2:06) [Nikole] I can’t contact your terms of Service Department because it won’t let me make a ticket anymore, all I get is this chat!
(2:07) [Prashanth] If you wish I can transfer your chat to TOS dept. now.
(2:07) [Nikole] Then please do because obviously you are unwilling to help me.
(2:13) [Adam] Thank you for contacting our Terms of Service Department. I apologize for your wait. My name is Adam. In order to assist you, I will need to validate your account.
(2:13) [Adam] May I have the last 4 characters of your cPanel/Hosting password??
(2:13) [Adam] I will also need the primary domain on your hosting account.
(2:13) [Nikole] yes let me get it
(2:13) [Nikole] [domain2.com] / [lastfour]
(2:16) [Nikole] I need the account to get rescanned so it can be reopened and she can work with it further
(2:19) [Adam] Thank you for validating.
(2:19) [Adam] Please allow me a few minutes to look into that for you.
(2:23) [Adam] You are still very much infected, and cannot be reactivated at this time.
(2:23) [Adam] You have 3 options
1) If you are familiar with code, identifying code, and altering code, you can do it yourself. Unfortunately, when you do it on your own, it means going through every single file on your account, 1 by 1, and removing the injected code. You will want to be very careful as there is good code mixed with the injection and removing any code incorrectly can permanently ruin that file.
2) Purchase Site Doctor which will also clean the account, but only carries a 30 day warranty. It generally takes about 1 business day to complete Site Doctor as it is a very detailed and manual process. They will email you with a report of how to keep things secure and explaining what was removed and after it is cleaned, the account will be reactivated. ($249.99)
3) Purchase Sitelock Prevent which will clean the entire account in 4-18 hours and protect the entire account for a year. I have never seen it be hacked on our servers. ($500)
(2:24) [Nikole] how do you know that, did you scan the site? where is the malware.txt file?
(2:24) [Adam] I’m happy to create a new one, but many of the infections won’t show on it.
(2:24) [Adam] The malware.txt is only an example of the infection. It does not contain a complete list of infected files, and may contain some false positives. You will need to go through every single file on the account, 1 by 1, and remove the infection. Please be careful removing any code as it can render your site unusable, and restores are not available on infected accounts.
(2:25) [Nikole] I don’t understand how you can say it is infected when you have not even scanned it
(2:25) [Adam] Please be aware, you will be unable to send any email, and no domain on your account will load a website until your account is clean.
(2:25) [Adam] I scanned it
(2:25) [Adam] I don’t use malware.txt to find it, I have my own tools
(2:25) [Nikole] You scanned it but didn’t produce a report?
(2:25) [Adam] Not going to argue with you.
(2:26) [Adam] Please contact us back once you have cleaned all 47,592 files on the account. You’ll need to go through them 1 by 1.
(2:26) [Adam] Or if you purchase Site Doctor, which will clean it all for you.
(2:26) [Nikole] Your email to your customers promises that you will scan it and provide a report. If you have shut this account down for a week with no way to resolve this issue, you need to provide a report.
(2:27) [Adam] No, I don’t
(2:27) [Adam] malware.txt is provided as a courtesy only, and carries no guarantee or warranty.
(2:27) [Adam] Until you have cleaned it, the account remains deactivated.
(2:27) [Nikole] So you can just close her account indefinitely with no way to get her files or clean it or ?
(2:28) [Nikole] We wanted to just take the sites but you said your backup server was down and we could not get a cpanel backup.
(2:28) [Nikole] You gave her this file to clean and refuse to provide another one.
(2:28) [Adam] All backups are infected anyway, so taking the files, is taking malware with you.
(2:28) [Nikole] And now you threaten me with going through every single file like you saw a female name on this chat and thought I would play that game?
(2:29) [Adam] PLEASE READ WHAT I SAID.
(2:29) [Nikole] Yes I’m aware that the cpanel back up would be infected.
(2:29) [Adam] [2:24:51am] Adam : I’m happy to create a new one, but many of the infections won’t show on it.
(2:30) [Adam] Malware.txt will be created in 3 hours, you may reference it, but it does not have a complete list.
(2:30) [Adam] Please contact us back once you have cleaned the account, or purchased a professional cleaning solution.
(2:30) [Nikole] how does she prove that her site is clean then?
(2:31) [Nikole] Are you creating the malware.txt file now?
(2:31) [Adam] No, it will be created in 3 hours, as I just stated
(2:31) [Nikole] I was asking if it is currently processing
(2:31) [Nikole] If there is nothing in it, how does she prove the account is clean?
(2:31) [Adam] She contacts us back, if we find malware, we leave it deactivated, if it’s clean, we reactivate it
(2:32) [Adam] She will need to go through every single file on the account.
(2:32) [Nikole] Does she just take your word for it that your “secret tools” say otherwise?
(2:32) [Adam] I have provided you the solutions. Terms of Service does not need to justify taking an account down, or reactivating it. Please review the Terms of Service agreement that was agreed to upon account creation.
(2:33) [Nikole] And we have actually already done your solutions.
(2:33) [Nikole] I’m just saying, how does she then prove it?
(2:34) [Adam] She doesn’t have to prove anything, we scan it, if infected, we don’t reactivate.
(2:34) [Nikole] and you are the only one who can see these scans?
(2:34) [Adam] We do not walk you through cleaning it, nor do we give hints. We provide the malware.txt as a courtesy only.
(2:34) [Adam] Correct
(2:35) [Nikole] do you have any plans of fixing the backup server so she can finally get a cpanel backup?
(2:36) [Adam] The backup server has no ETA for resolution fix.
(2:36) [Nikole] how are people supposed to get a cpanel backup for their sites?
(2:37) [Nikole] email, domains, all files and so on
(2:38) [Adam] https://my.bluehost.com/cgi/help/312
Our backup policy
(2:38) [Adam] You are welcome to download your files via file manager or ftp.
(2:38) [Nikole] that doesn’t help for people using email and domain service
(2:39) [Nikole] That link you gave me says that “Customers are encouraged to run periodic backups through the provided cPanel.” but you can’t make a cpanel backup through the cpanel, there is no option.
(2:39) [Adam] it does, you can download the mail and etc folder, which contains that data.
(2:39) [Adam] Bluehost does not offer redundant or mirrored backups. Bluehost will run courtesy backups at our discretion. Any backups that Bluehost runs are in addition to our Terms of Service and are not guaranteed
(2:40) [Adam] Please contact us back when you have cleaned the account, there is nothing further to discuss.
The summary …
The malware.txt files provided by Bluehost were useless in this situation. I feel like they literally copied a list of all files in the account and pasted them into a text file. In fact, I had replaced some files minutes before their “scan” and they included the replaced files in their results as infected. They also included files that can’t even possibly contain malware, as they are non-executable files like .txt files and error_log (text) files. At worst? It felt very dishonest and made me uncomfortable on behalf of my clients. The average WordPress user would have no idea what was in that file, wouldn’t know that it was 99.9% false positives, and would be coerced into buying this product.
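A triage pass of the kind described above, written here as an added example (it is not the author’s script and not Bluehost’s tooling): it takes a malware.txt-style listing, marks entries that match a known-good copy or that a PHP host will never execute, and flags only executable files carrying common injection markers for manual review. Every path, file body and hash is constructed; the “non-executable” label is only “likely” a false positive, since a text file can still hold a payload that an injected include pulls in.

```python
"""Triage a host-supplied malware.txt listing (constructed sample data)."""
import hashlib
import os
import re

# File types a shared PHP host will execute or interpret; anything else
# cannot run on its own and is most likely a false positive in the listing.
EXECUTABLE_EXTS = {".php", ".phtml", ".php5", ".phar", ".js", ".htaccess"}

# Common markers of injected, obfuscated PHP that merit a manual look.
SUSPECT_RE = re.compile(rb"(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(path: str, data: bytes, known_good: dict) -> str:
    """Label one listed file; known_good maps path -> sha256 of a clean copy."""
    name = os.path.basename(path)
    # Dotfiles such as .htaccess have no "extension" for splitext; use the name.
    ext = name.lower() if name.startswith(".") else os.path.splitext(name)[1].lower()
    if known_good.get(path) == sha256(data):
        return "matches known-good copy (false positive)"
    if ext not in EXECUTABLE_EXTS:
        return "non-executable file (likely false positive)"
    if SUSPECT_RE.search(data):
        return "executable file with injection markers (inspect)"
    return "executable file, no markers (diff against a clean copy)"


def triage(listing: str, files: dict, known_good: dict) -> dict:
    """files maps path -> bytes; returns path -> label for every listed path."""
    results = {}
    for line in listing.splitlines():
        path = line.strip()
        if not path:
            continue
        if path not in files:
            results[path] = "not present (already removed or replaced)"
        else:
            results[path] = classify(path, files[path], known_good)
    return results


# Constructed sample: a clean core file, a theme header with an injection,
# two text files a scanner should ignore, and a path that was already removed.
CLEAN_INDEX = b"<?php\nrequire __DIR__ . '/wp-blog-header.php';\n"
FILES = {
    "public_html/index.php": CLEAN_INDEX,
    "public_html/wp-content/themes/demo/header.php":
        b"<?php eval(base64_decode('aGVsbG8=')); ?>\n<!DOCTYPE html>\n",
    "public_html/error_log": b"[01-Jan-2018 00:00:00] PHP Warning: demo\n",
    "public_html/robots.txt": b"User-agent: *\nDisallow:\n",
}
KNOWN_GOOD = {"public_html/index.php": sha256(CLEAN_INDEX)}
MALWARE_TXT = "\n".join(FILES) + "\npublic_html/wp-content/plugins/old/x.php\n"

if __name__ == "__main__":
    for path, label in triage(MALWARE_TXT, FILES, KNOWN_GOOD).items():
        print(f"{label:55} {path}")
```

On a real account, KNOWN_GOOD would be built from a fresh download of the same WordPress, theme and plugin versions, so that core files the host listed are cleared by hash rather than by eye.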
The person from ToS (Adam) used several tactics to attempt to scare me into purchasing the products, including the phrases “once you have cleaned all 47,592 files on the account” and “going through every single file on your account”. He also followed the same tactics as the e-mail, only giving me the false dichotomy of purchasing their products or suffering through this thing. He called backups a mere “courtesy” even though Bluehost’s own documentation instructs you to make them. For some reason unknown to me, his creation of another malware.txt file took approximately 2 hours longer than it took for the first tech to make one for the other account. He admitted they do have the tools to scan the site, but that they don’t offer them to the public because it’s not his job to “give hints” – and if they find something bad, they don’t have to tell you what it is. (Can you imagine being arrested without a list of charges?) To wrap it all up, he basically closed the door in my face at the end.
On the first domain, we moved the sites as an entire cpanel, and they scanned clean upon arrival to Liquid Web. (I had manually cleaned them at Bluehost but their scan of the files did show malware still present.) The client was able to transition smoothly without outage.
On the second domain, we had to move all the sites individually as their cpanel backups were down and they couldn’t give us the files after multiple tries. Once on Liquid Web, I ran a scanner on the files and found only 5 to be infected – mostly header and theme files. Her sites (and the client sites she was developing in her account) were down for about 2 weeks in total.
Is any of this legal? I can’t answer that question. It sure feels like extortion to me, but I am not a lawyer. I can say that it’s not the best way to honor your customers nor protect your servers. I have seen people describe these things in more nefarious terms online, suggesting that they were infected right after they received a sales call from SiteLock. Is there evidence of this? I doubt you could prove it. But it does make me seriously question their motives and what they have going on over there.
So … I’m a developer. I have been a developer for nearly 30 years. I have specifically focused on security for the last 5 years. After reading this … how do you think the average website owner or Bluehost customer fares with all of this?
I got into this little Twitter tiff with Bluehost right after it happened. They asked me to e-mail my chat transcript to them, which I did right after their request. Hours after writing this blog post today, and long after I had forgotten I’d even e-mailed them, they replied back to me:
Thank you for contacting us but I am not exactly sure what your question is. If you still have a question please reply to the ticket with your concern.
Fantastic. It took them 15 days to respond to a support request and this is the best they could do?