Over the past week I have heard from a client (and a friend) who have sites hosted on Bluehost. Obviously I can't name names, but both told me that they had gotten emails from Bluehost with the news that their sites were infected by malware (in the case of one, multiple sites).
And then this blog post concerning a false positive report for malware crossed my desk today:
I had a bit of a scare on Sunday. I got an email from Bluehost that my server had been infected and deactivated and if I did not clean it up it would be deleted in 15 days.
After the email, I called them and they said my site was infected and I would have to use a service called SiteLock to get my site back up. SiteLock told me my only choice was to purchase their minimum fee of $120 a month for 6 months. A smart person would have investigated more options but I didn’t. Like others who are in over their heads, I felt I had no choice. I gave them my credit card information and they started cleaning up my server. After their first email came back saying my site was clean, I contacted my Bluehost who told me that it was still infected and not able to be reactivated. This cycle happened a few more times, site still not restored.
That post is echoed by multiple people on Twitter, many of whom are reporting that Bluehost said their sites were infected with malware and SiteLock (a Bluehost subsidiary) said the sites were clean.
— We Teach We Learn (@WTWLedu) September 23, 2016
@bluehostsupport My client's server has been deactivated for malware issues. Sitelock saying no malware found. No response from Bluehost
— Santanu Das (@meetsantanudas) September 20, 2016
@bluehost Can U pls reactivate my services now. Theres no malware as confirmed by ur rep. Reminds me of US tryin to fnd MD weapons in Iraq.
— Harshad Ghodke (@GhodkeHarshad) September 12, 2016
It's not clear how many actually have a problem with malware, but what we can see is a worrisome pattern of Bluehost finding malware and then upselling its own malware removal service.
No matter whether there is a real problem with malware, that stinks to high heaven.
As someone who handles this kind of tech support issue at his other job, my recommendation is two-fold.
First, get a second opinion on the malware. A couple days back I wrote a post explaining how to use Sucuri to check whether your site was infected with malware.
If you were my client, this is one of the things I would be doing for you as part of a comprehensive maintenance checkup. I would install the Sucuri plugin and run its test, remove or update any vulnerable plugins or software, and then hire Sucuri to fix any problems which I can't solve on my own.
And once you've solved the immediate security issue, my long-term recommendation is that you move your website to another hosting company.
The simple fact is I have never seen a cluster of complaints like this before. Sure, sites get hacked all the time, but when we see a cluster of complaints we have to ask what all the sites have in common.
In this case, I think it is the hosting company.
I have read too many complaints about Bluehost. Their security has a terrible reputation, and I even know of a WordPress security plugin which was created specifically to deal with Bluehost's security issues.
And so if you got one of those emails from Bluehost, it is time to migrate your website(s) to another hosting company.
If you need help, drop me a line.
Who is your hosting company? Would you recommend them?
image by aag_photos