Hosting guide on LaunchPad Host

The SiteLock + Bluehost/HostGator Malware Upsell: How the Scam Works

By Priya Menon · Infrastructure Lead
Published April 19, 2026 · 11 min read

Key Takeaways

  • Bluehost, HostGator, iPage, Site5, FatCow, Constant Contact and ~70 other brands are Newfold Digital (rebranded EIG) — same company, same support infrastructure, same SiteLock pipeline.
  • SiteLock cleanup quotes documented: $199 base, $300 typical, $500 for two domains, $720 annual, and one reported case demanding $5,250 more after initial service.
  • BBB has hundreds of complaints specifically about SiteLock billing and false-positive malware flags tied to EIG hosts.
  • Third-party security researchers (White Fir Design) have documented cases where SiteLock flagged sites that were genuinely clean — and continued sending warnings months after the user left the host.
  • Moving off Newfold-owned hosts is the only structural fix. Staying and paying for SiteLock does not solve the underlying incentive problem.

The ownership structure you're not told about at signup

Understanding why this happens requires understanding who owns what.

Endurance International Group (EIG) → Newfold Digital
Formed by private-equity rollup in 2011. Acquired Bluehost (2010), HostGator (2012), iPage, FatCow, A Small Orange, Site5, Constant Contact, Arvixe, JustHost, Hostmonster, and dozens more over the following decade. Rebranded to Newfold Digital in 2021 after persistent customer complaints associated the EIG name with cost-cutting and support decline.
SiteLock
Founded as a separate company, but according to multiple industry sources (White Fir Design has the most detailed documentation) one of SiteLock's principal owners was simultaneously in a CEO role at EIG during the period of the tightest revenue-sharing partnerships. SiteLock is now a separate entity under different ownership, but the established referral pipeline from Newfold hosts to SiteLock remains the documented source of most complaints.
The revenue-sharing contract
Multiple industry write-ups reference a ~55% revenue share flowing from SiteLock back to the referring Newfold host. This is the incentive structure that makes false-positive flags profitable rather than merely embarrassing.

None of this is illegal. It becomes a consumer-protection issue when the host's "independent" malware warning is economically equivalent to a commissioned sales call.

The pattern, step by step

  1. Email arrives: "We have detected potential malware on your site." The email sounds urgent and technical. Wording references specific-sounding threats like "shell script," "backdoor," or "phishing kit."
  2. Site may or may not be suspended. Sometimes the site stays up but with warnings on future visits; sometimes it's immediately suspended with a 503 page.
  3. Phone call within 24 hours from a "security specialist." The call follows a scripted pattern: acknowledgment of the problem, urgency framing ("your visitors may be infected"), and a recommendation for SiteLock.
  4. Initial quote: $199-$500. Pressure to purchase immediately to prevent "further damage."
  5. Service begins, and in documented cases: (a) the site stays broken, (b) malware isn't found, (c) the customer is asked for additional payment for directories or extra domains.
  6. False-positive confirmation: some customers have escalated to Bluehost/HostGator tier-2 support and been told there was no malware after all — but by then the SiteLock charge has cleared.
  7. Warnings continue: some users have reported SiteLock warnings months after leaving the host entirely, raising questions about whether flagging is based on actual scans or commercial lists.

Specific cases with dollar amounts

These are documented cases from security-industry blogs, forums, and complaints boards. Not rumors — named sources with dates.

Case: HostGator customer, extortion-style escalation
Initial quote: $500 for 2 domains (cleanup promised)
Actual outcome: Sites inaccessible within 24 hours of service start; SiteLock demanded an additional $5,250 to scan 19 more directories; customer wrote "This is not a professional team that works together."
Source: White Fir Design blog, Oct 2024 review

Case: Bluehost customer, 6 weeks of downtime
Initial quote: SiteLock monitoring included with hosting bundle
Actual outcome: Site went down repeatedly despite monitoring; only generic automated emails every two days; characterized as "mediocre or nonexistent."
Source: White Fir Design blog

Case: GoDaddy customer, spam complaint
Initial quote: $199 demanded after a single spam report
Actual outcome: Customer described "one spam complaint" triggering the charge; no cleanup, no investigation described.
Source: Warrior Forum discussion

Case: HostGator customer, 25 days of silent suspension
Initial quote: SiteLock upsell, amount varies
Actual outcome: Account suspended for 25 days over a malware claim; tier-2 support later confirmed no malware existed.
Source: Documented in multiple forum threads

Case: SiteLock "911" emergency removal
Initial quote: $199 one-time
Actual outcome: Links removed from blog posts that did not require cleanup; customer paid because the "911" framing implied urgency.
Source: White Fir Design, BBB complaints

The range of quotes varies wildly: $199 to $5,250 within the same ecosystem. This variance is itself a signal — legitimate cleanup services have predictable pricing based on site size. Wildly variable quotes suggest the number is whatever the customer appears able to pay.


What BBB complaints actually document

The Better Business Bureau maintains a complaint record for SiteLock. The patterns described here are drawn from the public-facing complaint summaries.

BBB complaints are not proof of wrongdoing — they're a record of customer frustration. But the volume (hundreds of complaints over many years) and the consistency of themes (false positives, billing issues, high-pressure sales) aligns with the independent security researcher findings. That convergence is why we're willing to call this a documented pattern rather than a collection of anecdotes.

When the malware is real: the clean path

Sometimes the flag is right. Your WordPress install got compromised, there's a real shell in wp-content/uploads, and something needs to happen. Here's the non-scammy path:

  1. Verify independently. Run your site through at least two of: Sucuri SiteCheck (the free scanner, not the paid product), the VirusTotal URL scanner, Google Safe Browsing diagnostics, or a Wordfence scan. If every scanner you ran comes back clean and your host's SiteLock flag is the only warning, it's almost certainly a false positive.
  2. If real: clean manually or hire a flat-fee pro. Wordfence Premium ($119/year) includes human-assisted cleanup. Malcare offers $99 one-time cleanup. Sucuri's own direct service (not through GoDaddy) is $199-$499 one-time, and they're a legitimate security company — just don't buy their product through the GoDaddy referral.
  3. Replace all plugins with clean copies from wordpress.org. Don't trust any file on the server. Re-upload WordPress core, re-install themes from the official source.
  4. Rotate every credential. WP admin password, database password (via wp-config), SFTP/SSH, hosting panel, any API keys.
  5. Figure out the root cause. Usually an outdated plugin with a known RCE, a weak admin password that got brute-forced, or a shared-hosting neighbour with a worse problem. If you don't fix the root cause, you'll re-infect within weeks.
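
Steps 3 and 5 above (and the "take a forensic copy, then confirm what's actually there" advice in the FAQ) come down to one question: which files on the server differ from what WordPress shipped, and what is sitting where no executable code belongs? The script below is an added example, not code from the original article or from any vendor it names. It compares an install against a checksum manifest in the shape WordPress publishes per version (relative path to MD5) and also flags PHP files under wp-content/uploads. The manifest and the sample install here are constructed for the demo; a real run would fetch the manifest for the installed version and point the audit at the real document root.

```python
import hashlib
import os
import tempfile

# Constructed stand-in for the per-version core manifest (relative path ->
# md5). Real audits download the manifest for the installed version.
SAMPLE_CORE = {
    "wp-settings.php": "<?php // constructed clean core file\n",
    "wp-load.php": "<?php // constructed clean core file\n",
    "wp-cron.php": "<?php // constructed clean core file\n",
}
SAMPLE_CHECKSUMS = {p: hashlib.md5(c.encode()).hexdigest() for p, c in SAMPLE_CORE.items()}

def md5_file(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def audit_wordpress(root, checksums):
    """Return {'modified': [...], 'missing': [...], 'unexpected_php': [...]}.
    'unexpected_php' lists PHP files under wp-content/uploads, where
    WordPress never places executable code, so anything there is suspect."""
    report = {"modified": [], "missing": [], "unexpected_php": []}
    seen = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            seen.add(rel)
            if rel in checksums:
                if md5_file(full) != checksums[rel]:
                    report["modified"].append(rel)
            elif rel.startswith("wp-content/uploads/") and rel.endswith(".php"):
                report["unexpected_php"].append(rel)
    report["missing"] = sorted(set(checksums) - seen)
    for key in report:
        report[key].sort()
    return report

def build_sample_site():
    """Constructed install: one core file tampered, one deleted, one PHP file
    dropped into uploads/. Returns the temporary document root."""
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_CORE.items():
        if rel == "wp-cron.php":
            continue  # simulate a deleted core file
        if rel == "wp-load.php":
            content += "// constructed injected line\n"  # simulate tampering
        with open(os.path.join(root, rel), "w") as f:
            f.write(content)
    os.makedirs(os.path.join(root, "wp-content", "uploads", "2024"))
    with open(os.path.join(root, "wp-content", "uploads", "2024", "image.php"), "w") as f:
        f.write("<?php // constructed placeholder, not real malware\n")
    return root

if __name__ == "__main__":
    print(audit_wordpress(build_sample_site(), SAMPLE_CHECKSUMS))
```

Run the audit against the forensic copy, not the live server, and treat every entry in all three lists as something to explain before you trust the install again.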

The honest market rate for a one-time WordPress malware cleanup is $99-$300. Anything substantially above that is an upsell, not a service.

How to escape the Newfold ecosystem

The only structural fix is leaving. Staying on Bluehost/HostGator and "just not buying SiteLock" doesn't help — the next suspension pushes you back into the same pipeline.

The Newfold Digital brand list (partial, as of 2026)

Bluehost, HostGator, iPage, FatCow, JustHost, Site5, Hostmonster, A Small Orange, Arvixe, TypePad, Domain.com, MOJO Marketplace, Constant Contact (email marketing — separate issue but same parent), Yoast (acquired 2021), and many smaller white-labels. If you're considering a new host and their pricing looks suspiciously like Bluehost/HostGator, check the WHOIS of their billing/support domains — Newfold brands share infrastructure.

Migration checklist

  1. Pick a non-Newfold host. Privacy-first options (like LaunchPad Host) or reputable independents (SiteGround has its own issues but isn't Newfold; A2 Hosting is independent; Cloudways for managed).
  2. Back up your site offsite before touching the Newfold account. UpdraftPlus to Backblaze B2 or similar — do not use the host's native backup, which lives on the same account.
  3. Verify the backup by restoring it locally (LocalWP or a test VPS) before you trust it.
  4. Stand up the site at the new host on a temporary subdomain or hosts-file entry. Make sure it works.
  5. Update DNS (via Cloudflare, not via the old host's DNS) to point at the new host.
  6. After 48 hours of the new site serving cleanly, cancel the Newfold account. Get the cancellation in writing.
  7. Dispute auto-renewals on your card issuer if they occur — Newfold brands have documented auto-renewal issues. Card issuers side with customers on "service cancelled but charged" disputes.

LaunchPad Host is designed as a specific alternative to this ecosystem: fixed pricing (no renewal cliff), no security-product kickbacks (we don't resell SiteLock, Sucuri, or anyone else — our Scale plan includes ModSecurity + Imunify360 at the server level, already paid for), and documented incident response instead of a phone call from a "security specialist" reading a script. Compare that to the pattern above and pick accordingly.

Frequently Asked Questions

Do Bluehost or HostGator deliberately plant malware to sell SiteLock?
No. There is no credible evidence any mainstream host deliberately plants malware. What IS documented: (a) false-positive flags where no malware exists, (b) slow patching of real vulnerabilities that let third-party attackers infect sites, and (c) the FTC's 2025 action against GoDaddy for "lax data security" that enabled real breaches on customer sites. The problem is incentive misalignment plus bad security — not deliberate planting.

Is SiteLock itself a scam?
The core product (vulnerability scanning, malware removal) is a real service. The issue is the delivery model: false-positive flags, aggressive upselling, price variability, and billing practices that prompted hundreds of BBB complaints. A security product sold without predatory sales tactics is fine; the SiteLock-via-EIG pipeline has repeatedly crossed that line.

Is Sucuri the same story as SiteLock?
Sucuri is a legitimate security company and was a respected brand in the WordPress security community. GoDaddy acquired them in 2017. The Sucuri product sold directly (sucuri.net) is still reasonably regarded. The GoDaddy Website Security product "powered by Sucuri" has more complaint volume — same technical engine, different sales pressure.

What should a one-time malware cleanup cost?
$99-$300 is the honest range for a one-time cleanup of a typical WordPress site. Wordfence Premium includes human-assisted response at $119/year. Malcare is $99 one-time. Direct Sucuri is $199-$499. If you're quoted significantly more, get a second opinion before paying.

Can I get my money back from SiteLock after a false-positive flag?
Hard but possible. Steps: (1) get the original flag report in writing from your host, (2) scan the affected site with Sucuri SiteCheck, Wordfence, and Google Safe Browsing and save the results, (3) file a BBB complaint — SiteLock responds to these, (4) if you paid by card within the last 60-90 days, initiate a chargeback citing "service not rendered as described," (5) if you're mid-subscription, cancel auto-renewal immediately through your bank, not through SiteLock.

Does Newfold still push SiteLock specifically?
The revenue-sharing relationship has evolved and specifics are proprietary. Newfold now offers multiple security products beyond SiteLock (including "Newfold Web Security" and resold options). The referral pattern and upsell pressure during malware suspensions remain documented in recent reviews. Regardless of which specific security vendor Newfold is currently pushing, the underlying conflict — host flagging → upsell revenue — is the structural problem.

Does moving to an offshore or privacy host avoid this problem?
Not automatically. Some small offshore hosts also resell security products. What matters is (a) whether the host has revenue-share deals with the security vendor, and (b) whether they publish their security stack up front. Ask directly: "Do you receive commission from any security product you recommend?" A host that answers no in writing is the baseline; a host that includes enterprise-grade server security in the base plan (like we do with ModSecurity and Imunify360 on Scale) removes the incentive entirely.

What should I do if my site really is infected?
First: take the site offline manually (replace index.php with a maintenance page) so it doesn't spread. Second: make a full backup of the infected state before cleaning anything — you need it for forensics. Third: run three independent scanners (Sucuri SiteCheck, Wordfence, VirusTotal) to confirm what's actually there. Fourth: either clean it yourself with Wordfence's guided cleanup or hire a flat-fee pro ($99-$300 range). Do NOT pay your host's recommended vendor through their sales pipeline — go direct to the vendor or pick a different one.
