SecureDash Review
POS:
Provides modest security and monitoring
NEG:
Not really 'strong' security, not going to prevent most attacks it claims to
Today I am doing a review of a new security software called SecureDash
I became interested in this software because unfortunately we live in an age where websites get hacked every single day. Bored 16 year old kids with big brains and social awkwardness do it for fun. Twenty somethings do it for revenge or to make a statement. Older people do it for profit. As internet marketers we rely on our websites and the truth is that most websites are not very secure at all and we can lose countless hours of work and potentially thousands of dollars in income if our sites are hacked.
SecureDash is a cloud based software that claims to be the answer to our problems. It claims that with it, anyone can secure their site in as little as 60 seconds just by copying and pasting some code. Here is a list of the attacks it claims to protect its users from.
*NOTE: The image of SecureDash was removed in response to a DMCA Complaint that the vendors of SecureDash filed in a pathetic attempt at silencing this honest review.
In order to test this I was given access to a ‘JV account’ that is a shared account that was given to everyone the vendors are trying to get to promote this as an affiliate. Most of the people who got this access are going to pop in, have a look around, perhaps put the ‘security code’ on their site, and that will be that. Most affiliates are not professional software developers, I am, so I took a much more in depth look at this system. I had a look at the ‘security code’ and I even tried to hack (a little) one of the other affiliates sites that was testing this (he does not know I did that). Let me explain to you what I found.
First off, I noticed that the very first ‘attack’ that this system claims that it will protect against is DDOS. DDOS stands for Distributed Denial Of Service. This is basically an attack where the attacker uses dozens, hundreds, or even thousands of machines to send an overwhelming amount of traffic to a website in order to ‘bog it down’ so no one else can access it. Imagine if I had 500 people call your phone over and over, no one else could call you, because you would always be busy with the garbage calls I am having people make. That’s basically what a DDOS attack is.
Now I’m not going to go into a lot of depth explaining how the ‘security code’ that you get from SecureDash works, but I will say this. It will not prevent a DDOS. It might let you know that one is happening, but it for sure won’t prevent it. In fact it also won’t even be super useful in helping you stop it once it starts happening. I let one of the vendors know this:
The response I got was not really so great. I was basically told that DDOS was just one of the attacks SecureDash protects against (even though it doesn’t) and that it allows you to ban people via IP address (it sort of does but not really, more on that later). Honestly I felt like my concern was just being blown off and not answered. Unfortunately that does not change the fact that SecureDash is not going to stop a DDOS, so we can scratch that one off the list.
Two other attacks that this has listed jumped out at me right away besides DDOS. First was Phishing, which makes no sense at all. Phishing is where a site (or email) pretends to be something it’s not. It’s an attack on the internet user, not the website. The second was Waterhole attack, which really is not a specific attack in the first place but more like an overall hacking strategy. Honestly at this point I felt like the creator of this system just put up a bunch of hack sounding terms, even if they made no sense, and said it protects against them in the hopes that the majority of users would not be technically proficient enough to realize that using them in this context makes little sense.
But there were some legitimate attacks listed here that happen on websites (such as SQL Injection) so I decided to keep testing anyway. That’s when I found the huge weakness with this entire system. But before I explain this one glaring problem I do want to make something clear. Even though this does provide some measure of security despite this problem, the security is limited to attention not prevention. That is, as I said in my message above to Tom, SecureDash really does not do much to prevent attacks automatically, instead it’s more about alerting attacks in most cases and letting the user know that an attack is happening. This might be ok still though, if not for its major weakness which I will explain now.
Remember when I said that in order to use this you simply copy some PHP code (which I inspected) and put it on your site. Nice and easy right. Well the problem is that SecureDash can only monitor files, programs, and pages that have this code on it. It can do nothing if the code is not present.
Now every website is different, but first off, if you have an HTML website you are not going to be able to use this without changing the name of every file on your site or creating a custom HTACCESS file to force your server to treat your HTML files like PHP. Regardless of if your site files are PHP or HTML, if you have a custom designed site you will also have to add the code to every single site file manually. That’s kind of a pain.
Fortunately many people don’t have custom sites anymore. They use a CMS like WordPress, and sure enough the tutorials specifically talk about a quick and easy way to add this code on every page of your WordPress site. They tell you, and show you how, to simply add their ‘security code’ to your WordPress theme’s header file. Nice. Problem solved right? Not really because there is still a gaping hole here. The plugins. Everyone who has a WordPress site has some plugins and following the instructions provided inside of SecureDash will not protect you from vulnerabilities in the plugins. Even worse, attacks that are made to your site through any of the plugin files won’t even be noticed or monitored by SecureDash. It’s a massive flaw in the system, a gaping hole, that is easily exploited and that leaves you open to all kinds of potential problems even if you are using SecureDash as instructed. Let me give you a specific example:
I initially thought to test how good SecureDash works by putting the ‘security code’ on my own blog (this blog) and seeing if I could find any vulnerable points still. But I decided that doing that would not be a fair test since I know all about my own site so I would have an advantage. So what I decided to do is head over to a site that was owned by one of the other potential affiliates, and that had the ‘security code’ from the JV account I was given access to on it.
I knew nothing about the site when I went to it. The first thing I did was view the home page’s source. From that I was easily able to see several plugins that the site was using. Within 30 seconds I found one that had a flaw in it. It was poorly designed and outdated and allowed me to browse its directory:
It’s important to point out that I was also logged into SecureDash so I can see if the system was monitoring my activity. It indeed did register my IP address visiting the home page, but it did not know that I was remote browsing the plugins directory. It couldn’t know that, because it can’t know anything that the site visitor does if its ‘security code’ is not present, and its code was only in the WordPress theme (and I was not in the WordPress theme).
From here I can poke around without SecureDash ever knowing it, and indeed I even used it to block my IP address, which prevented me from visiting the site’s home page, but did absolutely nothing to prevent this remote access, from me manually going through the plugin directories or loading those files (again because its ‘security code’ was not present here). Now poking around is not totally terrible in itself, but there are some things I could do. For example if I wanted to launch a DDOS attack I could use a botnet (if I had one, I’m not actually a hacker, but hackers do have them) to constantly request any of the files that I had unsecured access to, using up resources and causing server issues without SecureDash ever even knowing a thing. I could also download the plugins that I can see are installed on this site, look for security issues in them and exploit them without SecureDash ever knowing.
The problem stems from the fact that SecureDash can’t know anything about any file that does not have its code on it, and if you have a WordPress site there are going to be tons of files without its code. Truth be told though, even if you could (you can’t, but if you could) make sure the SecureDash code was on every page of your site it still is little more than a monitoring tool and not really much of a ‘protection’ tool. From what I can see the only thing it can really do as far as protection is ban IPs and only from visiting pages / files that have its code on it. This is not something that is very useful given that you can ban IP’s from the entire site, all files, very easily in cPanel.
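An added example, not part of the original review and not SecureDash's code: the web server's own access log records every request, including the ones a snippet pasted into the theme header never runs for. The sketch below splits constructed Apache log lines into requests the in-theme snippet would have executed for and requests it missed; the path lists assume a default WordPress layout, and the directory-listing check is a heuristic.

```python
import re
from collections import defaultdict

# Paths WordPress answers without loading the theme's header.php, so a snippet
# pasted into the theme never executes for them (assumed default WP layout).
BYPASS_PREFIXES = ("/wp-content/", "/wp-includes/", "/wp-admin/")
BYPASS_FILES = ("/wp-login.php", "/xmlrpc.php")
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Constructed sample in Apache combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /wp-content/plugins/example-gallery/ HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:00:15 +0000] "GET /wp-content/plugins/example-gallery/inc/helper.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
198.51.100.20 - - [01/Jan/2024:10:01:02 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-content/plugins/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

def bypasses_theme(path):
    """True if the request is answered without rendering the theme header."""
    path = path.split("?", 1)[0]
    return path.startswith(BYPASS_PREFIXES) or path in BYPASS_FILES

def looks_like_listing(path, status, size):
    """Heuristic: directory URL under wp-content answered 200 with a body
    (WordPress's stock placeholder index.php returns an empty body)."""
    path = path.split("?", 1)[0]
    return (path.startswith("/wp-content/") and path.endswith("/")
            and status == 200 and size > 0)

def audit(log_text):
    """Per client IP: requests the in-theme snippet saw vs. missed, plus listings."""
    report = defaultdict(lambda: {"seen": 0, "missed": 0, "listings": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing
        size = 0 if m["size"] == "-" else int(m["size"])
        entry = report[m["ip"]]
        if bypasses_theme(m["path"]):
            entry["missed"] += 1
            if looks_like_listing(m["path"], int(m["status"]), size):
                entry["listings"].append(m["path"])
        else:
            entry["seen"] += 1
    return dict(report)

if __name__ == "__main__":
    for ip, stats in audit(SAMPLE_LOG).items():
        print(ip, stats)
```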
Overall I found SecureDash to provide a ‘facade’ level of security. It’s like a $2 lock that you buy at the general store. It might make you feel good to have it, but it’s not really doing much at all to protect you. I personally would not spend my money on this and because of that I have no choice but to say:
A quick note about the reviews I do on this site. The product vendors give me access to their products for free in order for me to do my review. However I make no promises to them regarding the results of my tests or what I will write in my review. Should you click a link that takes you to a sales page for a paid product for sale this link will be an affiliate link and I will be paid a percentage of the sales price should you decide to invest in it.
Thank you for your “brutal” honesty of this program…
As you say; “It might make you feel good to have it, but its not really doing much at all to protect you.”
I would not have known this without your help. This info might have saved me both money and headache. Thank you!
Great review of this product Brett. I read about it in their affiliate offering and thought the same things you surely discovered in your testing. I am not a software developer like you are so it is nice that you test these products so that affiliates and end users are not deceived by a product that simply under performs. Keep up the “Great Work” Brett as there are a lot of us out here that depend on your honest and truthful testing and reviews of new products to hit the marketplace.
Thanks for the review, Brett. I have been in IT for 25+ years now, and it’s kind of depressing to see what people try and pass off as security products. When you said “copy and paste some code,” I immediately had my doubts.
And when you said it was PHP code, I knew they were full of crap. You can’t stop DDOS attacks at the application level or a lot of other attacks.
I hope people appreciate the level of effort you put into this. Most affiliates don’t have the skills necessary to test these kinds of things.
Thank you, just caught your email in time to read this review. Was in the process of purchasing the product.
Thanks for the excellent review and help
Thanks Brett…can you recommend any product that works?
I really don’t want to recommend anything here, in a negative review, because I don’t want to appear biased.
“Wordfence” and “iThemes Security Pro” are the 2 big ones I know of James and I’ve used both and they have free versions.
I know there are a few more than those 2. They have companies behind them so really hard to beat.
I would never try to create a plugin to compete with them.
I have been away from work as I got really sick and today I was going to look for a product to promote.
My first promo since getting sick almost 3 weeks ago!
Tom sent me jv review access (The same one as you probably) and not being a developer like you was thinking of promoting this.
Glad that you are the only marketer whose list I have stayed on!
After meeting you a few months ago and hanging out a lot I thought that my respect for you could not be more but you continue to surprise and be a marketer that I look up to more and more!
I do feel for Tom as he is a great guy but when putting the security of something as valuable as a website under a false security “Blanket” you really should have someone who knows what they are doing testing it.
Great review and explained in brilliant easy to understand wording!
Total respect Brother!
Tom is a great guy, someone I truly like in this business. I do believe he made a mistake putting his name / brand on this though. Also you are pretty frigging awesome yourself Marc, can’t wait until we get to hang out again.
Yeah I guess not having that coding knowledge and then someone who you trust tells you that it does this and that then you have no reason to doubt it!
Also thanks mate, I had an absolute blast hanging out with you. I think that even if we were to have got chatting randomly in a bar or somewhere as strangers we would still have hit it off!
Looking forward to the next one and sinking a few, or likely a lot together 🙂
Well to be fair, Tom did have a reason to doubt it, because I told him ‘as a friend’ and as an experienced developer. He chose not to listen to me though. Often people choose not to listen to the people who are saying something that they do not want to hear. And yea man, you and I have a lot in common I think 🙂
Thanks Brett, for this review. It was this kind of critical honest testing and analysis that got me to subscribe and buy from you 4 years ago. I know you changed your biz model and will again in the new year, but this offers a lot of us w/o tech skills a ton of value. I hope you continue this service in some way down the road.
Glad I was able to help 🙂
Thanks for that review Brett, I was also looking into this, what my skepticism was if you had an attack of any kind what was the urgency of getting an email pronto, to say that your site has been damaged maybe! you can repair it quicker.. have you an opinion on “Wordfence” and “iThemes Security Pro” as Rod mentioned or what is the security you use on your blog if it’s not a secret..
I use server based security. That is my security is built right into Apache. I also use some other things that I’m not going to make public 🙂 The truth is though, if you are looking to protect yourself against something like a DDOS then your only real option is something like CloudFlare. I have not tested Wordfence, but I looked at its sales page (very quickly) and I did not see it claiming to block DDOS attacks (or a bunch of other attacks that actually make no sense, like Phishing). Why? Because they are likely not trying to bullshit non technical people.
Thanks for this honest and helpful review. I had just heard about Secure Dash and was considering buying it for a few of my sites that are not on WordPress. But I read your review in time not to purchase it. Thanks for the warning!
Thank you Brett for the wonderful insight into this SecureDash product, I do appreciate your time and effort you have put in to test these kinds of things and alert us of BAD software. I am getting sick and tired of the dishonesty of some vendors and we need someone like you to give us an honest review before we lose our money. Once again thanks for the great review, and shame on those vendors.
Brett: Thank you for this honest review. I appreciate your expert opinions.
Thanks, Brett, I was looking at this and it just didn’t seem right. I know you and Tom are friends, so I usually give Tom’s offerings an extra look, and then you sent your email notice. I believe Tom will be ticked off at you but will thank you later. He probably had work and money invested in it and is full of emotion come “launch week”. Gorab is one I have dealt with also. I’ve unsubscribed from his many email lists, but somehow I end up on another even though I didn’t “opt-in”. Enough said. I’m glad you have shown the courage to “reject” as I’ve always known you to demand honesty and decent products in the IM field. Have followed you for a long time. You are a man of your word…..
Tom is someone I consider a friend. He is quite upset with me at the moment and a bit emotional. I do hope he and I can still be friends and I am sorry I upset him but I really can’t just sit by and watch people waste money on something that is not what it claims to be.
Thanks for this review Brett. Sad what folks will put out software that flat out doesn’t work. I can’t understand people who will sell something so critical as security software and not care if it works or not. I can see a lot of marketers’ clients being really ticked off when the new-fangled security tool they were sold doesn’t work and they lose everything.
Thanks so much Brett. I have reached the point after many years of being an IM’er, I only trust your site and recommendations. I am an “IM Insider” now because of you telling the truth, and sometimes it is not pleasant. Even in response to some of my questions to you on support, you do not waste words. I appreciate this so much. Please do not change. We need more people like you who put truth over making money! I almost bought this as well until I saw your review.
Great review.
I did head over to have a look at it, while I didn’t go as in depth as you, I didn’t even get to the bottom of the page.
The claims made were definitely aimed at people who have no understanding of security structures. So I got out only having wasted 30 seconds of my time.
Kudos to you for taking the time to look closer and even offer them some suggestions.
You are definitely one of the good guys in the business.
I’m confused. I thought you mentioned that you stopped posting if a product review was deemed rejected due to the backlash it caused with other vendors not wanting to approve you for out of fear (even if the vendor had nothing to worry about) so what changed Brett?
Are you complaining about me being honest in this review?