If you were one of the 1.2 million customers compromised because of GoDaddy’s poor decision to avoid using best practices to protect your usernames and passwords, I hope you’ve taken this opportunity to move your website(s) to a hosting provider that takes security and protecting your site more seriously.
Before you brush this off and release that sigh of relief because you’re not hosting with “GoDaddy”, I’d suggest that you make sure you’re not using one of the GoDaddy brands that resell the Managed WordPress hosting and were also impacted: tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.
Here’s the truly scary part: this hacker had two solid months (Sep. 6 – Nov. 17) to establish themselves within GoDaddy’s infrastructure before they were discovered. What were they doing for those two months? How many backdoors did they establish? Did they implant any malware or other malicious viruses to be accessed later? Is your website now a conduit for spreading their malware?
Don’t be fooled into a false sense of security!
If you called GoDaddy support after the news of this hack, you were likely reassured that everything was fine now and that they are improving their protocols, but the rep probably then suggested that you buy website security and a number of other products that won’t help in situations like these.
The problem with that strategy is that it provides a false sense of security because GoDaddy reported that the attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, and the website security product GoDaddy sells is designed to detect threats at an individual site level, not the GoDaddy server, which is where the attack happened.
Even if those 1.2 million customers had GoDaddy’s Website Security on their websites, it never would have been triggered by this particular hack and their information still would have been compromised.
If GoDaddy’s own server security and monitoring didn’t identify the threat for two solid months, there is nothing you as a customer could have done to protect your data.
Do you have any risk?
Absolutely! The long-term consequences of this type of breach could be irreversible and endless.
You can change your passwords, and GoDaddy has already done that for FTP and databases, but if the hacker has malware embedded throughout the server, or within your site files, they could still have the ability to gain access to those new passwords and usernames.
What about your Secure Sockets Layer (SSL) certificate? If the hacker was able to gain access to your SSL private key, they could decrypt the secure data transfer and steal that data. That would be things like credit cards, names, emails, phone numbers, and addresses of your customers.
Not to mention the risk and liability you are now exposed to because you store customer data on your website.
What about your customers and their data?
I’m not even going to say “if your site was compromised” because I’m assuming all GoDaddy Managed WordPress hosted sites were. That means it is very likely that if you have an ecommerce or online store, membership, or gather customer data of any kind, it too has been compromised.
You may be legally obligated to notify them, and you should. They have a right to know. If they have used the same email/password combination for your site that they use for any other online accounts they have, it could mean the hacker now has the potential of gaining access to those other accounts.
And you could be liable!
Trust me, GoDaddy has made it very clear in their terms and conditions that they are not responsible for anything that happens on your website, even if it was a result of their systems being breached.
Who’s at fault?
It would appear that they had/have a vulnerability in their system that the hacker was able to exploit, and because they failed to follow the standard protocol for securely storing usernames and passwords, millions of customers were compromised.
They will likely patch the vulnerability in their system, do a deep dive to try and clean out any trace of the attack, but I promise that they will not take responsibility for any fallout that might come in the near future to any individual customer or their website. They will instead insist that you purchase their Website Security product which is not a complete solution.
I’m willing to bet that if you stay with GoDaddy, you will have issues with your site being hacked and infected by malware on a regular basis.
This is the same type of issue that plagued the old GoDaddy hosting environments before they switched to the new cPanel hosting a few years ago.
What should you do if you use GoDaddy Managed WordPress hosting?
Move your site to a more reliable hosting provider that offers truly managed WordPress services and that has implemented proper protocols and security to help prevent these types of intrusions.
I’ve listed a couple trusted providers of Managed WordPress hosting solutions below:
At the time of this writing (Nov. 24, 2021), each of these providers is offering amazing Black Friday deals so it is a perfect time to make the move!
This started as a GoDaddy problem but is likely to become an individual site owner’s problem. I would not recommend sticking around to find out how devastating this breach can be for you.
Get help migrating a clean site!
If you’re going to move your site to a new hosting provider, do not just move all your website files from GoDaddy to your new hosting provider. This could result in moving any malware and malicious content that may have been installed by the hacker.
I would recommend working with the new provider or paying for a service like the WP Mantis Migration to make sure your website is clean when it is migrated.
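One way to check a site's files before moving them, as an added example (not from this post or from any hosting provider's tooling): it assumes you have a fresh download of the same WordPress version to use as a clean reference, and the function names are hypothetical. It flags core files that differ from the reference, extra files inside the core directories, and PHP files sitting in the uploads folder.

```python
import hashlib
from pathlib import Path

# Directories that ship only with WordPress core; extra files here are suspect.
CORE_DIRS = ("wp-admin", "wp-includes")
# Uploads should hold media, not executable PHP.
EXECUTABLE_SUFFIXES = (".php", ".phtml", ".phar")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(clean_root):
    """Map relative path -> SHA-256 for every file in the clean reference copy."""
    clean_root = Path(clean_root)
    return {p.relative_to(clean_root).as_posix(): sha256_of(p)
            for p in clean_root.rglob("*") if p.is_file()}

def audit_site(site_root, manifest):
    """Compare the site to be migrated against the clean manifest."""
    site_root = Path(site_root)
    findings = {"modified": [], "unexpected_core": [],
                "php_in_uploads": [], "missing": []}
    seen = set()
    for p in sorted(site_root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(site_root).as_posix()
        seen.add(rel)
        if rel in manifest:
            # Known core file: content must match the reference exactly.
            if sha256_of(p) != manifest[rel]:
                findings["modified"].append(rel)
        elif rel.split("/")[0] in CORE_DIRS:
            findings["unexpected_core"].append(rel)
        elif (rel.startswith("wp-content/uploads/")
              and p.suffix.lower() in EXECUTABLE_SUFFIXES):
            findings["php_in_uploads"].append(rel)
    # Core files absent from the site can also indicate tampering.
    findings["missing"] = sorted(set(manifest) - seen)
    return findings
```

Themes, plugins and the database are outside the reference copy, so this check says nothing about them and they need their own review or a reinstall from the original source. WP-CLI's `wp core verify-checksums` command performs a comparable check of core files against WordPress.org's published checksums.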
The Wrap Up
Bottom line, this may seem like it’s not a big deal, but keep in mind, these companies like GoDaddy spend millions of dollars to protect themselves legally from the fallout of issues like these.
How much did you spend to have the terms you agreed to reviewed by an attorney and then to have that attorney create a terms and conditions agreement that fills in the gaps to protect you should your customers be impacted in situations like this?
It’s in your best interest to seriously consider working with a better, more secure, and reliable hosting provider like WP Engine, Nexcess, or Flywheel if you want a Managed WordPress solution. If you want/need a VPS or dedicated solution check out Liquid Web or Cloudways.