If its not one thing with GoDaddy (or the private branded/labeled reseller known as Empowered Entrepreneurs) Hosting… its another…
Let me start by saying that GoDaddy makes an excellent domain registrar. Need a nice, cheap domain name? They’re relatively useful.
Not such a hot web host. In fact, right near the bottom of the barrel if we want to consider my real opinion.
I hear a lot of students in the community tell me how glad they are not to be on GoDaddy, yet to find out that because they are hosted by Empowered Entrepreneurs that they are in fact on a re-branded GoDaddy installation.
A Little Background
Besides the lack of a CPANEL, besides the bad habit of selling windows hosting for wordpress (must be linux!), besides sending nasty-grams to their users that complain publicly (bet I get one!) and besides a wide range of other fatal flaws, they are simply easily surpassed by high quality hosts such as HostMonster and HostGator (my two favorites, and yes those are affiliate links, I’m proud to stand behind them both).
Anyways, enough of that…
WordPress has security holes of varying degrees in my opinion. Several of the guys from WordPress will tell you they believe otherwise. I however have spend WAY too much time cleaning up blog after hacked/infected blog.You learn to take this in stride. You make backups, you keep your upgrades current, you use good passwords, and you protect your blog like the business asset that it is. Generally speaking, if WordPress is more than a couple weeks out of date, you’re a sitting duck. Some argue that this is always a hosting problem, but I’ve seen too many blogs from different hosts to believe that is always true.
This is often spread through a combination piece of virus/malware that moves from an infected computer, to a blog where it infects everyone that visits the blog. This then can (but not always) cause the PC issues and it may join in the sharing of the virus/malware and the attacking of more web hosts. A collection of these infected computers is called a “botnet” and they act like an attack drone, obeying one central master.
Lets get down to the current HUGE problem.
It appears that someone took a botnet such as this, and using a vulnerability that exists between WordPress and the Host (GoDaddy), is attacking every single blog/site that lives on GoDaddy’s servers.
This round of infections appears to be unique to an exploit on GoDaddy and worst… this is the second full week of GoDaddy proving unable to secure the servers, or stop the botnet, or at LEAST get the word out to every last one of their wordpress using customers that they MUST upgrade or be at risk.
In The News…
Two major blog posts on the topic including GoDaddy’s responses to the entire situation as it has unfolded:
Warning! Massive Number of Godaddy WordPress Blogs Hacked This Weekend
Breaking News! Dangerous Malware Alert – Self-Hosted Sites On Major Hosting Service Hacked Again!
My Take On The Situation…
… including their sentiments as shared across twitter for all of you to enjoy.
GoDaddy still claims innocence. In fact they claim to have heard of other hosts hit with the same attack. Let me explain something… lots of hosts get widely attacked. There is always some background noise as handfuls of blogs here and there get hit on any host. This particular instance, is different, while this definitely could spread – it would have already if it was going to. This particularly attack is a GoDaddy problem in my technical opinion.
They did send an email out to a small percentage of their wordpress users. When I inquired today why ALL WordPress users did not receive the email (which is another matter altogether!), I received this DM reply: “We emailed those who installed using our Hosting Connection tool… not if it was installed manually”.
Okay so if you used a clean installation or a custom installation or installed the way WordPress TELLS you to, sorry you’re not only vulnerable but not worth us notifying. Okay point taken.
Then they made a smart move… sorta. They figured they better publish a fix! It’s not even a fix, its a clean up after the mess kit. If you’re affected, you’re going to need this link so go ahead and bookmark it now. Interesting to note that even though this has been going on since at least May 1st, they left users without support information till the 7th.)
Okay lets talk about that link. In it you will want to pay attention to the link to Upgrade Your WordPress Installation. Follow it, and then the steps starting on the next page. In case you’re wondering, no you can not upgrade from your dashboard. In fact, this LONG METHOD, also know as an Extended Upgrade, is the ONLY way you can do this correctly. Don’t try to skip steps here, this isn’t intended to be fun, its intended to work. (PS: You can still do this even if you’re on the current version of WordPress as some have asked.)
Infected and that list of technical work making your eyes cross? Contact me at the form above or by for a quote.
Unfortunately, I discovered that not only this document not tell the whole story – but it may not stop the problem. Tonight I discovered an infected WordPress 2.9.2 blog that was the only installation on the hosting account. Suddenly, it becomes strikingly clear that while in many cases yes, blog owners have a major implication due to not keeping their blogs updated… lack of updates is not the only issue at hand.
I feel bad when one blog owner gets hit. I feel unsettled when I see a lot being hit… and… I feel downright ILL when I see someone blatantly not telling the whole story to every single one of their impacted customers. This feeling of sickness at the matter increased dramatically when I shared the links with an affected blog owner, who happens to be a major member of this community, and he told me he’d just gotten off the phone with tech support and they had blatantly denied there was even an issue let alone something of this scope!
So, what to do… what to do…
Well, if I were you, I’d start with taking HostGator up on their offer to relocate your site if you start hosting with them.. but that’s just me.
If you’re with GoDaddy… You MUST MUST MUST (are you getting my point?!?!) do a full database and content backup RIGHT NOW if you are not presently infected. GO NOW. Seriously, you can thank me and comment and syndicate later.
Then, once you’re backed up, you must upgrade to the current stable version of WordPress. That is currently 2.9.2 but is soon to be 3.0. Don’t forget to upgrade those plugins since a vulnerable plugin is a common attack point!
Scared to death of all of this or not interested in doing it yourself? Jodie and I’s Peace of Mind Blog Protection Program is currently open to students and tribe members, and will soon be available to the public as well. It’s a great way to minimize your risk. (Interested? see me for a student discount code.)
What if your NOT on GoDaddy?
Well, as I pointed out above, you’re not entirely in the clear. However, you don’t need to panic as much in the moment. You too need to backup and upgrade. However, you should have been planning a major backup anyways with WordPress 3.0 this near launching. So in the next day or three you need to allot some time to do this. While this post, and this particular wave may be a GoDaddy issue, all hosts are continually being checked for vulnerable blogs.
So… In summary… I VERY BADLY want to yell at GoDaddy for hurting my friends. I’m sick of this runaround. I’m angry at seeing my community lied too. I wince every time I see a new member of the community tell me they are hosted with GoDaddy or GoDaddy via E.E. While I appreciate the affiliate money, at the end of the day I really don’t even care if you don’t use my links. In fact, please use the links of someone that has helped you, pay it forward, but pretty please, find a good CPANEL based host with great technical support (and preferably not with the anti-backup file policy that BlueHost has, although they’re a respected host). Then please get and keep your blogs backed up and upgraded. You don’t want to upgrade the day of a new release, but within a weeks time after a release if a new patch has not been issued, you should get to the current version of WordPress promptly. Because of how we syndicate (tribe) we may be even more prone to spreading these types of infections through our own community than other bloggers.
It would be wonderful if you could share this message with as many people as possible. We have GOT to get word through our own community about this. Our friends businesses are on the line! Sharing is Caring!
I’m here to help if I can be of service.
Humbly in your service,