[cue elevator music]

Ok, good, you’re back. If you followed some of the aftermath in the comments, on Twitter, and on various media outlets and celebrity blogs around the web (including Gawker and Wil Wheaton), you can tell that Jenny obviously has a large amount of supporters who were less than pleased at Jose Douche Canoe Martinez. The outcry got just loud enough that Brandlink Communications actually started to play the wounded bird card:

Apparently Jose Martinez felt so victimized from the whole experience, he actually decided that he needed to delete his entire Twitter account (or, of course, it could be that he was trying to do the internet equivalent of burning the evidence of his douchiness).

Quick side note: if a PR company’s first instinct when they come under fire is to duck and run, and get defensive, as opposed to owning up, making it right, and the moving on, then odds are that same PR company would not hesitate to throw a client under the bus if they felt it was necessary for their own self preservation. Anyone who is researching this company with the possibility of hiring them should probably keep that in mind.

Either way, I guess Jenny didn’t realize quite how much support she would receive, so she wound up actually asking her followers to put away the pitch forks:

UPDATED: I love you people. Really. Thank you for always having my back and for being so supportive during this weirdness. Jose has apologized, and I’ve been assured by the woman in charge of the company that they are aware and are handling it the best way they know how, so let’s give them some air and let them have the chance to do that. *deep breath* – Jenny Lawson, aka TheBloggess

Ok, so, maybe Jenny is right. Maybe some of her fans did get abusive towards Jose in the process of defending her (which, btw, I did not see myself, but I am guessing not everyone was polite) and it is time for us to let cooler heads prevail. However… I also don’t think this should fall just into internet obscurity, either. People who are looking to hire this PR firm should be able to find out who it is they are dealing with, and the first line of defense when doing research on a company is, of course, Google. Currently when you do a search for [brandlink communications], someone else’s post about Brandlink and TheBloggess is #1 (as a news story though, not as a regular listing), Brandlink Communications themselves show up next (which is actually the natural #1 listing, when no news stories show), and in the natural #10 spot is Jenny herself:

(Click to enlarge)

The news piece is of course only there for a short period of time, as all news pieces should be, and the rankings Jenny’s site has currently are probably also due to what Google refers to as QDF, or Query Deserves Freshness (where a particular search might warrant different results due to topic being “hot” at the moment). However, I think that Jenny’s site should be in the top 10 when searching on that company, even after the buzz dies down… possibly even #1. Therefore, here is what I suggest, if you happen to support Jenny in this issue:

1. Write a post showing your support for Jenny about the way she was treated. Don’t attack or “bully” anyone in the post, because despite them being in the wrong here Brandlink was right, bullying people is still wrong (although calling someone a douche canoe when they actually are one is just being descriptive imo)
2. In that post, link to Jenny’s blog post about the conversation, but use the phrase [brandlink communications] as the anchor text for the actual link.
3. If you link to the post more than once, make sure that link is the first link to the post.

For those of you wondering why, it is because links are still the number one factor Google uses when determining rankings. If you want more information on it, you can Google [santorum] and do some research… just don’t click on the first link.

Do I think this is too harsh? Perhaps if they weren’t a PR company boasting W Hotels and Chase as their clients I might be more inclined to go easy on them. However, even if they weren’t big shots treating those they regard as the “little people” like shit, there is also the fact that this behavior is not new for Jose, and there is evidence of him treating people like this all the way back to early 2006. The fact that the same guy is still VP Media Director 5 1/2 years later, still behaving the same way, makes the promises from the company that is “handling it the best way they know how” somewhat hollow. So yes, with that in mind I think that a response like this is quite fitting. Vote with your links, people, as Google intended you to.

Since this is an established pattern with them as a web host, and even though I still highly recommend them as registrars for domain names, I have decided to make this offer to all clients who want to be done with getting their sites hacked. If you hire me to clean your hacked website(s), WordPress or otherwise (since pretty much any site on GoDaddy is subject to getting hacked), and are willing to switch to Hostgator after I have you completely cleaned up (which is where this blog and many of my other sites are hosted, and a host that I highly recommend), then I will do the migration at no extra charge.

That’s right… I’ll move you to Hostgator, for free.

Now, if you want to help me out a little with that, and use the affiliate links in this post or the banner in my sidebar to purchase your hosting, then great, I will get a commission from them for doing it. But that is in no way required for this offer, and not at all why I am making this deal. You can manually type in hostgator.com into your browser, or click on a friend’s banner, or whatever. I’ll still move you for free. Everyone should have safe hosting, period, and I am willing to help people get there.

The one caveat with this offer is if you have emails stored on the old server, and use either IMAP or their webmail, and you need those old emails (not the accounts, but the actual emails) moved off of GoDaddy and stored elsewhere, then it does take a few extra minutes per email account, depending on which solution you which to use. GoDaddy doesn’t give you direct access to download and move them, but there are a couple of workarounds available. Some you can do yourself if you like (like downloading all of the emails to your local computer using POP3), some I can do for you for a very small charge. Other than that for each site I clean I will move it to the new Hostgator account for you at no charge, and that includes the files, the databases, setting up the email accounts, and any ftp users you want to move.

If you are not currently hacked, and want to move to Hostgator anyway, I’ll still offer anyone who wants it a deal. If it does not need cleaning, I will migrate your entire site for only 30 minutes worth of labor, flat fee, again not counting the moving of the physical emails. If you have multiple sites that need moved, depending on the sizes of them, I can offer you further discounts on those as well. Hell, you don’t even have to be hosted at GoDaddy to take advantage of this offer. If you’re unhappy where you are at, just let me know.

Anyone who wants to have me get started on moving them to a better host should contact me today.

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way. – Alicia from GoDaddy

From what I have read around the web customers were being told that it was not GoDaddy’s responsibility to fix the sites, that they only offered “limited support” in situations like this, leaving people with only the option of restoring from a backup (which would often not help even in outdated WordPress hack situations, since hacks can go undetected for months) or hiring outside help to clean things up.

You can see on the support page they have set up, What’s Up with Go Daddy, WordPress, PHP Exploits and Malware? that they still claim that outdated scripts are part of the problem. Going to that page and viewing the source reveals something almost unbelievable:

(click to enlarge)

That’s right, in a classic “do as I say, not as I do” twist it seems that GoDaddy is in fact running an older version of WordPress (WordPress MU, based on the version number, which has the same security holes as regular WordPress) for their community blog that they are using to tell people to upgrade their WordPress versions.

To be fair, simply having an older version of WordPress does not mean that it is automatically insecure… the security fixes in the more recent versions may be minor and the known vulnerabilities might have been manually patched. I can’t know without actually digging deeper and looking if in fact the installation was vulnerable.

Then again… neither can GoDaddy in the case of their customers.

When it first started to happen I did some searching around, and noticed that there was some discussion going on about the heightened GoDaddy hacking activity, but at that time everything I read that stated the problem was with GoDaddy customers all had roots pointing back to a single post on a company blog that didn’t offer enough details for me to really see why it was happening there and not other places. Not that WordPress on other hosts weren’t still getting hacked, but there has definitely been a higher concentration of instances on GoDaddy. GoDaddy was definitely aware of the issue, and even replied in some threads on the WordPress.org help forum:

GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN – Alicia from GoDaddy.com

The link to their “step-by-step guide” to updating WordPress turns out to be nothing more than than a link back to WordPress’ own guide to upgrading, and links on how to back up your stuff on GoDaddy. Decidedly not step-by-step imo, and in this case not all that helpful. If the reason your site gets hacked is due to you running an older, insecure version of WordPress, once that happens simply upgrading will not fix the issue. This seems to me to be a bit of a lame response to a serious issue coming from a company that bills itself as the “World’s largest Hosting Provider”.

GoDaddy keeps insisting that the problem is due to outdated WordPress installations, and that staying up to date and site security is the responsibility of the customer, not of GoDaddy. In one sense I completely agree with them. If you run an older version of WordPress that has known security holes in it (ie. pretty much all versions aside from the most recent) then the odds are that you are going to get hacked. Most of the clients I cleaned from GoDaddy so far were up to date, running version 2.9.2, but this still didn’t mean that it was GoDaddy’s fault, since it is possible for a site to get hacked and no signs show up for months. This means that the sites I was cleaning could potentially have had the hack from an older version, and it only became apparent some time after they upgraded.

The problem is that after doing some very thorough clean up jobs (ie. wipe and reinstall), and making sure the clients were up to date, all passwords changed, all image files verified as actual images, clean WordPress, clean theme, clean plugins, and hand cleaning the database, I had clients still getting re-hacked.

One client I had was having issues with funky characters in his posts. He would make the post, everything would be fine, and then the next day they would be converted in a way that would make them display as unicode. This was well after I had done my cleaning, and no one should have made any changes to the database since then. My assumption was that GoDaddy themselves was making changes, possibly security upgrades related to the recent hacking waves, and I figured that calling them to see what they had done would be the best bet. In preparation for this I went ahead and logged into the client’s account, and ftp’d into the server just to make sure everything looked like it was in place still. As soon as I did I saw that about 30 minutes before a brand new, non-Wordpress, oddly named php file had been dropped into my client’s site.

I downloaded the file and looked at it. I suddenly realized that this was the source file for all of the hacks that were happening. It was named “plan_erich.php”, and had similar eval(base64_decode( instruction at the top of the file. I modified the code to be able to decrypt it safely, and looked through the output (which you can view here). The script was designed to delete itself as soon as it ran:

$z=$_SERVER["SCRIPT_FILENAME"]; @unlink($z);

Finding this script before it was triggered and deleted itself was raw luck. Catching this file gave a great opportunity to actually track down how these hacks are occurring, and possibly would leave clues that GoDaddy could use to keep it from happening again. Looking at the owner/creator of the file, and matching that timestamp up with the various logs (ftp, ssh, http, mysql, etc) could give GoDaddy the information needed to figure out how the file really got there, instead of just guessing that WordPress was the issue. I have never seen a file like this before, and searching Google for the name yielded no results, so there really was no other information out there available on this. Finding it there was a little like hitting the lottery in that respect, random and very, very good luck.

The problem, however, is that GoDaddy didn’t seem to care. I called and explained to the woman I spoke with exactly what it was that I found and how it could be useful. I told her that matching up that file to the logs could yield some potentially valuable information. She did listen carefully, and I am pretty sure she understood what I was saying, because she asked if she could put me on hold to go talk with someone who might know more. She came back and informed me that she didn’t have permission to look at those logs.

I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it.

At this point I was a teensy bit amazed at GoDaddy’s lack of concern with the issue. She very kindly informed me that the issue was that the client was running an older version of WordPress, and that we needed to upgrade. Wtf? I went and looked, and made sure that he was indeed still running the 2.9.2 version that I had installed over a week ago (and remember, he was running that version before I ever did anything), and he was. I told her that. She told me that no, she was looking at what the hosting control panel said, and that he was running version 2.6.

That was when it struck me… GoDaddy was claiming that this wave of WordPress hacks was due to clients not upgrading without even bothering to really look at the clients sites. The hosting control panel can only report what was installed via the hosting control panel itself. If a client pushes the button to upgrade WordPress from within the WordPress admin section then the hosting control panel will never know.

As amazing as it seems, apparently the entire GoDaddy technical support team is ignorant of this fact. That’s right… the “World’s largest Hosting Provider” doesn’t understand the very basics of how the world’s largest blogging platform works.

Something, probably a hosting configuration, is allowing GoDaddy customers to have their sites hacked, and it isn’t file permissions, insecure passwords, or out of date software. Not being willing to even look when a developer calls to tell you that they found something is completely unacceptable. My suggestion to all GoDaddy hosting customers: bail now, before something happens to your site. This is not a WordPress issue only… although it seems to have targeted WordPress customers first, all sites that use php are at risk. Personally for shared hosting I recommend Hostgator, because I love their tech support (and their servers are very robust), but there are plenty of hosts out there to choose from (Disclosure: I changed the previous link to an affiliate link, although if you’d rather purchase hosting from them without giving me credit that’s fine too, here is a clean link for you: HostGator).

Bob Parsons, I am sorry. Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.

I decided to go through the affiliate operating agreement myself to see if I could understand why they were doing this. I realized after I read it that they were not in fact saying any such thing. I wrote them to see what was up, and what the specific issues were.

It took 4 emails to them, with the first 3 coming back with the same answer, that they were not allowed because you are not allowed to use redirects. The problem is that the language of the agreement only mentions redirects in conjunction with either ppc traffic (you cannot link a ppc ad directly to Amazon, or via a redirect, it requires a click from your site to be valid), and with hijacking someone else’s traffic (no redirecting or interfering with someone else participating in the program). Eventually, however, I got someone who understood what I was saying and they agreed that it is indeed acceptable to do so. Here is there final reply:

Dear Michael,

Thank you for writing back to us and I sincerely apologize for the delay in responding to your message. I have carefully reviewed your correspondence with us. As you mention, you would not be permitted to use a shortened URL to an Amazon.com page as the destination URL for paid search advertisements because Associates are not permitted to engage in keyword bidding or other paid search on Google, Yahoo, MSN, and other search engines, and their extended search networks, to send traffic to our site.

However, you can use shortened URLs on your Facebook or Twitter accounts. You may be asked to provide the specific sites on which the shortened URLs are posted, which would mean that your Facebook and Twitter profiles would need to be publicly accessible for review if you used the URLs on those sites.

I apologize for the misunderstanding regarding your inquiry and I hope this information is helpful to you. If you have further questions, please use the Contact Us form available on Associates Central or by following this link:

https://affiliate-program.amazon.com/gp/associates/contact

Thank you for your participation in the Associates Program.

Best regards,

Richard – Associates Account Specialist

http://www.amazon.com

Note that he did state that the specific sites where you intended to post the links needed to be provided, so if you are an Amazon affiliate and think you might possibly post a link on either Twitter or Facebook, you should probably submit those profiles to Amazon asap and go ahead and get them listed in your Amazon account. One of the other emails from them gave me these instructions for doing so:

If you would like to add another website or multiple websites to your existing Associates account, we first need to view and approve the sites content before it can be added.

Please send us the URLs for the sites, and we will review them and let you know our decision. Once approved, we will send you instructions on how to add the URLs to your account. You can contact us back by using the secure form at the following specialized link:

http://affiliate-program.amazon.com/gp/associates/contact/

Keep in mind that if your Facebook page is set on private we will be unable to approve its addition to your account because we need to be able to view your site at any given time to make sure you are in compliance with our guidelines.

I have gone ahead and provided the entire conversation thread with Amazon here. I hope this helps anyone who might have had issues with this.

In fact, according to Google themselves, their goal is to hire people who are “as passionate about their lives as they are about their work“:

… regardless of where we are, we nurture an invigorating, positive environment by hiring talented, local people who share our commitment to creating search perfection and want to have a great time doing it. Googlers thrive in small, focused teams and high-energy environments, believe in the ability of technology to change the world, and are as passionate about their lives as they are about their work. – Google Jobs

So why is it a company that concerned about the quality of their employees can’t seem find anyone decent for their customer service department?

If we were discussing deep complicated technical questions then I could understand a bit of confusion here and there. However, in my experience the reps at Google AdSense and AdWords seem to have problems with some of the most basic concepts of communication. I wrote a post about a month and a half ago about another of my recent communications with AdSense reps that went nowhere (wrote them again, btw, they are still ignoring me). This time, it’s AdWords.

Let me be clear on this, the issue itself is not that important. I am not losing copious amounts of money, the Internet will not come crashing down if the question isn’t answered, and no one’s life is at stake here. However, for a couple of years now the replies that Google customer service sends back have established a solid pattern of non-resolution regardless of how important the questions asked actually are. This week I received an email from AdWords that opened with the following:

We noticed that you haven’t shown your AdWords ads in a while. The Google AdWords Team wants to help you make the most of your advertising dollars, so…

Now, since I had just ran one of my AdWords campaigns not long ago, for my experiment having to do with the Google keyword tool, this concerned me a little. It hadn’t been “a while”, as they were claiming, it had only been 2 weeks. So, I wrote them back a one line reply, asking what they were talking about:

What’s this about? I ran an AdWords campaign last week… – Me

They replied today. I looked at what they sent, got a little angry, and almost replied back immediately. However, I decided first to make sure that it wasn’t my fault, that I hadn’t somehow perhaps been unclear in what I was asking. I asked 3 friends what their interpretation of what my question had actually been, sort of an early morning IQ test. I showed each of them the same portion of the original email I showed above, as well as my question I replied back to AdWords with, and then asked, “In your honest opinion, what was my question to them?” The responses I got back were:

wtf did you send me an email saying i haven’t advertised in a while, when i just did. – Donna Fontenot, Business Coach

why are you sending me this email, when i have run adwords recently? – Li Evans, Director of Internet Marketing

Your question was why are [they] saying your account isn’t active, when it actually is. – Melanie Nathan, Director of SEO/SEM/SMM

As you can see clearly see, none of them are trained Google AdWords customer service representatives. They did not go through intensive schooling designed to teach how to answer complex questions on how AdWords is engineered to make the world a better place. Yet, despite their complete lack of employee orientation, each of them was in fact able to correctly interpret my short question.

The actual AdWords rep who replied, however, was apparently unable to do so:

Thank you for your email. I understand you are concerned about an email that you received from AdWords support saying that your ads have not been shown on Google for some time. You received this email since all of your campaigns are either paused or deleted. Please note, your ads won’t show on Google if your campaigns have been paused or deleted. – Neha Verma, The Google AdWords Team

It’s as if Google wrote an Eliza style program to handle their customer service questions, and almost got it right. Pick out key phrases from the emails, and see if there is a matching canned response. The problem, of course, is that the reply actually came from a real person, hired by a company that professes to employ people who are “talented”, and are “passionate… about their work.”

I have had both MSN and Yahoo employees call me on the phone when I was having an issue before. GoDaddy has done that also, as has Hostgator. MSN has “How did I do?” type questionnaires that they ask you to fill out after having a question dealt with. Hostgator even has a rating system on their trouble tickets, asking you to rate the helpfulness of each and every answer. Maybe Google needs to seriously consider collecting individualized feedback on their customer service representatives. At 1,300 resumes a day, it really shouldn’t be that hard to find people who actually understand what the customers are asking.