GoDaddy’s Suggestion For The Cause Of Their Hacks And Their Community Blog – Can You Smell The Irony?

Yesterday I blogged about the hacking situation with GoDaddy hosting and a customer service call I had with them concerning some evidence I had found. While it is true that as this has progressed GoDaddy has widened their scope in investigating what the underlying cause of these hacks are, initially they claimed that the issue was with their customers running outdated versions of WordPress. While being wrong about something like that is usually not that big of a deal, in this particular instance it proved to be beyond irksome, since a large portion of their customer base were told that it was their own fault that their sites got hacked (even in cases where the customer was up to date), and that GoDaddy was in no way to blame:

WordPress is a-ok. Go Daddy is rock solid. Neither were ‘hacked,’ as some have speculated.

After an extensive investigation, we can report there was a small group of customers negatively impacted. What happened? Those users had outdated versions of the popular blogging software, set up in a particular way. – Alicia from GoDaddy

From what I have read around the web customers were being told that it was not GoDaddy’s responsibility to fix the sites, that they only offered “limited support” in situations like this, leaving people with only the option of restoring from a backup (which would often not help even in outdated WordPress hack situations, since hacks can go undetected for months) or hiring outside help to clean things up.

You can see on the support page they have set up, Whatโ€™s Up with Go Daddy, WordPress, PHP Exploits and Malware? that they still claim that outdated scripts are part of the problem. Going to that page and viewing the source reveals something almost unbelievable:

GoDaddy outdated software...?
(click to enlarge)

That’s right, in a classic “do as I say, not as I do” twist it seems that GoDaddy is in fact running an older version of WordPress (WordPress MU, based on the version number, which has the same security holes as regular WordPress) for their community blog that they are using to tell people to upgrade their WordPress versions.

To be fair, simply having an older version of WordPress does not mean that it is automatically insecure… the security fixes in the more recent versions may be minor and the known vulnerabilities might have been manually patched. I can’t know without actually digging deeper and looking if in fact the installation was vulnerable.

Then again… neither can GoDaddy in the case of their customers.

7 thoughts on “GoDaddy’s Suggestion For The Cause Of Their Hacks And Their Community Blog – Can You Smell The Irony?”

  1. Good eye on the older version of WordPress. ๐Ÿ™‚

    We recently went through and checked our site to make sure any third party apps were up-to-date. We saw our Community Blog was running an older version, so we started the upgrade process.

    Due to the amount of customized code and the amount of traffic the blog receives, it’s not live yet because we always make sure any upgrade is rock-solid before we deploy to our production environment.

    It’s nearing the final stages and I expect it will deploy early next week.

    Todd Redfoot
    Chief Information Security Officer

  2. The truth gets in the way of selfish behavior. The truth makes the posturing demagogue look foolish. The truth is bad for big business.

  3. I just want to clarify that what I’m about to say is true: Godaddy’s way of dealing with this problem is to shamelessly lie about it. Is this statement true, or am I missing something?

  4. @Eddie – I don’t know if they are lying. I would say that they are less than upfront about it, and it’s possible that the tech support telling people that they need to upgrade don’t know what they are talking about. I know that in at least one instance that was the case. If you read the original post on this topic I discuss how the data that tech support is using to determine which version of software people are using is delivering inaccurate information. This isn’t tech support’s fault, it’s a flaw in their system.

  5. @Michael – Outstanding catch! Todd owes you a lot for helping them out once again and hopefully he will give you the credit and courtesy due! Can you imagine the “non”-response you would received if you tried to call that in to “technical support” !

  6. This is still happening and GoDaddy now claims they have a developed a tool to fix it? How do we know they are telling the truth about this based on their previous false statements?

Leave a Comment