A few years back I blogged about HostPapa getting hit with a widespread hack that they lied to their customers about, and instead tried to blame on a non-existent WordPress security issue. More than just WordPress sites were affected, so obviously it was not that. It was most likely a cpanel bug that other hosting companies actually let their customers know about, and while they never did admit wrong eventually the sites stopped getting hit, so odds are they just quietly fixed it behind the scenes. However, since lying to your customers is bad form even if you eventually fix the problem, ever since then I have done my best to warn people against hosting with them. There are a ton of decent hosts out there at reasonable prices (my recommendation as always is Hostgator), so in this day and age there is no reason for anyone to go with (or stay with) one that gives crappy service.
A couple of days ago a woman named Kristina Birkhof (@sexypartyanimal) contacted me about helping her dehack her website, highclassbadass.com, since I clean hacked WordPress installations professionally. She said that HostPapa told her
that she could pay them $130.00 to clean the site, or they could delete the site altogether and she could start over. I let her know that the price itself for cleaning a site was not outrageous, and mine might be similar, as I charge $65 USD/hour and I can clean most sites in 1-2 hours. There were also other options I could have offered her, such as a barebones cleaning where I clean the guts and she re-installs a new theme and plugins (which takes me maybe 30 minutes to do). I needed to look at the actual site though in order to be able to know if this site would be an exception to the rule, so I asked her for her cpanel login so I could look into it.
After several tries by each of us to access it, including attempts to reset the password, she finally opened up a support ticket with HostPapa letting them know we couldn’t even get to the files or database to clean them. When she forwarded me their reply I was a bit shocked, as it turns out that HostPapa is claiming that the only way for her to grab a copy of her site, which she wrote and owns, is for her to pay them that $130 fee. This means she cannot clean the site herself (which the tutorial I linked to above teaches people to do for free), she cannot hire someone else to clean it, and she’s not even allowed to grab the site so she can switch hosts, unless she pays $130 to a company with a history of lying to their customers.
Thinking that this just must be someone answering support tickets who didn’t know what they were talking about, I opened up a chat with them, and I got told the exact same thing:
AbhijeetJ 4:51:33 PM I have checked from my end and found that the account is hacked and hence your account is current suspended. Unfortunately, you will not be able to access your cPanel, emails and website until the account is made free from malwares.
Michael VanDeMar 4:52:47 PM We need the cpanel backup to clean it, or at least ftp access.
Michael VanDeMar 4:53:34 PM Have someone run the backup, and put it somewhere we can download it.
AbhijeetJ 4:56:47 PM Unfortunately, we will not be able to access the account. You can either proceed for account reset or purchase our newly launched malware removal tool.
Michael VanDeMar 4:57:14 PM That’s extortion. What if she just wants to switch hosting?
AbhijeetJ 4:58:54 PM Unfortunately, as you are in shared hosting environment, access to the cPanel, FTP, emails and website cannot be provided as the account is infected with malwares.
Michael VanDeMar 5:00:00 PM And you are saying that your customers are not allowed to clean their own sites, is this correct? Their only option is to pay you, a host that has had known insecurities in the past, to clean it?
AbhijeetJ 5:01:02 PM Unfortunately, yes. You can proceed for a malware removal tool or account reset.
Michael VanDeMar 5:01:55 PM And you do realize this is unreasonable, yes? Not allowing people their own data so they can move elsewhere?
AbhijeetJ 5:02:22 PM If you want your data then you can go for a malware removal tool.
AbhijeetJ 5:02:39 PM Once done with it, you will be given access to your website files, databases and emails.
Michael VanDeMar 5:02:47 PM What if we want to use someone else’s malware removal?
AbhijeetJ 5:03:12 PM No, you will not be given access to the cPanel and FTP and hence you will not be able to use it.
So, obviously HostPapa has graduated from simply having shitty customer service to outright ripping off their customers and holding their data hostage. I cannot stress strongly enough how uncalled for and inappropriate this is in today’s hosting market. While I am certain that getting the word out won’t do anything to make Hostpapa see the error of their ways, please do let your friends know not to host there at least, to save them from this kind of harassment.