One of the services I offer people is cleaning their WordPress installations of hacks and infections, mostly for those who might not have the time or technical expertise to follow my hacked WordPress cleaning guide. Therefore when something happens that increases the number of people getting hacked, such as when a new exploit is discovered, or a security hole in a large host starts getting exploited (like what happened with Network Solutions last month), I get an increase in the number of people requesting help cleaning things up. This month it started happening with a large number of GoDaddy customers.
When it first started to happen I did some searching around, and noticed that there was some discussion going on about the heightened GoDaddy hacking activity, but at that time everything I read that stated the problem was with GoDaddy customers all had roots pointing back to a single post on a company blog that didn’t offer enough details for me to really see why it was happening there and not other places. Not that WordPress sites on other hosts weren’t still getting hacked, but there has definitely been a higher concentration of instances on GoDaddy. GoDaddy was definitely aware of the issue, and even replied in some threads on the WordPress.org help forum:
GoDaddy.com did send out a notification to customers affected by this issue. Although I know you would prefer not to be linked, I want to avoid flooding the forum. For a step-by-step guide to update WordPress, please visit http://fwd4.me/NGN – Alicia from GoDaddy.com
The link to their “step-by-step guide” to updating WordPress turns out to be nothing more than a link back to WordPress’ own guide to upgrading, and links on how to back up your stuff on GoDaddy. Decidedly not step-by-step imo, and in this case not all that helpful. If the reason your site gets hacked is due to you running an older, insecure version of WordPress, once that happens simply upgrading will not fix the issue. This seems to me to be a bit of a lame response to a serious issue coming from a company that bills itself as the “World’s largest Hosting Provider”.
GoDaddy keeps insisting that the problem is due to outdated WordPress installations, and that staying up to date and site security is the responsibility of the customer, not of GoDaddy. In one sense I completely agree with them. If you run an older version of WordPress that has known security holes in it (i.e. pretty much all versions aside from the most recent) then the odds are that you are going to get hacked. Most of the clients I cleaned from GoDaddy so far were up to date, running version 2.9.2, but this still didn’t mean that it was GoDaddy’s fault, since it is possible for a site to get hacked and no signs show up for months. This means that the sites I was cleaning could potentially have had the hack from an older version, and it only became apparent some time after they upgraded.
The problem is that after doing some very thorough clean up jobs (i.e. wipe and reinstall), and making sure the clients were up to date, all passwords changed, all image files verified as actual images, clean WordPress, clean theme, clean plugins, and hand cleaning the database, I had clients still getting re-hacked.
One client I had was having issues with funky characters in his posts. He would make the post, everything would be fine, and then the next day they would be converted in a way that would make them display as unicode. This was well after I had done my cleaning, and no one should have made any changes to the database since then. My assumption was that GoDaddy themselves were making changes, possibly security upgrades related to the recent hacking waves, and I figured that calling them to see what they had done would be the best bet. In preparation for this I went ahead and logged into the client’s account, and ftp’d into the server just to make sure everything looked like it was in place still. As soon as I did I saw that about 30 minutes before a brand new, non-WordPress, oddly named php file had been dropped into my client’s site.
I downloaded the file and looked at it. I suddenly realized that this was the source file for all of the hacks that were happening. It was named “plan_erich.php”, and had a similar eval(base64_decode( instruction at the top of the file. I modified the code to be able to decrypt it safely, and looked through the output (which you can view here). The script was designed to delete itself as soon as it ran:
$z=$_SERVER["SCRIPT_FILENAME"];
@unlink($z);
Finding this script before it was triggered and deleted itself was raw luck. Catching this file gave a great opportunity to actually track down how these hacks are occurring, and possibly would leave clues that GoDaddy could use to keep it from happening again. Looking at the owner/creator of the file, and matching that timestamp up with the various logs (ftp, ssh, http, mysql, etc) could give GoDaddy the information needed to figure out how the file really got there, instead of just guessing that WordPress was the issue. I have never seen a file like this before, and searching Google for the name yielded no results, so there really was no other information out there available on this. Finding it there was a little like hitting the lottery in that respect, random and very, very good luck.
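The triage described above (spot the dropped file by its eval(base64_decode( marker, then line its timestamp up with the logs) can be scripted. The following Python is an added example, not code from this post or from GoDaddy; the known-file manifest, the webroot contents, the log lines and their times are all constructed for illustration.

```python
import os
import re
import tempfile
from datetime import datetime, timedelta, timezone

OBFUSCATED = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)  # marker from the post
LOG_TS = re.compile(r"\[([^\]]+)\]")  # e.g. [01/May/2010:14:30:00 +0000]

# Constructed access-log lines (documentation IP ranges, invented times).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/May/2010:14:02:11 +0000] "GET / HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/May/2010:14:28:40 +0000] "GET /index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [01/May/2010:14:33:05 +0000] "GET /plan_erich.php HTTP/1.1" 200 0',
]

def find_dropped_php(webroot, known_files, head_bytes=4096):
    """PHP files whose first bytes hold the marker, flagged if not in the manifest."""
    hits = []
    for dirpath, _dirs, names in os.walk(webroot):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, webroot).replace(os.sep, "/")
            with open(full, "rb") as fh:
                head = fh.read(head_bytes)
            if OBFUSCATED.search(head):
                st = os.stat(full)  # owner and mtime are what the logs get matched against
                hits.append({"path": rel, "uid": st.st_uid, "in_manifest": rel in known_files,
                             "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc)})
    return sorted(hits, key=lambda h: h["path"])

def log_lines_near(log_lines, when, window_minutes=10):
    """Log lines stamped within +/- window_minutes of the file's mtime."""
    window, near = timedelta(minutes=window_minutes), []
    for line in log_lines:
        m = LOG_TS.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z")
            if abs(ts - when) <= window:
                near.append(line)
    return near

def demo():
    """Build a constructed webroot, scan it, and correlate the hit with the log."""
    root = tempfile.mkdtemp()
    for rel, body in (("index.php", b"<?php require 'wp-blog-header.php';"),
                      ("plan_erich.php", b"<?php eval(base64_decode($p));")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    drop = datetime(2010, 5, 1, 14, 30, tzinfo=timezone.utc).timestamp()
    os.utime(os.path.join(root, "plan_erich.php"), (drop, drop))
    hits = find_dropped_php(root, known_files={"index.php"})
    return hits, log_lines_near(SAMPLE_LOG, hits[0]["mtime"])
```

On a real account, pass the file list of a fresh WordPress download as `known_files` and run the scan from a copy of the webroot, since the dropped script deletes itself once it executes.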
The problem, however, is that GoDaddy didn’t seem to care. I called and explained to the woman I spoke with exactly what it was that I found and how it could be useful. I told her that matching up that file to the logs could yield some potentially valuable information. She did listen carefully, and I am pretty sure she understood what I was saying, because she asked if she could put me on hold to go talk with someone who might know more. She came back and informed me that she didn’t have permission to look at those logs.
I explained again, in a little more detail, why looking at the section of those logs was very important, and if she didn’t have permission could she please escalate the ticket to someone who did. Again, she put me on hold. This time she came back and told me that they were uninterested in escalating it.
At this point I was a teensy bit amazed at GoDaddy’s lack of concern with the issue. She very kindly informed me that the issue was that the client was running an older version of WordPress, and that we needed to upgrade. Wtf? I went and looked, and made sure that he was indeed still running the 2.9.2 version that I had installed over a week ago (and remember, he was running that version before I ever did anything), and he was. I told her that. She told me that no, she was looking at what the hosting control panel said, and that he was running version 2.6.
That was when it struck me… GoDaddy was claiming that this wave of WordPress hacks was due to clients not upgrading without even bothering to really look at the clients’ sites. The hosting control panel can only report what was installed via the hosting control panel itself. If a client pushes the button to upgrade WordPress from within the WordPress admin section then the hosting control panel will never know.
As amazing as it seems, apparently the entire GoDaddy technical support team is ignorant of this fact. That’s right… the “World’s largest Hosting Provider” doesn’t understand the very basics of how the world’s largest blogging platform works.
Something, probably a hosting configuration, is allowing GoDaddy customers to have their sites hacked, and it isn’t file permissions, insecure passwords, or out of date software. Not being willing to even look when a developer calls to tell you that they found something is completely unacceptable. My suggestion to all GoDaddy hosting customers: bail now, before something happens to your site. This is not a WordPress issue only… although it seems to have targeted WordPress customers first, all sites that use php are at risk. Personally for shared hosting I recommend Hostgator, because I love their tech support (and their servers are very robust), but there are plenty of hosts out there to choose from (Disclosure: I changed the previous link to an affiliate link, although if you’d rather purchase hosting from them without giving me credit that’s fine too, here is a clean link for you: HostGator).
Bob Parsons, I am sorry. Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.
I have been hosting with Godaddy for about 4+ years.
Over the past 1 year there have been issues with CRON JOBS not running consistently. (I run 6 per hour)
They run fine for a few days then die for a few hours.. then fine again for a few hours and die again… totally random and across various websites/scripts (no change in script from when it’s working to when it’s not)
Godaddy accused me of crap coding in the php script which I had double checked by a qualified php expert who said it’s perfect and it’s impossible for it to be the problem.
When the cron jobs stop working they don’t even fire off the email alert (optional) saying that they have failed.
I killed my php file and wrote a simple php script that just logged the time of cron tasks.. guess what same results.. missing events.
Anyway after many many many many phone calls – the Godaddy support team always did the same thing. Reset the hosting account cron manager and boom everything worked fine for about a day.. then it was faulty again. They would always say ‘see it’s working now’ and I would say ‘yes coz you just reset the server but it keeps happening’.
After months of repeating myself and them doing the same thing. They refused to look at the issue properly and check to see if it was a failure on their system. So now I have GIVEN UP.
They have also become very very SLOW and I have tested both their US and EU servers.. and sometimes they just go non-responsive for 5 minutes but then bounce back as if nothing was wrong. Seems like it’s a routing issue.
Either way Godaddy has gone BAD.
Thinking of switching to Bluehost.. hope they are better.
Anyway GODADDY hope you are listening now because your tech support sure as heck does not – bye bye to 8 top websites.
My site was hacked 3 weeks ago and is written with WordPress and Joomla. Hosted by Godaddy and they have not helped at all. My website developer left last year so I don’t know where to start.
Thanks
I was just about to sign up for hosting with GoDaddy to use with WordPress. But I came across your article when I Googled: WordPress with GoDaddy recommend. After reading your article I see GoDaddy is NOT recommended. I appreciate your excellent effort to explain and document what the problem is with GoDaddy + WordPress. I would’ve thought they cared more and had better customer service/IT. I already purchased my domain name through them today but will now get hosting elsewhere.
many thanks,
Loretta
Very nice article. I recently worked for a very small telecommunications company and one of the owners has his own company on the side creating websites. He uses WordPress and I know he does not have any real programming knowledge (neither do I outside of programming course requirements required in college).
He had a few customers call in around the same time about their sites being hacked. Basically someone took their site down and posted the typical “This site hacked by numknutz” banner up. If I had to guess I would think the main issue/exploit lies in WordPress somewhere and possibly Godaddy having less restrictive policies than some other hosts. I think much of the issue lies in people who are similar to this guy, selling services which they really don’t know what they are doing other than filling in templates, etc. A secretary can use MS Word all day but have no clue what a macro is. People like this get hacked and have no idea what is going on so they lean on someone else (Godaddy or other host) to fix it or be the scapegoat. Not that I am defending Godaddy b/c I am not, but in a world full of WYSIWYG apps that do it for you people don’t have the knowledge of what is going on therefore the blame can’t lie with themselves. I doubt many WordPress users even have any clue how to use SQL for database management. If you don’t know how to secure your work you really don’t have any business pretending to be a web developer. WordPress is pretty nice but it does enable many folks to be pretenders at web design/development. If you are serious about charging money for websites I think you should have put in the time/effort to actually learn the basics or the entire process. This way if it does happen to you and you can prove that your webhost is at fault, then more than likely you were smart enough to backup your work and database or at least the people you charged for doing so.
@Ana
I agree that I don’t think that is right what they are doing by changing your settings but at the same time it is very possible they are correct. I recently tested phpBB for use with message boards. It did not take long for there to be a long list of posts/registrations/etc created by robots/spammers and I could see the possibility of this happening as very easy. You should force users to register and complete some form of anti-spam measure like a captcha or else your website would not be readable due to having to filter through spam. I would think that if a host had to go as far as logging into your account and changing settings it would have to be for a good reason else they would not have the need to do so.
@conwayallday – perhaps you should actually read posts thoroughly before commenting. I clean blogs for a living, I am a developer, and these hacks were GoDaddy’s fault.
@conwayallday, your defense of Godaddy on an article that’s almost two years old when you can’t share any of your experience with them as host sounds shady to me.
I’m a webmaster whose sites were hacked at GoDaddy THRICE but never had problems after I transferred them all to another host. The sad part about GD customer service is that they put the blame on the users, which sounds just like you.
I hate godaddy… Below is from a client, about his Joomla site:
——–
I wish I could provide more insight, but don’t know much about this. My perspective is that the site takes too long to open. Perhaps worth mentioning (or not) but the godaddy customer service person mentioned that getting software to convert php files to html may assist reducing load time. I’m not even sure what that means… I might suggest you speak with a customer support person at godaddy – as they’ve always been knowledgeable and helpful to me.
—————-
This is so ridiculous I don’t know whether to laugh or rant. ~Gosh~ let’s just convert all those pesky CMS-type sites to plain old html! What does Joomla need with php anyway?? We-ell, Joomla and WordPress RUN on php for one thing. Any reputable tech support person would know this.
Godaddy is great at SOUNDING helpful but their advice is sometimes beyond ludicrous. They tell you all kinds of crap in the hope that you’ll just quit bothering them.
The funny thing is that when you host with godaddy, their terms of services allow them to take your intellectual property. I just discovered this. For all the problems, anything you post on their site they can take and that specifically includes your intellectual property and copyrighted work.
Netfirms had the exact same problem with their customers (including me and my clients), and their attitude was the same if not worse. All your WordPress sites and those of our clients got hacked; not only did it cause unspeakable embarrassment, we lost clients because of Netfirms’ insecure hosting and the “don’t give a f***” attitude of their staff.
I tried a few times to upload my website to the host provided by Go Daddy – and that is one catastrophe!
As a result, images from my page are not visible, and everything is so bad; CSS is not working as it needs to either. Before, my web site was at 000webhost and everything was working so nicely, perfectly and for free – but they suspended me – they said that my web site was spam. So I decided to fuck off from 000webhost and I bought an account at Go Daddy.
And there I am sure that I threw away my money. Such a complicated service, with such a complicated password procedure and so on. Very difficult to understand how to upload a webpage, photos, and so on – I am now going back to 000webhost and never, never again should I listen to that fucking and stupid Go Daddy host service!
Michael,
I totally agree with you that GoDaddy is not the best place to make a wordpress blog.
However I don’t believe HostGator is great either. I believe that WordPress is the best place to host WordPress blogs (duh) it seems stupid but it is the truth.
I’m hosting with GoDaddy 🙁 And I wanna leave. Should I do that before cleaning, or do it in conjunction? And oh pretty please is that something I can hire you to do? I have both my nonprofit site (http://operationwritehome.org) that’s seriously infected and I’m getting complaints about a screen of Cialis text that flashes on screen….and GoDaddy sent me an email saying my personal blog is compromised (though it doesn’t seem to be as bad). Helllllppppp……
“GoDaddy was claiming that this wave of WordPress hacks was due to clients not upgrading without even bothering to really look at the clients sites.”
Not surprising, as I have found, almost every time I email their support staff with a brief, direct and simple question, that they tend to answer the question either based solely on a word in the subject line, and/or before completely reading my brief, direct and simple question. It’s as though they are from another planet.
“Hot chicks and a strong tits and ass marketing campaign do not make up for apathy in matters of client security and well being.” I also came away with exactly the same impression.
However, I shudder to think what will happen if/when I decide to move my hosting (and other domains that point to my site) to another hosting service.