GoDaddy’s Managed WordPress Data Breach And What You Should Do If It Impacts Your Organization

By:
,

On November 22, 2021, GoDaddy informed the Securities and Exchange Commission (SEC) of a security breach for 1.2 million users on its managed WordPress servers. According to the report, the breach impacted users as far back as September 6, 2021. Let’s review what that means and what your organization should do if you utilize GoDaddy’s hosted WordPress management.

Confirm Whether You Use The Service

  • If your org uses WordPress, that doesn’t mean it is part of the data breach. The breach only impacts organizations and individuals that use GoDaddy’s managed hosting solutions or any of the following resellers that utilize the same service:
    • tsoHost
    • Media Temple
    • 123Reg
    • Domain Factory
    • Heart Internet
    • Host Europe.
  • If your organization uses GoDaddy for domain name registration and/or DNS management, that is a mutually exclusive service and according to GoDaddy is not subject to the data breach.
  • It isn’t unusual to be unsure so if there’s any doubt, reach out to your web developer or IT provider that set up your WordPress site to confirm.

What The Breach Means For Your Organization

  • For active customers, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords for all users, which is good, but there is a risk that malicious files and/or scripts could have been uploaded to your site or database.
  • A smaller number of active users had their SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers and informing them of the change. An SSL certificate is how your website keeps information like credit card numbers and personally identifiable information (PII) secure when interacting with site visitors.
  • IMPORTANT: if you never changed your original WordPress admin password, those credentials were exposed and provided another method for attackers to access the site and steal information and/or inject malicious files or scripts. GoDaddy has reset those passwords for those customers.

What This Isn’t

  • This isn’t a WordPress security breach; meaning, if your website runs on WordPress but you don’t use GoDaddy’s managed hosting, this doesn’t impact your organization.
  • This has no impact on any WordPress.com user accounts, which are mutually exclusive from self-hosted WordPress websites.

What You Should Do If Your Organization Uses GoDaddy’s Managed Hosting

Wordfence.com, a security provider that specializes in WordPress, published a list of actions and tips your organization should implement ASAP. The first point is of utmost importance and is connected to the topic of data breach policies.

  1. If you’re running an e-commerce site, or store PII (personally identifiable information), and GoDaddy verifies that you have been breached, you may be required to notify your customers of the breach. Please research what the regulatory requirements are in your jurisdiction, and make sure you comply with those requirements.
  2. Change all of your WordPress passwords, and if possible force a password reset for your WordPress users or customers.
  3. Change any reused passwords and advise your users or customers to do so as well.
  4. Check your site for unauthorized administrator accounts.
    1. Tip: go to [yourdomainname.org]/ wp-admin/users.php?role=administrator and if you see any unknown or suspicious admin users, take action.
  5. Scan your site for malware using a security scanner.
    1. Tip: reach out to your web developer and/or hosting provider for assistance.
  6. Check your site’s filesystem, including wp-content/plugins and wp-content/mu-plugins, for any unexpected plugins, or plugins that do not appear in the plugins menu.
    1. Tip: reach out to your web developer and/or hosting provider for assistance.
  7. Be on the lookout for suspicious emails – phishing is still a risk, and an attacker could still use extracted emails and customer numbers to obtain further sensitive information from victims of this compromise.

Additional Recommendations

One of the reasons why this data breach is so serious is WordFence discovered what might be best defined as a lapse in good security measures on the part of GoDaddy in the form of storing sFTP usernames and passwords in an unsecure plain text file.

In English, this makes it remarkably easy for hackers to collect and use that information to add malicious files and code to a website. When those credentials are stored securely, the amount of effort it takes to crack them tends to discourage most hackers from trying.

While regular readers know I write about the importance of setting and regularly updating admin accounts with strong passwords, it’s worth pointing out that using password management services, like LastPass.com, can also be used to securely store and use ancillary passwords like these.

About Drew McManus

In addition to my consulting business, I'm also the Principal of Venture Industries Online but don’t let that title fool you into thinking I'm just a tech geek. I bring 20+ years of global broad-based arts consulting experience to the table to help clients break the cycle of choosing one-size-fits-none solutions and instead, deliver options allowing them to get ahead of the tech curve instead of trying to catch up by going slower.

With the vision of legacy support strategy and the delights of creative insights, my mission is to deliver a sophisticated next generation technology designed especially for the field of performing arts. The first step in that journey began in 2010 when The Venture Platform was released, a purpose-designed managed website development solution designed especially for arts organizations and artists.

For fun, I write a daily blog about the orchestra business, provide a platform for arts insiders to speak their mind, lead a team of intrepid arts pros to hack the arts, lead an arts business incubator, and love a good coffee drink.

Leave a Comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Send this to a friend