In a security disclosure published today, GoDaddy says that up to 1.2 million active and inactive customers have been exposed after hackers gained access to its managed WordPress hosting platform. The hack was first discovered by GoDaddy on November 17, 2021.
GoDaddy’s Security Incident Disclosure on November 22, 2021
In the public security incident disclosure released today, Demetrius Comes, GoDaddy Chief Information Security Officer, explained the details of the GoDaddy hack:
“Using a compromised password, an unauthorized third party accessed the provisioning system in our legacy code base for Managed WordPress,” he explains. “Our investigation is ongoing and we are contacting all impacted customers directly with specific details.”
According to the disclosure, GoDaddy determined that beginning on September 6, 2021, the “unauthorized third party” used a compromised password to gain access to the following customer information:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents a risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, GoDaddy reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. GoDaddy reset both passwords.
- For a subset of active customers, the SSL private key was exposed. GoDaddy is in the process of issuing and installing new certificates for those customers.
Am I Affected by the GoDaddy Hack?
According to the disclosure, the hack impacts both current and past customers of GoDaddy’s managed WordPress hosting platform. This includes the Basic, Deluxe, Ultimate, and Ecommerce WordPress hosting plans. The disclosure does not indicate whether other hosting plans were impacted.
What Should I Do If I’m Affected?
If you use GoDaddy to host your WordPress site, we have a few (strong) recommendations:
1. Reset your WordPress admin password.
As a precaution, reset your WordPress password. You can do so from the WordPress login screen located at [yourURL]/wp-admin. Change your password to something that’s strong, unique, and complex. See our WordPress password security tips here.
2. Implement two-factor authentication for WordPress admin accounts.
Using the iThemes Security plugin, activate WordPress two-factor authentication for all your admin-level accounts. Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification.
Two-factor is a FREE feature in the iThemes Security plugin, so download iThemes Security and install it on your WordPress site.
3. Review your website’s security logs to see if there are unexpected logins to admin accounts.
Website security logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach.
WordPress security logs have several benefits in your overall security strategy:
1. Identify and stop malicious behavior. Every day, lots of activity is happening on your site that you may not be aware of. Many of these activities can be directly related to the security of your site. That’s why logging is so important: activities are tracked so that you can know if a hack or breach has occurred.
2. Spot activity that can alert you of a breach. Activities like unrecognized file changes or suspicious user activity may indicate a hack. That’s why it’s so important to know when these activities have occurred, so you can quickly determine whether a breach has happened.
3. Assess how much damage was done. With WordPress security logs, you can see file changes and user activity that may be related to a hack or breach. Logs give you a trail that helps you undo the damage a hacker did, such as inserted malicious scripts or other file changes on your website.
4. Aid in the repair of a hacked site. If your site does get hacked, you will want the best information available to aid a quick investigation and recovery. WordPress security logs can guide you through the timeline of a hack and show everything the hacker changed, from adding new users to adding unwanted pharma ads on your site.
iThemes Security Pro’s WordPress security logs make it easy to track user activity, such as logins, user creation/registration, adding/removing plugins, and changes to posts/pages.
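To make recommendation 3 concrete, here is an added example (not code from the original post or from iThemes) that scans WordPress activity log lines for events inside the exposure window the disclosure gives (September 6 to November 17, 2021): administrator logins from unrecognized IP addresses, newly created administrator accounts, and plugin installs. The line format, the sample entries and the KNOWN_IPS allowlist are constructed assumptions, not the iThemes Security log format.

```python
import re
from datetime import datetime, timezone

# Exposure window from the disclosure: access began 2021-09-06, discovered 2021-11-17.
WINDOW_START = datetime(2021, 9, 6, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 17, 23, 59, 59, tzinfo=timezone.utc)

# Hypothetical line format (constructed for this example, not the iThemes Security log format):
#   <ISO-8601 UTC timestamp> <event> user=<login> role=<role> ip=<address> [key=value ...]
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) user=(?P<user>\S+) role=(?P<role>\S+) ip=(?P<ip>\S+)(?: (?P<extra>.*))?$")

# Constructed sample log lines covering the period before and during the exposure window.
SAMPLE_LOG = """\
2021-08-30T09:12:01Z login_success user=alice role=administrator ip=203.0.113.10
2021-09-07T03:44:19Z login_success user=alice role=administrator ip=198.51.100.77
2021-09-07T03:45:02Z user_created user=backup_admin role=administrator ip=198.51.100.77
2021-09-07T03:46:40Z plugin_installed user=alice role=administrator ip=198.51.100.77 plugin=wp-helper
2021-10-02T14:00:00Z login_success user=bob role=editor ip=203.0.113.11
2021-11-01T08:00:00Z login_success user=alice role=administrator ip=203.0.113.10
"""

# Addresses the site owner recognizes as their own (constructed).
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def suspicious_events(log_text, known_ips=KNOWN_IPS):
    """Return (timestamp, user, ip, reason) for events inside the window that warrant review."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (WINDOW_START <= rec["ts"] <= WINDOW_END):
            continue  # unparseable, or outside the period the disclosure covers
        reason = None
        if rec["event"] == "login_success" and rec["role"] == "administrator" and rec["ip"] not in known_ips:
            reason = "admin login from unrecognized IP"
        elif rec["event"] == "user_created" and rec["role"] == "administrator":
            reason = "new administrator account created"
        elif rec["event"] == "plugin_installed":
            reason = "plugin installed during exposure window"
        if reason:
            findings.append((rec["ts"].isoformat(), rec["user"], rec["ip"], reason))
    return findings
```

Run `suspicious_events(SAMPLE_LOG)` to list the three entries that need a closer look; on a real site, replace SAMPLE_LOG with your exported log and KNOWN_IPS with the addresses you actually log in from.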