Due to the growing popularity of WordPress across the board, there are more and more security incidents affecting different WordPress website hosting companies.
GoDaddy is the most recent example, having just suffered a security breach in its WordPress hosting environment. Last week the company announced that there had been unauthorized third-party access to its Managed WordPress hosting environment, affecting the data of up to 1.2 million active and inactive customers.
WordPress Security Breach on GoDaddy
The Chief Information Security Officer (CISO), Demetrius Comes, announced on November 22, in a filing with the Securities and Exchange Commission (SEC), that on November 17 they had discovered unauthorized access to GoDaddy’s Managed WordPress servers. They determined that the incident had begun on September 6, 2021, and had exposed the data of 1.2 million active and inactive Managed WordPress customers. They had identified suspicious activity in the Managed WordPress hosting environment and immediately started an investigation with the help of an IT forensic firm and contacted legal authorities. A compromised password granted the attackers access to their systems.
The announcement indicated that:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed. The exposure of email addresses presents risk of phishing attacks.
- The original WordPress Admin password that was set at the time of provisioning was exposed. If those credentials were still in use, they reset those passwords.
- For active customers, sFTP and database usernames and passwords were exposed. They reset both passwords.
- For a subset of active customers, the SSL private key was exposed. They are in the process of issuing and installing new certificates for those customers.
Finally, Comes added: “We are sincerely sorry for this incident and the concern it causes for our customers. We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”
As you can imagine, there are plenty of messages on the Internet criticizing GoDaddy, not only for taking 5 days to report the breach, but also for having taken more than 2 months to detect the attack, which presumably began on September 6th. You will also find additional information on what actions you should take, both technically and legally, if you are an affected customer. I don’t even want to think about what a mess this is for GoDaddy and all the customers who may have been affected!
The Importance of Security when Selecting a Hosting Company
When we talk about the key requirements for choosing your WordPress hosting we look at a whole set of factors: compatibility with different versions of PHP, which features and tools it offers to easily manage the WordPress installation, fast loading speed of our pages, efficient support service, and, of course, a reasonable cost.
But let’s not fool ourselves: we often end up relegating the security aspect to the bottom of our priorities. Why? First, because our hosting provider’s security is something we take for granted. But this is absurd, because if there is one thing we know for sure, it is that no computer system is 100% secure. Second, security is difficult to evaluate quickly and easily. It’s only when a security breach occurs that we become aware of possible vulnerabilities.
The security of your website is a bit like your health. If you’re well, you don’t give it much thought. But the day you are unwell, the world comes crashing down on you. Often getting sick is unavoidable, but prevention and early detection can save you a lot of grief. It’s the same with security. If your website is hacked, not only can your business go under, but you can also end up in legal trouble for not having taken the appropriate security measures.
If we want to try to prevent a security breach, what should we expect from our hosting provider?
Something that bores us all is having to update the software we use on our computers. But it’s quite important that we do, as most updates exist precisely to protect us from known vulnerabilities!
For that reason, when you host a WordPress website with a hosting company, make sure it meets the compatibility requirements and runs the software versions recommended by WordPress. Take a look at the official WordPress website to find them. At the time of writing this post, the recommended requirements were:
My recommendation: do not even consider any hosting company that does not meet these requirements.
SSL Availability and Support
The Hypertext Transfer Protocol (HTTP) is a network protocol that defines and standardizes the syntax and semantics of the transactions that take place between the computers that make up a network. In other words, it describes the way a web server communicates with web browsers such as Google Chrome or Mozilla Firefox.
HTTPS refers to the use of HTTP over a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) connection, and it is responsible for encrypting all HTTP messages so that their transmission is secure. When a user submits information to a web server, SSL essentially provides a whole set of layers of protection:
- encryption: if an attacker manages to intercept that information, it will be useless to them, since they cannot decrypt it (but you can).
- data integrity: attackers will not be able to modify the content of the message sent without it being detected.
- authentication: phishing or man-in-the-middle attacks, in which a user provides information to a third party while believing they are talking to somebody else, are avoided because the browser verifies the server’s certificate.
In this way, for example, you ensure that the data of the purchases made on your website cannot be read and/or modified by criminals.
If your website uses SSL, most browsers will display the web URL beginning with https:// and a padlock icon near or in the address bar, giving visitors a visual cue about the safety of the current website.
When looking for a hosting service provider, make sure it supports SSL and check how easy it is to set up.
Backup and Restore
If you ever suffer a malware attack on your WordPress, you will very possibly end up needing to restore an old backup that is free of infected code. For this reason, make sure your hosting provider performs regular and automatic backups of your WordPress website.
Make sure you know:
- Frequency of backups,
- How many backups of your site you have access to,
- Whether you can easily restore all of them on your own or you must request a restore and pay for the service,
- Whether you can perform partial restores of files, folders, email accounts or databases,
- Whether you can access the restoration history.
Protection Against DDoS Attacks
A Distributed Denial of Service (DDoS) attack is a type of attack that attempts to bring down the web server by triggering “a ton” of requests until the server overloads and crashes.
To prevent them, some hosting providers such as SiteGround and Bluehost work with Content Delivery Networks (CDNs) like Cloudflare. CDNs operate global server networks that make it easier to serve data faster and absorb resource-intensive attacks such as DDoS. This helps hosting companies reduce the load on their own servers without having to invest heavily in additional infrastructure. It is highly recommended that you check if your hosting company works with CDNs.
Also make sure that they have protocols prepared for this type of attack, such as:
- Hardware firewalls that filter flood traffic,
- Software firewalls based on iptables with complex functions and traffic monitoring,
- Limits on the number of connections that can be established remotely,
- Checks for high numbers of failed connection attempts from individual hosts, with filtering of those hosts.
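A minimal version of the failed-connection check in the last bullet, added here as an example (not GoDaddy’s, SiteGround’s or any provider’s code): it parses constructed sshd-style log lines and flags source addresses with five or more failed logins inside a ten-minute window, which is the kind of list a provider would feed to its iptables filtering. The log lines, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the style of sshd entries in auth.log (not real data).
SAMPLE_LOG = """\
Nov 17 03:12:01 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51222 ssh2
Nov 17 03:12:03 web1 sshd[2210]: Failed password for root from 203.0.113.7 port 51223 ssh2
Nov 17 03:12:04 web1 sshd[2211]: Failed password for admin from 203.0.113.7 port 51224 ssh2
Nov 17 03:12:06 web1 sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51225 ssh2
Nov 17 03:12:09 web1 sshd[2213]: Failed password for wpadmin from 203.0.113.7 port 51226 ssh2
Nov 17 03:15:30 web1 sshd[2220]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Nov 17 03:16:02 web1 sshd[2221]: Accepted password for alice from 198.51.100.4 port 40011 ssh2
Nov 17 04:40:00 web1 sshd[2300]: Failed password for root from 192.0.2.9 port 60001 ssh2
Nov 17 04:41:00 web1 sshd[2301]: Failed password for root from 192.0.2.9 port 60002 ssh2
"""

# Matches only failed password attempts; "invalid user" lines use a slightly different shape.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2021):
    """Yield (timestamp, source_ip) for every failed-login line.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2021)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]

def hosts_to_block(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources that reach `threshold` failures
    inside any sliding window of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it covers at most `window` of time.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

On the sample, only 203.0.113.7 crosses the default threshold; lowering it to 2 also catches 192.0.2.9, while the single failure from 198.51.100.4 followed by a successful login is left alone.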
Protection Against Malware
Malware, as we have seen in the case of GoDaddy, is malicious software that can affect servers. It can cause a minor infection, such as the theft of certain data, or wipe out an entire database.
It is important to know how your hosting provider controls and checks for this type of attack. How often do they perform scans? Do they have an account isolation system so that, in case of infection, it is contained?
Availability and Uptime
The three pillars of information security are known as the CIA triad (Confidentiality, Integrity, and Availability). The availability and uptime of your website (the percentage of time that a website is active and available) are critical for any website.
Hosting companies have many ways to ensure this availability. For example, some employ RAID technology, hardware redundancy, network redundancy, and even alternate mirror locations. Make sure your hosting provider guarantees you a minimum availability in the service level agreement (SLA) of their terms and conditions. For example, in the case of SiteGround, they guarantee:
5.2. We guarantee network uptime 99.9% on an annual base. If we fall below the guaranteed network uptime, we will compensate you as follows;
- 99.9% – 99.00% uptime: 1 month free hosting
- An additional month of free hosting for every 1% of uptime lost below 99.00%.
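To make the clause above concrete, here is an added example (my own code, not SiteGround’s) that works out how much downtime a 99.9% annual guarantee actually allows, computes a year’s uptime from a constructed list of outages, and maps the result to the compensation tiers quoted above. Reading “every 1% of uptime lost” as full percentage points is my assumption.

```python
from datetime import datetime, timedelta

def year_length(year):
    """Length of a calendar year as a timedelta (leap years included)."""
    return datetime(year + 1, 1, 1) - datetime(year, 1, 1)

def allowed_downtime(guaranteed_percent, year):
    """How much downtime a yearly uptime guarantee actually permits."""
    return year_length(year) * (1 - guaranteed_percent / 100.0)

def annual_uptime_percent(outages, year):
    """Uptime % for `year` from (start, end) datetime pairs.
    Each outage is clipped to the year so incidents spanning New Year are not over-counted."""
    year_start, year_end = datetime(year, 1, 1), datetime(year + 1, 1, 1)
    down = timedelta()
    for start, end in outages:
        s, e = max(start, year_start), min(end, year_end)
        if e > s:
            down += e - s
    return 100.0 * (1 - down / year_length(year))

def free_months(uptime_percent):
    """Months of free hosting under the quoted clause: none at or above 99.9%,
    one month down to 99.00%, then one more per full point below 99.00% (assumed reading)."""
    if uptime_percent >= 99.9:
        return 0
    if uptime_percent >= 99.0:
        return 1
    return 1 + int(99.0 - uptime_percent)

# Constructed sample: two outages in 2021 totalling 10 hours (6 h + 4 h).
SAMPLE_OUTAGES = [
    (datetime(2021, 3, 1, 2, 0), datetime(2021, 3, 1, 8, 0)),
    (datetime(2021, 9, 6, 0, 0), datetime(2021, 9, 6, 4, 0)),
]

if __name__ == "__main__":
    print(allowed_downtime(99.9, 2021))                           # 8:45:36
    print(round(annual_uptime_percent(SAMPLE_OUTAGES, 2021), 3))  # 99.886
    print(free_months(annual_uptime_percent(SAMPLE_OUTAGES, 2021)))  # 1
```

The point to notice is that 99.9% over a year is only about 8 hours and 46 minutes of downtime, so ten hours of outages already puts the provider into the first compensation tier.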
The SLA is another indicator of the investment in infrastructure made by your hosting provider and the commitment they make to guarantee the service.
Security, as I have already mentioned, is like health. Although you can never guarantee absolute control over it, the fewer risks you take, the better. Protecting your site and taking care of its security can prevent major undesirable consequences. And that protection starts with selecting a good hosting provider for your WordPress website.