• GoDaddy Community
  • Managed WordPress Hosting
  • Managed WordPress Hosting

    cancel
    Showing results for 
    Search instead for 
    Did you mean: 

    Shared WordPress hosting and security issues resulting in all co-hosted sites being blacklisted

    I wanted to send the following to someone at GoDaddy via email however there appears to be no option for doing so. I think this may be helpful to others as well and may generate some discussion. Please keep in mind that I have been quite frustrated but I do understand some of the reasons behind what I have observed. What I state is a bit harsh but it is frustration do to low cost staffing of the first level of support. I'm sure if I was raised to a higher support tier, I would not have been so frustrated. I'm hopeful that the right folks at GoDaddy will read this and take actions to improve the services which GoDaddy provides.

    -----------------

    To who it may concern,

     

    I wanted to let you know that I have been in contact with the support team for WordPress hosting over the past few weeks on several occasions. I have not been too pleased with the service that I received. It seems that the folks that I have spoke or chatted with have very little knowledge or no knowledge of WordPress. There also seems to be a near lack of understanding of network security or technical knowledge of shared hosting in general. It is extremely frustrating when some with an IT background speaks to the support folks. People providing support for a product or a service should have a good working knowledge of the product and services that they are supporting. I will go into a few specific examples.

     

    Earlier this month, I wanted to post to my blog by using MS Word to write my post. When I attempted to connect to my WordPress site, I was unable to. I did some research and found that XML-RPC (XML Remote Procedure Call) seemed to not be working properly. After trying a few things, and more research, it appeared that it should be working on my site but it was not. My first contact with support was good in that the individual added a phpinfo script to my site which showed that XML-RPC was indeed turned on and should be functioning.

     

    I contacted support a second time after I still was having no success with XML-RPC for posting. I was told that an issue was found and was resolved so it should be working. It still was not working after the change but we were still giving it a go. At some point, I mentioned that Jetpack was having an issue as  it uses XML-RPC as well. I also provided some information regarding troubleshooting with cURL. At this point the tech told me that I would need to contact my ISP about the issue. I was quite confused and asked why my ISP would have anything to do with GoDaddy hosting. The tech told me that Jetpack is owned by Verizon. I asked really, Verizon owns Jetpack? The tech replied yes they do. I was wondering it they did. After the call, I found that Jetpack is owned by WordPress. I found that WordPress is owned by Automattic so really wondered why the WordPress support guy thought that WordPress was owned by Verizon. I was talking to one of my co-workers about it and they said the tech was probably thinking of a Verizon Jetpack MiFi, which is a piece of hardware. How the tech made the jump from software to hardware is amazing. Obviously the tech was not familiar with WordPress. If they were then they would have never made that leap.

     

    I ended up stumbling upon the reason that XML-RPC was not working on my site. My site had been infected with some mal-ware. I removed the malware from my site. (Most of it, I found out the next day it was not all gone so I needed to remove more the following day.) I contacted support again to give them a heads up that my site was infected and I was in the process of cleaning it up. They told me that they would make a notation on my account. I thought that was quite odd because if someone told me that there was malware on one of my servers, my team would be all over it to make certain that there was mal-ware and if there was, what damage has been done, was any data lost, etc. There seemed to be no concern whatsoever from the tech.

     

    Since having the malware, I installed the Wordfence plug-in to scan my site and identify security issues. I was alerted that my IP Address is blacklisted. Today, I looked into it and found that it is blacklisted due to another site being hosted on the same server as my site. I contacted the support team about it today so they can take some action to let the site owner know or take the site off-line as this is having an impact on all WordPress sites hosted on the same server. The tech had no clue as to where the other site was hosted. He should have been embarrassed to even ask the question. Apparently the tech is unaware of how shared hosting works or even what whois is. I used GoDaddy’s whois service to validate that the site was hosted by GoDaddy and let the tech know. I finally got fed up with the amount of time and lack of knowledge that I was working with when the tech came back and told me that the email that I received was from a plug-in and I would need to coordinate with the developer of the plug-in. I told the tech that this is impacting all WordPress sites hosted on the same server but they still seem to have no idea of the impact or they really did not care.

     

    If the chat messages are saved, I invite someone with knowledge of WordPress and network security to read the chat messages that I had with the support team. They will be able to see that I was extremely patient and that the techs that I chatted with really had little to no idea what they were being told. Perhaps it would be best to call in rather than using the chat feature but I think the level of competence may be only slightly higher with the phone support if at all. My first contact was over the phone which was better but if the tech was only a bit more knowledgeable, he could have resolved my issue quickly and make a sale on the security add-on for cleaning up malware. GoDaddy missed an opportunity. I have learned a bit more of the inner workings of WordPress so it was a win for me. I have found a few ways that mal-ware can infect a WordPress site and what some of the pages do in WordPress.

     

    As a final note, I see a problem with how GoDaddy sees the line between web provider security and site owner responsibility. There is at least one site which is co-hosted on the same IP Address as my site and others which has been compromised. GoDaddy sees this as the site owner’s responsibility and I agree but when GoDaddy knows a site has been compromised then GoDaddy needs to take some action such as notifying the site owner and if the owner does not resolve the issue in a given period of time, the site needs to be taken offline.

     

    Perhaps an even better way to deal with compromised sites on a shared host is to include malware monitoring a clean-up in the price of the hosting instead of a separate add-on. I know that will raise prices but perhaps marketing that GoDaddy cares about more about security than other low cost providers could be an advantage.

     

    Fortunately at this point I am still only using my site for blogging but I am putting together a business plan to transition to a marketplace. When that happens, I will look at other options for hosting. I will still consider GoDaddy but there is a tarnish on how I look at GoDaddy now. If I do add a store to my site, I will look at other offerings which are not shared hosting as I do not want another co-hosted site to have an impact on my site’s reputation.

     

    Thank You