GoDaddy Fails Crisis Communications Test

I’m a huge fan of WordPress for building web sites.  I’m also a fan of GoDaddy, although I know many people don’t share my opinion.  If you haven’t heard, WordPress and GoDaddy are very much in the tech news these last couple of days after a massive weekend hack attack that infected untold numbers of WordPress-based sites that are hosted on GoDaddy.

To read more about what happened, check out the coverage on the WPSecurityLock.com blog.

This hack hit me particularly hard, affecting five client sites — three that were live and two more that were being built.  Fixing the problem was time-consuming but not terribly difficult once I figured out the problem.  I’m not writing this post to compete with other coverage of what happened or how it happened.  What interests me from a PR perspective is GoDaddy’s response to this attack.  Here’s the statement from them that has been posted in many places:

Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.

I don’t know who crafted this statement or who it was even directed to, but it doesn’t appear to me that it was crafted by someone with much experience in crisis communications.  First, it’s all I’ve been able to find from them on the issue.  Second, it reads to me like, “We just host your site … we’re trying to figure out what happened, but it’s really your own fault.”

While I agree that, in the end, the security of a site is the responsibility of the site owner, to say that when hundreds of site owners are really ticked off is not a great idea.  Additionally, there’s nothing that can be easily found on the GoDaddy site that addresses the issue.  My experience with GoDaddy has been that their customer service is quite good and their downtime is minimal, but GoDaddy has many detractors.  Here’s an example of what you see on Twitter right now:

These comments are relatively mild compared to what you’ll see in comments on blog posts about this hack attack.

How would I have handled it?  First, a more sensitive statement would have been issued — something that addressed how the company values its customers and is working very hard to figure out how the sites were hacked.  That statement would have been posted on the front page of GoDaddy, as well as on the company’s popular Twitter account.  Regular updates would have also been posted, even if there’s really no progress to report.  Additionally, instructions like those found at WPSecurityLock would have been made available by GoDaddy.  This is all relatively simple stuff to do.

These days people understand that hackers are out there and it isn’t necessarily the fault of the company that made an operating system or is hosting a web site, AS LONG AS the company responds to it appropriately.

UPDATED 5/3/10: There was another attack this past weekend, one week to the day after the first one.  It hit (it appears) most of the same sites plus some non-WordPress sites.  The word from GoDaddy is that the non-WordPress files that were infected were actually part of a site that included some WordPress element.  That’s not the word (pardon the pun) we’re seeing, as many people have come out and said their sites got hit, and WordPress isn’t on their server.  GoDaddy HAS responded this time, with some infection removal procedures.  They’re recommending those who were infected back up their database and customized files, delete WordPress, and reinstall the software.  This doesn’t seem to me like a viable option, as all PHP files on infected sites were affected, and many of the customized files are PHP files.  That said, at least they’re responding publicly now ... however weakly.

9 Responses on “GoDaddy Fails Crisis Communications Test”

  1. Srinivas Rao says:

    Hey dude,

    We put up one of the original posts about the hack. I called GoDaddy tech support 6 times yesterday over the course of the day. What was amazing is that each call which was done multiple times over the day resulted in not one person knowing what the hell I was talking about. It was ridiculous. Anyways, thanks for spreading the awareness of this issue.

  2. Steve Mullen says:

    Thanks for adding to this post. My experience with GoDaddy customer service has, for the most part, been positive. It really just sounds like they’re mishandling this hack attack from the top to the bottom of the organization.

  3. Thanks for spreading awareness and linking to us. Hopefully this situation will be resolved soon.

    We deal with Godaddy on a daily basis while working on client sites. For the most part, their customer service is excellent. Once in a while we may get someone that seems less experienced. But I’ve learned that if you ask the right questions, 9 chances out of 10, you’ll get a better response. For instance, if you know which server error your site is showing, provide this at the beginning of the call. Or if you’re unable to establish a database connection, let them know that right away too. It’s better to be less long-winded and more technical.

    Securely yours,

    Regina Smola

  4. Steve Mullen says:

    Hi Regina — As I’ve mentioned, my experience with GoDaddy customer service has been for the most part positive. Most times they’re able to help me. The response to this hacking attack has been mishandled from the top of the organization, not from the call centers.

    Speaking of call centers, I believe I posted on your blog about my experience with GoDaddy customer service yesterday. I called about something unrelated, but also asked about the response to the hacking attack. The support guy was very helpful with my problem, but knew nothing about the attack. He said my mention of it was the first he’d heard. This is the sort of thing that can’t happen when there are potentially hundreds of irritated customers who want answers.

  5. Yes, Steve. I did see your comment. Thanks for sharing. I completely hear you. I have also heard others say that when they called Godaddy, tech support said they had not heard of it either. It’s unfortunate when this happens. I think they should give an important memo to all technicians letting them know of the situation and how to handle customer calls on the situation. Maybe they did. I have no clue.

    I’m keeping an eye on this forum post for some new updates: http://community.godaddy.com/groups/go-daddy-customers/forum/topic/malware-infection/

  6. Steve Mullen says:

    I agree, Regina — that’s all part of crisis communications … making sure everyone in an organization is speaking with one voice. I didn’t expect the tech support guy to have inside information. I was anticipating something like, “We don’t have any answers just yet, but we’re working around the clock to figure it out.” I didn’t anticipate hearing that the tech guy hadn’t even heard about an attack on his company’s servers that nailed hundreds of sites.

  7. gavacho says:

    It’s not just WordPress, and it’s not just traffic coming from Google. Our Godaddy website was hacked, just like the other reports and it doesn’t use WordPress or anything similar. It’s just a basic PHP site. And the hack worked even with direct access by typing the URL into the browser. WordPress should sue Godaddy for blaming them for Godaddy’s security lapse.

  8. Steve Mullen says:

    Gavacho – This blog post was referring to the attack that happened on April 24. There was another on May 1 that apparently DID affect non-WordPress files. I’ve added an update to this post to address that.

  9. Just wanted to give you an update. Go Daddy is reaching out to its customers more and more. They did a live teleseminar with us on 5/5 and released two new statements, one of which was today.

    http://www.wpsecuritylock.com/exploit-on-wordpress-returns-go-daddy-responds/

    P.S. Maybe you could update our company name to WPSecurityLock in the above paragraph, “Additionally, instructions like those found at WPSecurity would have been made available by GoDaddy.”
