GoDaddy

GoDaddy (Owner of Sucuri) Still Using Server Software That Was EOL’d Over Six Years Ago

Last week we wrote a post about how the web security company Sucuri was hiding the fact that they are owned by the web host GoDaddy while promoting a partnership program for web hosts. Not mentioning that they are owned by a competitor of companies they are hoping to partner with seems quite inappropriate. It also seems problematic since GoDaddy has long track record of poor security, so that seems like material information that web hosts should have when considering partnering with Sucuri.

One example of GoDaddy’s poor security that we have noted before is that they are using a very out of date version of the database administration tool of phpMyAdmin. It turns out they are still doing that, as we found when doing some work on a client’s website hosted with them. While working on an upgrade we created a new database so that the database would be running a newer version of MySQL required by the new version of the software being upgraded. When we went to import the database we found the phpMyAdmin installation it is tied to is the same really out of date version of phpMyAdmin, 2.11.11.3:

The 2.11.x branch of phpMyAdmin reached end of life on July 12, 2011. After that date not fixes or security fixes were not released, so GoDaddy should not have been running that version after that.

Beyond the security concern with this, you have situation where GoDaddy isn’t even managing to update a customer facing piece of software at least every six years.

It also worth noting that GoDaddy is the employer of the head of WordPress security team (they are paying him for his work in that role). You really have to wonder how, if someone who truly cared much about security, they would be employed by a company that doesn’t seem to care about that. That they are willing to work for GoDaddy might go a long way to explain why the security team of WordPress continues to poorly handle things (it also raises questions about the propriety of having the head of the security team being an employee of a company that could profit off of WordPress seeming insecure).

Sucuri’s Lie of Omission Involving Their Ownership by GoDaddy

Last week we touched on a continued lie from the makers of the Wordfence Security plugin and mentioned the general problem of lying within the security industry. Not every lie involving the security industry involves something that is said, it can also be something not said.

As an example take what we noticed in a recent post by the web security company Sucuri promoting their partnership program for web hosts. What they neglect to mention despite being rather important, as we will get to, is that they are in fact owned by the web hosting company GoDaddy.

But before we get to that, the whole post is cringe worthy if you have followed our posts on the web security company SiteLock, whose business seems to largely built around partnerships with web hosts. Many of those web hosts are run by the majority owners of SiteLock, which might have given GoDaddy the idea to move from a partnership with SiteLock to do the same on their own.

At one of point in the Sucuri’s post they write the following:

We have found that doing active scans of your user base’s websites on a continual basis and doing outreach to help them better understand their security status is helpful in educating customers all while helping gain a better understanding of the overall health of accounts in the environment.

In the case of SiteLock, because SiteLock’s scanner isn’t very good that sort of thing has led to lots of people falsely being told that their websites have been hacked and then offered overpriced services to fix the non-issues. Sucuri’s scanner has also been bad for years, the most recent example of that we documented involved them claiming that Washington Post’s website contained malware. We noticed that while looking into a situation where someone was contacted by their web host with Sucuri’s results falsely claiming that their website hacked, much like they had falsely, but hilariously, claimed of ours not too long ago.

Elsewhere in Sucuri’s post they write:

They want a site that is fully secure and stays that way. From our experience, they don’t care about, or understand ambiguous services and up-sells. If it gets hacked, they want someone else to deal with it now, at an affordable cost. Once cleaned, they don’t want to be hacked ever again.

That isn’t what you are get with Sucuri, if one person that came to us after having Sucuri failed to take care of a credit card compromise on their website. Not only did Sucuri fail to detect an easy spot piece of malicious code, but kept telling them the website was clean despite the person telling Sucuri that credit cards were still being comprised on the website.

That ties in with something in the post:

A good website security provider also requires a customer-first approach that prioritizes time to resolution with respect to each customer’s level of technical ability. As an example, Sucuri is recommended by web professionals for our commitment to providing users with cutting-edge technology and excellent customer service.

Clearly the customer service was terrible in that situation. But the other striking element of this is that we were able to identify the issue without using any “cutting-edge technology”. Also, when it comes to security services, web professional are not necessarily who you would want a recommendation from, since they don’t necessarily have a good idea about security. Certainly any of them recommending Sucuri, based on what we have seen, would be someone that shouldn’t be providing that type of recommendation.

If what another recent example of poor security from Sucuri and GoDaddy take this recent example of Sucuri’s web application firewall (WAF) being bypassed by simply encoding a character as reported by ZDNet. That is an indication that the product is rather poor at what it is supposed to be doing, which isn’t surprising based on everything we have seen from this company (they don’t even seem to understand security basics). This also looks like another situation where they are not being honest, as the article states that:

For its part, GoDaddy said it patched the bug within a day of the security researcher’s private disclosure to the company.

But a quote from the company neglects to mention that it was fixed after they were notified of the issue

“In reviewing this situation, it appears someone was able to find a vulnerable website and manipulate their requests to temporarily bypass our WAF,” said Daniel Cid, GoDaddy’s vice-president of engineering.

“Within less than a day, our systems were able to pick up this attempt and put a stop to it,” he said.

What isn’t mentioned anywhere in the post is that SiteLock is owned by GoDaddy and therefore web host partnering are really partnering with a competitor and possible providing them with sensitive information.

That also isn’t mention on the linked to Sucuri Partner Program page.

What is mentioned there is that this is way for web hosts to make a lot of money:

As we have seen with SiteLock, that doesn’t lead to good things.

You also won’t find mention of the ownership on the about page on Sucuri’s website which states:

Sucuri, Inc. is a Delaware Corporation, with a globally-
distributed team spread over a dozen countries around
the world.

Beyond the fact that web hosts might not want to be partnering with a competitor in this way, there is the issue that GoDaddy has a bad reputation when it comes to security.

One element of that is obliquely mentioned in the Sucuri post when the write:

For example, cross-contamination over multiple shared hosting accounts used to be a major problem for large website hosting providers, but this isn’t really a huge threat today.

One such provider that happened with was GoDaddy, which had ignored attempts by people we were helping to deal those hacks, to get them to do something about it before it became a major issue. GoDaddy then made ever changing claims as to the source of, but notable didn’t blame themselves.

In more recent times there have been issues with them distributing outdated and insecure software to their customers, using outdated and insecure software on their servers, being unable to properly control FTP access to websites, not providing a basic security feature with their managed WordPress hosting, and worst of all, screwing up the security of databases that lead to website that otherwise would not have been hacked, being hacked.

It isn’t really surprising with that type of track record that they would have bought a security company that inadvertently made a good case that you should avoid them. But that all would be a good reason why other web hosts would probably want to avoid getting involved in this if they truly care about their customers and that might be why it goes unmentioned.

123 Reg Sending Out Scammy Emails Based on Baseless SiteLock Risk Assessments

Earlier this month we discussed what seemed to be new attempt to scam people by the web security company SiteLock and their web hosting partners, using a supposed assessment of a website’s likelihood of attack. That post was based on information in an article written by a contributor at Forbes that had been contacted by their web host Network Solutions about the supposed risk of compromise of their website. The author of that article did a very good job of breaking down on how the claimed “comprehensive analysis” leading to risk score seems to be without a basis and we recommend reading that article.

The web host 123 Reg, which is now part of GoDaddy, has now started sending out emails based on the same assessment and the results are equally questionable. We were contacted by someone that received one of these that has a small website built on HTML files, so there is limited ability for it to be hacked when compared to, say, a website using CMS and a lot addons for the CMS. Despite that, the email claims that the “website is at high risk of vulnerabilities or compromise” and that “vulnerabilities are 12 times more likely to be exploited than the average website”, which is completely ridiculous. If you were to believe that there website is at high risk of being exploited then we can’t think of one that you wouldn’t.

Here is the email they are sending out:

Dear [redacted],

We take a proactive approach to protecting our customers’ website security. There are many factors that make a website vulnerable to hackers, and some sites are more vulnerable than others simply because of their software, plug-ins and passwords.

To help you understand where your website may be vulnerable, we have completed an automated scan of your website via the SiteLock Risk Assessment, a predictive model that analyses over 500 variables to determine a website’s likelihood of attack. The Risk Assessment is designed to score a website on a scale of low, medium or high.

After performing a comprehensive analysis of [redcated], we can confirm that your website is at high risk of vulnerabilities or compromise. When a website indicates a high risk score, vulnerabilities are 12 times more likely to be exploited than the average website, according to SiteLock data.

It is important that you act. For £0.99 per month, SiteLock ‘Find’ carries out a daily scan of your website. It can reveal where your website is vulnerable, and discover any malware. For £4.99 per month, SiteLock ‘Fix’ can also remove the malware from your site.

Find out more about SiteLock from 123 Reg

Alternatively, you can call us on 0330 221 1007 for more information.

Good website security comes down to teamwork. Here at 123 Reg, we do everything we can to keep your website safe server-side, and we urge you to do the same. A security breach can undo years of hard work in a matter of minutes. That is why, as a security precaution, we recommend you always upgrade outdated software like web applications or plugins to the latest versions when available.

Kind regards,

123 Reg Team

Based on everything we have seen so far these seems to be a rather naked attempt to sell security services based on scaring customers of web hosts under the guise of providing serious analysis of the security risk of the website. What makes it worse is that from what we have SiteLock services are not very good at providing protection, so the end result wouldn’t even be a good one even if the means is quite bad (as well as the company not doing much to help improved security for everyone in comparison something like our Plugin Vulnerabilities service).

One of the other people that received one of these emails raised another issue with them:

cheers @123reg, but I use your automatic installer with auto updates turned on, so if anything is insecure and outdated… pic.twitter.com/1FXWeanNf8

— Adam Hay (@antireality) August 31, 2017

It should go without saying that no company involved with security should be doing something like this. SiteLock already has a well earned reputation for this type of thing. Who seems like they should be taking more heat for this is GoDaddy, as not only are they multi-billion dollar company, but they also provide security services under the brand Sucuri (which has lots of issues of its own).

Security Plugins and Plugins by Automattic Haven’t Been Updated To List Them as Compatible With WordPress 4.8

Back on May 31 we received an email from WordPress.org asking us, as developers of several plugins, to make sure that the plugin were listed as being compatible with the then upcoming WordPress 4.8. The beginning of the message reads:

Hello, White Fir Design!

WordPress 4.8 is scheduled to be released on June 8. Are your plugins ready?

After testing your plugins and ensuring compatibility, it only takes a few moments to change the readme “Tested up to:” value to 4.8. This information provides peace of mind to users and helps encourage them to update to the latest version.

As scheduled, that version was released on June 8.

While looking at something the other day we noticed that a security plugin had not been updated to list as being compatible with the new version. Looking at the plugins tagged security it turns out that many haven’t been two weeks after the release of that new version of WordPress. That doesn’t seem to be a great indication as to the state of security plugins, but more striking was that several of the most popular plugins tagged security that have not been updated come from the company Automattic, which is closely associated with WordPress.

First up being Jetpack by WordPress.com, which is tied with 6 other plugins for having the most active installs, 3+ million:

One of those other plugins with the most active installs is another Automattic plugin, which despite shipping with WordPress also isn’t listed with WordPress 4.8:

Getting back to the security tagged plugins, another Automattic plugin not listed as being compatible is VaultPress:

Among the other security tagged plugin that haven’t been updated to be listed as being compatible, you have iThemes Security:

You also have Sucuri Security, which still hasn’t even been listed as being compatible with WordPress 4.7, despite that being released in December:

The parent company of that plugin GoDaddy also hasn’t updated their other plugins to list them as compatible:

Also worth noting, considering SiteLock’s questionable involvement with WordPress, is the SiteLock Security plugin:

The SiteLock 911 Service Offered by GoDaddy Leaves Websites Open to Being Hacked Again

When it comes to cleaning up hacked websites, we are frequently brought in to re-clean websites after another company has previously been brought in and then the website gets hacked again. While it is not always the other company’s fault, what we have found is that almost always it involves a situation where the other company unintentionally or intentionally cut corners with the cleanup.

There are three basic components of a proper cleanup: removing the malicious content, getting the website secure as possible, and trying to determine how the website was hacked. We frequently see that only the first item, removing the malicious content, is done. That can leave the website open to being hacked again (and skipping over trying to determine how the website was hacked can also lead to not finding some of the malicious content that needs to be removed).

All of that brings us to the SiteLock 911 service that GoDaddy offers in conjunction with SiteLock. From what we have seen being brought to get things properly cleaned after this service has been used, corners are cut, leaving websites vulnerable. What isn’t clear if you were to look at the description of the service, is that is the case, so let’s take a closer at how the service is presented.

In describing how the service works they make it sounds like all of the components are happening:

Next we remove every bit of malware from your code. We also close security gaps and the backdoors that hackers use to break into your site.

There are a couple of fairly glaring issues with that. First backdoors would normally not be how hackers break into the website; instead backdoors are placed on the website through a vulnerability and then used to take further actions. If you remove the backdoor, but don’t fix the vulnerability it can just be placed there again. The other problem is that all of that fixing is supposed to happen with files that they copied of off the server and then placed back on the server, but that wouldn’t actually be how you would do much of the securing or determining the source of the hack. The securing usually involves getting the software up to date, which wouldn’t be done by just copying files (and based on what we have seen, isn’t something they do). The determining of the source involves reviewing the log files, which are stored separately on GoDaddy’ servers or in the case at least one type of account are not even stored.

In the FAQ, there is a rather odd answer to the question “Is the cleanup permanent?”:

Unfortunately, no. If the hacker automated the attack, it could keep happening. And SiteLock911 doesn’t protect against future attacks, so your site could get infected again. We offer preventive SiteLock plans with daily scans to keep your website malware-free.

This doesn’t really make any sense, as most hacks are automated and whether it could happen again depends on if the vulnerability that was exploited has been fixed. This answer alone should be a good indication that neither of the companies involved with this service have any idea about the basics of hacked websites (this isn’t the first time we have seen that coming from SiteLock). (The preventative SiteLock plans don’t actually do much, if anything, to protect websites from being hacked either.)

Another FAQ is also rather odd. In response to the question “Is it guaranteed to work?” it is stated that:

SiteLock911 malware cleaner handles most websites with ease but with new malware appearing all the time, there are no guarantees. If you happen to be afflicted with a brand new infection or hack, SiteLock will work with you to make sure your website is restored.

Whether the malware is new or old shouldn’t have any impact on being able to restore a website, instead the only limitation in the ability for a cleanup to restore a website to its previous form is if the hacker has removed or damage files or other content from the website. You can’t restore something that doesn’t exist, so either there would need to be another way to get a copy of the files/content or you can’t restore it. Something being new shouldn’t make a difference.

This seems like it may be a cover for SiteLock’s ongoing issues with damaging websites that they are supposed to be cleaning up at GoDaddy. That seems to be a fairly common issue based on the complaints we have seen on the web and the times we have been brought in to fix things up after them. While we frequently are brought in to re-clean websites after other companies have done a poor job, SiteLock is the only one where we have seen other company leaving behind broken websites. That is one of the many reasons we say that they are by far the worst company in the field.

GoDaddy Still Using phpMyAdmin Version That Hasn’t Been Supported for Over Five and Half Years

Earlier this week we revisited a security issue with a web host that had yet to be resolved nearly two years after we first brought it up, but things can be worse than that.

Back in January of 2014 we pointed out that GoDaddy was still using a version of the database administration tool phpMyAdmin for which support ended in July of 2011. While dealing with an issue on a website hosted with them we noticed that they still are running that version, 2.11.11.3. It is incredible that such a big company would be running outdated and unsupported for over five and half years. You have to wonder what less visible security issues also exist in their systems.

While GoDaddy has a number of different types of accounts, according to their listing of what software is running on them all of the account types that include phpMyAdmin provide outdated versions of it. The newest version they are providing with an account type is 4.0.10.14, which is over a year out of date. They also are using 4.0.8, which is over three years out of date. Finally they are using 3.5.8.2, for which supports ended over three years ago.

When looking at this situation we can’t help but think of the GoDaddy’s partnership of with the security company SiteLock. If we were not already aware of what SiteLock actual does, it would seem very odd that they would not have required GoDaddy to deal with this issue long or ended their partnership, as it would highly irresponsible, at the very least, to be involved with a company that you know is leaving their customers insecure in this way.

Is SiteLock Providing Their Customers Access to All Accounts on GoDaddy Servers?

In looking over complaints about the web security company SiteLock a lot of things come up over and over, take for instance the end of a review of them from earlier this month at the website ConsumerAffairs:

Worst case scenario: a site will become infected with malware. Again, I get the auto-email with no clue to which site is infected. You have to upgrade your account to get it cleaned and then it never stays clean. It continues to get infected every few months and they do nothing to help you prevent or fix it. The one site that I’ve had this happen to, I ended up upgraded to the manual clean & monitoring service. Instead of them cleaning it when it happens, they send that email (you know the one, without any clue as to which domain it is referring) and then I have to call them to request it to be manually cleaned. AGAIN. They don’t just automatically do it, like the service implies. I cannot tell you what a frustrating phone call it is. They have no email or chat support and you are stuck to a phone call with someone who is trying to earn commission and has no interest in supporting you. DON’T USE THEM.

A lot of that isn’t surprising if you follow our blog, as we have discussed that usually when you get in contact with SiteLock you are dealing with a commissioned sales person (and how that looks to lead to untrue information being told to potential customers), the fact they cut corners when doing cleanups and leave websites insecure. It could actually have been worse as this review involved websites hosted at GoDaddy and we have previously discussed instances where websites cleaned through their partnership with SiteLock have left the websites broken.

What was new in this review was the claim of the prior paragraph of the review:

Once I find the account with the issue to reconnect, it is an absolute nightmare to do so. You have to enter the FTP info, then sift through EVERY SINGLE Godaddy site on the server to find yours (I’m not kidding, and I’m sure you can imagine there are a lot of sites on Godaddy’s server – why I have access to every single one of them via SiteLock seems like a security issue in itself). It’s an extremely tedious, SLOW and frustrating process.

It isn’t clear what level of access they are referring to there and what could be done with it, but there shouldn’t be any access to unrelated accounts at all (especially through a security service).

If you have more information on what access they are providing through that please leave a comment on this post or get in touch with us.

GoDaddy Doesn’t Disclose The True Source of SiteLock’s CDN and WAF Services

The last time we discussed GoDaddy’s partnership with SiteLock back in September it involved a situation where SiteLock managed to break a website they were supposed to be cleaning, GoDaddy was partly responsible for the website being hacked, and SiteLock failed to detect that GoDaddy issue due to their failure to do a basic part of a hack cleanup. Based on that an expansion of their partnership doesn’t seem like a good thing, but it is happening.

Today GoDaddy announced that they would now be offering SiteLock’s content data network (CDN) and web application firewall services (WAF) services. What they neglected to mention is that these services are not actually provided by SiteLock, but as we recently discovered, by another company, Incapsula. That is a rather important item to disclose since both of those services involve sending your website’s traffic through someone else’s systems. Having a company you have no involvement with having access to all of your website’s traffic obviously raises some serious issues. Even if you are not concerned with Incapsula having access to your traffic, it looks like SiteLock could switch to another provider at any time without you being aware of it.

Also missing from the press release is any evidence that SiteLock’s WAF actually provides any protection (which we haven’t seen provide elsewhere either). Instead you get unsupported claims as to the protection it supposedly provides. One claim included has actually been indirectly disputed by SiteLock. That claim being that it prevents backdoor access:

Trust that website content will be protected from potentially harmful spam comments, and backdoor access to website files will be blocked.

In previous post we looked at situation where a SiteLock customer using their firewall got hacked again and said that “SiteLock assures me that everything is set up correctly, and that the hacker must have a back door access point. They don’t cover that.”.

If you are actually looking to keep your website then these are things you should focus on, which are not things that any SiteLock services provides. You also would probably be best off not using a web host, like GoDaddy, that partners with SiteLock.

GoDaddy and SiteLock Make a Mess of a Hack Cleanup (And Drop The Ball on Security As Well)

In the complaints about the web security company SiteLock we have seen, one of the things that comes up frequently is the widely variable and often times excessive prices for their services. In some cases the pricing would be within reason if you were getting a high quality service, but as we found while helping to fix a website after SiteLock did a malware removal on it few days ago, you get the opposite of that from them.

This incident involved one of SiteLock’s partner web host, though not one the ones run by the owners of SiteLock. Instead it is GoDaddy, for which we found a couple of security issues on their end while looking into this as well.

What happened in this cases is that SiteLock through GoDaddy was hired to clean up malware on the website. Afterwards though the website was screwed up, with the styling gone and shortcodes showing up on the pages (instead of being processed). GoDaddy told the website’s owner that they would need to have someone update WordPress and re-install the theme they used.

None of this made a whole lot of sense. After removing malware or doing some other cleanup the website should appear as it did before. The theme shouldn’t be missing, unless it had been completely replaced with malicious code (which we have never seen happen). Also a part of a proper cleanup is making the website secure as possible, which would, in part ,involve updating the software on the website.

When we got in to the WordPress admin area to look over things we found that theme actually was still there, but wasn’t activated. The only reason we could think for changing to another theme would be to check if the theme being used was causing the malware to be served up, but after that checking was finished it should be reactivated.

We also found that all of the plugins were deactivated, the same explanation as the theme might explain them being deactivated. But again they should have been reactivated if that was the case. This was more problematic to deal with since we didn’t know which, if any, of the plugins were not active before the cleanup and did not need to be re-activated.

Not only did WordPress still need to be updated, but so did the plugins and themes.

Once we got a handle of those things we were able to bring the website back to working order, but further looking showed that items added by the hacker still existed (and would have allowed them continued wide access to the website) and the vulnerability that could have allowed the hacker access to begin with still existed on the website, so the hacker could have easily gotten back in.

Malicious Administrators and a Vulnerable Plugin

When cleaning up a hacked WordPress website one of thing you want to check for is the existence of users that should not exists, with an emphasis on users with Administrator role, since they have wide ranging access. Sometimes those added accounts are rather obvious, in the case of this website a couple had the email adress “backup@wordpress.org”. While seemly intended to look innocuous, there shouldn’t be any account with email addresses from wordpress.org on a website. Either SiteLock did not spot those or didn’t even do any check for that.

Looking at the details of the users in the database would tell you something more about this. In the following screenshot you can see that for the two account with the “backup@wordpress.org” and one other have the user_registered field not filled in (the others listed there have dates from before the website existed and before the original account on the website was created):

That indicates that the accounts were not created through the normal process in WordPress. One other way to do that is with direct access to the database.

That brings us to another thing that SiteLock missed, one the installed plugins, Revolution Slider, had an arbitrary file viewing vulnerability in the version of the plugin installed (you can check if a website is using a vulnerable version of that and if other plugins have vulnerabilities hackers are targeting using our Plugin Vulnerabilities plugin). Hackers frequently target that type of vulnerability to try to view the contents of WordPress configuration file, wp-config.php. That file contains database credentials for the website, so accessing that could allow a hacker access to the database, which they could then use to add new users.

GoDaddy’s Security Failings

We then went to check to see if the vulnerability was in fact exploitable on the website and we found that connection was dropping when we made the request to exploit it, which looked to be GoDaddy blocking the request. Unfortunately their protection is incredibly easy to evade.

The original request we made was the following, which was stopped:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php

This request was not stopped:

/wp-admin/admin-ajax.php?action=revslider_show_image&img=..%2Fwp-config.php

The only change was that the “/” right before “wp-config.php” has been encoded, changing it to “%2”.

The fragility of such protection seems to pretty common, as earlier this week we found that two WordPress security plugins protection against another vulnerability could bypassed by simply adding and “\” in the right location (the 9 other WordPress security plugins we tested provided no protection).

Remote Database Access

Even if a hacker gets the database credentials by exploiting an arbitrary file viewing vulnerability they still need some method to access the database. In the case of the database for the website remote access is permitted, which allows someone to connect to the database from outside of GoDaddy’s systems. That type of access makes it really easy for a hacker, so it should be disabled by default.

In looking how we could disable remote access to the database, we found that based on their documentation it shouldn’t have even been enabled. The documentation says that you need to enable direct access when creating a database for to connect remotely:

Connecting remotely to a database lets you manage it using tools like MySQL Query Browser,MySQL Workbench, or Microsoft SQL Server Management Studio Express.

If you want to connect remotely to a database, you must enable Direct Database Access when setting it up¹ — you cannot enable it later.

But the database in question is listed as not allowing direct access:

So something isn’t right.

If we didn’t know what SiteLock was up to at this point we would be asking why they had not noticed those problems with the partner GoDaddy’s security and gotten them to fix them, but knowing what they are doing it isn’t surprising they wouldn’t have done that. If anything getting their partners to improve their security would mean less money for them and less money for the partners as well.

If you want a hacked WordPress website cleaned up properly, we are always available to help.

GoDaddy’s Managed WordPress Hosting Fails to Provide Important Security Feature

We were recently brought in to deal with a WordPress website that had been hacked multiple times and just re-hacked. In that type of situation one of the first things that should be done is to review the log files available for the website, since those are likely to provide evidence on how the website is being re-hacked and depending on how far the logs go back, how the website was originally hacked.

One of the big problems we find in being able to review the log files of a hacked website, is that often times web hosts only store the log of HTTP activity for a short period, in some cases less than a days worth of logging is available. One of the better web hosts when it comes to this is GoDaddy. With their standard web hosting accounts using their own control panel, they store about a months worth of logging. When using the cPanel control panel instead, the log is stored for a shorter time period by default, but you can enable archiving, so we can at least make sure it stored for a longer period once we get started on the cleanup.

The website we are dealing with in this case though was in GoDaddy’s Managed WordPress hosting account, which we would find out when the client tried to get access to the log files, does not provide any access to the log files. We are puzzled that they manage to provide that in the standard web hosting accounts, but not not in what would seem to us to be a higher end type of account. The explanation for why they can not provide it, is also puzzling, as they say they can’t provide it because the website is hosted in a shared environment. The other web hosting accounts are also on shared environment and yet they manage to provide them there.

If you are concerned about security we would recommend that you not use their Managed WordPress hosting until they resolve this, since if you were to get hacked, you are going to be missing important information needed to properly clean it up (is worth mentioning that many companies that do hack cleanups either don’t know how to do things properly or are cutting corners and don’t review the log files like they should).

While we were looking over the marketing materials for the service we noticed some security claims that are also worth mentioning. One of the “key features” of the service is that they “keep the bad guys away”:

Keep bad guys at bay Your site gets the personal bodyguard treatment, 24/7. Our security team monitors, thwarts, and deflects so you can rest easy.

Seeing as the website we are dealing with got hit multiple times while using this hosting service, their ability to actually protect the websites is is at least limited.

The ability to protect the website is also contradicted by another feature available in one level of account, which removes malware from the website:

Malware scan & removal Hackers can inject malicious code—malware--into your site to steal info or deface your site. With SiteLock Professional Malware scan (included with Ultimate plan), malware’s found and destroyed before it harms you or your customers.

If they were actually able to protect the websites, as they advertise, then there shouldn’t be any malware getting on the website that needs to be removed.

We would also have wondered about the fact that the company SiteLock would be involved in doing hack cleanups on this service, when they can’t do things properly because the logs are not available, if not for the fact that we have seen that SiteLock doesn’t seem to seem to be interested in properly cleaning up websites and is known for taking advantage of their customers.