On 6 September 2021, as yet unknown actors gained access to the data of up to 1,200,000 GoDaddy Managed WordPress customers. GoDaddy noticed the intrusion on 17 November, some 72 days later, and reported it to the SEC five days after that, 77 days after the initial access.
While investigations are still ongoing, we do know that customer email addresses and customer numbers were exposed. Active Managed WordPress customers also had their credentials exposed, including sFTP and WordPress database usernames and passwords, and a subset of customers had their SSL private key exposed as well.
Before we go any further: if you suspect that any of your accounts have been affected, change all of your passwords straight away, including the sFTP and database passwords, since an attacker holding those does not need your WordPress login at all. If your SSL private key was among the exposed data, a password change does nothing for it: generate a new key and have the certificate reissued.
You may also need to inform your own customers about the breach. Breach notification is a legal requirement in many jurisdictions, so check which laws and regulations apply to you and what they compel you to do.
Whether GoDaddy is at fault, we do not know yet – investigations are still ongoing. This, however, is something of a moot point for several reasons.
WordPress security, like all other forms of security, is first and foremost about managing risk
Hackers and security software and specialists are locked in an endless tug of war. Most of the time the rope barely moves. However, new vulnerabilities, new technologies and myriad other things can upset this delicate balance at any point. The balance is usually restored fairly quickly, but that still leaves a window of opportunity, however small, in which damage, sometimes irreparable, can be done.
Because of this, no system is ever completely immune to attack. Service providers are responsible for keeping their side updated and secured, and a good chunk of the responsibility lies with them. That does not mean we are at their mercy: WordPress administrators and owners can still take steps to secure what is under their control and minimize the risk.
WordPress, in particular, depends on several subsystems to function, from the web server, PHP and the database to themes and plugins, each of which may be susceptible to vulnerabilities and attacks. A good WordPress security policy covers all of them and is iterative, addressing security risks and concerns as they arise.
Breaches can take an awfully long time to notice
GoDaddy, one of the biggest hosting companies globally, took 72 days to notice it had been hacked. Seventy-two days might seem like a long time, but an IBM report puts the average time for a company to identify a breach at around 200 days. That makes 72 days look comparatively quick, but a lot can still happen in 72 days.
The truth of the matter is that attackers have turned covering their tracks into an art form, making it difficult for even the largest companies to realize they have been breached. This is exacerbated by the fact that many attackers are well funded, in some cases by states.
You might think a state-backed actor has no interest in your WordPress website, and that is probably true of your site in particular. It can still get caught in the crossfire, and the end result is just as damaging.
While hacks are getting harder to uncover, it all boils down to managing risk, including making sure you have systems in place that log access to resources, so that there is a record to investigate when something does go wrong.
On WordPress, an activity log plugin can make all the difference. The broader the scope of the activity log, the wider the field of view you’ll have on your system – helping you ensure that nothing evades scrutiny.
Our plugin WP Activity Log covers an extensive range of user and system activities and includes many activity log extensions for third-party WordPress plugin support such as WooCommerce. This can put administrators’ minds at ease that every facet of their website is being monitored, drastically reducing the risk of illicit activities flying under the radar.
Another essential plugin worth mentioning is the Website File Changes Monitor plugin for WordPress. It takes a fingerprint of your WordPress website's files every time it scans them and compares the result with previous scans, reporting even the most minute of changes. Bear in mind that a tool like this is only as good as its baseline: take the first fingerprint from an installation you know to be clean, otherwise an attacker's files simply become part of the "known good" state.
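To make the fingerprinting idea concrete, here is a small file integrity monitor written for this article. It is an added example and not the code of the Website File Changes Monitor plugin: it hashes every file under a site root with SHA-256, stores the result as a JSON baseline, and on the next scan reports added, removed and modified files while ignoring a cache directory that would otherwise generate constant noise. The directory tree, the "injected" change and the dropped file are all constructed inside the script so it runs offline.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Directories that change constantly and would only generate noise.
# Illustrative choice for this example; a real deployment tunes the list per site.
NOISY_DIRS = {"wp-content/cache"}


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of one file, read in chunks so large uploads do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest: dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune noisy directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in NOISY_DIRS]
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue  # the target is hashed once, where it really lives
            manifest[(rel_dir / name).as_posix()] = hash_file(full)
    return manifest


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a tiny fake WordPress tree, a clean baseline, then tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "site"
        (root / "wp-includes").mkdir(parents=True)
        (root / "wp-content" / "cache").mkdir(parents=True)
        (root / "wp-content" / "uploads").mkdir()
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (root / "readme.html").write_text("<h1>WordPress</h1>\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // core helpers\n")
        (root / "wp-content" / "cache" / "page.html").write_text("cached copy\n")

        # The baseline lives outside the tree it describes, so it is never hashed itself.
        baseline_file = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_file)

        # Simulated compromise: a core file is tampered with, a PHP file is dropped into
        # uploads, readme.html is deleted, and ordinary cache churn that must NOT be reported.
        (root / "wp-includes" / "functions.php").write_text("<?php // core helpers\n// injected line\n")
        (root / "wp-content" / "uploads" / "wp-cache.php").write_text("<?php // dropped by attacker\n")
        (root / "readme.html").unlink()
        (root / "wp-content" / "cache" / "page.html").write_text("new cached copy\n")

        return compare(load_manifest(baseline_file), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two design points matter more than the hashing itself. First, the baseline file is written outside the monitored tree and should be stored somewhere the web server cannot write, otherwise an attacker who can drop files can also rewrite the "known good" manifest. Second, the exclusion list is a trade-off: pruning the cache directory removes noise, but it also means a file planted there will not be reported, so keep such exclusions as narrow as you can.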
Passwords are literally key to your entire infrastructure
Initial findings indicate that the entire GoDaddy hack was made possible by a single compromised password. Seeing how one password can bring the whole house down shows how much rides on each one.
Of course, we are not speculating about the GoDaddy case, since all the details have not been made available yet. Still, we do know a thing or two about WordPress passwords and how to turn them from a potential liability into your strong suit.
A strong WordPress password security policy that includes mandatory complexity and automatic expiration is a good place to start. You should also block inactive users and lock user accounts after a number of failed login attempts. All of these are easily configurable through WPassword, a plugin that adds some serious punch to your passwords.
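The following example, added here and not taken from WPassword or WordPress core, shows what those policy rules look like as code: a complexity check that also rejects a password found in a (constructed) breach denylist, expiry and dormancy checks, and a login throttle that locks an account after a burst of failed attempts. The thresholds are illustrative values chosen for the example, and the timestamps are passed in explicitly so the behaviour can be exercised without waiting.

```python
import time
from collections import deque
import re

# Policy parameters: illustrative values for this example, not any plugin's defaults.
MIN_LENGTH = 12
MAX_AGE_SECONDS = 90 * 24 * 3600          # force a change after 90 days
INACTIVE_AFTER_SECONDS = 180 * 24 * 3600  # treat an account unused for 180 days as dormant
MAX_FAILURES = 5                          # failures allowed inside the window ...
FAILURE_WINDOW_SECONDS = 15 * 60          # ... before the account is locked
LOCKOUT_SECONDS = 30 * 60

# Constructed denylist standing in for a real breach corpus. In production this would be
# a k-anonymity lookup against a service such as Have I Been Pwned, not a literal set.
LEAKED_PASSWORDS = {"Password123!", "Welcome2021!"}


def complexity_problems(password: str, username: str = "") -> list[str]:
    """Return every rule the candidate password violates; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                           ("digit", r"\d"), ("symbol", r"[^A-Za-z0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label} character")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if password in LEAKED_PASSWORDS:
        problems.append("appears in a breach corpus")
    return problems


def password_expired(last_changed: float, now: float) -> bool:
    return now - last_changed > MAX_AGE_SECONDS


def account_dormant(last_login: float, now: float) -> bool:
    return now - last_login > INACTIVE_AFTER_SECONDS


class LoginThrottle:
    """Lock an account after MAX_FAILURES failed logins inside FAILURE_WINDOW_SECONDS."""

    def __init__(self):
        self._failures = {}      # username -> deque of failure timestamps in the window
        self._locked_until = {}  # username -> unix time at which the lock expires

    def locked_until(self, user: str, now: float):
        """Return the lock expiry for user, or None if the account is not locked."""
        until = self._locked_until.get(user)
        if until is not None and until > now:
            return until
        self._locked_until.pop(user, None)   # expired lock: forget it
        return None

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt; return True if this attempt triggered a lockout."""
        attempts = self._failures.setdefault(user, deque())
        attempts.append(now)
        while attempts and now - attempts[0] > FAILURE_WINDOW_SECONDS:
            attempts.popleft()               # only failures inside the window count
        if len(attempts) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            attempts.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(throttle: LoginThrottle, user: str, password_ok: bool, now: float) -> str:
    """One login decision. password_ok is the result of the caller's password-hash check."""
    # The lock is checked before the password so that a locked account gives the same
    # answer for right and wrong passwords: otherwise the lockout leaks which guess was correct.
    if throttle.locked_until(user, now) is not None:
        return "locked"
    if not password_ok:
        return "locked" if throttle.record_failure(user, now) else "failed"
    throttle.record_success(user)
    return "ok"


if __name__ == "__main__":
    now = time.time()
    print(complexity_problems("Password123!", "admin"))
    print(password_expired(now - 100 * 24 * 3600, now))
```

Two caveats that the rules alone do not convey. Complexity and expiry say nothing about whether a password has already leaked, which is why the check above also consults a breach corpus; the GoDaddy incident began with a compromised password, not a weak one. And a lockout keyed only on the username lets an attacker lock legitimate users out on purpose, so real implementations usually key on the username and source address together, or use growing delays instead of a hard lock.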
Of course, two-factor authentication on WordPress, which is fast becoming as ubiquitous as passwords themselves, is critical to ensuring account security. WP 2FA offers a fully customizable approach to WordPress two-factor authentication, helping you protect your users and your WordPress site without having to reinvent the wheel. Note that 2FA protects the WordPress login; sFTP and database credentials are not covered by it and still need rotating on their own.
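Since most WordPress 2FA setups use time-based one-time codes from an authenticator app, the example below, written for this article and not taken from WP 2FA, implements the RFC 4226/6238 algorithm those apps and the server share: HMAC-SHA1 over a counter derived from the current 30-second step, dynamic truncation to six digits, and a server-side verifier that tolerates one step of clock drift but refuses a replayed code. The secret used is the published RFC 6238 test key, so the expected codes are known.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)          # keep leading zeros


def totp(secret: bytes, unix_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the current time step."""
    return hotp(secret, int(unix_time // step))


def verify_totp(secret: bytes, code: str, unix_time: float,
                last_counter=None, window: int = 1, step: int = STEP_SECONDS):
    """Server-side check of a submitted code.

    Accepts the current step and +-window neighbouring steps to absorb clock drift.
    Returns the matching counter so the caller can persist it and pass it back as
    last_counter next time, which makes a captured code unusable a second time.
    Returns None when nothing matches.
    """
    if len(code) != DIGITS or not code.isdigit():
        return None
    current = int(unix_time // step)
    for counter in range(current - window, current + window + 1):
        if last_counter is not None and counter <= last_counter:
            continue  # this step has already been consumed: replay attempt
        if hmac.compare_digest(hotp(secret, counter), code):   # constant-time compare
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (otpauth:// URIs)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                      # restore stripped padding
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    key = b"12345678901234567890"          # RFC 6238 test vector secret
    print(totp(key, 59), verify_totp(key, totp(key, 59), 59))
```

The counter returned by verify_totp is the piece most home-grown implementations forget: without storing it, a code phished or shoulder-surfed within its 30-second window (plus the drift window) can be submitted again by the attacker. The drift window itself should stay small, because every extra step accepted is another code an attacker could guess.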
There is no denying that hosting providers are responsible for security on their end – and they should be held accountable for any failings if these are found. However, there is no guarantee that breaches will not happen. Because of this, we need to look at security as a shared responsibility.
Today, WordPress owners have great resources at their disposal – from information to products and services designed to help them stay secure and safe. When all is said and done, we owe it to our users and customers to keep them safe and must do everything we can to ensure their data is safe with us.