One Million-plus WordPress Websites Hit by GoDaddy Data Breach

Multiple news outlets have reported that over 1 million WordPress websites hosted by GoDaddy have been breached. Data was exposed to hackers for several months. Whether or not your website was affected, you may want to consider these important steps to keep your site’s customer and user data secure.

WordPress is a Content Management System (CMS) that enables users to easily create, update and manage their websites. As the world’s most widely used CMS, it powers nearly half of all websites around the world. GoDaddy, one of the top global WordPress hosting companies, recently reported that 1.2 million customers have had their customer, user and ecommerce data exposed to hackers since September 6, 2021.

How does the GoDaddy breach affect me?

The data in this breach included customer email addresses and numbers, increasing the possibility of phishing attacks for those users. It also included the original admin account password for the original installation. If you’ve never changed the default password since then, hackers have had access to your site for months.

Additionally, sFTP and database usernames and passwords were exposed, along with the Secure Sockets Layer (SSL) private key for certain customers. SSL ensures your site visitors’ data is secured and not visible to hackers. GoDaddy has said they have since rectified both these issues by resetting passwords and issuing new certificates.

What can I do about the GoDaddy data breach?

GoDaddy has said that they are reaching out to customers affected by the data breach. Whether or not your site was included in the breach, however, there are several things you should immediately consider putting into action to protect your website, your customers, and yourself.

1. Shore up your WordPress site security – 5 steps

Whether or not your site was included in the breach, it’s a good idea to review the security settings on your site. Here is a short list of things you should be doing immediately to shore up your security:

  • Reset passwords for anyone with access to your site’s administrative back-end
  • Set up 2-Factor Authentication (2FA) for login
  • Set up additional security functions such as Wordfence
  • Keep security functions updated with the latest definitions
  • Rename the default login page to hide it from would-be hackers

As a WordPress design and development agency, we make these critical steps part of our launch plan for every StitchDX customer. While it’s impossible to completely eliminate the possibility of a site hack, taking these steps leaves our customers’ sites better secured, regardless of their hosting environment.

2. Consider switching from GoDaddy

Unfortunately, this isn’t the first time GoDaddy has dealt with security issues. In 2018, an AWS error exposed data on their servers. In 2020, 28,000 user accounts were breached, and later that year GoDaddy was named in part of a cryptocurrency hack that took down a number of websites they host.

Fortunately, there are a number of alternative hosting platforms that are specifically designed for WordPress. And switching is easier than you might think! As a WordPress development agency, we work with many hosting services (including GoDaddy) and have helped companies migrate from one host to another.

Additionally, certain hosting platforms like SiteGround or WPEngine can help optimize your website and provide further security settings built into their offering.

If you’d like help reviewing your security settings and/or migrating your site, StitchDX can help.
