When it comes time for you to create a website for your business, a lot of factors come into play. There are hundreds of sites on the market that are designed to help that process go smoother. But the issue with these uber-convenient website builders is that things commonly go awry. The issues are more serious and go way past design issues or mobile device compatibility. Breached passwords are a major issue when it comes to your business and it carries some serious risks.
Yesterday, November 22nd, 2021, GoDaddy disclosed that an attacker had gained access to the company’s Managed WordPress sites. This attack has affected up to 1.2 million of their WordPress customers. And with GoDaddy’s Managed WordPress accounts making up a large portion of the WordPress ecosystem, the consequences and repercussions loom ahead.
What does this mean?
GoDaddy stored sFTP or “secure file transfer protocol” passwords in ways that could be easily decoded or reversed to plaintext. The attacker had access to emails, customer numbers, and admin passwords. With database access, personally identifiable information is available and the attacker could gain full control of compromised sites. If your website is one where transactions are made, they could successfully perform man-in-the-middle or MITM which intercepts traffic between you and your customer.
How does something like this happen?
According to the report filed with the SEC, the attacker gained access through a compromised password back in September. While it’s noted that GoDaddy took immediate action in an attempt to solve the situation, the attacker had two months of persistence before finally causing a full breach.
What should I do if I have a GoDaddy Managed WordPress site?
If there is ever a breach of passwords with any account you have, the rule of thumb is to treat your account as if it has been compromised until proven otherwise. In light of the severity of the breach, you should take action. Start by changing all of your WordPress passwords or even forcing a password reset. Set up 2-factor authentication wherever possible, this is recommended for apps and sites outside of WordPress too. Be sure to check your site for unauthorized administrator accounts. Failure to do this may result in the attacker still having access to your account. And lastly, be on the lookout for suspicious emails. This could be a last-ditch effort for the attacker to regain access.
Running a business requires a lot of time and energy. Having to worry about the security of your businesses’ website shouldn’t have to be an added stressor. BG Digital Group is blessed with an experienced and knowledgeable web developer. When you choose to build your website with us, you choose peace of mind. If you’re looking to make the switch to better security with your business’ website, please don’t hesitate to give us a call today.
