WordPress is far more than just blogs. It powers over 42% of all websites. So whenever there's a WordPress security failure, it's a big deal. And now GoDaddy, which is the top global web hosting firm with tens of millions more sites than its competition, reports that data on 1.2 million of its WordPress customers has been exposed.

Recommends

How the top VPNs compare: Plus, should you try a free VPN?

We tested the best VPN services -- focusing on the number of servers, ability to unlock streaming services, and more -- to determine a No. 1 overall. Plus, we tell you whether free VPNs are worth trying.

Read now

In a Securities and Exchange Commission (SEC) filing, GoDaddy's chief information security officer (CISO) Demetrius Comes said they've discovered unauthorized access to its managed WordPress servers. To be exact the breach opened information on 1.2 million active and inactive managed WordPress customers since September 6, 2021. 

This managed service, according to WordPress, is streamlined, optimized hosting for building and managing WordPress sites. GoDaddy handles basic hosting administrative tasks, such as installing WordPress, automated daily backups, WordPress core updates, and server-level caching. These plans start at$6.99 a month. 

Customers had both their email addresses and customer numbers exposed. As a result, GoDaddy warns users that this exposure can put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password, created when WordPress was first installed, has also been exposed. So if you never changed that password, hackers have had access to your website for months.

In addition, active customers had their sFTP and database usernames and passwords exposed. GoDaddy has reset both these passwords. Finally, some active customers had their Secure-Socket Layer (SSL) private key exposed. GoDaddy is currently reissuing and installing new certificates for those customers.

WordFence, a WordPress security company, says in their report, "It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them."

GoDaddy has announced that its investigation is ongoing. The company is contacting all impacted customers directly with specific details. Customers can also contact GoDaddy via its help center. This site includes phone numbers for users in affected countries.

At this time, that's all the information GoDaddy has made public about the breach.

Related Stories:

• GoDaddy Q3 strong as it eyes point-of-sale, omnichannel commerce
• Best WordPress hosting 2021: Top picks for companies

Security

8 habits of highly secure remote workersHow to find and remove spyware from your phoneThe best VPN services: How do the top 5 compare?How to find out if you are involved in a data breach -- and what to do next

• 8 habits of highly secure remote workers
• How to find and remove spyware from your phone
• The best VPN services: How do the top 5 compare?
• How to find out if you are involved in a data breach -- and what to do next