GoDaddy security incident – lessons to learn

The recent incident with GoDaddy should give businesses extra pause for thought when considering who they choose to look after their online assets.

Please note: I’m not revelling in the issues GoDaddy faced here, and I certainly feel sorry for the technicians and support who have been on the front line of dealing with this issue.

Overview

I’m not going to spend much time recapping the recent security incident with GoDaddy, but it certainly looks very serious indeed.

Instead, I want to talk at a high level about how your business needs to think about where its website etc is hosted.

GoDaddy

In my mind, I pigeonhole companies like GoDaddy as ‘cheap and cheerful generalists’. They will:

  • Sell you domain names
  • Host your DNS
  • Sell you website hosting
  • Sell you email hosting

And it’ll be cheap.

Which can seem attractive.

But ‘cheap’ comes at a cost.

When you’re selling cheap, the profit margin is crucial to your business, and corners can be cut (as they certainly were with the latest GoDaddy incident – storing plaintext passwords?!). Security etc is then a bolt-on, nice to have. Which is all well and good, until things go wrong.

The problem with ‘Generalists’

I also have an issue with companies like this, offering website hosting, email hosting etc.

My issue is that these are all really specialist services. You cannot have a weak link in your chain here – you need to have the best services you can afford – and when you are going cheap, you need to be aware of the risks and consequences.

Let’s break it down a little:

Website Hosting

We specialise in WordPress. A lot of companies like GoDaddy host pretty much any type of web tech imaginable – this means that their infrastructure and support are not tuned to the specific needs of WordPress, potentially causing hosting and support headaches for you. This is why we typically recommend WordPress-specific hosting such as WPEngine or Flywheel.

Such WordPress-specific services do not cost much more and are very much better than the platform offered by generalist services. Yes, I know some generalist services also say they specialise in WordPress but really, I don’t think that stacks up to WordPress-specific hosting companies whose infrastructure is built from the ground up to play to the strengths of the WordPress platform.

DNS Hosting

This is one that many businesses forget about. DNS is the lookup process that translates your domain name into an IP address. When people browse your website, the underlying technology has to first use this lookup process.

Like any other cog in the machine, there are good DNS services and bad.

Bad DNS services are a nightmare – because if the domain name lookup is not as reliable as it needs to be, that means people can’t access your website.

This is why we always try to put in place the CloudFlare DNS service for our clients. CloudFlare offers super fast and rock-solid DNS plus many many other useful services (some free, some paid) that can make your website faster, and more secure. Again, this is about making sure every cog in the engine is of high spec.

Email Hosting

Sorry if I sound like a scratched record here but basic services such as GoDaddy have historically been very poor with email. Yes, the mailbox they offer may be cheap, but does it have all the facilities you need? Is it set up with all the anti-spam measures that modern best practices recommend?

Again I only recommend email hosted with specialists – whether that’s Google or Microsoft. You cannot afford to take chances with your business email; it’s an essential service.

Now, in fairness, whenever I’ve looked of late, I’ve seen some generalist services offering Microsoft email etc as an option. Whilst I applaud this, my gut feeling is not to have people like GoDaddy involved here. If you need Microsoft or Google email etc – get it from the horse’s mouth. You want as few ties with a domain name registration company as possible.

Domain Names

Talking of domain names. Historically I used to think that people like GoDaddy/123REG etc were ok just for domain name registration (nothing else, for the reasons above). However, with the latest issue, I don’t think even that is any longer the case. CloudFlare now offer domain name registration so why not use that instead?

The Future

The landscape of ‘which services are best’ changes all the time, so the above list may well be different in 12 months’ time. However, for our managed clients, we handle all of this for them – making transparent and seamless upgrades and migrations wherever possible. Businesses don’t really want to worry about this stuff.

It can be daunting to unpick where your services are (email hosting, domain DNS, website hosting etc) but these are essential assets of your business, and they need to be audited.

If we can help in any way, please get in touch.

Joel

p.s. as a final point I’d say this: nothing is ever fully secure on the Internet – the technology stack is huge with many moving parts, and many potential points of entry to hackers. All we can do is to make the most sensible decisions as to where our key infrastructure is hosted.
