The Hidden ManageWP Plugin on GoDaddy Managed WordPress Hosting & Other Issues Missing Documentation
UPDATE 11/22/21: GoDaddy Managed WordPress Breached
It would be remiss of me not to update this article with the news of GoDaddy’s WordPress Hosting customers having their accounts breached for over 2 months. It could have been worse, sure. Mistakes happen; I get it. But this was a mistake that was preventable by following best practices.
This company has been around long enough that they should be, at minimum, following “industry best practices” in security. They’ve been around long enough that they should be writing the book on “industry best practices”. Here’s part of the article published by Wordfence Security on November 22, 2021:
This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.
According to the report filed by GoDaddy with the SEC, the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021 at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.
It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.
According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.”
We attempted to contact GoDaddy for comment and to confirm our findings, but they did not immediately respond to our requests for comment.
https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/
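To make the difference in the quoted passage concrete, here is an added example (not from Wordfence or GoDaddy) that stores the same constructed sFTP password two ways: in a reversible form and as a salted scrypt hash. The function names, the record format and the cost parameters are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def store_reversible(password):
    """Weak: an encoding (or encryption whose key sits on the same system) can be undone."""
    return base64.b64encode(password.encode()).decode()


def recover_reversible(record):
    """Whoever can read the record gets the password back without any cracking."""
    return base64.b64decode(record).decode()


def _scrypt(password, salt):
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)


def store_hashed(password):
    """Salted hash: the record can check a login attempt but cannot be reversed."""
    salt = os.urandom(16)  # fresh random salt for every credential
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_hashed(password, record):
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    pw = "constructed-sftp-password"  # constructed sample value
    print("reversible record leaks:", recover_reversible(store_reversible(pw)))
    record = store_hashed(pw)
    print("hashed record:", record)
    print("correct password verifies:", verify_hashed(pw, record))
    print("wrong password verifies:", verify_hashed("guess", record))
```

Because each record gets its own salt, two customers with the same password end up with different stored values, so one stolen record says nothing about the other.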
This tells me that they’re probably not investing in their employees. Either not investing in the best-of-the-best or not employing enough of them. Perhaps they don’t have the best people managing their Security Team, ensuring enough redundancy and checks and balances. Either way, their security is not managed with sufficient expertise and GoDaddy should not be trusted with your websites.
If you had a website on GoDaddy Managed WordPress between September of 2021 and November of 2021, consider your site hacked. Figure out what email address your GoDaddy account is under and go check your email. Full instructions can be found on the Wordfence Blog at https://www.wordfence.com/blog/2021/11/godaddy-breach-plaintext-passwords/
BACK TO ORIGINAL ARTICLE:
This was my first experience with GoDaddy’s Managed WordPress Hosting. I was trying to help a client get an old website updated and wanted to connect it to my ManageWP account where I can monitor and manage all my clients’ websites.
I go to install the plugin from the WordPress Repository and it says it’s already installed and “Active”! What? Hop in FTP… nope, no ManageWP Worker plugin in the folder there either. What gives?
I headed to the GoDaddy Support Chat to find out where the plugin is hidden. SPARE YOURSELF! Don’t bother! It took about 30 minutes of explaining what ManageWP is, that it’s a GoDaddy plugin, and repeating that it must have something to do with it being Managed WordPress Hosting because it’s a “Required Plugin”. I wish I would have saved the transcript because it was classic, but apparently GoDaddy doesn’t give that option (strike #289); I guess they don’t want any evidence!
The person kept telling me that they “cannot help with Plugin issues”, and other inapplicable things like “so you help installing plugins? Here are instructions for installing the Plugins for the WordPress”… just ridiculous. Finally told me to hold for 3-4 minutes to “look into the issue further”; hey, what’s another 4 minutes when I’ve been on the chat for 35 already!
At long last, they came back with an answer to the question…
How do you access the ManageWP Worker plugin on GoDaddy Managed WordPress Hosting?
Add ?showWorker=1 to the end of the plugins’ page URL. So the URL would look like this:
It’s that easy, but this info isn’t documented ANYWHERE. Hence, I wrote a blog article. Hopefully this helps someone and saves you the hour it took me to pull the answer out of GoDaddy Support!
If you’ve arrived here, then you’re likely dealing with a similar scenario; save yourself some time and read on for info on other dumb things that aren’t documented in GoDaddy’s knowledgebase.
Other Noteworthy Issues with GoDaddy Managed WordPress Hosting
No free SSL – No access to add your own
Unlike any other normal hosting company in 2020, GoDaddy does not offer a free SSL certificate option and makes it pretty much impossible for the average person to get a free certificate (well, you can get one, you just can’t install it). Their cheapest option is $80/year, and for those who have a blog that brings in little to no revenue, that’s a lot of money.
Cloudflare does offer a free SSL though, but again, GoDaddy makes it difficult to take full advantage of it. To use Cloudflare’s SSL, you’ll need to actually use Cloudflare’s CDN (which I recommend anyway). Note that if you choose this route, you may end up with a strange warning in your GoDaddy account about your DNS records (see below) and you will be moving all of your DNS record management to Cloudflare. That may sound intimidating, but setting this up is quite easy and there is documentation to guide you.
Going this route, you’ll be using “Flexible SSL”, which only encrypts the data going from Cloudflare to your visitor, but not between your server (where your website resides) and Cloudflare. For most of us, this level of protection is totally adequate. If you have cPanel access, you can also install Cloudflare’s Origin Certificate to use Full SSL instead of Flexible, then everything is encrypted. You can’t if you have GoDaddy’s Managed WordPress hosting though. More info on Flexible vs. Full can be found on Cloudflare.
Can’t access FTP after connecting Cloudflare with Go Daddy Managed WordPress Hosting
Yet another one of GoDaddy’s fun little surprises – and not a surprise like an Edible Arrangement… a surprise like the kind your puppy leaves you while you’re at work.
If you’re accustomed to accessing your site via FTP (SFTP), you’ll suddenly find that you can’t after you connect to Cloudflare. You might get something like:
Error: FATAL ERROR: Network error: Connection timed out
Error: Could not connect to server
So, how do I access my GoDaddy site via FTP when using Cloudflare?
Change the Host name to your site’s IP address instead of the domain. Easy, right?
You may need help finding your IP address in GoDaddy because, of course, it’s totally hidden away. If you have cPanel hosting, it’ll be over in the side bar with all the other site stats. In GoDaddy, you go to Managed WordPress or the Quicklink “Hosting & WordPress”, then click the “Overview” button, then navigate to the Settings tab. In the block labeled “Production Site” (where your WordPress version is listed), click “Show More”.
Now back in FileZilla or whatever FTP program you’re using, change the Host name from the domain name to your IP address. Ta-da!
Just a heads-up, I got the following warning on both Go Daddy sites when accessing via FTP the first time. Even before connecting to Cloudflare’s CDN.
“The server’s host key is unknown. You have no guarantee that the server is the computer you think it is.” Way to instill some confidence, Go Daddy! Such a comforting reassurance that you’re really on top of our site’s security… [obvious sarcasm].
Go Daddy support told me if I suspected I had been hacked (which the one site totally was), go into the Settings tab of My Hosting (same area mentioned above) and click on the SFTP Details, then Change Password. I did that, tried again; same error. Support said to click OK and proceed.
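Rather than clicking OK on faith, you can compare the key the server offers with a fingerprint you obtained some other way. The following is an added example, not part of the original article or anything GoDaddy provides: it computes the OpenSSH-style SHA256 fingerprint from a "host keytype base64" line and checks it against a trusted value. The key bytes and the 203.0.113.10 address are constructed, and it assumes your host will give you the real fingerprint out of band.

```python
import base64
import hashlib
import struct


def constructed_key_line(host, pub):
    """Build a '<host> ssh-ed25519 <base64>' line from constructed (not real) key bytes."""
    key_type = b"ssh-ed25519"
    blob = struct.pack(">I", len(key_type)) + key_type + struct.pack(">I", len(pub)) + pub
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_key_line(line):
    """Return (key_type, blob) from a 'host keytype base64-blob' line."""
    fields = line.split()
    if len(fields) < 3:
        raise ValueError("expected: host keytype base64-blob")
    key_type, blob = fields[1], base64.b64decode(fields[2], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob starts with a length-prefixed copy of the key type; it must agree.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("key type inside blob does not match the line")
    return key_type, blob


def sha256_fingerprint(blob):
    """'SHA256:' followed by the unpadded base64 of SHA-256 over the raw key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_key_matches(line, trusted_fingerprint):
    """True only when the offered key hashes to the fingerprint you already trust."""
    _, blob = parse_key_line(line)
    return sha256_fingerprint(blob) == trusted_fingerprint.strip()


if __name__ == "__main__":
    offered = constructed_key_line("203.0.113.10", bytes(range(32)))
    # Stands in for the fingerprint you would get from your host out of band.
    trusted = sha256_fingerprint(parse_key_line(offered)[1])
    print("same key:", host_key_matches(offered, trusted))
    other = constructed_key_line("203.0.113.10", bytes(32))
    print("different key:", host_key_matches(other, trusted))
```

If the two fingerprints differ, don't accept the key; a mismatch is exactly the situation the warning exists to catch.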
This leads to the final annoyance (for now)… and I have NO solution to offer for this, so this last one is just me complaining.
“We need your help to update DNS”
Since switching to the Cloudflare CDN, the aforementioned settings page gives a red warning in the Domains block.
Well, my A Record is obviously pointing to the site’s IP address because otherwise my site would not be working. PERIOD. I have no answer for this one other than “ignore it”? If you have anything better, please comment below.
“This page isn’t working” HTTP ERROR 431
And I almost forgot one of the most annoying! I can’t navigate the pages within the Go Daddy account using my usual browser (Chrome). Yes, even after clearing the cache, and clearing again plus restarting the computer. So I have to go open a different browser just to get to all these “surprises”.
“If the problem continues, contact the site owner. HTTP ERROR 431”
Contact the site owner? You mean Go Daddy? OK, so if you sit through the hour wait, they’re just going to ask you if you have your computer plugged in and then tell you to go call a plumber or something ridiculous. I did actually try though (contacting Go Daddy, not the plumber) and their answer was “it works fine for us”.
Don’t host your website with Go Daddy! LOL Well, at least not their “Basic” Managed WordPress plans; others might be OK. All the “Managed” part means is that they can manage to install WordPress for you, or maybe just that they “Managed” to tick me off about 6 times in 2 days.
What hosting do I recommend?
That’s tough because none of them are perfect. With Siteground you will certainly get a better service, better support, better… everything really, but your price is going to triple after your intro period. A2 is pretty good too – fast, reasonably priced, decent support (better than G.D.’s for sure) but they definitely aren’t at the forefront of innovation like Siteground; those guys are trying very hard to prove themselves the best-of-the-best in WordPress hosting. Whereas A2 is just like “Hey! We’re still here with all the same tools you’ve gotten to know and love since 1999!”. Sadly, no one has told them yet that’s not a good thing.
I don’t have any personal experience with InMotion or GreenGeeks but I haven’t heard anything bad about either. However, if you’re looking for Managed WordPress Hosting, as in paying a company to actually handle things for you, I’d highly recommend Kinsta, who handles security and hack repairs, etc., all included. Again, no personal experience but if you read the reviews, you’ll see what I’m talking about.
Side note: I’m not an affiliate for any of these companies. I’m not going to include links because I encourage you to go Google them anyway and do your own research before deciding. Everyone’s needs/wants are different, so what’s good for this goose might not be good for your gander.
About the Author
I'm Abby (Armstrong-Lehman) Buzon, Lead Designer & Owner of The Helpful Marketer, based in Medina County, Ohio. I got my start in marketing and website administration in 2010, became a mom in 2015, and left my day job in 2017 to begin The Helpful Marketer. I'm happier than I've ever been and I truly love what I do, so I'm here to share my story and give some marketing tips along the way!