The Hidden ManageWP Plugin on GoDaddy Managed WordPress Hosting & Other Issues Missing Documentation

GoDaddy - The worst WordPress Hosting? blog post thumbnail

The Hidden ManageWP Plugin on GoDaddy Managed WordPress Hosting & Other Issues Missing Documentation

UPDATE 11/22/21: GoDaddy Managed WordPress Breached

It would be remiss for me to not update this article with the news of GoDaddy’s WordPress Hosting customers having their accounts breached for over 2 months. It could have been worse, sure. Mistakes happen; I get it. But this was a mistake that was preventable by following best practices.

This company has been around long enough that they should be, at minimum, following “industry best practices” in security. They’ve been around long enough that they should be writing the book on “industry best practices”. Here’s part of the article published by Wordfence Security on November 22, 2021:

This morning, GoDaddy disclosed that an unknown attacker had gained unauthorized access to the system used to provision the company’s Managed WordPress sites, impacting up to 1.2 million of their WordPress customers. Note that this number does not include the number of customers of those websites that are affected by this breach, and some GoDaddy customers have multiple Managed WordPress sites in their accounts.

According to the report filed by GoDaddy with the SEC [1], the attacker initially gained access via a compromised password on September 6, 2021, and was discovered on November 17, 2021 at which point their access was revoked. While the company took immediate action to mitigate the damage, the attacker had more than two months to establish persistence, so anyone currently using GoDaddy’s Managed WordPress product should assume compromise until they can confirm that is not the case.

It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.

According to their SEC filing: “For active customers, sFTP and database usernames and passwords were exposed.

We attempted to contact GoDaddy for comment and to confirm our findings, but they did not immediately respond to our requests for comment.

This tells me that they’re probably not investing in their employees. Either not investing in the best-of-the-best or not employing enough of them. Perhaps they don’t have the best people managing their Security Team, ensuring enough redundancy and checks and balances. Either way, their security is not managed with sufficient expertise and GoDaddy should not be trusted with your websites.

If you had a website on GoDaddy Managed WordPress between September of 2021 and November of 2021, consider your site hacked. Figure out what email address your GoDaddy account is under and go check your email. Full instructions can be found on the Wordfence Blog at


This was my first experience with GoDaddy’s Managed WordPress Hosting. I was trying to help a client get an old website updated and wanted to connect it to my ManageWP account where I can monitor and manage all my clients’ websites.

I go to install the plugin from the WordPress Repository and it says it’s already installed and “Active”! What? Hop in FTP… nope, no ManageWP Worker plugin in the folder there either. What gives?

screen shot of ManageWP Worker plugin showing as already installed and Active with Go Daddy WordPress Hosting
ManageWP Worker Plugin on a GoDaddy Managed WordPress site, showing “Active” but inaccessible from… anywhere.

I headed to the GoDaddy Support Chat to find out where the plugin is hidden. SPARE YOURSELF! Don’t bother! It look about 30 minutes of explaining what ManageWP is, that it’s a GoDaddy plugin, and repeating that it must have something to do with it being Managed WordPress Hosting because it’s a “Required Plugin”. I wish I would have saved the transcript because it was classic, but apparently GoDaddy doesn’t give that option (strike #289); I guess they don’t want any evidence!

The person kept telling me that they “cannot help with Plugin issues”, and other inapplicable things like “so you help installing plugins? Here are instructions for installing the Plugins for the WordPress”… just ridiculous. Finally told me to hold for 3-4 minutes to “look into the issue further”; hey, what’s another 4 minutes when I’ve been on the chat for 35 already!

At long last, they came back with an answer to the question…

How do you access the ManageWP Worker plugin on GoDaddy Managed WordPress Hosting?

You add ?showWorker=1 to the end of the plugins’ page URL. So the URL would look like this:

Screen shot of ManageWP Worker plugin now visible on WordPress Plugins page of a Go Daddy-hosted website

It’s that easy, but this info isn’t documented ANYWHERE. Hence, I wrote a blog article. Hopefully this helps someone and saves you the hour it took me to pull the answer out of GoDaddy Support!

If you’ve arrived here, then you’re likely dealing with a similar scenario; save yourself some time and read on for info on other dumb things that aren’t documented in GoDaddy’s knowledgebase.

Other Noteworthy Issues with GoDaddy Managed WordPress Hosting

No free SSL – No access to add your own

Unlike any other normal hosting company in 2020, GoDaddy does not offer a free SSL certificate option and makes it pretty much impossible for the average person to get a free certificate (well, you can get one, you just can’t install it). Their cheapest option is $80/year, and for those who have a blog that brings in little to no revenue, that’s a lot of money.

Cloudflare does offer a free SSL though, but again, GoDaddy makes it difficult to take full advantage of it. To use Cloudflare’s SSL, you’ll need to actually use Cloudflare’s CDN (which I recommend anyway). Note that if you choose this route, you may end up with a strange warning in your GoDaddy account about your DNS records (see below) and you will be moving all of your DNS record management to Cloudflare. That may sound intimidating, but setting this up is quite easy and there is documentation to guide you.

Going this route, you’ll be using “Flexible SSL”, which only encrypts the data going from Cloudflare to your visitor, but not between your server (where your website resides) and Cloudflare. For most of us, this level of protection is totally adequate. If you have cPanel access, you can also install Cloudflare’s Origin Certificate to use Full SSL instead of Flexible, then everything is encrypted. You can’t if you have GoDaddy’s Managed WordPress hosting though. More info on Flexible vs. Full can be found on Cloudflare.

Can’t access FTP after connecting Cloudflare with Go Daddy Managed WordPress Hosting

Yet another one of GoDaddy’s fun little surprises – and not a surprise like an Edible Arrangement… a surprise like the kind your puppy leaves you while you’re at work.

If you’re accustomed to accessing your site via FTP (SFTP), you’ll suddenly find that you can’t after you connect to Cloudflare. You might get something like:

Error: FATAL ERROR: Network error: Connection timed out
Error: Could not connect to server

So, how do I access my GoDaddy site via FTP when using Cloudflare?

Change the Host name to your site’s IP address instead of the domain. Easy, right?

You may need help finding your IP address in GoDaddy because, of course, it’s totally hidden away. If you have cPanel hosting, it’ll be over in the side bar with all the other site stats. In GoDaddy, you go to Managed WordPress or the Quicklink “Hosting & WordPress”, then click the “Overview” button, then navigate to the Settings tab. In the block labeled “Production Site” (where your WordPress version is listed), click “Show More”.

Now back in Filezilla or whatever FTP program you’re using, change the Host name from the domain name to your IP address. Ta-da!

Just a heads-up, I got the following warning on both Go Daddy sites when accessing via FTP the first time. Even before connecting to Cloudflare’s CDN.

“The server’s host key is unknown. You have no guarantee that the server is the computer you think it is.” Way to instill some confidence, Go Daddy! Such a comforting reassurance that you’re really on top of our site’s security… [obvious sarcasm].

screen shot of ominous FTP warning when accessing Go Daddy site via SFTP.

Go Daddy support told me if I suspected I had been hacked (which the one site totally was), go into the Settings tab of My Hosting (same area mentioned above) and click on the SFTP Details, then Change Password. I did that, tried again; same error. Support said to click OK and proceed.

This leads to the final annoyance (for now)… and I have NO solution to offer for this, so this last one is just me complaining.

We need your help to update DNS

Since switching to the Cloudflare CDN, the aforementioned settings page gives a red warning in the Domains block.

“We need your help to update DNS” 1. Log in to your domain registrar and update the DNS A record to __[site’s IP address]___. 2. Come back here. 3. Refresh status.

Well, my A Record is obviously pointing to the site’s IP address because otherwise my site would not be working. PERIOD. I have no answer for this one other than “ignore it”? If you have anything better, please comment below.

“This page isn’t working” HTTP ERROR 431

And I almost forgot one of the most annoying! I can’t navigate the pages within the Go Daddy account using my usual browser (Chrome). Yes, even after clearing the cache, and clearing again plus restarting the computer. So I have to go open a different browser just to get to all these “surprises”.

“If the problem continues, contact the site owner. HTTP ERROR 431”

Error inside Go Daddy admin account pages. "This page isn’t working   If the problem continues, contact the site owner. HTTP ERROR 431"
“This page isn’t working If the problem continues, contact the site owner. HTTP ERROR 431”

Contact the site owner? You mean Go Daddy? OK, so if you sit through the hour wait, they’re just going to ask you if you have your computer plugged in and then tell you to go call a plumber or something ridiculous. I did actually try though (contacting Go Daddy, not the plumber) and there answer was “it works fine for us”.


Don’t host your website with Go Daddy! LOL Well, at least not their “Basic” Managed WordPress plans; others might be OK. All the “Managed” part means is that they can manage to install WordPress for you, or maybe just that they “Managed” to tick me off about 6 times in 2 days.

What hosting do I recommend?

That’s tough because none of them are perfect. With Siteground you will certainly get a better service, better support, better… everything really, but your price is going to triple after your intro period. A2 is pretty good too – fast, reasonably priced, decent support (better than G.D.’s for sure) but they definitely aren’t at the forefront of innovation like Siteground; those guys are trying very hard to prove themselves the best-of-the-best in WordPress hosting. Whereas A2 is just like “Hey! We’re still here with all the same tools you’ve gotten to know and love since 1999!”. Sadly, no one has told them yet that’s not a good thing.

I don’t have any personal experience with InMotion or GreenGeeks but I haven’t heard anything bad about either. However if you’re looking for Managed WordPress Hosting, as in paying a company to actually handle things for you, I’d highly recommend Kinsta, who handles security and hack repairs, etc, all included. Again, no personal experience but if you read the reviews, you’ll see what I’m talking about.

Side note: I’m not an affiliate for any of these companies. I’m not going to include links because I encourage you to go Google them anyway and do your own research before deciding. Everyone’s needs/wants are different, so what’s good for this goose might not be good for your gander.

Posted in
Photo of Abby Lehman Buzon, owner of The Helpful Marketer

About the Author

Abby Buzon

I'm Abby (Armstrong-Lehman) Buzon, Lead Designer & Owner of The Helpful Marketer, based in Medina County, Ohio. I got my start in marketing and website administration in 2010, became a mom in 2015, and left my day job in 2017 to begin The Helpful Marketer. I'm happier than I've ever been and I truly love what I do, so I'm here to share my story and give some marketing tips along the way!



  1. Jackie on October 6, 2020 at 1:08 pm

    Thank you for this! I came across this same issue (client website on GoDaddy) and could not figure out where it was!

    • Abby Buzon on October 6, 2020 at 2:17 pm

      Yay! I’m so glad I could help!

  2. OldDesertLizard on November 2, 2020 at 3:29 pm

    Abby… I’m on hold with a GoDaddy CSR now, and while waiting (10 minutes while he “researches the problem”) I found your stuff here. Thanks so much for the “?showWorker=1” trick — this saved the day!

    FYI, the GoDaddy ManagedWP Pro 5 account allows you to host up to 5 WP sites AND provides SSL for all of them at no charge.

    • Abby Buzon on November 3, 2020 at 4:49 pm

      Absolutely! I’m glad I could help. Good to know about the Pro account; I still couldn’t ever recommend GoDaddy, but that’s good to know!

  3. Austin Reason on November 3, 2020 at 3:42 pm

    holy craaaaap! I’ve been trying to figure this out for months! Sometimes to add a site to the dashboard you need the connection key instead of WP logins. but with the GoDaddy auto-installed/hidden version, YOU CAN’T FIND THE CONNECTION KEY.

    1,000 thank yous!

    • Abby Buzon on November 3, 2020 at 4:41 pm

      OMG, I know, right!? LOL So glad I could help!!

  4. Sergio on December 30, 2020 at 4:46 pm

    Interesting, thanks. You mention “If you have cPanel access, you can also install Cloudflare’s Origin Certificate to use Full SSL” — I have cPanel with GD, AND, I’m frustrated at how expensive their SSL solutions are.

    What are your thoughts on the complexity of using Cloudfare (or another third party) solution with GD cPanel, especially for someone who is somewhat of a novice?

    • Abby Buzon on December 31, 2020 at 2:30 pm

      If you have cPanel, then you shouldn’t have much problem at all. There’s plenty of documentation on connecting to Cloudflare, so I don’t think you’ll have any issue. You’ll need to have your DNS records managed through Cloudflare, just so you know, you’ll access your domain registration, whether that’s with GoDaddy or or Google Domains, etc. Here’s a YouTube video on setting up Cloudflare CDN if your domain is registered with GoDaddy.
      And then here’s some info on Cloudflare’s free SSL Edge Certificate:

      • Abby Buzon on December 31, 2020 at 2:34 pm

        And that’s it by the way – I think you automatically get the SSL when you connect to Cloudflare. You will need to make sure your site is automatically forwarding HTTP to HTTPS. There’s a setting for this in Cloudflare, but you might also need to add a rule in your HTACCESS file. And then once you’re sure you’re up and running as HTTPS, you might need to go into your website to Settings > General > and change the Site Address and WordPress Address from http: to https:.

  5. Sergio on February 18, 2021 at 10:45 pm

    Sorry for the late reply Abby, and thank you very much for the assist.
    Cloudflare worked out great for what I needed!

    • Abby Buzon on February 20, 2021 at 6:09 pm

      WOOHOO! That’s great to hear Sergio! So glad I was able to help and thanks for coming back to let me know!

  6. Karen F. Ellison on March 13, 2021 at 12:46 am

    Until recently, I had no idea how duped I was using Managed WP on GoDaddy. I’m not a programmer but I taught myself how to use WP years ago and started with GoDaddy 10+ years ago. On my present project, I adopted Astra Pro, Beaver Builder and WooCommerce into my portfolio. I need to move off but stupidly signed up for another 13 months under the Pro 5 plan. I will probably be forced to move this new site somewhere soon. Am open to suggestions. BTW, am a retired American living in Phuket, Thailand and most of my work is charity. Your article confirms that I am not crazy.

    • Abby Buzon on March 13, 2021 at 12:04 pm

      No Karen, you’re not crazy! GoDaddy is awful. Siteground is good but their prices keep going up but their customer service and tech support has been going downhill. A2 is amazing for the price, but they’re not innovating like Siteground is. If you’re on Facebook, there’s a Beaver Builder group that’s amazing. There have been a lot of threads about hosting over the years and there’s a lot of good advice and feedback in there. I don’t have any experience with the big Managed WordPress Hosting companies like WPEngine and Kinsta, or the other popular ones like LiquidWeb and Cloudways, but I know there’s a lot of people in that BB group who have.

  7. Jacques on September 13, 2021 at 5:32 am

    Thank you so much for the advice to add the ?showWorker=1 to the plugins page URL. What a time-saver!!!

    • Abby Buzon on September 13, 2021 at 11:27 am

      Yay! So glad I could help!

  8. Jennifer on September 20, 2021 at 1:14 pm

    OMG! This is amazing! I didn’t much like GoDaddy before and after their “help” on chat I’m actually going to be strongly DIS recommending them to my clients. I have this exact issue – MUST USE plugin? HAH! Then why can’t I use it??? Grrrr. Thank you Abby, you’re amazing!

    • Abby Buzon on September 20, 2021 at 1:28 pm

      Hahahaha! Thank you so much Jennifer! So glad I could help!

  9. Alexandre on April 18, 2022 at 7:23 pm

    Helped me!

Leave a Comment