No severity: Informational
Factor: Application Security
Factor weight: Medium
Why this matters
We detected a website in your organization that uses TLS infrastructure and appears to be hosted on GoDaddy Managed WordPress. Early in September 2021, GoDaddy suffered a data breach of its Managed WordPress environment that exposed customers' SSL/TLS private keys. The breach affects more than 1 million active and inactive Managed WordPress users, whose email addresses and customer numbers were compromised. A leaked private key lets an attacker impersonate the site or decrypt intercepted traffic until the certificate is replaced with a new key pair, and the exposed contact data puts users in your organization at greater risk of targeted phishing attacks.
Note: This is one of two informational issue types related to the GoDaddy September 2021 breach. See also Website uses GoDaddy TLS certificates.
How we discovered it
To determine whether your site is hosted on GoDaddy Managed WordPress, we do the following during a network scan and web crawl:
- Check whether GoDaddy issued the site's TLS certificate.
- Check whether the X-Redirected-By HTTP response header is present (WordPress sets this header on the redirects it issues).
- Check for browser requests made to paths that include wp-includes, the directory that holds WordPress core resources.
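The following script reproduces these three checks so you can verify the finding against your own site. It is an added example, not SecurityScorecard's scanner code; it assumes the inputs a scanner would see (the certificate issuer in the form Python's ssl.SSLSocket.getpeercert() returns, the HTTP response headers, and the landing page HTML) and ships with constructed sample data so it runs offline. The probe() helper and its "wp-check/1.0" User-Agent are this example's own; the exact header value the scanner matches is not stated on this page, so only header presence is tested.

```python
"""Offline reproduction of the three heuristics behind this finding (added example)."""
import http.client
import socket
import ssl
from html.parser import HTMLParser


class _ResourceCollector(HTMLParser):
    """Collect every src/href a browser would fetch while rendering the page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.urls.append(value)


def issuer_is_godaddy(issuer):
    """Check 1: issuer is the tuple-of-RDN-tuples form from getpeercert()['issuer'].

    GoDaddy names its CAs both "GoDaddy" and "Go Daddy", so spaces are removed
    before the case-insensitive match on organizationName / commonName."""
    for rdn in issuer:
        for attr, value in rdn:
            if attr in ("organizationName", "commonName") and "godaddy" in value.lower().replace(" ", ""):
                return True
    return False


def has_wordpress_redirect_header(headers):
    """Check 2: an X-Redirected-By header is present (WordPress sets it on its redirects).
    Only presence is tested; this page does not state the value the scanner matches."""
    return any(name.lower() == "x-redirected-by" for name in headers)


def wp_includes_resources(html):
    """Check 3: resource URLs containing wp-includes, the WordPress core asset directory."""
    collector = _ResourceCollector()
    collector.feed(html)
    return [url for url in collector.urls if "wp-includes" in url]


def classify(issuer, headers, html):
    """Apply all three checks and report which matched. The finding needs a
    GoDaddy-issued certificate plus at least one WordPress signal."""
    result = {
        "godaddy_issuer": issuer_is_godaddy(issuer),
        "x_redirected_by": has_wordpress_redirect_header(headers),
        "wp_includes_paths": wp_includes_resources(html),
    }
    result["likely_godaddy_managed_wordpress"] = result["godaddy_issuer"] and (
        result["x_redirected_by"] or bool(result["wp_includes_paths"])
    )
    return result


def probe(host, path="/", timeout=10):
    """Gather the three inputs from a live host (network access required; hypothetical helper).
    If the site redirects, pass the final landing path so the HTML check sees real content."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = tls.getpeercert()["issuer"]
    conn = http.client.HTTPSConnection(host, timeout=timeout, context=ctx)
    conn.request("GET", path, headers={"Host": host, "User-Agent": "wp-check/1.0"})
    resp = conn.getresponse()
    headers = dict(resp.getheaders())
    body = resp.read().decode("utf-8", errors="replace")
    conn.close()
    return classify(issuer, headers, body)


# Constructed sample inputs for an offline run; not captured from a real scan.
SAMPLE_ISSUER = (
    (("countryName", "US"),),
    (("organizationName", "GoDaddy.com, Inc."),),
    (("commonName", "Go Daddy Secure Certificate Authority - G2"),),
)
SAMPLE_HEADERS = {"Server": "nginx", "X-Redirected-By": "WordPress", "Location": "https://www.example.com/"}
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://www.example.com/wp-includes/css/dist/block-library/style.min.css">
<script src="https://www.example.com/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.net/analytics.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    print(classify(SAMPLE_ISSUER, SAMPLE_HEADERS, SAMPLE_HTML))
```

Run it as-is for the constructed sample, or call probe("www.example.com") against a host you own. A certificate check alone is not enough to raise the finding: a GoDaddy certificate on a non-WordPress host yields likely_godaddy_managed_wordpress = False, which is the case to cite when disputing the finding.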
How you can remediate it
Take the following actions to help prevent further compromise:
- Consult with GoDaddy to find out whether your website was impacted by the breach.
- Have users in your organization change their website login credentials.
- Train your organization to recognize and report phishing emails.
- Rotate your TLS certificates in case any of them were compromised. Generate a new private key for each replacement; reissuing a certificate over the same key pair leaves an exposed key just as usable to an attacker.
How you can resolve it in SecurityScorecard
Tip: Although this informational issue type does not impact your score, resolving it and providing explanatory comments demonstrates your cybersecurity engagement to organizations that are following your Scorecard.
When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Website Hosted By GoDaddy's WordPress findings:
I have fixed this
- Comment that you have taken recommended remediation actions.
I have a compensating control
- If your website was deprecated and had no user accounts, not even inactive ones, prior to the September 2021 GoDaddy breach, indicate this in your comment.
This is not my IP or domain
- Indicate that the affected website does not belong to your organization.
I cannot reproduce this issue and I think it’s incorrect
- Provide a reason that the finding is inaccurate.
Read about the GoDaddy breach: