Skip to main content

Website hosted by GoDaddy's Wordpress

Mark Glinski
  • Updated

In this article:

    No severity: Informational
    Factor: Application Security
    Factor weight: Medium

    Why this matters

    We detected that you are running a website site that uses TLS Infrastructure. Early in September, 2021, GoDaddy suffered a data breach that exposed the SSL keys for the GoDaddy Managed Wordpress environment. The breach affects more than 1 million active and inactive Managed WordPress users, who had their email addresses and customer numbers compromised. This exposure could put users in your organization at greater risk of phishing attacks.

     Note: This is one of two informational types related to the GoDaddy September, 2021, breach. See also Website uses GoDaddy TLS certificates.

    How we discovered it

    To determine whether your site is hosted by Managed Wordpress, we do the following during a network scan and web crawl:

    • Check if GoDaddy issued the TLS certificate.
      and
    • Check if X-Server and X-Redirected-By HTTP headers include the value Wordpress.
      or
    • Check for browser requests made to paths that include wp-content  or wp-includes, which denote Wordpress resources.

    How you can remediate it

    Take the following actions to help prevent further compromise:

    • Consult with GoDaddy to find out if your website has been impacted by the breach.
    • Have users in your organization change their website login credentials.
    • Train your organization to recognize and report phishing emails.
    • Rotate your TLS certificates in the event that some of them were compromised.

    How you can resolve it in SecurityScorecard

    Tip: Although this informational issue type does not impact your score, resolving it and providing explanatory comments demonstrates your cybersecurity engagement to organizations that are following your Scorecard.

    When submitting a Resolution request, ensure you include supporting evidence where necessary. This will greatly assist us in ensuring your issue is resolved in a timely manner. See the following options for resolving Website Hosted By GoDaddy's Wordpress findings:

    I have fixed this

    I have a compensating control

    • If your website was deprecated and had no user accounts—even inactive ones—prior to the September GoDaddy breach, indicate this in your comment.

    This is not my IP or domain

    • Indicate that the affected website does not belong to your organization.

    I cannot reproduce this issue and I think it’s incorrect

    • Provide a reason that the finding is inaccurate. 

    Learn more

    Read about the GoDaddy breach:

    Related articles