Go Daddy Responds Over Compromised Hosting Accounts

Redirects inserted into .htaccess files of 445 hosting accounts.

Internet security company Securi wrote a blog post yesterday noting that a number of web sites hosted with Go Daddy’s had been compromised.

According to Securi, the .htaccess file on these sites had compromised and a conditional redirect was inserted. Site visitors coming from a set of pre-determined search engines were automatically forwarded to a malware site.

I reached out to Go Daddy to find out what is going on. Todd Redfoot, Go Daddy Chief Information Security Officer, explained the situation:

Yesterday, Go Daddy’s Security Team detected approximately 445 hosting accounts were compromised. The accounts were accessed by using the account holder’s username and password. Visitors who tried to enter these sites via certain search engines were redirected to a site attempting to install malware onto their computer.

We are still investigating the issue, but so far, our security team is confirming this was not an infrastructure breakdown and should not impact additional customers.

We quickly removed the malicious code and will be assisting each of our customers to address the issue.

I had something similar happen to me several years ago. Since it was on a WordPress blog (not this one) I assumed it was a WordPress problem. As it turned out, someone had actually gotten a hold of the ftp password for the web site.

It might be difficult to detect this type of compromise since web site owners rarely visit their sites from search engines. If you host your site on Go Daddy I recommend visiting from Google to make sure your site isn’t compromised.

You may also need to ask a malware review with Google and major internet security companies if they blocked your site because of the intrusion.


  1. says

    Those numbers do not make much sense. We identified 2,100 GoDaddy sites compromised (and we don’t have access to all GoDaddy sites to check).

    Google blacklisted 573 domains because of that malware and Google is known for being slow to blacklist sites (they don’t crawl all of them every day).

    We can even send them the list we found for them to verify…. So it seems they are trying to minimize what really happened.


Leave a Reply