"We Were Not Hacked," Says Go Daddy

Yesterday I reported on the audacious hack by AnonymousOwn3r on Go Daddy, which knocked out most of the servers in Europe and the US. In a statement released today, Go Daddy claim it's not true. What's going on?

It all kicked off some time yesterday when people on G+ started to complain about their websites being down. Later on, people started posting links to news reports about a hack, in which Anonymous was blamed. I followed the links and wrote the report. Today, a different story is emerging with no clear pr0of of who is to blame one way or the other. The real question is, who are the winners, who are the losers, and what will happen next?

The winners

To some people it seems that Anonymous can do no wrong. Well if your livelihood doesn't depend on your website, and it's not hosted on Go Daddy, you're sorted. Get out the popcorn and watch the fun. But if you've paid for hosting for several years and that's where all your stuff is, it's a different matter. DNS was affected so even having your domain registered there makes you vulnerable... if indeed they were hacked. Go Daddy says,

The service outage was not caused by external influences. It was not a "hack" and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables.

They're very sorry, needless to say. What's interesting is how they handled it; they handed over all their customers to VeriSign to get them back online.

Supporters are gathering round AnonymousOwn3r, egging him on to do it again. Some Anons are even offering support and the notoriety he has gained may spur him on to another attack... assuming he was telling the truth about what happened. At the time of writing, 40 minutes has elapsed since he claimed to have embarked on a hack of Go Daddy. It's still up. It looks like Go Daddy won the Credibility Contest here. VeriSign won the award for trustworthiness and the customers, if they lost at all, it was temporary. Everything is still online.

The losers

Well the biggest one is AnonymousOwn3r. He claimed to have embarked on a hack, pasted details on Pastebin, got Anonymous on side, then failed to deliver. Lesson to learn: don't brag till the deed is done.

Go Daddy is represented in the image above cocking an eyebrow, pursing lips, and looking down on wannabes. If they lost at all, it wasn't much. Being able to recover quickly from an outage, take responsibility for correcting mistakes, and have someone on side to pick up the slack helps. The hack, if it's being attempted at all, may be failing because everything is still at VeriSign.

A client contacted me today to ask if she should move. I said no. Go Daddy had an outage and instead of making excuses they sorted out the problem and put a plan in place to make it less likely to happen in future. Disruptions happen even on the best of servers. I really hope no one suffered too much as a result of the outage.

What will happen next?

Well at the moment, the hacker claims to have got hold of Go Daddy's source code. A lot of what he's saying doesn't add up. Follow this link. Look at the URL. Now check the source code. No hacking took place, that URL trick is easy to fake. As he continues to fail to deliver, he starts to use distraction by posting more stuff on Pastebin but people are noticing. DDoS attacks don't require hacks, they require lots of spammers using Slow Loris and LOIC. He's claiming to be hacking in order to launch a DDoS attack. Something doesn't sound right. Now people are calling him out and questioning his prowess as a hacker. Go Daddy is still up and running.

Get the popcorn

Prediction: nothing happens to Go Daddy, then a witch hunt by disgruntled "fans" track down AnonymousOwn3r and out him for fooling us (okay, me. He fooled me) and failing to provide the lulz. Corrupted router data tables are accepted as the source of the outage and we all get on with our lives.

Anonymous Hacker Takes Down Go Daddy

It's for teh lulz. It's for security tests. It's for no real reason, other than the fact that he could. Anonymous is starting to distance itself from the attack, which took down all the Go Daddy sites when it knocked out the DNS server.

The website hosting and domain registration company Go Daddy has experienced outages that knocked out the websites it was hosting when a hacker used a sql Ldap injection to overcome the DNS servers and shut them down. They tried to play down any sense of emergency but many of the people I know were affected by it and were complaining about it on Google Plus. For business owners who rely on SEO and ecommerce, it was devastating.

Why did this happen?

The DNS -- from technical, policy, and just about every other angle you can name, has become a rickety, obsolete train wreck.

  Adding on masses of new TLDs, DNSSEC, and all the rest, is like piling more floors onto a high-rise version of the Munster Mansion built on a foundation that makes the Leaning Tower of Pisa look well-sited by comparision.  It's time to thank DNS for its hard work, and prepare it to join the other residents of punched-card and magnetic tape heaven. Whether the replacement is a distributed IDONS-type system or something else, the writing has long been on the wall.  Now the walls are caving in. - Lauren Weinstein

Lauren has had a plan to replace DNS with IDONS for a while now. He needs a million dollars to get it off the ground, if anyone can help him out. He reckons that DNS itself is the problem and we need a new system. He knows more than I do about this kind of thing and I defer to his wisdom. The point is, if DNS is a vulnerability in and of itself, we need to replace it with something more robust.

The hacker

The decentralised nature of Anonymous means that I could post anonymously, carry out a hack, and blame Anonymous for it. Bear in mind that I'm not a programmer and am a conservative, law-abiding citizen with a moral streak a mile wide. The point is, this barely coherent chap who may or may not be Portuguese/Brazilian, has claimed to be the security leader. @AnonOpsLegion, an account linked to the Anonymous collective, praised him while @YourAnonNews has tweeted: "Please redirect your godaddy hate to @AnonymousOwn3r says is the 'leader' of Anonymous." Is he an agent provocateur trying to make Anonymous look bad?

The consequences

Being seen as unsafe or unstable can affect your popularity as a host. People who want their businesses to succeed won't stay with a host that lets them down. I've ditched hosts for being unreliable and Go Daddy may lose business because people are afraid of being caught up in the crossfire. Mashable's Christina Warren may have made herself unpopular for praising "the epicness of the hack." She's already been called out for it. She seems to have made the effort to find out more from the horse's mouth. Anonymous Own3r hasn't been terribly cooperative, though.

Wired reports:

Following a day-long Domain Name Service server outage, web hosting provider GoDaddy is letting its competitor, VeriSign, host its DNS servers.

That's got to hurt on a professional level, but it's good business practice to put customers ahead of your pride. Neither VeriSign nor Go Daddy are answering questions but it seems that the servers are under attack and that it's not a glitch.  Asian servers appear to have continued working normally.

Whether or not the hacker's motives are self-serving or for a "higher purpose" is unknown, but he's caused a lot of trouble for people who host with Go Daddy and the consequences will continue for weeks to come.

WordPress on Go Daddy. Is It Worth The Effort?

So you've bought some domains on Go Daddy, now you want to set up a WordPress installation. It's easier to get them to do it but that particular site is a minefield of links to offers that are fiendishly designed to squeeze money out of your pocket. Should you do it yourself or leave it to them?

Go Daddy is an Internet domain registrar and Web hosting company that also sells e-business related software and services. In 2010, it reached more than 45 million domain names under management. Go Daddy is currently the largest ICANN-accredited registrar in the world, and is four times the size of its closest competitor.

- Wikipedia

As of last weekend, they sold their 50 millionth. Although I am an affiliate and genuinely think they offer good service I grouch about them from time to time because I'm accustomed to hosts that offer cPanel or variant thereof and therefore find it awkward to use.

Anyway, while trying to install WordPress for my latest client, TEDxSalford, I ran into a wall of trouble I don't usually have to deal with.

Installation

Grouch #1: you have to set up a config file even though WP offers an interface for doing this. The thing to do is launch the Hosting Control account for that particular domain then go into FTP file management. Click on wp-config-sample.php then look for the edit icon with the button picture near the top of your screen. Click that to open the file. Click inside the file then select all the text, copy it then exit. Near the top of your screen is an icon with a piece of paper and a +. Click on that to create a new file. Paste the text from the sample config file into it. Now fill in the details for your database username, database name, password and host. Your database hostname is NEVER "localhost." Go to your database and near the top of the page you will find 'mysql###.securehost.net' or something similar. In my case it ended with .mywebsite.com. Now you can go back to the installation screen you started at and complete the installation.

Plugins

Grouch #2: Go Daddy offers WP-compatible hosting so they can do it for you. Forget this at your peril because all the things you now have to do manually can be done for you if you ask them to do it. First of all, you now need to go back to your FTP file manager and change permissions on the wp-content folder and its children or you'll have no end of trouble installing the plugins you need to make WordPress work as you want it to.

Support

Grouch #3: never before have I uploaded TinyMCE Advanced only to have it wipe out the default text editor from the Visual tab. Bear in mind that if you ask for help from Go Daddy about a product they have not developed themselves you have to take pains to point out that they are the ones at fault unless you have goofed up in some way. In any case, it's their system that makes what ought to be a straightforward job so flippin' hard. Be as polite as you are firm in your dealings with them. I have to remind myself of this because I have been blown off from time to time when they tried to send me to the product developer instead of taking ownership of the problem.

Nine times out of ten they'll send you a scripted response from an FAQ they have about the problem, but nine times out of ten it's the right one so that's fine. You don't need an individual response when a common one will do.

Find out all you need to know about manually installing WordPress on Go Daddy here.

What happened next

If you want to do it the easy way get Go Daddy to do it for you on WP compatible hosting. I don't think it's worth the aggro to do it any other way. To be fair to them, when they take ownership of a problem they're pretty quick at solving problems and getting you going. This is what they told me to do:

To Install WordPress on Your Hosting Account on a standard hosting plan, follow these instructions:

1. Log in to your Account Manager <http://mya.godaddy.com/default.aspx?prog_id=GoDaddy> .

2. From the My Products section, click Web Hosting.

3. Next to the hosting account you want to use, click Launch.

4. From the Content menu, select Go Daddy Hosting Connection®.

5. Click WordPress.

6. Click Install Now!.

NOTE: The Install Now! button displays only when the selected value application is compatible with one of more hosting plans in your account.

7. Select the domain name you want to use.

8. If you don't have a Go Daddy Community <http://community.godaddy.com> profile, enter a display name, agree to the Community terms of service, and then click Next. You have to scroll down the page to find the Next button.

9. Enter a database description and password, and then click Next.

10. Choose an installation directory, and then click Next.

To install WordPress in your root directory (ie, it displays as soon as someone goes to your domain name), remove any text from this field and leave it empty.

11. Enter the Admin Name, Admin Password, Email and Blog Title for your WordPress installation.

12. Click Finish.

WordPress will be installed to your hosting account with the options you selected within 24 hours. When it is complete, you will receive a confirmation email. It's a much slower way than doing it yourself, but it's a lot less hassle in the long run.

Troubleshooting

When things go wrong for me online, I usually turn to t'internet to find solutions and nine times out of ten, it delivers. This is what to do when your Go Daddy installation on the standard hosting package moves more slowly than an elderly snail.

One thing people seem to do best on t'internet is have a good old moan. Apparently it's to do with relative anonymity: we end up doing and saying things we know we'd never get away with in real life.

It was on a WordPress forum where people were discussing the slow performance of their WordPress installations -- a situation I didn't think I'd be able to resolve without moving hosts -- that I discovered something interesting. Go Daddy apparently has a rep who will show up at discussions in which they are being dissed and give advice to solve the problem.

Anyway, there are three steps to the solution they offer and I'm going to go through them one by one because there are good principles at work here.

1. Identify the problem

Sometimes when a problem occurs we're too busy being annoyed about it to actually find out what is going on. In my case, the site was... I don't want to use the word "running" to describe it. It was crawling slow. Page loading time ws 87 seconds which is the kiss of death for a website.

Go Daddy says:

Every time a visitor goes to your WordPress® blog, the server processes PHP scripts and establishes a database connection—in laymen's terms, it's doing a lot of work. The busier (i.e. the more visitors are browsing) your site is, the slower this process becomes.

Slow page loads are problematic as they discourage visitors from visiting your site. The usual culprits are improperly configured or misbehaving plugins or using images that are hosted on other, slower servers.

Have you noticed that the last update to this was in June of this year? The WordPress forum thread in which I discovered the link is two years old. That means they update this article every once in a while, giving us the latest news as it becomes available.

2. Try some common solutions

Go Daddy offers shared hosting. Dedicated hosting means you get a server to yourself. Go Daddy offers dedicated hosting, too, but obviously this costs more. The advantage is that you have more control over what is on the server and therefore are less likely to suffer slow loading on your web pages. It's an established fact that shared hosting is slower if they have a lot of busy sites on their servers.

WordPress has been aware of the problem with shared hosting for a while and developers have come up with some excellent plungins for us to use. I've uploaded WP-Super-Cache and WP-DBManager. The site now loads like greased lightning. The plugins work by loading your web page as a static HTML page to viewers who are not logged in, but even though I am logged in it's pretty fast.

Go Daddy says:

Consider installing third-party plug-ins like WP-Cache, WP-Super- Cache, and WP-DBManager.

Replace links to external images with images uploaded to your WordPress site.

I took the first piece of advice and the second I've been doing for a while now. Hotlinking can hurt you as much as it does the person you're too lazy to upload the image from because you need it to load where it is for you, then project itself on to your site. Text links to external sites are okay. In fact, I usually set the link to open in a new tab because I don't want people leaving my site. I know they could always hit the back button, but sometimes we can (okay, I can) get a bit lost when we're distracted by the content on another site, particularly if it's interesting or useful.

3. Trial and error

Ah yes, cause and effect. Too often it's easy to yell at people when something goes wrong when we ourselves are the culprits. Too many plugins or extensions on CMS like Joomla, Drupal or WordPress can slow them right down.

Go Daddy says:

• Disable all plugins.


• Re-enable plugins one-by-one to see which causes the slowness.

For help using plugins, see Getting Started with WordPress.

When I use plugins, I only choose the ones I need and use DHTML code in the widgets where I can. It saves me a great deal of hassle.

It's important to remember that while Go Daddy hosts WordPress and offers it as one of their applications programs, they didn't make it themselves and can't be held responsible for their performance.

The point is, don't just moan at them if something goes wrong; look for solutions and report the problem to support if you can't find what you're looking for. It works for me.

Loading time at the installation I was working on dropped from 87 seconds to 25.

Update: the WP- supercache plugin keeps disabling itself so you have to change the settings, then change permissions. The whole thing turns into a Kafka- eque nightmare if you failed to get Linux hosting in the first place. NEVER choose Windows hosting. We had to move this site but there are still a lot of complaints about Go Daddy not working with WordPress even on Linux so you might be better off going elsewhere for hosting for it.