Last updated 12/8/21
Too long; didn’t read:
- The Fall 2021 data breach of 1.2 million plus sites
- Limited number of backups
- No adhoc backups
- Slow staging site creation
- Slow push of staging site to live
- Staging site push to live server doesn’t remove deleted files
- Unable to replace an image by FTP
- Required GoDaddy “mystery” plugins
- Domain Forwarding Fails
- Zone Records Randomly Update to Point to GoDaddy Servers
- Issues with Managing DNS or Updating/Deleting DNS Zone Records
- Long Waits in Chat
- “Free” domain included is free for a limited period
- “Free” SSL certificate becomes very expensive after first year (see below)
- Issues with clearing cache make it difficult to complete work efficiently
- Issues with shared GoDaddy Pro access to client accounts are frequent
- General sloppiness
These notes are based on my first-hand experiences with GoDaddy managed WordPress hosting and GoDaddy tech support. Your mileage may vary, but I have my doubts.
GoDaddy: The “Bargain” Basement of Website Hosting
Historically, GoDaddy has been known for its domain registration and cheap shared web hosting services. While it is reasonably competent at the former, the company’s cheap hosting packages are notorious in the industry for underperformance due to server over subscription— that is, placing too many accounts on a single server and not managing the use of server resources by customers. This situation causes slow, unpredictable website load times that cause financial loses for customers when frustrated visitors prematurely leave their website.
In my experience hacked websites are also more common among GoDaddy’s shared hosting customers than many competitors. Even simple HTML-only websites without programming vulnerabilities, experience intrusions and defacements. This appears to be caused by a combination of poor server maintenance and again lack of management of customer use of those servers.
Overall, GoDaddy’s bargain basement shared hosting was never much of a bargain.
GoDaddy Managed WordPress Hosting
Over the years GoDaddy has made attempts to improve its hosting services, mostly recently by jumping on the bandwagon of “managed WordPress hosting” and offering accounts which are in their words: “optimized for speed, effortless updates and total reliability…designed specifically for WordPress.”
So what is my experience of their product you ask? Let me outline a few issues:
The 2021 Data Breach
According to GoDaddy’s own report filed with the SEC, unknown attackers gained access to the system used to provision the company’s Managed WordPress sites for a period over two months. The filing states the following customer information was exposed:
- Up to 1.2 million active and inactive Managed WordPress customers had their email address and customer number exposed.
- The original WordPress Admin password that was set at the time of provisioning was exposed.
- For active customers, sFTP and database usernames and passwords were exposed.
- For a subset of active customers, the SSL private key was exposed.
Access to email and customer numbers presents customers with an increased risk for phishing attacks. Access to an unchanged administative password or database access would potentially allow anything from widespread alternation of a site’s content or function to complete exfiltration of any data stored by the site, such as contact form submissions, personal identifying information (PII), etc. Access to an SSL certificate key would leave an ecommerce site vulnerable to interception or alteration of order or credit card information in transit. After the initial disclosure GoDaddy revealed that the breach extended to a number of GoDaddy brands: tsoHost, Media Temple, 123Reg, Domain Factory, Heart Internet, and Host Europe.
Not a good thing. Really. Not a good thing.
GoDaddy provides daily backups for the most recent 30-days. This is a good start, but not fully adequate. If your website was compromised 60-days ago and you only found out today when Google sent you a malware notification and blocked your site as unsafe for visitors, then you don’t have a viable backup from GoDaddy.
Admittedly, rolling 30-day backups are a common offering among managed WordPress hosts, unfortunately, some of the common third-party backup solutions, like the BackupBuddy plugin, do not work well on GoDaddy servers given aspects of their configuration.
It is up to the customer to pay for, implement and test a solution to further reduce their risk to acceptable levels.
No Adhoc Backups
Typically, immediately before performing low-impact updates such as WordPress theme or plugin upgrades, a backup will be made just in case things don’t work out as intended. GoDaddy does not provide this feature. Other providers commonly do.
Slow Staging Site Creation
A staging site is basically a clone of your live website placed at a location hidden from public view. A developer uses a staging site to deploy and test broad, impactful changes to the site. It is a very useful tool that replaces a typically time-intensive, semi-complex manual process.
However, the GoDaddy’s “one click” staging sites are painfully slow to generate. Creating a cloned staging site often takes the GoDaddy server 15-30 minutes or more. I can send a radio communication to Mars and get a response faster than GoDaddy can create a large staging site. Likewise, once development work is completed pushing the updated staging site back to the live site to publish your changes takes equally as long. The latter also introduces a substantial window of time in which the site is publicly available, but likely incomplete or inoperable while new or modified files are being transferred to the live server.
Staging Site Problems
Worse though, is the way GoDaddy’s staging server works operates. Files deleted from the staging server, are not also deleted from the live server when the later is pushed to the live server. For example, if I have 16 files on the live site, the staging server should initially contain the same 16 files. If I then delete four files from the staging server and add four others, I still have a total of 16 files on the staging server (16 original and four new). When I push the staging server back to live, instead of 16 files the live server will contain 20 files (the 16 originals plus four new). Ideally, a staging server should be an exact duplicate of the original live site and the modified staging site should be returned to the live server as an exact copy. This a huge pain point that can introduce many issues for developers. As it stands, the process is a hot mess.
Apparently, you can’t replace an image file with an updated image file of the same name. For example, replacing a unoptimized 2MB file with an optimized 200K version. Transferring the file via sFTP will complete, however, the updated version is never served even when directly calling it by its URL. Dumping cache does not help. Oh joy!
Mandatory GoDaddy Plugins
The GoDaddy Managed WordPress hosting platform uses WordPress Multisite to serve multiple customer websites from a single WordPress installation. This allows GoDaddy to enforce enable the use of a group of hidden plugins including Limit Login Attempts, Stock Photos, Manage WP Worker and WP Easy Mode as well features such as caching, CDN, IP blacklists, Sucuri scanning, single sign on, updates, hotfixes, etc. A typical WordPress admin would not be aware of when these items have been updated, or when they might be causing issues, conflicts, etc. with the rest of your installation. Furthermore, disabling, or swapping out one of their required features (e.g. caching) with a preferred third-party option, is likely impossible due to conflicts.
The included free domain registration will only be free for the duration of the hosting term you’ve initially selected when purchasing your account. Select an initial 12-month duration, you get the domain free for only 12 months.
At this point everyone with a website should be using a SSL certificate and HTTPS to encrypt website traffic in transit. GoDaddy will provide an SSL certificate free for one year with its more costly WordPress hosting plans. After that year you can renew it at the inflated rate of $79.99/year.
Since Let’s Encrypt has been offering free SSL certificates to the public, many hosts have started offering free or very low cost basic SSL certificates with hosting packages. In fact, I don’t even charge for these SSL certificates myself when hosting client websites on my servers. This is just a balloon payment scheme on GoDaddy’s part—so remember, “the first one is free.”
Update: As of 9/19/21 GoDaddy is advertising free, no charge SSL services with select hosting accounts. If true, it would mean they are no longer attempting to upcharge for a genuinely free service provided by their competition.
Caching is a group of techniques that allow future requests for the same data to be served faster. An analogy might be found in your kitchen—when you go to make dinner it’s much faster and easier if the ingredients are already in the refrigerator instead of the grocery store or lying in a field awaiting harvest. Server caching is a wonderful way to speed up the load time of your website while minimizing overall server load.
Unfortunately, caching can introduce practical issues when updating a site as you generally need to be able to see changes you made and not a cached version of the previous state of the site. Typically, caching systems address these issues—either logged in administrators will be shown an uncached version of the site, or a site’s cache can be purged immediately as needed. GoDaddy states it offers the latter, but it tends to work intermittently and with delay. This can become infuriating in short order and make it impossible to get work done efficiently.
The only solution so far has been to completely turn off caching, which completely defeats the purpose.
As mentioned previously, some plugins, such as BackupBuddy, are incompatible with GoDaddy managed WordPress hosting. Other plugins are blacklisted when they duplicate features already in the GoDaddy offering. This is a common industry practice up to a point, however GoDaddy went further and actively started to remove these plugins in 2016 with little or no prior discussion with account holders.
Long Waits in Chat
While the average wait to get on a customer service chat tends to be 5-10 minutes, the time required to address support tickets of even average complexity can be thirty minutes to an hour.
As an added mini-game, you will need to type something into the chat box every few minutes in order for it to not timeout and disconnect during that period.
Issues with DNS updates and Zone Record Management
When using GoDaddy’s managed WordPress hosting and GoDaddy’s DNS servers updates to DNS zone records can become very difficult.
A good portion of the time navigating around the DNS management area of the site yields a combination of “503 Service Unavailable” and “504 Gateway Timeout” errors. When those occur, you’re basically out of luck. Try again later maybe when the DevOps teams wakes up for their nap.
On other occasions DNS zone record updates needed for a launch wouldn’t save.
Likewise, if you have the Sucuri firewall installed, deleting zone records is actually impossible without intervention from customer service. You will need to contact support have them disable the Sucuri software firewall provided.
During a migration away from GoDaddy, updating a DNS A record to point to a new hosting account required a one-hour chat followed by a 24 hour wait just to find out it wasn’t updated by GoDaddy.
Best to change authoritative DNS servers for your domain completely before you start a migration away from GoDaddy. Cut GoDaddy out of the process like you would cut out a cancer.
The last time I was forced asked by a client to set up a GoDaddy managed WordPress hosting account, GoDaddy decided to place it on an EU server for no reason. The US-based client didn’t want to correct the error at the time, so now their site is potentially subject to EU privacy regulations under the General Data Protection Regulation (GDPR).
Recently, a client had an issue. Their site was mysteriously offline. The issue was traced to GoDaddy wanting to “confirm the email address” associated with their decade old customer account. However, the account link to resend the confirmation email was not working and customer support needed to be called, of course.
GoDaddy Pro is Completely Borked
GoDaddy Pro, the interface that allows designers and developers to help manage client domains and sites hosted with GoDaddy, is frequently buggy. On at least 80+ occasions over the last few years, I have been temporarily or permanently unable to reach a client’s GoDaddy account that has granted me shared access, or found myself unable to access appropriate resources such as hosting, account management or DNS functions.
At some point during 2019-2020 GoDaddy updated their GoDaddy Pro shared client account access system with more granular client controls so that customers could be more particular about the permissions granted to associated developers. Sounds great, except that they defaulted all the settings to off. All of the account relationships between myself and my customer’s accounts which were painstakenly set up over years were effectively unlinked. Everyday activities like updating DNS servers or zone records were no longer possible. There was no notification of this change sent to either party. Estimated time need to communicate with every customer, walk them through the process and correct: at least 40-60 hours plus a similar time on the client’s side.
Domain Forwarding Issues
Some clients have had their domain forwarding fail intermittently with 502 (Bad Gateway) errors without explanation. Simple forwarding requests from, for example, mydomain.net to mydomain.com have been witnessed to fail for periods of 5-60 minutes several times daily for weeks resulting in uptimes below 95%.
Zone Records Randomly Update to Point to GoDaddy Servers
Other clients have found their DNS zone records randomly pointed to GoDaddy servers without explanation.
GoDaddy purchased Sucuri.net several years ago and offers their malware scanning and remediation service as part of GoDaddy’s managed WordPress hosting package. This is good since I’ve had more requests to remediate hacked sites on GoDaddy than all other hosts combined. Other hosts offer similar services for malware scanning from other providers. It is also possible to purchase Sucuri services for use on non-GoDaddy hosted websites.
GoDaddy also purchased ManageWP a service that allows you to monitor and maintain your WordPress websites from one dashboard. ManageWP is included in the most expensive managed WordPress hosting package since that account type allows for the hosting of 5-50 websites in theory. ManageWP is also available for purchase if you need to manage non-GoDaddy hosted WordPress websites
Page load times on hosted sites are typically reasonable and on par with their competition (even though GoDaddy will say they are much faster than their competition).
Use at your own risk.
Let me know if you have had similar experiences.