To read more about what happened, check out the coverage on the WPSecurityLock.com blog.

This hack hit me particularly hard, affecting five client sites — three that were live and two more that were being built.  Fixing the problem was time-consuming but not terribly difficult once I figured out the problem.  I’m not writing this post to compete with other coverage of what happened or how it happened.  What interests me from a PR perspective is GoDaddy’s response to this attack.  Here’s the statement from them that has been posted in many places:

Measures are in place to protect the overall security of the shared hosting server on which your website resides. The compromise of your account is outside of the scope of security that we provide for you. Virus scans are performed on the content that is hosted, but they may not pick up everything, largely due to the fact that hackers tend to upload custom scripts which are not picked up by traditional malware scanners. However, if a virus is detected, you will be notified. The overall security of your password and the content within your account is your responsibility, as password compromises and compromises due to scripting can only be prevented by you.

I don’t know who crafted this statement or who it was even directed to, but it doesn’t appear to me that it was crafted by someone with much experience in crisis communications.  First, it’s all I’ve been able to find from them on the issue.  Second, it reads to me like, “We just host your site … we’re trying to figure out what happened, but it’s really your own fault.”

While I agree that, in the end, the security of a site is the responsibility of the site owner, to say that when hundreds of site owners are really ticked off is not a great idea.  Additionally, there’s nothing that can be easily found on the GoDaddy site that addresses the issue.  My experience with GoDaddy has been that their customer service is quite good and their downtime is minimal, but GoDaddy has many detractors.  Here’s an example of what you see on Twitter right now:

These comments are relatively mild compared to what you’ll see in comments on blog posts about this hack attack.

How would I have handled it?  First, a more sensitive statement would have been issued — something that addressed how the company values its customers and is working very hard to figure out how the sites were hacked.  That statement would have been posted on the front page of GoDaddy, as well as on the company’s popular Twitter account.  Regular updates would have also been posted, even if there’s really no progress to report.  Additionally, instructions like those found at WPSecurityLock would have been made available by GoDaddy.  This is all relatively simple stuff to do.

These days people understand that hackers are out there and it isn’t necessarily the fault of the company that made an operating system or is hosting a web site, AS LONG AS the company responds to it appropriately.

UPDATED 5/3/10: There was another attack this past weekend, one week to the day after the first one.  It hit (it appears) most of the same sites plus some non-Wordpress sites.  The word from GoDaddy is that the non-Wordpress files that were infected were actually part of a site that included some WordPress element.  That’s not the word (pardon the pun) we’re seeing, as many people have come out and said their sites got hit, and WordPress isn’t on their server.  GoDaddy HAS responded this time, with some infection removal procedures.  They’re recommending those who were infected back up their database and customized files, delete WordPress, and reinstall the software.  This doesn’t seem to me like a viable option, as all PHP files on infected sites were affected, and many of the customized files are PHP files.  That said, at least they’re responding publicly now .. however weakly.