Last week we wrote a post about how the web security company Sucuri was hiding the fact that they are owned by the web host GoDaddy while promoting a partnership program for web hosts. Not mentioning that they are owned by a competitor of companies they are hoping to partner with seems quite inappropriate. It also seems problematic since GoDaddy has long track record of poor security, so that seems like material information that web hosts should have when considering partnering with Sucuri.
One example of GoDaddy’s poor security that we have noted before is that they are using a very out of date version of the database administration tool of phpMyAdmin. It turns out they are still doing that, as we found when doing some work on a client’s website hosted with them. While working on an upgrade we created a new database so that the database would be running a newer version of MySQL required by the new version of the software being upgraded. When we went to import the database we found the phpMyAdmin installation it is tied to is the same really out of date version of phpMyAdmin, 184.108.40.206:
The 2.11.x branch of phpMyAdmin reached end of life on July 12, 2011. After that date not fixes or security fixes were not released, so GoDaddy should not have been running that version after that.
Beyond the security concern with this, you have situation where GoDaddy isn’t even managing to update a customer facing piece of software at least every six years.
It also worth noting that GoDaddy is the employer of the head of WordPress security team (they are paying him for his work in that role). You really have to wonder how, if someone who truly cared much about security, they would be employed by a company that doesn’t seem to care about that. That they are willing to work for GoDaddy might go a long way to explain why the security team of WordPress continues to poorly handle things (it also raises questions about the propriety of having the head of the security team being an employee of a company that could profit off of WordPress seeming insecure).