What do you call it when an unauthorized user injects code into every page on your website? I call it hacking.
Well, that’s exactly what GoDaddy did to two of my client sites yesterday. Hacked them. Injected code without our knowledge or approval.
Here’s how it played out…
I woke up to this email from GoDaddy Pro because I use their Pro Sites (ManageWP) service to monitor the uptime and security of client sites:
I log into the Pro Sites dashboard and here’s what I see:
I verify it in my browser. Here’s the injected code between the </body> and </html> tags:
```html
</body>
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'a2plcpnl0551'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script></html>
```
I paid particular attention to the comment:
// Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.
and thought to myself “if that doesn’t sound like social engineering to get you to leave this code alone, what does?”
I search the Internet and can’t find any references to this code, so I consider it some sort of new malware and go through the usual drill:
- Notify the clients
- Change all the WordPress administrator passwords
- Change all the FTP passwords
- With the client’s approval, start the hunt for an infected PHP file somewhere in the installation
I’ll shorten the story to say that after hours of looking at PHP files, I decided to take another tack and investigate this “wsimg.com” domain. It turns out wsimg.com is OWNED by GoDaddy. Could it be? Could GoDaddy Pro be alerting me to code GoDaddy Hosting secretly injected into our site? I called up GoDaddy Pro Support, spoke with a nice rep named J.P. and after speaking with a higher up he found out that it WAS TRUE! Talk about irony – GoDaddy rats on itself!
I was furious and I let the rep know (in as restrained a manner as I could muster under the circumstances).
So that’s the story. The injected code isn’t malware (as far as I know). There’s no notification of it being done (unless you are monitoring for such changes). There’s no way to turn it off from cPanel. Instead, if you detect it, you can call your friendly GoDaddy support rep, give them a piece of your mind and ask to manually opt-out. Oh and tell them Larry sent you.
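The kind of monitoring the post alludes to, as an added example that is not part of the original post and not GoDaddy Pro's own tooling: a Python script that parses the HTML a site actually serves, lists every `<script>` the deployed files do not contain, and flags any script loaded from a host outside an allowlist or placed after `</body>` (a spot no normal template writes to). The allowlist hosts, the deployed page, and the served page are assumptions constructed for the example; the injected snippet embedded in the served sample is the one quoted above.

```python
"""Detect script tags a served page carries that the deployed source does not,
and flag scripts from unexpected hosts or placed after </body>.
Added example; sample pages and the host allowlist are constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the site's own hostnames. Any other host serving script is reported.
ALLOWED_SCRIPT_HOSTS = {"example.com", "www.example.com"}


class ScriptCollector(HTMLParser):
    """Collect each <script> with its src, inline body, and whether it came after </body>."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None      # script currently being read, if any
        self._body_closed = False  # set once </body> has been seen

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "inline": "",
                             "after_body": self._body_closed}

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as data (possibly in chunks).
        if self._current is not None:
            self._current["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None
        elif tag == "body":
            self._body_closed = True


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def _key(script):
    # Normalise whitespace so cosmetic reformatting by the host is not a "change".
    return (script["src"], re.sub(r"\s+", " ", script["inline"]).strip())


def new_scripts(deployed_html, served_html):
    """Scripts present in the served page but absent from the files you deployed."""
    known = {_key(s) for s in collect_scripts(deployed_html)}
    return [s for s in collect_scripts(served_html) if _key(s) not in known]


def audit(served_html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return (src-or-<inline>, reasons) for scripts from foreign hosts or after </body>."""
    findings = []
    for s in collect_scripts(served_html):
        reasons = []
        # Relative and same-origin srcs have no hostname and are left alone.
        host = urlsplit(s["src"]).hostname if s["src"] else None
        if host and host.lower() not in allowed_hosts:
            reasons.append(f"loads script from {host}")
        if s["after_body"]:
            reasons.append("injected after </body>")
        if reasons:
            findings.append((s["src"] or "<inline>", reasons))
    return findings


# Constructed sample: the page as deployed on disk ...
DEPLOYED = """<html><head><script src="/wp-includes/js/jquery.js"></script></head>
<body><p>hello</p></body>
</html>"""

# ... and as served, with the tracker quoted in the post appended after </body>.
SERVED = DEPLOYED.replace("</body>\n</html>", """</body>
<script>'undefined'=== typeof _trfq || (window._trfq = []);'undefined'=== typeof _trfd && (window._trfd=[]),_trfd.push({'tccl.baseHost':'secureserver.net'}),_trfd.push({'ap':'cpsh'},{'server':'a2plcpnl0551'}) // Monitoring performance to make your website faster. If you want to opt-out, please contact web hosting support.</script><script src='https://img1.wsimg.com/tcc/tcc_l.combined.1.0.6.min.js'></script></html>""")

if __name__ == "__main__":
    for s in new_scripts(DEPLOYED, SERVED):
        print("NEW:", s["src"] or s["inline"][:60])
    for src, reasons in audit(SERVED):
        print("FLAG:", src, "-", "; ".join(reasons))
```

Run on a schedule against each site's served HTML and the files you deployed. A hit is a change to investigate, not a verdict on who made it, but it points straight at the foreign host (here wsimg.com) instead of sending you through hours of PHP files.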
October 11, 2017 Good News Update: See the comment from Mario Frith and my reply for instructions on how to turn this “hack” off without having to call GoDaddy.
This is happening to me right now, as we speak, and it broke every single AMP page in my setup.
Thousands of pageviews gone.
GoDaddy is hesitant to admit fault.
Time to move.
God, am I glad I left them a little while back; every bone in my body said not to trust a firm that charges for every little thing. I just never had any faith in that firm whatsoever.
I have the same problem with my GoDaddy website. Rep I spoke with says it’s not their code. Has anyone been able to opt out successfully? If so, how did you manage it?
There is a solution to this.
Go to gateway.godaddy.com.
You’ll see a purple box about new features. Click “Try it out”
Next to the green button labelled “cPanel Admin” are three dots, click the dots and click “Help Us”
Choose “Opt Out”
Done.
Thanks, Mario! This might be something new since my GoDaddy support rep didn’t mention it — even after checking with developers.
Note that this “Try it out” button only appears on the https://gateway.godaddy.com/ website for accounts that have been selected by GoDaddy to participate. It was not on our own Holy Cow GoDaddy account screen, but I did see it on an affected client’s GoDaddy account.
Here are some screen captures to illustrate the steps:
Onward!
Thanks for the pictures. I was trying to figure this out. The GoDaddy reps are pretty useless.
Greatly appreciated!! I hate code that I didn’t explicitly set or that has no benefit to me or my clients.
Total idiots! After talking to the GoDaddy rep for 30 minutes and getting nowhere, I found this and now it's fixed thanks to the directions here. Thanks guys!
You’re welcome. Glad to hear it helped!
THANK YOU!!! This GoDaddy behavior is the most invasive thing that has ever happened to me!
Seriously? Hacked by my own hosting provider?! With NO NOTICE before they implemented it?! FAIL!
Thank you, thank you. thank you!
Ah thanks for that information.
I was scanning the sources for signs of malware as well, and found this injected script.
I am actually fine with monitoring performance, but not with secretly injected code.
This is called cross-site scripting (XSS), the injection of client-side scripts into web pages. It is a major, if not the major, web app security vulnerability. If it was done without your knowledge, which it obviously was — you can’t ethically have a hidden opt out program — then GoDaddy did technically “hack” your website. You could sue but it is a “no harm, no foul” situation and probably somewhere in the web hosting agreement that you didn’t read (no one does) you agreed to it. You, and as many other people as possible, should at least complain very loudly though. If enough people complain, GoDaddy will be shamed into stopping, or at least into making the opt out program more visible.
Thanks for this article. I was validating a GoDaddy hosted site I was working on and noticed the script injected AFTER the closing body tag, which obviously creates a validation error.
The really stupid thing is: they're calling it "performance monitoring", as if they are concerned about my performance. I only noticed the wsimg.com source and script because it was hanging, not letting the page load complete. I looked down at the bottom of my browser and saw what it was waiting for, then started investigating. It was causing my website to really slow down!!!! Their wonderful concern about my site's performance.
I was poking around my new GoDaddy hosting and found that this is opt-in. That's on uk.godaddy.com, which may be different from godaddy.com.
It’s now 2021 and in my current GoDaddy Business hosting account I see this option has moved. When you are at the “My Hosting” page for your hosting account, click “GoDaddy Analytics” and then complete the form to opt out if you like.