I get called in a lot to fix hacked sites. Here is An Open Letter To Hosting Companies Of Hacked Site Owners
I loathe something almost as much as the hackers that perpetrated the crime, and that is the way hosting companies treat people with hacked sites.
Here’s an open letter to all stroppy hosting companies out there from the point of view of a normal site owner who has been hacked.
Dear Hosting Company
Thank you for suspending my account after I was hacked, that is a really helpful way to make me feel special. You are taking my site down, I’m losing business and you are making me feel like I’m the bad person.
I of course did not ask the hackers to attack my site so thank you for the threatening email saying you are going to kick me out if I don’t fix it immediately.
Thanks for making me jump through technical hoops so many times that I had to hire a techie to make things work again.
Thanks for the interrogation by your representative via Live Chat to make sure everything was fixed. Perhaps you could have helped me to do this. I have no idea what a .htpasswd file is or how to add basic authentication to my webroot.
I was a victim of a hack attack.
It sucks.
I feel vulnerable
Some unknown fuckwit in cyber space came after me for whatever reason and defiled my site.
Thanks for making me feel even shittier with your emails and accusations.
Oh BTW it was probably due to your poor security that the hacker gained access in the first place. Can I review the access logs? What do you mean, no, they are private? Can you review the access logs and tell me how the hacker got in …… hello, anyone there?
The majority of your customers are non-technical. They have a website to market their business or send news to their club. They are not trained in the dark arts of cyber security. They came to you to host their site with the understanding it would be secure.
Thanks again for making a bad situation of the hack even worse.
Love and Hugs
Your Customer – remember the person that pays to keep the lights on
P.S. Can I have my transfer code so I can go somewhere my business will be appreciated.
9 thoughts on “An Open Letter To Hosting Companies Of Hacked Site Owners”
So true. I’ve had a similar issue and especially appreciate that they advertise and promote ‘one-click installs’ of your favorite web platforms… and then don’t support them!
Great post Neil. As you may recall, the minute my site got hacked I switched hosting companies. If you can’t trust your hosting company’s security, why stay with them?
Hilarious. Kind of. I remember getting hacked and this is exactly how I was treated. I was the bad dog.
And I suppose in a way I was. I was the one that left the admin login name as “admin.”
Still, it would have been nice to get a “Bummer, dude, you’ve been hacked” email, instead of the “we are going to cancel your account for being a spammy creep” email.
But, then I reckon that is what those higher end hosting accounts are for.
Maybe it’s time to flood the world with WP Dude’s 10 steps to hardening your site from hackers.
Well said!
Hey Neil, you spoke my mind.
Hi, Neil,
You’re right and you’re wrong.
Of course hosting companies shouldn’t treat their customers like criminals and should be more helpful.
BUT.
I have a hosting company, too. I have many, many customers. All of them run WordPress sites, as it is a WordPress hosting company. I tell my customers approx. every three weeks that they should keep their sites up-to-date (I mean updating codes). I offer them a really, really cheap updating service. Besides, I run a WordPress blog (http://wp-suli.hu) where I regularly publish articles on WordPress security. Still, not all of them do the updates or ask for the service.
If a “bad” customer (bad = not doing updates) risks the others on the same server, of course I warn them, and if they do not react, I have to suspend their sites. I never do this without notice, but I have to protect my “good” customers.
We had brute force attacks the last two months. We tested and tested and wrote scripts against them, which are placed on a separate firewall server. This seems to solve the problem for the time being.
BUT if somebody puts a code (any code) on the server, they have to keep it safe and if they don’t, it’s their responsibility.
If somebody uses open source code, they have to be well informed about the risks and how to avoid them. If they are not techies, they can ask for help, but do it BEFORE their site is hacked.
So the story has two sides… and keeping a website safe has to be a cooperation of the hosting company and the customer. We do our business (security on servers, extra firewall server, blocking scripts), and customers have to do their business (using only safe codes and regularly updating open source codes).
Maybe it was interesting for you to hear the opinion of the “other side” 🙂 Sorry if you find it too long 🙂
Hi Moni
Thanks for your reply with an alternative point of view.
I understand your arguments, but the point of my letter is to say you should not be making people who may not have technical skills feel like the bad guys. Too often people are made to feel like they have caused the problem.
If the hack is impacting your entire hosting infrastructure you should reach out and fix it rather than suspend an account which still contains malware or apply updates like wpengine.
What about hacks that take time to find, like the timthumb hack? This was in the wild for some time before it was discovered; applying fixes to an unknown hack is not necessarily the cure.
What about brute force attacks, no amount of patching and fixing can stop that.
As a hosting supplier you should be creating an atmosphere of security and trust and help hacked site owners, not slam them with a suspension and no technical support to get their site back online.
Neil
Hi Neil,
* “Too often people are made to feel like they have caused the problem.”
I only make them feel like that if they really caused the problem 🙂 e.g. they are hacked because they still use WP v2.9 and their admin username is admin and the password is also admin 🙂 and things like that.
If this is the ONLY site that is hacked, then it’s 90% (or I may say 100%) the client’s fault (this means maybe the programmer, if it’s a self-developed code).
If the WHOLE server is hacked, of course it’s our fault.
We are responsible for the security of the server; but we cannot take the responsibility for all the codes clients put on our server, e.g. self-developed codes that are easy to break.
That’s why I say that keeping servers safe is a common work of the host provider and the client.
I absolutely agree with the rest of what you’ve written.
* “What about brute force attacks, no amount of patching and fixing can stop that.”
Of course, we cannot stop them but at the moment we can keep them out. (Including kicking out certain IP addresses – sometimes hundreds a day… But at least they can’t come deeper than the firewall server.)
* “you should be creating an atmosphere of security and trust”
You’re absolutely right. I hope my customers feel that security and trust at my company. I do my best to help them – but the first step is to warn them regularly about the security issues of WP and to ask them to do their best, too, on their side.
Hacking is not the only occasion when hosting companies mistreat their customers. I was once working on a site where content needed to be cut and pasted between various pages, and therefore needed to have several windows open at once. The hosting company (who shall remain nameless, and with whom I no longer do business) saw all this activity, assumed it was some kind of attack, and immediately blocked my IP address. Real nice!