Awful support from Bluehost, GoDaddy; Goodbye to both

I’ve just completed a complete migration of all my websites from one hosted server to another — it wasn’t painless but it could have been a lot worse. This migration thankfully marks the end of a frustrating month of security issues with my previous hosting provider and domain name registrar, BlueHost and GoDaddy respectively.

Yes, this is going to be a screed against lousy customer service from both of them.

To be blunt, my server was repeatedly hacked, set up to host malware and become a spam zombie — and I got no help from my service host to improve my server’s security. This is point-by-point rundown of the timeline of the last month, since it’s a laundry list of fail:

• Received email from Bluehost saying my account had been suspended as my server was found hosting malware
• Called customer service, was told probably my password wasn’t strong enough. Probably. Maybe. They’re not sure.
• Changed password to something more secure.
• One week later, received the same email from Bluehost, account suspended.
• Called customer service, was told it was probably something insecure with my php. They can’t tell me what specifically, or how my server keeps getting compromised, but they tell me to fix it “or else.” You know, because I’m a server security expert, and I only decided to pay someone else to take care of my server needs (i.e. Bluehost) for shits and giggles.
• Shooting in the dark, I follow best practice guidelines on how to lock down .htaccess, .ini, .inc files, how to make sure all my directories are properly indexed, how to make sure my set php global variables are as secure as possible. This is all uncharted territory for me, but I follow all the best practice articles I can find and implement their suggestions.
• Two days later, same account suspension email comes from Bluehost. This time my site has been blacklisted because it’s a spam zombie and the spams are pointing to malware hosted on my server yet again.
• I call Bluehost support, they can’t tell me how my site keeps getting compromised but wants me to, somehow, fix it. I’ve done the best I can to keep things secure on my end, but what on earth am I paying them for if they expect me to fix all the security holes on the server they’re providing?
• I tear my hair out in frustration.
• Later that day, email from my domain registrar GoDaddy that my site has been blacklisted as serving spam on URIBL and they are terminating my domain UNLESS I pay a fee of $75 or $200. Otherwise they’ll suspend my account until my URL expires. Essentially, GoDaddy holds my domain for ransom.
• BlueHost emails me not long after that they want me to move to another hosting provider as I’ve now had 3 marks against my account. I have 15 days to move my files off their servers before they delete everything.
• My flight for a week-long vacation in Greece leaves 4 hours later. $%&@!!!

I’ve since moved my files to a new host, Surpasshosting, and transferred my domain to NameCheap. I refused to pay GoDaddy’s fine against my account as the compromised server issues were not my fault — again, what on earth am I paying a hosting provider for if they can’t keep the server secure? As an end user, the entire reason I pay for a hosted server is because I am decidedly not a server security expert.

Adding insult to injury, I work for a computer/network security company, so I hear about these kinds of attacks and security issues every single day. And I know what kinds of easy technologies can prevent such attacks (proactive detection, anyone?)

For years I’d had my site hosted with BlueHost with no issues. Lots of WordPress users have their sites on BlueHost because they have easy WordPress installations (though WP is easy to setup regardless). Of course, my site hadn’t been hacked in those years, either. It’s a roulette game — but when your number’s up and you’re hacked, good luck.

You get what you pay for, that I’ve learned. With BlueHost and GoDaddy as cheap as they are, it’s no wonder that instead of providing any basic customer support around security issues, they’re happier to cut you lose or fine you. So I’ve taken my dollars elsewhere, thanks very much. Good riddance to both those services.