GoDaddy’s Security Wake-Up Call — And What It Means for Your Website

May 27, 2025 | By Eli Junco


The FTC just finalized an order requiring GoDaddy to overhaul its cybersecurity practices. If you're running a website, or rely on one for business, this matters to you. The reason? Even large, well-resourced companies are struggling with basic security hygiene. And when they slip, customer data is at risk.

In this blog post I look at why the FTC stepped in, what went wrong, and what you can do to protect your own site.

 
What Happened with GoDaddy?


Over the last few years, GoDaddy experienced multiple security breaches. In some cases, attackers were inside their systems for months, and in some cases years, before being detected. One breach in particular exposed credentials, emails, and even SSL keys belonging to over a million customers. These incidents weren’t the result of a single flaw, but a series of overlooked basics: no multi-factor authentication (MFA), poor update management, lack of monitoring, and weak segmentation between systems.

The FTC’s response was clear: GoDaddy needs to do better. The agency is now requiring the company to step up its game by putting security controls in place, regularly auditing its practices, and being more transparent when things go wrong.

 
Why This Should Matter to You


If GoDaddy, with its massive infrastructure and security budget, can be breached, smaller organizations face even greater risks. And while it’s easy to think of security as someone else’s problem (especially when using a third-party host), the reality is that every website owner shares responsibility.

There is good news, however: many of the changes GoDaddy is now required to make are things you can implement on your own website to improve its security.


 
How to Keep Your Site Secure


Let’s start with the basics. Use multi-factor authentication everywhere you can, especially for admin logins, hosting dashboards, and database access. Make sure to avoid relying on text messages for MFA: authenticator apps or hardware keys are more secure and widely supported.

Make sure to keep your software updated. Whether you’re using WordPress, Joomla, or something custom-built, regular updates help close the gaps that attackers love to exploit. This includes not just your core CMS, but plugins, themes, and any server-side software.

In addition, make sure your site uses HTTPS across the board. It’s no longer just about encrypting sensitive forms: modern browsers expect encrypted traffic everywhere, and free services like Let’s Encrypt make HTTPS easy to set up and manage.

Another often-overlooked piece is visibility. If you don’t know what’s happening on your site or server, you’re flying blind. Simple monitoring tools can alert you to unusual file changes or spikes in activity that could point to a compromise.

And finally, have a plan for when something does go wrong. That means regularly backing up your site and testing your ability to recover quickly. Backups aren’t helpful if you can’t actually restore them under pressure.


 
Closing Thoughts


The GoDaddy case should serve as a wake-up call for everyone in the digital space. It’s not about placing blame—it’s about learning from what happened and doing better ourselves. Security isn’t just a technical issue—it’s a trust issue. And trust is built by being proactive, transparent, and resilient when things don’t go as planned.

If you’re managing a website today, this is your moment to make sure you’re not just hoping things are secure—you know they are.