Update: It seems GoDaddy fixed this issue. Glad they fixed it, though I still can’t say I recommend them. Thanks Sean for pointing that out to me.

I recently gave a talk on WordPress plugins at the Boston WordPress Meetup (slides are online on their meetup.com page). During this talk the question came up of which webhost to use. Everyone has their own recommendation of webhost, but the one host that was universally panned is GoDaddy.

I’ve long since moved on from shared webhosts on to VPSes (I’ve been using VPSLink since they started. Use this link to get 10% off for life and snag me a nice referral bonus ;-) ), but GoDaddy was my first web host, and since then I have heard nothing but terrible things about their marketing practices, upsells, and other sketchiness. But they will show you videos of women taking their clothes off on their website, which is great if you’re into that sort of stuff, but not what I need from a webhost.

But until recently I never discovered anything actually wrong with their hosting service…it worked, and while it was cheap, they at least delivered what you paid for (though granted, you’re not paying or getting a lot). Yesterday, while looking through some code for a GoDaddy site, I discovered something painfully bad with their service that makes them a terrible idea for any ecommerce site.

It seems GoDaddy doesn’t allow outgoing connections from their shared hosting packages. So, for example, you can’t connect to authorize.net or paypal.com from your server. How do they recommend you accept payments? Send it through some unsecured proxy they have.

That’s right, GoDaddy is actually telling people to send credit card information to another server in unsecured plaintext. They then forward it along and send you the response. There are 2 things wrong with this.

1. Man in the middle attacks up the wazoo. Not only can someone possible get in between the proxy and your server, but who knows whether or not the proxy requires valid certificates. If not then the entire workflow is vulnerable.
2. There’s a now a single point of failure for all of that hosting. If that server is compromised, all those sites get compromised too. This is a huge risk.

If I were issuing merchant accounts and knew about this, I wouldn’t accept accounts from anyone hosted with GoDaddy. There are very few reasons for GoDaddy to be doing this. The only one I can think of is preventing the spread of website worms that use holes in website scripts. This is a pretty lame reason to lock websites into their own box, and there are much better ways to stop this.