Cloudways is Still Storing Non-Hashed Passwords
Last November GoDaddy, which heavily markets themselves to the WordPress community, disclosed a massive breach of the data on customers using the managed WordPress hosting service. A stunning element of that was that they were still storing customers’ passwords in non-hashed form, despite that being a big security no-no for easily over a decade. If they hadn’t been improperly storing those passwords, the damage from the breach would have been more limited. It turns out that another web host marketing itself to the WordPress community is still doing that now.
Cloudways is heavily marketing themselves in the WordPress community. That includes through Post Status (alongside two GoDaddy entities, GoDaddy Pro and Pagely):

And MasterWP:
Special thanks to our sponsor @Cloudways
Check them out and learn more at https://t.co/xumU8Ac3n7
— MasterWP (@_MasterWP) August 4, 2022
Over at our main business, we were just working with a website hosted with Cloudways. Among the issues we ran into with their service is that various passwords were displayed in the hosting control panel.
We found the password used for SFTP and SSH was shown (we blacked out the client info shown on the page):

The database password was also shown:

(That is of less concern, since that password is stored in plain-text form in the website’s configuration file, but it still doesn’t need to be stored elsewhere in that form.)
When passwords are properly stored, showing them as Cloudways does isn’t possible, since in hashed form the only thing that exists is a one-way encrypted form of the password, and the password itself can’t be retrieved. It isn’t clear if Cloudways is storing the passwords in plain-text form or if they are stored in encrypted form and then decrypted to be shown, though it seems more likely that they are being stored in plain-text form.
Customers of Cloudways have tried to get them to address that, as can be seen in an entry in their customer suggestions system from last November, which came in response to GoDaddy’s breach disclosure:
While the CloudWays service is great, I’ve been concerned for a while now that I can simply click to copy passwords for SFTP, SSH, databases & WordPress. My concerns have been amplified as yesterday over 1.2 million compromised passwords were stolen from GoDaddy because they stored their details in a similar way
That suggests that possibly WordPress admin passwords are being stored as well. The website we were working on ran Magento, so we didn’t see that (or the Magento admin password being shown, though we didn’t look over everything trying to find all passwords being shown).
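As an added illustration of the hashed storage described above (example code written for this page, not code from Cloudways or the original post): a hypothetical control panel backend that shows a generated SFTP password once and afterwards holds only a salted scrypt hash, so there is nothing to display or copy later. The class name, account name and scrypt cost parameters are assumptions.

```python
import hashlib
import hmac
import secrets

# scrypt cost parameters (assumed values chosen for this example)
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "dklen": 32}


class CredentialStore:
    """Hypothetical panel backend that keeps only salted scrypt hashes."""

    def __init__(self):
        # username -> (salt, hash); no plaintext and no decryption key exist
        self._records = {}

    def issue_password(self, username):
        """Generate a new password, store its hash, return the password once."""
        password = secrets.token_urlsafe(18)
        salt = secrets.token_bytes(16)
        digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
        self._records[username] = (salt, digest)
        return password  # displayed now; the store cannot reproduce it later

    def verify(self, username, candidate):
        """Check a login attempt by re-hashing it with the stored salt."""
        record = self._records.get(username)
        if record is None:
            return False
        salt, digest = record
        attempt = hashlib.scrypt(candidate.encode(), salt=salt, **SCRYPT_PARAMS)
        return hmac.compare_digest(attempt, digest)  # constant-time comparison

    def stored_fields(self, username):
        """Everything a database dump would expose for this account."""
        salt, digest = self._records[username]
        return {"salt": salt.hex(), "scrypt": digest.hex()}


if __name__ == "__main__":
    store = CredentialStore()
    shown_once = store.issue_password("sftp_user")  # constructed account name
    print("shown once:", shown_once)
    print("stored:", store.stored_fields("sftp_user"))
    print("correct login:", store.verify("sftp_user", shown_once))
    print("wrong login:", store.verify("sftp_user", "guess"))
```

With this design a customer who loses the password has it regenerated with `issue_password`, which invalidates the old one, rather than looking it up in the panel.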
Their Breeze Plugin is Still Insecure
The insecure storage of passwords isn’t the only example of poor handling of security by Cloudways. In April, they incompletely fixed a security vulnerability in the Breeze plugin, which has 200,000+ installs. The vulnerability involved failure to take basic security measures and the attempt to fix it somehow missed part of that (part of the blame for that falls on Patchstack, which was promoted as being a partner of theirs at the time). We tried to address that with them, but they don’t provide a contact method for reporting something like that and we never got a response to our attempts to get in touch with them through Twitter.
Security Standards for Web Hosting Sponsors
As can be seen with GoDaddy and Cloudways, web hosts are not going to follow security best practices on their own. Seeing as they have an interest in marketing themselves to the WordPress community, publishers could help by only accepting advertising from web hosts that avoid things like storing customer passwords in non-hashed form and selling scammy security services (GoDaddy not only sells one but also owns it).