Policy Update: Web Hosting Services Are Not Always Honest About Cybersecurity
The FTC has finalized a settlement with GoDaddy over claims it misled users about serious security flaws.
GoDaddy, one of the world’s largest web hosts, has been reprimanded by the FTC for failing to fix known security flaws while telling customers their websites were safe. The result is a major settlement that also imposes new rules the company must follow.
🔍 What Did GoDaddy Do Wrong?
The Federal Trade Commission (FTC) has finalized a settlement order in its investigation of GoDaddy, a major web-hosting provider in the United States. The order addresses serious concerns about how GoDaddy communicated with customers regarding the security of its hosting services.
The FTC found that GoDaddy misrepresented the level of cybersecurity it offered, while failing to properly address known vulnerabilities in its system.
According to the FTC, GoDaddy was aware of certain weaknesses in its cPanel shared hosting platform, a tool used by many of its customers to manage websites. These vulnerabilities could potentially allow malicious actors to gain access to customer websites and data.
Rather than promptly fixing these issues or clearly informing customers about the associated risks, GoDaddy allegedly continued to advertise its services as secure and reliable. This conduct, the FTC argues, misled small businesses and individual users who believed they were paying for safe and professionally managed hosting services.
The agency’s investigation revealed that internal reports at GoDaddy identified the security flaws as early as 2020. Yet, the company continued marketing its hosting services without disclosing these critical risks.
By doing so, GoDaddy may have exposed its customers to unauthorized access, data breaches, and other cybersecurity incidents. The FTC determined that this failure to act transparently violated federal consumer protection laws.
This case is particularly significant because many small businesses rely on web-hosting companies to handle the technical aspects of cybersecurity. These users often do not have the expertise or resources to detect and manage threats on their own.
The FTC emphasized that web-hosting providers must take reasonable steps to identify and address vulnerabilities, especially when customers are relying on their assurances of safety.
As part of the settlement, GoDaddy must implement a more robust information security program and submit to regular third-party assessments for the next ten years. While the order does not include financial penalties, the conditions imposed are designed to ensure long-term compliance with data protection standards.
The Security Flaws They Did Not Tell You About
The investigation revealed that GoDaddy was aware of specific flaws in its cPanel shared hosting platform that could allow attackers to gain unauthorized access to customer accounts. Despite having this information internally, the company continued to market its hosting services as secure and dependable.
The FTC’s complaint states that internal reviews conducted by GoDaddy identified these security issues as early as 2020. These flaws were not abstract concerns: they carried a real risk that attackers could breach websites hosted on GoDaddy’s platform. In some cases, the vulnerabilities involved weaknesses in how customer accounts were isolated from one another on shared servers, meaning a bad actor holding one account could potentially read files or change settings belonging to a different customer on the same machine.
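What “account isolation” means on a Unix shared host is concrete enough to check. The script below is an added example written for this article; it is not GoDaddy’s tooling and is not part of the FTC order. It assumes (the article does not say this) a cPanel-style layout with every account under one base directory such as /home/<account> and each site under public_html, and it treats a small, assumed list of file names as secret-bearing. It reports files that a different local account could read or write, judged purely from permission bits, and builds a constructed two-account tree so it runs offline.

```python
"""Audit a shared-hosting tree for files one account could read from another.

Added example for this article; not GoDaddy's tooling and not part of the
FTC order. Assumptions (not from the article): a cPanel-style layout with
every account under one base directory (e.g. /home/<account>) and the site
under public_html, plus the set of secret-bearing file names below.
"""
import os
import stat
import tempfile

# File names that typically hold database credentials or API keys (assumption).
SENSITIVE_NAMES = {"wp-config.php", ".env", "configuration.php", ".my.cnf"}


def audit_home(base):
    """Walk base/<account>/... and report anything a *different* account on the
    same server could read or write, judged from the permission bits alone.

    Returns a sorted list of (path relative to base, reason) tuples.
    A file counts as exposed only if every directory above it lets 'others'
    traverse (x bit) and the file itself lets 'others' read (r bit).
    """
    findings = []
    for account in sorted(os.listdir(base)):
        home = os.path.join(base, account)
        if not os.path.isdir(home):
            continue
        home_mode = os.lstat(home).st_mode
        # 0711 (traverse only) is normal for a cPanel home so the web server
        # can reach public_html; a listable home (r for others) is not.
        if home_mode & stat.S_IROTH:
            findings.append((account, "home directory listable by other accounts"))
        # Track which directories another local user could actually descend into.
        reachable = {home: bool(home_mode & stat.S_IXOTH)}
        for root, dirs, files in os.walk(home):
            root_reachable = reachable[root]
            for d in dirs:
                path = os.path.join(root, d)
                reachable[path] = root_reachable and bool(
                    os.lstat(path).st_mode & stat.S_IXOTH)
            for f in files:
                path = os.path.join(root, f)
                mode = os.lstat(path).st_mode
                rel = os.path.relpath(path, base)
                if stat.S_ISLNK(mode):
                    # Symlinks into another account are a classic cross-account trick.
                    findings.append((rel, "symlink; verify its target stays inside the account"))
                elif mode & stat.S_IWOTH:
                    findings.append((rel, "world-writable file"))
                elif f in SENSITIVE_NAMES and root_reachable and mode & stat.S_IROTH:
                    findings.append((rel, "secret file readable by other accounts"))
    return sorted(findings)


def _write(path, mode, text="<?php // placeholder\n"):
    """Create a small placeholder file and set its mode explicitly."""
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)


def build_demo_tree(base):
    """Constructed sample data, not taken from any real host: 'alice' is locked
    down the way a well-isolated account should be; 'bob' leaks."""
    for account in ("alice", "bob"):
        os.makedirs(os.path.join(base, account, "public_html"))
    # alice: home 0711, site dir 0755, config 0600 -> nothing for a neighbour to read
    os.chmod(os.path.join(base, "alice"), 0o711)
    os.chmod(os.path.join(base, "alice", "public_html"), 0o755)
    _write(os.path.join(base, "alice", "public_html", "wp-config.php"), 0o600)
    # bob: home 0755 (listable), config 0644 (world-readable), upload script 0666
    os.chmod(os.path.join(base, "bob"), 0o755)
    os.chmod(os.path.join(base, "bob", "public_html"), 0o755)
    _write(os.path.join(base, "bob", "public_html", "wp-config.php"), 0o644)
    _write(os.path.join(base, "bob", "public_html", "upload.php"), 0o666)


def run_demo():
    """Build the constructed tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return audit_home(base)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{rel}: {reason}")
```

Run against the real base directory (`audit_home("/home")`) from an ordinary account, the script only sees what that account’s own permissions allow, which is itself informative: if it can list a neighbour’s home or read their wp-config.php, isolation is broken regardless of what the provider’s marketing says. Permission bits are only one layer; the host’s PHP handler, suEXEC/CageFS configuration and symlink handling also matter, and those cannot be judged from a directory walk.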
The company’s public-facing materials gave users the impression that their websites and data were protected under a strong security system.
Meanwhile, known problems remained unresolved, creating a situation where customers were making decisions based on incomplete or misleading information.
The FTC’s complaint alleges that GoDaddy not only failed to repair the vulnerabilities but also misrepresented the security of its platform in its marketing and customer communications. This is not simply a case of technical oversight. The agency concluded that GoDaddy’s actions fell below the standard expected of companies providing services that people depend on to operate online businesses and store personal data.
The final order requires GoDaddy to implement a new information security program and submit to ongoing independent assessments. These steps are intended to ensure that future vulnerabilities are addressed promptly and that customers are no longer misled.
What This Means for Small Businesses Using Web Hosting Services
The recent settlement between the Federal Trade Commission and GoDaddy brings several important lessons and warnings for small businesses that rely on web hosting providers.
This case is not only about GoDaddy’s specific conduct but also about the broader expectations placed on companies that manage the infrastructure for business websites.
When the FTC investigated GoDaddy, it found that the company misrepresented the cybersecurity protections it provided. More importantly for small business owners, the case illustrates how trust in a hosting provider can lead to significant exposure when the service does not perform as advertised.
Most small businesses do not have the capacity to conduct their own cybersecurity assessments. They choose providers based on public information, customer reviews, and advertised features. This makes transparency and accuracy in marketing materials essential.
In the GoDaddy case, the FTC concluded that customers were led to believe their websites were protected by industry-standard security systems, when in fact known vulnerabilities remained unresolved for an extended period. This created a risk environment that customers were not fully informed about, limiting their ability to make decisions that could protect their businesses and customers.
This has implications for small businesses beyond GoDaddy’s customer base. The case shows that the FTC is willing to intervene when hosting providers mislead consumers about their digital safety.
It also confirms that regulators are paying attention to how companies handle vulnerabilities internally and whether they communicate honestly with users.
The settlement requires GoDaddy to improve its security practices and be independently monitored for the next ten years. While this addresses concerns about GoDaddy itself, it also sets a standard for the industry. Hosting providers must not only manage risks but also communicate clearly and act swiftly when problems are found.
Small businesses should use this moment to assess how they select and work with web hosting services. Business owners should consider reading independent audits, asking providers about their incident response practices, and checking whether a company has been subject to regulatory enforcement in the past.
While small businesses may not be able to perform technical reviews, they can pay closer attention to whether their provider is open about security processes and whether those claims are consistent across public channels.
The GoDaddy case also reminds businesses to think about their own role in protecting customer data. Website owners should use strong, unique passwords for hosting and administrative accounts (and change them promptly after any suspected compromise), review who has access to administrative accounts, enable multi-factor authentication wherever the provider offers it, keep their content management system and plugins up to date, and keep backups somewhere other than the hosting account itself. Even with a reliable host, these small steps limit the damage if something goes wrong.
The FTC’s decision reflects a wider trend in regulatory oversight. Companies offering digital infrastructure must take active steps to prevent harm, not simply respond after problems occur. This may lead to more scrutiny in the future and could influence how providers design their internal processes, how they train staff, and how quickly they respond to known threats.
For small businesses, the main takeaway is that digital safety is a shared responsibility. Providers are expected to deliver secure platforms, but business owners also need to stay informed and alert. Choosing a provider should involve more than price and features. It should include a review of trustworthiness, past performance, and regulatory history.
While the FTC’s enforcement action was directed at GoDaddy, its message applies across the board: promises about security must be matched by action, and companies must not allow known weaknesses to remain while presenting their services as fully secure.
Many website owners believe their hosting company is actively protecting their site. In reality, some known security issues can go unfixed for long periods. Always ask what kind of security monitoring is in place, how often updates are rolled out, and what steps are taken when issues are found.
Just because a company says its service is “secure” does not mean your data is safe. Security is not about words. It is about actions, systems, and response times. Before trusting a provider, look for transparency, third-party audits, or service histories, not just slogans.