The FTC vs GoDaddy Case: What the 2025 Settlement Actually Revealed

What the FTC alleged

On January 15, 2025, the Federal Trade Commission filed a complaint against GoDaddy alleging:

• Since 2018, GoDaddy failed to implement "reasonable and appropriate security measures" on its website hosting services.
• GoDaddy "misled customers about the extent of its data security protections" — specifically, that GoDaddy told hosting customers their data was secure while simultaneously failing at industry-standard security practices.
• Per the FTC, GoDaddy was "blind to vulnerabilities and threats" in its hosting environment due to "operational gaps."
• These failures led to "several major security breaches between 2019 and 2022 in which bad actors gained unauthorized access to customers' websites and data," including visitor redirection to malicious sites.

The case was settled via a consent order. The final settlement was finalized on May 8, 2025. GoDaddy did not admit wrongdoing (standard for FTC settlements) but agreed to the remedial measures.

The three documented breaches

The 2023 incident is the most significant for the "host-side malware" question. This wasn't a case where individual customers got hacked because of outdated plugins. It was a case where GoDaddy's own infrastructure was compromised, with attackers able to install malware that then appeared on customer sites. Customers had no ability to prevent or detect this — the vulnerability was in the host's environment.

The security controls GoDaddy was missing

Per the FTC complaint, GoDaddy failed to implement all of the following — controls that are industry-standard and that GoDaddy told customers it had:

• Multi-factor authentication for access to hosting systems and databases.
• Software update management — systematic patching of the underlying hosting infrastructure.
• Security event logging — the ability to detect and investigate suspicious access.
• Network segmentation — isolating different customer environments and internal systems.
• Threat detection and monitoring — active intrusion detection.
• File integrity monitoring — noticing when system files were modified.
• Asset inventory and management — knowing what systems existed and who had access.
• Risk assessments for hosting services — systematic security review.
• Secure connections to data-access services — basic encryption of internal data flows.

Every one of these is table-stakes for a hosting provider. A small independent host running Plesk or cPanel on a single VPS should have file integrity monitoring and MFA. GoDaddy — a $4 billion revenue company at the time — did not.

What the settlement requires GoDaddy to do

• Mandatory MFA for all customers, employees, and contractors accessing hosting tools and databases.
• Non-phone-based authentication available (security keys or authenticator apps) — SMS alone does not satisfy the order.
• Comprehensive information security program covering the controls listed above.
• Biennial independent third-party security assessments. Results filed with the FTC.
• Prohibition on misleading security claims in advertising and marketing.

The MFA mandate in particular is meaningful: as of the consent order, GoDaddy must require MFA rather than offer it as optional. For customers who had opted out of MFA for convenience, this now changes.

What this means if you're still a GoDaddy customer

1. Enable MFA immediately if you haven't. GoDaddy now requires it. If you've been using SMS-only MFA, switch to an authenticator app.
2. Rotate all credentials. If your account existed during any of the three breach windows (especially Managed WordPress in late 2021), assume your original credentials were exposed. Change hosting password, cPanel password, database passwords via wp-config, SFTP, and any saved API keys.
3. Rotate your SSL certificates. The 2021 breach included SSL private keys for a subset of customers. If you can't confirm you weren't in that subset, regenerate your certificates.
4. Audit your site for legacy malware. If your site was running during late 2022 through early 2023, the cPanel-environment compromise may have dropped artifacts. Scan with Wordfence or Sucuri SiteCheck — and if found, investigate the root cause rather than buying a cleanup product.
5. Review what GoDaddy products you're paying for. The Website Security (Sucuri-powered) product continues to be sold. Given the underlying infrastructure issues the FTC documented, paying extra for security add-ons on top of a platform with documented security failures is a questionable purchase.

If you're deciding whether to move

The FTC action does not mean GoDaddy is unsafe in 2026 — the consent order imposes controls that, if followed, meaningfully improve the platform. But it does mean two things:

1. The culture that produced the 2018-2023 gaps existed at a large, well-resourced, publicly-traded company. Culture doesn't change quickly. The controls are now mandated; the underlying incentives that produced the gaps may or may not have.
2. You now know. If you continue hosting at GoDaddy after reading the FTC complaint and something bad happens in the future, the "I didn't know" defense to yourself is gone.

Reasonable alternatives depend on what you actually need:

• Simple shared WordPress hosting with privacy: LaunchPad Host Starter plan.
• Managed WordPress (more hand-holding): Kinsta, WP Engine, Cloudways.
• Technical users who want a VPS: Hetzner, Netcup, DigitalOcean.
• Offshore / jurisdiction-focused: Shinjiru (mixed reviews), FlokiNET (Iceland), OrangeWebsite (Iceland), or us.

For domain registration specifically: moving domains off GoDaddy is straightforward (60-day transfer lock after last transfer, then unlock and transfer out). Our domain registration page walks through the process.