I woke up this morning to an email from GoDaddy that they had REMOVED NextGen from three client websites. nextgen-gallery 3.2.10
Just a warning to the nearly 1 million users of NextGen that this happened. The NEW VERSION IS ALREADY OUT 3.2.11!
I assume the plugin creator is working on a solution to the vulnerabilities. Can you update us on that?
- This topic was modified 3 years, 3 months ago by Cami MacNamara.
Having the same problem. Can we expect NextGen to be updated so we can get back to using it, or should we be scrambling for an alternative plugin?
Just install the latest version of Nextgen gallery, 3.2.11. It is not blacklisted. We are not happy that GoDaddy did this on Saturday on a holiday weekend with no warning. We will be moving to a different hosting platform.
Thank you for the reply, @coloradocranes. It worked. I hope GoDaddy doesn’t delete it again.
I don’t know the story behind the blacklisting, but that seems harsh!
Totally agree. I was able to update 11 client sites this morning. Those that aren’t on my maintenance plan are going to have a big issue if they aren’t updating.
I have 3 sites where it was removed. One had 3.2.8 and the other had 3.2.4. The third was 3.2.0. What’s the current version available?
Hey all – Erick (CEO Imagely) here. I want to confirm that all you need to do here is update to the latest version. There was a security issue that’s already been fixed.
If GoDaddy has removed the plugin, just reinstall NextGEN Gallery fresh from your plugins page, and you should be good to go.
For the record: this is a very odd policy. The normal way for a hosting company to handle this would be to email users and ask them to update the plugin. If the issue is serious enough, then they can also force update the plugin.
But deleting a plugin in this way just breaks website content. It’s not uncommon to find and fix security issues for WordPress themes and plugins. Based on this approach, GoDaddy would presumably start just deleting plugins/themes each time that happens, regardless of whether the underlying issues have been fixed.
I’ve reached out to GoDaddy to discuss.
But for now, just update or re-install, and you’ll be good. Thanks. For our part, apologies for the hassle.
I happen to be on a customer council for GoDaddy and have shared in a Slack group I am in. They didn’t get the plugin removed from all my sites before I could get the update done this morning. I appreciate you reaching out. I have been most concerned about how to help clients that don’t have me doing backups, etc. If you would like me to send you a copy of the email that went out, please let me know.
- This reply was modified 3 years, 3 months ago by Cami MacNamara.
And I just want to note if the new plugin won’t install, check via SFTP if the current version is there but not in your WP Dashboard. This happened to me and I had to delete it (even though it wasn’t present in my dashboard) before I could add the new one.
Hey Cami – Thanks! We’ve already seen several copies of the email from users affected this morning. But I appreciate the offer, the underlying concern, and instinct for helpfulness. 🙂
While there’s not much we/I can do about this episode now that it’s done already, I’d really prefer GoDaddy find a more productive way to manage this type of situation – for us, for other plugin/theme devs, and for users’ own websites.
Maybe you can suggest that to GoDaddy via your own channels. I’ll do the same via mine. Maybe if they hear about it from a few directions, they’ll adjust and find a better way. Thanks again.
I plan on it. Spending Labor Day weekend doing this has not been fun. I have dozens of client sites that are using NextGen and NextGen Pro. Some I have on a care plan, but many others are not. Again, thanks for letting all of us know how to fix this quickly.
@guys You know that there was a SQL injection possible? Instead of blaming GoDaddy for being evil maybe you should be happy 😉
If they would not have done it someone could have just used this security hole… like many times before in NextGen Plugin… And run a fully auto hack of all your and your clients’ sites… Someone sitting in Country X and just pushing a button and fully automated all your sites are hacked and used for crazy shit…
Be happy that you can say to your clients that it was not your fault, it was just GoDaddy… But they did it with very good reason. They just want to protect your clients’ business 😉
Imagine waking up… and all of your client sites are hacked 😀 childporn, virus and other things are available on your clients’ sites… you getting calls about how that could happen?
Isn’t it better just to be safe instead of risking your clients’ business? Everyone understands that something is not working because it is highly risky… If you know an oven can explode you will be happy not to use it in your home :D but a super critical security hole is ok :D?
Hi @martinstkonvis – appreciate your security consciousness, but as has been noted, a fix was already available when GoDaddy took this action. That means all that was needed was an update. So GD could have emailed users to update or, if they considered it severe enough, force updated the plugin. For many reasons, this is what almost all hosts actually do in such circumstances.
If GoDaddy is going to delete everything that has a security vulnerability in its recent changelog, it would need to delete a vast array of plugins, themes, and WordPress itself (WordPress alone has had 11 vulnerabilities in 2019 and 38 SQL injection vulnerabilities over its history).
As a side note, this particular vulnerability required admin access. While all vulnerabilities should be treated seriously, it’s still worth noting that once someone has admin access to a website, they can pretty much do what they want anyways.
So based on both the specifics of this case and on industry standards for similar situations, I think it’s fair to conclude that this was a poor and unusual approach on GD’s part.
- The topic ‘GoDaddy has blacklisted the NextGen Gallery on Managed WordPress Hosting’ is closed to new replies.