📆 This is the December 2021 edition of “This Month in WordPress with CodeinWP.”
We are back with yet another dose of WordPress news and analysis.
This month, GoDaddy found itself in the news quite a bit. They made a big splashy acquisition in the managed WordPress hosting space, but they also had a vulnerability in their own managed WordPress hosting that could put millions(!) of WordPress sites at risk.
Beyond that, we got the news that WordPress 5.9 will not be coming in 2021 after all. Instead, it will be pushed back until January 2022 to give the team more time to implement key full-site editing features.
Finally, we’ll talk about WordPress Black Friday deals and Elementor’s new Web Creators marketing push.
December 2021 WordPress News with CodeinWP
GoDaddy acquires Pagely in one of the biggest WordPress hosting acquisitions
The year is 2023. All WordPress hosting companies, themes, and plugins are now owned by one of five entities:
- Automattic
- GoDaddy
- WPBeginner/Awesome Motive
- Liquid Web/StellarWP
- WP Engine
Okay, maybe that’s a bit hyperbolic. But the WordPress acquisition train has shown no signs of slowing down as November just saw one of the biggest acquisitions ever in the WordPress space.
On November 11, GoDaddy announced that it had acquired Pagely. Pagely is one of the most well-known hosts in the space and the first company to actually call itself “managed WordPress hosting” and define what that term means (a definition which many hosts have stretched so far that it’s almost meaningless).
The acquisition seems to be focused on using Pagely and its expertise to launch a new WooCommerce SaaS product, which makes sense as GoDaddy already has their own managed WordPress hosting line with millions of customers (more on that next!).
This is one of the absolute biggest WordPress hosting acquisitions that I can think of; right up there with WP Engine acquiring Flywheel in 2019. I’m not sure whether Flywheel is bigger than Pagely or not.
If you want to go beyond the PR announcements, Joshua Strebel, the former CEO and co-founder of Pagely, shared his thoughts on the Pagely blog.
In his words:
While I’m happy for the entire Pagely team (many of whom are probably looking at some fat bank accounts), it still is a bit sad to see another large independent company get gobbled up by one of the big players.
Is there still space in WordPress for small, independent shops? Well, yes, but it seems to be getting a little smaller every day.
What’s more, new shops getting started will find it to be tougher sledding than ever when they’re forced to compete against the big brands in marketing and SEO from day one.
For example, it’s going to be hard to rank in the SERPs when the entire first page is dominated by Awesome Motive brands.
Oh, and while we’re on this note, Liquid Web/StellarWP also acquired Modern Tribe, a WordPress agency, in November. This finishes the job that Liquid Web started when it acquired The Events Calendar earlier in 2021 (a plugin developed by Modern Tribe).
Huge vulnerability in GoDaddy’s managed WordPress hosting
In addition to the Pagely acquisition, GoDaddy was also in the news for a less positive reason – a massive vulnerability in GoDaddy’s managed WordPress hosting product.
It’s important to note that this was not a vulnerability in WordPress itself. Instead, it was specifically a vulnerability in GoDaddy’s managed WordPress hosting platform.
However, the vulnerability did still affect a massive 1.2+ million hosting accounts at GoDaddy, which means that multiple millions of WordPress sites could be affected.
So – what went wrong? Well, GoDaddy actually wasn’t especially forthcoming here, to be honest. They made the announcement as part of a disclosure to the Securities and Exchange Commission (SEC) because GoDaddy is a publicly listed company.
They said that someone had a compromised password that was able to access GoDaddy’s system to further access the following information:
- Emails and customer numbers
- Original WordPress admin password when the site was provisioned (if people didn’t change their password, this would still be the active password)
- SFTP and database usernames/passwords (this is a huge deal as it essentially gave the malicious actor full access to WordPress sites hosted on the platform)
- SSL private keys for some active customers
The breach occurred on September 6 but wasn’t caught until November 17, which means the malicious actor had over two months to hang out and do nasty stuff.
If you use GoDaddy’s managed WordPress hosting, you will absolutely want to look into securing your sites and assume that you’ve been compromised until you can verify otherwise.
Accessing those types of key passwords is a pretty massive vulnerability, which led to the Wordfence team digging into how a malicious actor would have achieved this.
What Wordfence discovered is that they were able to view their own SFTP password in the GoDaddy dashboard, which shouldn’t be possible if the password was properly stored.
Essentially, this means that GoDaddy was either:
- Storing the passwords as plaintext.
OR - Storing the passwords in another format that was easily reversible.
Either way, this is a big no-no in cybersecurity.
While GoDaddy has reset the usernames and passwords for all accounts, the malicious actor still had over two months where they could have made malicious changes.
I recommend reading Wordfence’s post to learn more about the attack and what steps you should take if you’re hosting with GoDaddy.
Finally, there’s one last piece of news here. After the breach was initially reported, GoDaddy widened the scope of affected services to the following hosts that resell GoDaddy’s managed WordPress hosting product:
- tsoHost
- Media Template
- 123Reg
- Domain Factory
- Heart Internet
- Host Europe
You may also be interested in:
- WordPress 6.5, Plugin Drama, WordCamp Asia 🗞️ April 2024 WordPress News w/ CodeinWP
- A Look at the WordPress Media Experiments Plugin in an Interview With Pascal Birchler
- The “Elementor CMS,” ACF Stories, WordPress.com Creator Plan 🗞️ February 2024 WordPress News w/ CodeinWP
WordPress Black Friday and Cyber Monday deals – are they worth it?
As we pass by another Black Friday and Cyber Monday, there’s been a lot of talk about whether or not it’s worth it for WordPress businesses to run Black Friday deals.
Some people, like Kinsta co-founder Tom Zsomborgi, are strongly against these types of discounting strategies, while many other WordPress companies go all-in on Black Friday deals.
This year, we decided not to run a Black Friday sale for our sister brand, Themeisle. You can read Ionut’s thoughts here, but the basic idea is that Themeisle would rather focus on creating products that people love and keep using than on attracting customers with splashy deals.
It’s not just about that, though. It’s also a question of the overall effectiveness of Black Friday deals.
Do Black Friday deals drive a lot of sales during Black Friday? Undoubtedly so. However, that might not be telling the full truth. If you zoom out and look at broader time frames, the difference in sales isn’t actually that noticeable, according to Ionut.
Ionut’s hypothesis is that a lot of people who would’ve purchased a couple of weeks earlier just end up waiting for the Black Friday sale. That is, these aren’t “new sales”, they’re sales that you would’ve gotten anyway but that delayed their buying time to coincide with Black Friday.
Anecdotally, I’ve noticed the same behavior in myself, and maybe you’ll see it in yourself. A couple of weeks ago, I was planning to buy Brian Jackson’s Novashare plugin. But rather than pick it up then, I figured I might as well wait until the deal. The same is true for the Mangools SEO tools Black Friday deal. I needed an SEO tool weeks ago, but I figured I’d just delay until Black Friday.
Do my anecdotes mean that WordPress Black Friday sales are worthless? Obviously not. But it does mean that you might want to dig into the data and see if Black Friday deals are really as beneficial as you thought.
Or, you can always just go with a different strategy and raise your prices before Black Friday to create a “fake” sale. That’s a joke – don’t do that – it’s not really nice (and maybe against FTC rules if you’re in the USA).
Elementor launches a new campaign for web creators
This one is more interesting than super noteworthy, but Elementor just released a brand new campaign called Welcome Web Creators that’s focused on reaching all different types of people who build websites.
Accompanying it is an introduction video with very high production values. It definitely doesn’t look like something for an open-source piece of software – it looks like it can go toe-to-toe with the ads that Wix is running.
Elementor also surveyed over 1,000 creators as part of the campaign, with some interesting results such as 67% of respondents finding an increase in their business since the pandemic began.
Beyond the fun ad video and survey, what’s interesting about this campaign is how it’s yet another step in Elementor positioning itself as a “website builder” instead of a “WordPress plugin.”
More specifically, Elementor calls itself the “leading open source website creation platform,” which seems to position it as competing with tools like Wix and Squarespace instead of other WordPress page builder plugins.
One thing to pay attention to could be if this is foreshadowing for some type of cloud, SaaS-like Elementor website builder. A lot of people felt like this could be coming when Elementor raised $15 million in 2020.
Elementor does have its own WordPress hosting service, but the Elementor team hasn’t made the push into a totally cloud-based solution like Brizy has with Brizy Pro. They also haven’t promoted the Elementor cloud hosting as much as I thought they would (though I think they’re still in the testing phase with it).
Either way, it will be interesting to see where this campaign leads and what Elementor’s plans are for the future.
WordPress 5.9 gets pushed back
If you were excited to get your hands on WordPress 5.9 this year, we have bad news – it’s been pushed back.
It’s not often that WordPress releases are delayed because, according to Matt Mullenweg, “deadlines are not arbitrary.”
With that being said, the stakes for WordPress 5.9 are too large to rush things. It will bring new full-site editing (FSE) features and, because those features are so tightly tied together, it’s not possible to just remove the features that aren’t ready.
So – what are the new dates? Well, according to the new schedule, the beta rounds will still start in December 2021. However, the first release candidate isn’t slated until January and the tentative release date is now scheduled for January 25, 2022.
That sums up our December 2021 WordPress news roundup. Anything we missed?
…
Don’t forget to join our crash course on speeding up your WordPress site. Learn more below:
Layout and presentation by Karol K.