Creepy Sleepy Gets Bit By Bluehost

Posted on Thu 22 January 2009 in Dispatches • 4 min read

My good friend Dan Patterson of Creepy Sleepy just recently had a rather nasty wake-up call with regard to his current hosting provider, Bluehost. Due to a security flaw on their servers, malicious files were injected into several of the websites he was hosting there. Despite the fact that it was a failure to maintain security on their servers (as opposed to his account being hacked due to weak passwords or similar), they suspended his account. Dan sent out an email to both his friends and the folks whose sites he was hosting explaining the issue. Here is an excerpt of that email (reprinted with permission):

According to the tech support guy (who refused to let me speak to his manager) Bluehost recently (he wouldn’t say when) experienced a security flaw/vulnerability that exploited a vulnerability in php. They initially blamed the problem on Wordpress and said that “everyone” with WP sites was experiencing this right now. I told them that upon doing a Google Blogsearch and Twitter search, I’ve seen no other similar problems. I also pointed out that after the last Bluehost security flaw (yes, something similar happened a month or two ago) I made a point to keep every single site up to date. The guy tried to reiterate that it was not Bluehost’s problem if a security vulnerability doesn’t take down every Bluehost site. I replied, calmly (really) that it was their flaw on their servers and that even if it was a php or WP problem, and even if I wasn’t taking care of my servers, they have a responsibility to a) warn me first, b) give me the chance to back up. They killed even backend access. I stayed on the phone until they relented and allowed a short window to back up.

When the long hard ass pain of migration is done, I will look at this as an opportunity to talk about brands. At the core, Bluehost experienced problems that exposed their paying customers to a security flaw. Bluehost lied about the extent of the problem (first they wouldn’t say where the vulnerability occurred, then finally admitted that it originated on their end). Then blamed me, the customer. After prodding, they blamed Wordpress. Finally, they allowed me to back up, but refused to assist in the process or migration. I, the customer, stayed calm during the entire process. I was not allowed to talk to a manager, and no one apologized or said “I’m sorry sir, we see that you’ve been a customer for a number of years. While we don’t believe the problem is our fault, we would like to assist you in restoring your sites, backing up your data, or migrating to a new provider.” This is customer service 101 and essential for every brand in the digital age.

Forget ethics, forget right and wrong - let’s look at the brand and company. Bluehost’s demo is web-savvy folk looking for affordable hosting. Is this the way a brand should act? Who’s calling the shots? I can understand a car manufacturer, but for a hosting company this is just complete incompetence. And it’s sad.

This is a pretty terrible way for Bluehost to deal with a customer, especially when it appears it was an error on their part. I suspect it has a lot to do with poorly trained, outsourced support staff. But, as Dan said later in his email, this is an opportunity to talk about what a competent brand should do when they make a mistake.

  • Own up to it, confess. “We screwed up.”
  • Apologize.
  • Make it right, or help the customer move on. Stories like this spread fast, so make sure you are the good guy.

Anyone competent knows this, because competent people know that the best solution is to use common sense. So the end result is: Bluehost loses a customer, a customer who happens to be an excellent media producer at that. More than that, they will probably lose a lot of potential customers as well. At least, one would hope so.

Stories like this really mark the night and day difference between companies like Bluehost and my current hosting company of choice. Webfaction (not an affiliate link, I don’t advertise here) has always been highly responsive and helpful. On the rare occasion that they have made a mistake, they have always been quick to take ownership of the error and make it right for any customers affected. This is what good brands do. This is what good people do. The two concepts usually (and should) lead to the same conclusions.

Really, when looking for the appropriate response to any situation, whether as a brand or a person, it’s actually pretty easy to figure out what to do. Use common sense, and do the right thing. Most importantly, remember what Wil Wheaton said and “don’t be a dick.”

Here’s hoping that Dan’s migration goes well, and that we see the return of Creepy Sleepy sometime soon.