Ben Metcalfe, co-founder of WP Engine, writes…
Earlier this morning, our domain WPEngine.com stopped resolving for a short time. This resulted in our site, our my.wpengine customer control panel, our status.wpengine.com domain, and some customer sites being unavailable for some visitors, depending on the status of their ISP’s DNS cache.
First and foremost we’d like to apologize to everyone who was affected — although the downtime was brief and was caused by an upstream provider outside of our control, DNS downtime is unacceptable!
I’d like to take the opportunity to explain what happened.
Some time yesterday it was reported that one of our clients’ websites was hosting malware. We host tens of thousands of domains, and so occasionally such infections do occur, often when a new customer moves to us, taking their existing malware infection with them.
The person/entity reporting this sent emails to the abuse@ email addresses of all of our service providers, including ones that were not involved in the hosting of the infected site. They also sent the report to the abuse@ email address of our domain registrar. Unfortunately, and for reasons unknown, they did not send the report to our own abuse@ email address here at WP Engine.
One of our providers immediately forwarded the email to us and we had our independent security partner investigate and clean up the infected account within a few hours of the original report.
However, our domain registrar decided to take the entire wpengine.com domain offline — including all subdomains — in order to bring the infected site offline (the infected site was pointing their domain to a CNAME of a wpengine.com subdomain). Unfortunately they decided to do this many hours after the infected site had been cleaned up, and also without checking with us or successfully getting into contact with us.
As soon as we discovered our domain registrar was blocking DNS nameserver requests we made contact with them and had this block removed. Initially they actually blamed our DNS provider, which also sent us on a wild goose chase. Eventually they admitted they had done it.
As of right now, all sites should be back up online. We are investigating our next course of action, including whether there are any procedures we can improve on our side, and ultimately whether we need to change domain registrar. We will keep you posted.
Many thanks for your understanding,
Ben
Sounds like you need a new registrar to me.
So if I understand correctly, an infected site with a CNAME pointing to a wpengine.com based domain was sufficient for a registrar block?
What would prevent someone from spoofing such an attack? Seems sloppy on the registrar’s part.
Hey, I wanted to say thanks for the info. You guys do a great job. I know domain registrars are all so different; I have had good luck with Dyn.
All the best,
Tom