I have been using bluehost since few years now and I can say that their support has become terrible since last one year. Apart from the downtime, nothing serious has happened which will cost me money but last night I was shocked with what happened.
At 1 AM (Melbourne time), I get an email from bluehost saying that my account is deactivated due to malware/virus being found on the server. I have over 100 websites on this server and all of them stopped working. Here is the email I received from bluehost
Your web hosting account has been deactivated, as of 09/12/2016. (reason: terms of service violation – malware/virus)
This deactivation was due to a Terms of Service violation associated with your account. At sign-up, all users state that they have read through, understand, and agree to our terms. These terms are legal and binding.
Although your web site has been suspended, your data may still be available for up to 10 days from the date of deactivation; if you do not contact us during that 10 day period, your account and all of its files, databases, and emails will be deleted.
Contact us if you feel the deactivation was a mistake. You must contact us to regain access to your account. Please call and speak with our Terms of Service Compliance department as soon as possible at 888-401-4678 (ext. 3).
Please read the following, derived from our Terms of Service agreement, for additional information regarding the matter.
Bluehost uses sophisticated means of security in connection with its services. Notwithstanding the foregoing, it is exclusively the subscriber’s obligation to maintain and control passwords to subscriber’s web site(s), and subscriber exclusively is responsible for all activities that occur in connection with subscriber’s user name, password, and registered domain name(s).
Please review the current copy of our Terms of Service here:
Since I could not access any files, the only option I had was to call the number provided in the email. I called the number and it went to sitelock. This guy from Sitelock started asking about how many domains I have and started giving me a quote. I kept on telling him that all my domains on the server are highly secured and I feel this email is sent by mistake. He then tells me that he does not work for bluehost and bluehost is just their client like many others whom they help remove the malware. This guy was of no help and only insisted on giving me a “quote” to remove the malware.
Why did bluehost give me that number then? Any person with no technical knowledge would have straight away spent some dollars to get his site fixed without even knowing what has happened.
I hangup with the sitelock guy and dial the same number again. This time, I choose another option and get to talk with a bluehost rep. I tell this guy that I am 100% sure that my server is not infected and he starts talking arrogantly. First, he fixes the file access problem and now I am at least able to access my files. He points to wflogs/config.php and says this file is infected along with lots of other files on the server. I hangup and start doing some research. I have wordfence security installed on all the websites and the plugin alerts me whenever they find a malicious code or file on the server. No alerts had been sent, so I was sure there is nothing wrong. On doing some research, I found that this file belongs to the wordfence security plugin and there is indeed nothing wrong with it. I compared the file with websites on other servers and they all look similar. Confirmed, there is nothing wrong!
So I call bluehost again and tell them that the files that they suspect are clean and there should not be any issue. This guy on the phone now starts a scan and keeps me on hold for 10 minutes. Comes back and says he did not find anything wrong, starts the scan again and keeps me on hold. After 5 minutes he comes back and says the scan is running. This happens 2-3 times and then he says it might take some more time and he will send me an email with the results. Its 3 AM at my place and I asked him how long will it take. He says it will take around 30 minutes and I should expect a reply till then. I stayed up till 4:30 and went to bed after that.
When I get up at around 10 AM, I see an email from bluehost sent at 5:40 AM and guess what it says. It says the same damn thing! File wflogs/config.php is infected. New day started on a terrible note. I call the same number again and it seems the TOS department is now closed. Does this mean my sites will be down for another 8-10 hours? In anger, I sent tweets to @bluehost but there was no response. Now, I start looking for new webhosting options, start taking backups and make a plan on making the transfers. Meanwhile, I am waiting for a support staff on chat. He comes online and here is the chat log:
Welcome To Live Chat
Print Rate And Exit
12:43:34 PM System Adam M has joined the chat!
12:43:59 PM Harshad Ghodke hi
12:44:08 PM Harshad Ghodke my domain name is *****
12:44:15 PM Adam M Hi, thanks for contacting Terms of Service! My name is Adam. Please keep in mind I assist several customers at once. Thank you for your patience. Can I please have the last four characters of your main account password to verify ownership of the account?
12:44:25 PM Harshad Ghodke last 4 cahracters of password are ****
12:44:37 PM Harshad Ghodke account is deactivated for malware
12:44:43 PM Harshad Ghodke have checked and confirmed there is no malware
12:44:44 PM Adam M Thanks! I will check for any remaining malware.
12:45:03 PM Harshad Ghodke ur rep said a file config.php inside wflogs is malware
12:45:04 PM Harshad Ghodke s not
12:45:14 PM Harshad Ghodke ts a wordfence file and this has been confirmed with wordfence
12:45:56 PM Adam M Did Wordfence review the code in the file?
12:46:03 PM Harshad Ghodke yes
12:46:06 PM Adam M Because the code looks a lot like malware
12:46:33 PM Harshad Ghodke its not
12:49:01 PM Adam M Upon close inspection, the code does not look like malware.
12:49:23 PM Adam M Looking into why it keeps getting suspended
12:49:37 PM Harshad Ghodke i dont know what to tell u
12:49:40 PM Harshad Ghodke its not malware
12:49:44 PM Harshad Ghodke i have 4 other servers
12:49:47 PM Harshad Ghodke l have same files
12:51:58 PM Adam M I’ll get it activated.
12:53:23 PM Harshad Ghodke over 100 sites down for 12 hours
12:53:27 PM Harshad Ghodke have suffered so much loss
12:53:44 PM Harshad Ghodke u guys shld do some research before u start deactivating sites
12:53:53 PM Adam M I’m sorry for the inconvenience, we should be able to get this up, stand by.
12:53:59 PM Adam M Agreed, I’m sorry that this happened.
12:58:44 PM Adam M Thanks for your patience, my colleague is inspecting the file.
1:05:22 PM Adam M So sorry for the wait, just waiting on a colleague.
1:08:19 PM Harshad Ghodke ok
1:14:12 PM Adam M Looks like this could take a while, do you mind if we send you an email with the results? If we determine the account to be clean, we will activate it right away.
1:14:28 PM Harshad Ghodke no
1:14:32 PM Harshad Ghodke prefer to stay on chat
1:14:42 PM Harshad Ghodke the last person said the same thing
1:15:12 PM Adam M Alrighty, no worries.
1:25:06 PM Adam M Does Wordfence need the file in question to function properly?
1:25:27 PM Harshad Ghodke not sure
1:29:48 PM Adam M Looks good, account activated.
1:30:01 PM Harshad Ghodke thanks
I usually don’t sleep until 3 AM but this night I went to bed early as I was not well. Bluehost wasted my time, my sites were down during peak hours of business and my health got worse due to lack of sleep. Couple or more days again will be spent on changing hosts and transferring 100s of domains. Thank you Bluehost for wasting my time & money. You lost a customer who was with you for last 8-9 years.