All my sites are down. They've been down since at least 7am ET today. I have no idea when they will be back up or what their condition will be when I get to them.
I use a very well-regarded managed hosting provider named SiteGround. With a few limited exceptions, they've been a pleasure to work with.
The idea behind managed hosting (in my case, for WordPress sites) is that the hosting provider does extra support and provides extra services to keep your site up and running. You pay a bit more, but the added help is generally worth the price.
I used to run all my own servers, and when I was faced with a denial of service attack, I had to go it alone. I would normally share with you a link about my story about the time when Connected Photographer got hit by a million computers a day, but the Connected Photographer archives, like the rest of my sites, are down.
This morning, I got an alert that my main site was down. I promptly tried connecting, and it was down for me as well. I checked with downforeveryoneorjustme.com and the site listed as up. That was odd, so I contacted SiteGround support.
I was quickly told that there was a DDoS and a status message I could read in my main dashboard. That status message was at 7am ET and it said there was a DDoS and the company was doing its best to deal with it.
Noon came and went. My sites were still down (and now downforeveryoneorjustme.com concurred). I found two Twitter users reporting problems with SiteGround. Otherwise, no other noise.
After seven hours down, I asked SiteGround to provide an update. They said they were dealing with it. I posted a tweet and got back the reply "As you may know, DDoS attacks cannot be predicted and it takes time to be resolved."
Here's where the "ultimate fail" comes in. The company has provided no update information in seven hours.
They have provided no information about whether their whole service was hit or just the few sites I found mentioning the problem on Twitter. They could not tell me, originally, whether it was an attack against my sites or theirs. They provided no information on what they've learned. They provided no information on whether sites or site data has been compromised.
Look, I know managing a DDoS is a very frustrating thing. But a company offering managed hosting should be prepared with a plan for dealing with such an occurrence. SiteGround hasn't indicated whether they had such a plan, whether this is an unusual sort of DDoS, or whether they were just completely unprepared.
But more to the point, even though systems engineers are undoubtedly busy, keeping customers in the dark for the better part of a day is inexcusable. Communication in a crisis is critical, and this is where SiteGround has fallen down. This is the ultimate what-not-to-do in a crisis like this.
Personally, it's very frustrating. On one hand, it's nice to have it not be my problem. I spent years fending off and building systems to mitigate DDoS attacks on my self-operated servers and it's nice to be able to have a nice lunch, pet the puppy, write a cranky article, and let others do the work.
But on the other hand, knowing that there is absolutely zero action I can take to get my sites back online is excruciating to someone used to being hands-on. It would be less of an issue if the company provided any sort of status information, but going Ostrich (the idea is that your head is in the sand and you can't do anything) is not a workable strategy.
Will I switch off of SiteGround? I sure hope I don't have to. My sites are quite complex and moving and setting them up is a few weeks of full-time work that I'd rather not have to do. But if I can't be confident the company knows how to deal with these sorts of incidents and will provide quality communication, I (and possibly other of their customers) may have to.
Let me be clear: My complaint is not that they're down due to a DDoS. That could happen to anyone. It's the complete lack of communication -- that's the fail. That, and my sites (as of 3:30pm ET) are still down. There's that.
UPDATE 5pm: Still don't know many details, but SiteGround reached out and offered to move my sites to an unaffected IP address. Of course, that's going to cause a propagation delay, but it's still a good approach.