The Joomla! Forum ™

Posted: Mon May 28, 2012 5:59 pm by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
I receive quite a few calls every day from people whose websites have been hacked and in most cases the situation is exacerbated by the shared hosting plan they've chosen to host their website or websites.

Analogy wise, a shared web hosting plan is akin to an open bay college dorm room, or an office building where all of the internal office doors share the same key.

"If someone is going to steal your roommate's stuff there's nothing stopping that person from stealing your stuff in the shared space as well."

So, while convenient, "dorm room style hosting" trades security for convenience.

There may also be legal liability issues relating to reselling shared web hosting in this way. If, for example, you host 20 client websites in a shared account, and you give any one of your 20 clients FTP access you will have effectively given that person access to the contents and databases of all of your 20 websites.

Your first thought may be, "Dude, what the heck are you smoking! When I give FTP access out to my clients they only have access to their own directory space…"

Well, here's the rub. If I'm an enterprising hacker, and I somehow get FTP access to any one of your shared domains, or you install a compromisable plugin on any one of your websites, all I have to do is use that to install a back door script, like FilesMan, and I'll have total access to everything within your account, from files, to images, as well as read and write access to all of your clients' databases.

Business ethics?
Have you notified all of your clients that if one of your other websites is hacked it's likely their websites will be hacked as well?


What is the solution?
Well, while shared hosting of the "dorm room" variety is fine for a single business, shared website hosting plans can be quite risky for a web design business.

"It takes less than 3 minutes for a hacker to hack or delete the contents of every website sharing the same shared hosting account files space."

If this is not the risk you wish to take with your business then a reseller type hosting plan is your more secure option. A reseller hosting plan is one in which you may set up separate FTP usernames and passwords for each client, such that no accounts share the same file space. cPanel WHM (Web Hosting Manager) is currently the best and easiest to use reseller control panel. To locate a secure cPanel WHM web host type this into Google, "cpanel whm with daily malware scanning"

Hopefully I've shed some light on the security ramifications of using shared hosting plans. If you have any questions please feel free to contact me.

"Friends Don't Let Friends Get Hacked"
Posted: Mon May 28, 2012 6:50 pm by pxforti (Joomla! Hero, joined Wed Apr 04, 2007 8:54 pm, 2577 posts, Driggs, Idaho)
I totally disagree with your dorm room analogy for shared hosting. Unless there is something very wrong with your web host, other sites cannot access your site or data. However, on shared hosting other sites on your server can slow down that server by abusing the resources. For example, if another site is running a script that takes up most of the server's resources, then all other sites will be slow.

That said, most shared hosting providers do everything they can to monitor this kind of abuse. But it does happen.

A better analogy for shared hosting is broadband cable internet service. Cable can be very fast until all your neighbors start streaming HD video. On cable, you are sharing the cable pipeline with all other people on your branch of the system. The more demand on the system, the less resources / speed for everyone.

Certainly, a virtual private server or dedicated server gives you better performance, but the price of those options is usually too high for most small businesses or bloggers.

I have worked on hundreds of websites and 98% of them are on shared hosting and for the most part, their performance is fine. And not one of them has been hacked due to the host. Of the 100 or so Joomla sites I've worked on, only two were hacked and it's because the hacker got their ftp / cpanel password, probably from a computer virus or because they had not changed their password in years.

_________________
Joomla Website Design / CS-Cart Website Design
http://writenowdesign.com

Posted: Mon May 28, 2012 10:20 pm by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
You missed the point pxforti. Please note my statement:

"...If I'm an enterprising hacker, and I somehow get FTP access to any one of your shared domains, or you install a compromisable plugin on any one of your websites, all I have to do is use that to install a back door script, like FilesMan, and I'll have total access to everything within your account, from files, to images, as well as read and write access to all of your clients' databases."

So, if you are using one of those unlimited cPanel "addon" type accounts, common to the so-called "unlimited" hosts, and set up all of your websites under public_html, then if one website is hacked all will be hacked or will be open to being hacked.

I see this every day my friend.

Best Wishes,
Jim

Posted: Tue May 29, 2012 3:48 am by pxforti (Joomla! Hero, joined Wed Apr 04, 2007 8:54 pm, 2577 posts, Driggs, Idaho)
I didn't miss your point. You didn't make it. You said shared hosting, not adding multiple websites to one hosting account. In either case a hacker can't get at it without a password or a compromised script.

In the case of adding multiple domains to one account, then all domains are vulnerable if a hacker gets access to your account. But this would be the same on a dedicated server if a hacker got access to the main account.

I still maintain that shared hosting is fine if you take normal precautions.

_________________
Joomla Website Design / CS-Cart Website Design
http://writenowdesign.com

Posted: Tue May 29, 2012 5:17 am by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
Seems you are still missing the point of the article. If you have a dedicated server and set up each account under a separate username/password then a hacker would not be able to hack the separate accounts. I covered this in my last paragraph:

"A reseller hosting plan is one in which you may set up separate FTP usernames and passwords for each client, such that no accounts share the same file space. cPanel WHM (Web Hosting Manager) is currently the best and easiest to use reseller control panel."

Posted: Tue May 29, 2012 4:47 pm by PhilD (Joomla! Hero, joined Sat Oct 21, 2006 10:20 pm, 2694 posts, Wisconsin USA)
@HackRepair
I agree with the basic analogy you're giving and the point you are trying to make. I have said this same basic information many times in other posts. It is very simple on shared type hosting for a single compromised account to gain access to all others by installation of a script. This is called cross site scripting. It is even easier to gain access to other domains if you are adding multiple domains to one main account. This is cross account scripting. Same methods are used in both cases.

Reseller accounts: shared hosting, and subject to easy hacking across domains under an account.

VPS hosting: this is still shared hosting. Your account shares resources with a number of other accounts on one server and thus is subject to compromises.

Dedicated: probably the safest you will find in terms of security for general use. There is only one account on the server. Still subject to compromise through a site insecurity or software insecurity in some cases. Think what the host service uses to host domains on. One reads almost daily about xxxx host service getting their servers hacked.

If a site takes credit card information, then there are requirements set forth in credit agreements that have to be followed. Any type of shared hosting generally does not meet requirements set forth by Visa, MasterCard, Discover etc. and should not be used.

Now, should everyone use only dedicated? No, the type of hosting should be tailored to the individual client and their needs, requirements and what is in the budget.

Is it progressively harder to hack sites depending on the type of account? Yes, in general, and that is provided there are no misconfigurations in the servers or security holes in the servers. Many hacking scripts (especially true for the major paid ones) can easily exploit just about any security issue on any type of server with a result of giving full root access to the server. However even free scripts can exploit the server and all within and there are many howto videos on how to set things up to do so.

One of the most common issues I see is the site has a security issue which is taken advantage of and an attempt is made in addition to anything else that is done, to both upload a root kit script and set up a hidden backdoor within site files for later easy access.

@pxforti
You are correct in that misuse of server resources by a few clients on shared hosting affects the response of the entire server. Overselling of server resources on shared hosting is also a factor to contend with. Lack of memory on a VPS is a factor on those setups affecting response. You're only given a slice of all resources and memory tends to be a small slice.

Important factors for the 98% are to find a host service that is reputable, responds to issues correctly and quickly, and is reasonable in cost. When selecting a host, look past the marketing fluff and read the TOS. Expensive is not necessarily good and cheap is not necessarily bad. Most popular high profile hosting may also mean a greater potential for hacking. Ask questions. Does the potential host outsource tech support? What server set up is used (php as apache module, as cgi, as fastcgi, etc) and what general security measures (Suhosin, mod_security etc.) are used?

It is amazing to me that there are still setups out there that require users to set 777 in order to have any kind of valid usage of their site.

As an end user of shared hosting one has certain responsibilities, just as you would if you share a dorm room with someone else. You should make your own backups of files and databases, not set permissions higher than 644/755, read and learn about some basic security measures and activate the default htaccess file included with Joomla. Also have a disaster plan in place and know how to implement it in case there is an issue. This is of course not all inclusive but a start.

_________________
PhilD -- Unrequested PM's and/or emails may not get a response.
Security Moderator
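As an added example (not code from the thread or from any of its posters), a small POSIX shell audit of the two end-user hygiene points in PhilD's last paragraph: nothing looser than 644 (files) / 755 (directories) in the site tree, and Joomla's shipped htaccess.txt actually activated as .htaccess. It assumes POSIX sh plus find(1); the sample site tree at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Joomla site tree for loose
# permissions (anything group/world-writable, i.e. looser than 644/755)
# and for an htaccess.txt that was never copied to .htaccess.
# Assumes POSIX sh plus find(1); the demo tree below is constructed.

# List every file or directory writable by group or others.
# Returns 0 when nothing is found, 1 otherwise.
find_loose_perms() {
    found=$(find "$1" \( -perm -g+w -o -perm -o+w \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Joomla ships htaccess.txt; its rules only apply once copied to .htaccess.
# Returns 0 if active, 1 if htaccess.txt exists but was never activated,
# 2 if neither file is present.
htaccess_state() {
    [ -f "$1/.htaccess" ] && return 0
    [ -f "$1/htaccess.txt" ] && return 1
    return 2
}

# Run both checks and report; returns 0 only when the tree passes both.
audit_site() {
    rc=0
    if find_loose_perms "$1" >/dev/null; then
        echo "OK   permissions: nothing looser than 644/755"
    else
        echo "WARN permissions: group/world-writable entries found"; rc=1
    fi
    st=0; htaccess_state "$1" || st=$?
    case $st in
        0) echo "OK   .htaccess is active" ;;
        1) echo "WARN htaccess.txt present but never copied to .htaccess"; rc=1 ;;
        *) echo "WARN no .htaccess or htaccess.txt in $1"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a 777 "images" directory and an unactivated
# htaccess.txt, the kind of setup the thread complains about.
demo=$(mktemp -d)
mkdir -m 755 "$demo/administrator"
mkdir -m 777 "$demo/images"
: > "$demo/htaccess.txt" && chmod 644 "$demo/htaccess.txt"
audit_site "$demo" || echo "site needs attention before going live"
rm -rf "$demo"
```

Run it against a real docroot with `audit_site /path/to/site`; a non-zero exit means at least one of the two checks failed.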
 
Posted: Tue May 29, 2012 4:51 pm by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
Very nice reply.
Thank you for taking the time to write that. If there was a plus one I would click it.

Best Wishes,
Jim

Posted: Tue May 29, 2012 4:56 pm by leolam (Joomla! Master, joined Mon Aug 29, 2005 10:17 am, 11987 posts, Netherlands/ UK/ S'pore/Jakarta/ North America)
Sorry but this entire thread with the provided arguments as per Original Poster is nonsense! Btw: PhilD is in general right!

It depends entirely on the hosting setup.

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Last edited by leolam on Tue May 29, 2012 5:20 pm, edited 2 times in total.
Posted: Tue May 29, 2012 5:01 pm by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
What you are saying, Leo, is that if you set up an account at a web host, then set up let's say 10 different WordPress blogs in 10 different directories using the "Addon" feature of that host, it's impossible for a hacker who hacks one of the blogs to hack all of the 10 websites as well?

Posted: Tue May 29, 2012 5:16 pm by leolam (Joomla! Master, joined Mon Aug 29, 2005 10:17 am, 11987 posts, Netherlands/ UK/ S'pore/Jakarta/ North America)
Yes, a hacker can hack any site on a server (server-wide) once he/she has access to 'root', or actually any directory, since she/he can install a script gaining access to 'root', for instance.

When a hacker already has access to the server it makes no difference/sense. He/she can go anywhere/any account and do whatever she/he wants.

This relates back to what has been posted thousands of times in the security docs of Joomla (maintained by PhilD and Mandville, to the best of my knowledge).

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---


Last edited by leolam on Tue May 29, 2012 5:32 pm, edited 1 time in total.
Posted: Tue May 29, 2012 5:29 pm by HackRepair (Joomla! Apprentice, joined Wed Apr 25, 2012 10:52 pm, 16 posts, San Diego)
You folks are experts, so this is obvious to you (the above).
Sadly, it's not obvious to many that setting up separate websites using the "addon" option, common to many $5 buck unlimited hosts, instead of breaking them out into separate FTP user/pass accounts is inherently insecure.

Posted: Tue May 29, 2012 5:42 pm by leolam (Joomla! Master, joined Mon Aug 29, 2005 10:17 am, 11987 posts, Netherlands/ UK/ S'pore/Jakarta/ North America)
HackRepair wrote:
    You folks are experts

It is not about us! It is sadly about your host! As Phil pointed out...... You might be saving US$ 50/year to host on the cheap....... Does it protect you?

Simple, as Phil stated: Your Host is darn Important!

(We spend, as a hoster, per server per year US$ 900.00 on Security Software (and more) which is a lot of money... Why do we do this? Simply because We care about protecting YOUR (!) business!)

Leo 8)

_________________
--- Joomla Professional Support Services :: http://gws-desk.com ---
--- Joomla Professional and Specialized Hosting :: http://gws-host.com ---
--- Ready to Roll Joomla! Web Sites : 1 - 7 days only! :: @ gws-market.com ---