In the past month, our forensic analysts ran into two situations where we saw a significant number of site cleaning customers, all from the same hosting companies, all with the same malware. In both cases the sites were infected due to a hosting company security issue.
We reached out to both of them and provided the relevant information and they were responsive. We won’t be mentioning them by name on the blog.
We have seen a third host this week that is not correctly isolating customer accounts on shared servers. They appear to have a filesystem permissions issue. They haven’t had any problems yet, but it is just a matter of time.
We decided to write a quick post that helps you determine whether your hosting company may be putting you at risk and whether that risk can be mitigated or whether you should consider moving to a new hosting company. We have a great article already on how to choose a WordPress hosting company, but what if you already have one?
The following are questions we think your hosting company should be able to answer.
Are you running up-to-date versions of the following products: cPanel, the operating system, caching technology, PHP, phpMyAdmin and MySQL?
In our Learning Center article on security hardening for WordPress sites, we have a great section and accompanying graphic on what your hosting provider is responsible for versus you, the site owner.
The important takeaway here is that the hosting company is actually responsible for a lot. Even if you are managing the security aspects of your website flawlessly, you could still be at risk if your hosting company isn’t holding up their side of the bargain.
One of the hosting companies we referred to earlier in the post was running a version of phpMyAdmin that is almost 2 years old and contains multiple known security vulnerabilities. It was no surprise to us that their customers were getting repeatedly hacked.
You should note that a host may be able to run an older version of software if they use ‘backported’ security fixes. That means they are using old software that has had new security fixes applied. If you do find that they are running an old version of something, ask them if they have applied the latest security fixes.
We are constantly reminding everyone to keep their themes, plugins and WordPress core up to date. Make sure that your hosting company is keeping the rest of your site software up to date as well.
Are you completely isolating hosting accounts from each other? Or is it possible for one hosting account to read files in another account on the same server?
We have seen hosting companies who were not correctly isolating user accounts from each other. That means that if an attacker gets a hosting account at one of these companies, perhaps by using a fraudulent card, they can access files in other hosting accounts.
In one case, an attacker was using an existing hosting account to read the wp-config.php file in other hosting accounts which contains the database server address, username and password. The attacker then simply used their database access to create an admin level user and they had full access to the compromised website in the target hosting account.
You should ask your hosting company if other users on the same server as you can access your account. Users on your server should not be able to access any files in your account. Accounts should be completely isolated.
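You can check the account side of this yourself. The following script is an added example, not code from the original post or from Wordfence: it walks a WordPress document root, lists the credential-bearing files that any other user on the server could read (an o+r permission bit), and can strip the "other" bits from them. It assumes PHP runs as your own account user (suexec or a per-account PHP-FPM pool), so wp-config.php does not need to be readable by anyone else; the site root path and the SENSITIVE_NAMES list are the caller's choices.

```python
"""Audit a WordPress document root for files that other users on a shared
server could read, and optionally strip the 'other' permission bits.

Assumptions (not from the original post): the site root path is supplied by
the caller, and PHP runs as the account's own user, so wp-config.php does not
need to be readable by any other account.
"""
import os
import stat
from pathlib import Path

# Files that hold credentials or secrets and must never carry an o+r bit.
SENSITIVE_NAMES = {"wp-config.php", ".htaccess", ".env"}


def is_world_readable(path):
    """True if the entry's mode grants read to 'other' (any user on the box)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit(root):
    """Return sorted (relative_path, octal_mode) pairs for sensitive files
    that any other account on the server could read. Symlinks are skipped."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name not in SENSITIVE_NAMES:
                continue
            p = Path(dirpath) / name
            if p.is_symlink():
                continue
            if is_world_readable(p):
                mode = stat.S_IMODE(p.stat().st_mode)
                findings.append((str(p.relative_to(root)), oct(mode)))
    return sorted(findings)


def harden(root, dry_run=True):
    """Remove read/write/execute for 'other' from each finding.
    Returns (relative_path, old_mode, new_mode) per file it would change;
    only applies the chmod when dry_run is False."""
    changes = []
    for rel, _ in audit(root):
        p = Path(root) / rel
        old = stat.S_IMODE(p.stat().st_mode)
        new = old & ~(stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH)
        if not dry_run:
            os.chmod(p, new)
        changes.append((rel, oct(old), oct(new)))
    return changes


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, mode in audit(site):
        print(f"{mode} {rel}  <- readable by every user on this server")
```

Do not rely on your home directory's permissions alone: account names are easy to guess, and a file with mode 0644 is readable by anyone who knows its path, which for wp-config.php is predictable. If the web server runs as a separate user on your host, a 0640 mode with that user in your group is the usual compromise; ask the host which model they use before tightening.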
Are my server logs available and how long are they kept?
When a WordPress website is compromised by an attacker, one of the most important sources of information our forensic team has to determine how the site was hacked is the server logs. Unfortunately we often find that customers with entry-level hosting plans either don’t have access to server logs at all, or that the logs are retained for such a short time that they aren’t helpful.
We recommend a WordPress hosting plan that gives you immediate access to log files going back at least 24 hours. Ideally you should also have the ability to archive log files that are older than 24 hours, for 30 days.
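If your plan only exposes a day or so of logs, you can keep your own copies. The script below is an added example, not code from the original post or from Wordfence: it gzips every log older than 24 hours into an archive directory you control and deletes archives older than 30 days, matching the retention the post recommends. It assumes the host exposes logs in a directory you can read (log_dir), that the archive directory is writable, and that you copy rather than move the files because the host rotates its own.

```python
"""Archive web-server logs older than 24 hours and prune archives older than
30 days, so forensic evidence outlives the host's own short retention.

Assumptions (not from the original post): the host exposes logs in a readable
directory (log_dir); we copy rather than move them, since the host rotates
its own files; the archive directory is writable by the account.
"""
import gzip
import os
import shutil
import time
from datetime import datetime, timedelta, timezone
from pathlib import Path


def archive_name(src):
    """Name the archive after the source file and its last-modified time (UTC),
    so re-running never duplicates an already archived file."""
    ts = datetime.fromtimestamp(src.stat().st_mtime, tz=timezone.utc)
    return f"{src.name}.{ts.strftime('%Y%m%dT%H%M%SZ')}.gz"


def rotate(log_dir, archive_dir, now=None, pattern="*.log",
           archive_after=timedelta(hours=24), keep=timedelta(days=30)):
    """Gzip every log older than `archive_after` into archive_dir and delete
    archives older than `keep`. Returns (archived_names, pruned_names)."""
    now = time.time() if now is None else now
    log_dir, archive_dir = Path(log_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    archived, pruned = [], []

    for src in sorted(log_dir.glob(pattern)):
        if not src.is_file():
            continue
        st = src.stat()
        if now - st.st_mtime < archive_after.total_seconds():
            continue                      # still "live"; the host serves it directly
        dst = archive_dir / archive_name(src)
        if dst.exists():
            continue                      # archived on an earlier run
        with open(src, "rb") as f_in, gzip.open(dst, "wb") as f_out:
            shutil.copyfileobj(f_in, f_out)
        os.utime(dst, (st.st_atime, st.st_mtime))   # carry the original mtime for pruning
        os.chmod(dst, 0o600)              # logs hold visitor IPs and URLs; keep them private
        archived.append(dst.name)

    for arc in sorted(archive_dir.glob(pattern + ".*.gz")):
        if now - arc.stat().st_mtime > keep.total_seconds():
            arc.unlink()
            pruned.append(arc.name)

    return archived, pruned


if __name__ == "__main__":
    import sys
    done, gone = rotate(sys.argv[1], sys.argv[2])
    print(f"archived {len(done)} file(s), pruned {len(gone)} archive(s)")
```

Run it from a daily cron job with the host's log directory and an archive directory outside the web root. Keeping the archive on a second system (or at least a different account) means an attacker who gains your hosting account cannot erase the evidence along with the site.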
How are you backing up my site and how long are backups being retained?
The fastest way to recover from a hacked website is by restoring a good backup of your site. Having quick access to a backup of your site can save you time, money and a lot of work. Find out what your hosting company is backing up, how long they are retaining it and where they are storing it.
If you’re on an entry-level hosting plan it is very likely that you will need to augment what your hosting company is already doing. In many cases they may not be doing anything at all.
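One way to augment the host's backups is to take your own of the parts that matter most and verify them before you ever need a restore. The script below is an added example, not code from the original post or from Wordfence: it bundles wp-config.php, wp-content/ and a database dump into a timestamped archive with a SHA-256 sidecar, checks an archive against that sidecar before a restore, and keeps only the newest N archives. It assumes you have already produced the database dump (for example with mysqldump) and pass its path in, and that backups are written somewhere outside the web root.

```python
"""Create and verify a private backup of the parts of a WordPress site the
host may not be backing up: wp-config.php, wp-content/ and a database dump.

Assumptions (not from the original post): the caller has already produced
the database dump (for example with mysqldump) and passes its path in;
backups are written somewhere outside the web root.
"""
import hashlib
import os
import tarfile
import time
from pathlib import Path

INCLUDE = ("wp-config.php", "wp-content")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(site_root, db_dump, out_dir, now=None):
    """Write site-backup-<UTC stamp>.tar.gz plus a .sha256 sidecar; return the archive path."""
    site_root, out_dir = Path(site_root), Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime(now))
    archive = out_dir / f"site-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for rel in INCLUDE:
            src = site_root / rel
            if src.exists():
                tar.add(src, arcname=rel)
        tar.add(Path(db_dump), arcname="database.sql")
    os.chmod(archive, 0o600)                      # holds DB credentials and user data
    Path(str(archive) + ".sha256").write_text(sha256_file(archive) + "\n")
    return archive


def verify_backup(archive):
    """True only if the sidecar digest matches and the essential members are present.
    Run this before trusting a backup for a restore."""
    archive = Path(archive)
    sidecar = Path(str(archive) + ".sha256")
    if not sidecar.exists() or sha256_file(archive) != sidecar.read_text().strip():
        return False
    with tarfile.open(archive, "r:gz") as tar:
        names = set(tar.getnames())
    return {"database.sql", "wp-config.php"} <= names


def prune_backups(out_dir, keep=7):
    """Keep the newest `keep` archives (names sort by their timestamp); delete the rest."""
    archives = sorted(Path(out_dir).glob("site-backup-*.tar.gz"))
    removed = []
    for old in archives[:-keep] if keep else archives:
        old.unlink()
        Path(str(old) + ".sha256").unlink(missing_ok=True)
        removed.append(old.name)
    return removed
```

A backup that only lives in the same hosting account as the site is lost in the same incident that destroys the site; copy the archive and its sidecar off the server, and compare the digest again after the transfer.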
Does my current hosting plan allow me to enable HTTPS?
In the Introduction to WordPress Security article in our Learning Center we explain why it is crucial to only log into your website via a secure connection. If you aren’t currently logging into your site securely, drop everything you are doing and go fix that right away. An attacker who is listening to your network traffic can steal your username and password, taking control of your website.
There are additional benefits to running HTTPS. It will improve your SEO rankings and it will protect any other data you are capturing via forms and payment screens on the rest of your site. We strongly recommend that you run an HTTPS-only website if possible.
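To confirm that your plan actually enforces this for the login page, you can judge a single response for the login URL. The script below is an added example, not code from the original post or from Wordfence: it takes a captured status and header list for the login URL and reports whether plain HTTP is redirected to HTTPS, whether HSTS is set, and whether session cookies carry Secure and HttpOnly. The optional fetch helper uses urllib and does not follow redirects, so the first hop is what gets judged; the URL and header values in the usage are constructed.

```python
"""Check whether logging into a WordPress site can happen only over HTTPS,
from a single captured response for the login URL.

Assumptions (not from the original post): headers are supplied as a list of
(name, value) pairs so repeated Set-Cookie headers survive; the optional
fetch helper uses urllib and does not follow redirects.
"""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 307, 308}


def _cookie_attrs(set_cookie):
    """Split 'name=value; Path=/; Secure; HttpOnly' into (name, {attr, ...})."""
    name = set_cookie.split("=", 1)[0].strip()
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return name, attrs


def audit_login_transport(url, status, headers):
    """Return a list of findings; an empty list means login traffic is protected."""
    scheme = urlsplit(url).scheme.lower()
    lowered = [(k.lower(), v) for k, v in headers]
    first = {k: v for k, v in reversed(lowered)}      # first occurrence of each header wins
    findings = []
    if scheme == "http":
        location = first.get("location")
        if status not in REDIRECTS or not location:
            findings.append("login page is served over plain HTTP with no redirect")
        elif urlsplit(location).scheme.lower() != "https":
            findings.append(f"HTTP login redirects to a non-HTTPS URL: {location}")
    elif scheme == "https" and "strict-transport-security" not in first:
        findings.append("no Strict-Transport-Security header; browsers may still try HTTP first")
    for k, v in lowered:
        if k == "set-cookie":
            name, attrs = _cookie_attrs(v)
            if "secure" not in attrs:
                findings.append(f"cookie {name} lacks the Secure flag")
            if "httponly" not in attrs:
                findings.append(f"cookie {name} lacks HttpOnly")
    return findings


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib stop at the first hop so we can inspect the redirect itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_login_response(url, timeout=10):
    """Fetch one hop for url (no redirects followed); return (status, [(name, value), ...])."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, list(resp.headers.items())
    except urllib.error.HTTPError as err:          # 3xx and 4xx/5xx both land here
        return err.code, list(err.headers.items())


if __name__ == "__main__":
    # Constructed usage: replace with your own site's login URL.
    login_url = "http://example.test/wp-login.php"
    status, headers = fetch_login_response(login_url)
    for finding in audit_login_transport(login_url, status, headers) or ["ok"]:
        print(finding)
```

Run it twice, once with the http:// form of your login URL and once with https://, since the two checks are different: the first proves plain-text logins are refused, the second proves the secure page sets HSTS and marks its cookies Secure.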
We hope this post helped bring awareness to some of the hosting-related security issues that you need to stay on top of. Your hosting company plays a critical role in securing your website. Unfortunately not all of them are created equal, so make sure that yours is providing a strong security foundation for your WordPress website.