Security problems with cPanel !

Pre-amble

I think it is the HIGHEST-LEVEL security matter for EVERYONE, WHO HAVE A WEBSITE. Probably everyone knows – when you host multiple domains in cPanel, then they are listed in same FTP (even though in different folders). Unfortunately, that is default functionality of cPanel’s end-user dashboard, and probably you might have never imagined how important security problem that lies behind it. You might thought one – “who needs to hack my site?” and then forget to care about security of your site…

Well, that is the HUGE mistake!

Hackers (with internet BOTS) not always  hack your site to steal your money directly, but they do a lot of other things – stealing your information, identification info, users’ passwords and email addresses, visitors information, marketing info, links, website authority and much more. And thus, they get a big profit from any typical hacked site ..

Can cPanel Restrict access from FTP/Domain folder?

So, when you added separate domains in the same FTP, you were thinking that they were “separated” – Actually, that is not true. Although FTP users could be separated and restricted to specific directory, that restriction doesn’t relate to core PHP! Any of PHP file (wherever it is) CAN ACCESS ANY UPPER DIRECTORY !  (DONT TRUST HOSTING’S SUPPORT GUY, WHO IS TELLING YOU THAT DOMAINS ARE SEPARATED! They dont know what they say – Try this simple php filemanager from any of our sub-sites and you will see, PHP can access any folder in your account ! )
So, if one of your domains gets hacked, then the hacker(or bot) can access  whole FTP and all your hosted domains and databases easily. And – we see hundreds of hacked WordPress websites every-day, that’s because people don’t take care of their website security.

Well, when you are going to host multiple domains, and secure them, then the only solution is to get a different USERNAME ROOT for each domain i.e. :

/home/username1/public_html/
/home/username2/public_html/
etc...

However, that is not possible with regular cPanel accounts (a.k.a. “shared hosting”), because all “add-on” domains are put under the same username account directory, like:

/home/username/domain1.com/
/home/username/domain2.com/
etc..

(That means, all files in a CPANEL account are owned by the same user. So, same user’s PHP can access everything from everywhere. Some people said, PHP restrictions could be achieved by using open_basedir and safemode[disables EXEC(),shell_exec,system(),passthru,readfile,escapeshellarg,escapeshellcmd,proc_close. and etc..] options (from php.ini), and AllowOveride option (globally from httpd.conf. NOTE:this file is not available for most shared hostings), but even these options doesnt help, because cgi-bin scripts and cronjobs remains still unprotected..)

However, that could be annoying for many people. BUT, I HAVE FOUND ANOTHER SOLUTION.

 

Solution to Protect any domain/website/FTP

To prevent PHP scripts from accessing files between domains, you would need one of the following:

1) to create the domains as separate CPANEL accounts. This requires root access to the server (i.e. VPS or Dedicated), or a RESELLER account(that has access to WHM), from where you can create separate accounts, and then host only 1 domain in one account.

2) Some people say (but I have not tested personally) is to have DirectAdmin (several hosting companies offer that). You can create subdomains under different User accounts, so each sub.domain.com User can have their own DirectAdmin User account (You’d just enter domain=sub.domain.com for each User).

3) Best thing – obtain a hosting, where the domains are added in separate, restricted root directories (some hosting companies have such system).  You can find out the list here : Comparison of secure hosting companies

4) Another useful trick: If you want to use WordPress CMS and under your server, which you want give them to other people (and dont want to fear of them, hacking your site) then give other people only “AUTHOR” role-users. So, you will be safer.   (About WordPress –  you should also review Must-Have WordPress Plugins (especially, read the “Guard” plugins) to even secure your individual websites. You should install several plugins, like  iThemes Security, Sucuri, BlackBots and etc,,)