Puvox – Blog
Restrict PHP upper directory access – PROTECTION FROM HACK !


Security problems with cPanel !

Pre-amble

I think this is the HIGHEST-LEVEL security matter for EVERYONE WHO HAS A WEBSITE. As most people know, when you host multiple domains in cPanel, they are all listed under the same FTP account (even though in different folders). Unfortunately, that is the default behaviour of cPanel’s end-user dashboard, and you may never have imagined how serious the security problem behind it is. You may have thought, “who needs to hack my site?” and then stopped caring about the security of your site…

Well, that is the HUGE mistake!

Hackers (with internet BOTS) do not always hack your site to steal your money directly; they do a lot of other things: stealing your information, identification info, users’ passwords and email addresses, visitor information, marketing info, links, website authority and much more. That way they make a big profit from any typical hacked site.

Can cPanel Restrict access from FTP/Domain folder?

So, when you added separate domains under the same FTP account, you thought they were “separated”. Actually, that is not true. Although FTP users can be separated and restricted to a specific directory, that restriction does not apply to PHP itself! Any PHP file (wherever it is) CAN ACCESS ANY UPPER DIRECTORY! (DON’T TRUST THE HOSTING SUPPORT GUY WHO TELLS YOU THAT DOMAINS ARE SEPARATED! They don’t know what they are saying. Try this simple php filemanager from any of our sub-sites and you will see that PHP can access any folder in your account!)

So, if one of your domains gets hacked, the hacker (or bot) can easily access the whole FTP account and all your hosted domains and databases. And we see hundreds of hacked WordPress websites every day, because people don’t take care of their website security.

Well, if you are going to host multiple domains and keep them secure, then the only solution is to have a different USERNAME ROOT for each domain, i.e.:

/home/username1/public_html/
/home/username2/public_html/
etc...

However, that is not possible with regular cPanel accounts (a.k.a. “shared hosting”), because all “add-on” domains are put under the same username account directory, like:

/home/username/domain1.com/
/home/username/domain2.com/
etc..

(That means all files in a cPanel account are owned by the same user, so that user’s PHP can access everything from everywhere. Some people say PHP restrictions can be achieved with the open_basedir and safe_mode [disables EXEC(), shell_exec, system(), passthru, readfile, escapeshellarg, escapeshellcmd, proc_close, etc.] options (in php.ini) and the AllowOverride option (set globally in httpd.conf; NOTE: this file is not available on most shared hosting), but even these options do not help, because cgi-bin scripts and cron jobs still remain unprotected.)

However, that could be annoying for many people. BUT, I HAVE FOUND ANOTHER SOLUTION.

 

Solution to Protect any domain/website/FTP

To prevent PHP scripts from accessing files between domains, you would need one of the following:

1) Create the domains as separate cPanel accounts. This requires root access to the server (i.e. VPS or dedicated) or a RESELLER account (with access to WHM), from which you can create separate accounts and then host only 1 domain per account.

2) Some people say (but I have not tested this personally) that another option is DirectAdmin (several hosting companies offer it). You can create subdomains under different User accounts, so each sub.domain.com User can have their own DirectAdmin User account (you’d just enter domain=sub.domain.com for each User).

3) Best option: get hosting where the domains are added in separate, restricted root directories (some hosting companies have such a system). You can find the list here: Comparison of secure hosting companies

4) Another useful trick: if you run WordPress on your server and want to give other people access to it (without having to fear them hacking your site), give them only “AUTHOR” role users. That way you will be safer. (About WordPress: you should also review Must-Have WordPress Plugins (especially the “Guard” plugins) to further secure your individual websites. You should install several plugins, like iThemes Security, Sucuri, BlackBots, etc.)
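To check which sites on a server really share one Unix owner (and therefore are not isolated from each other's PHP, as explained above), the audit below groups site directories by owning uid. It is an added example, not code from the original post; the function names are hypothetical and it assumes the two directory layouts shown earlier (`<home>/<account>/public_html` and `<home>/<account>/<domain.tld>`).

```python
import os
import stat
import tempfile
from collections import defaultdict


def site_roots(home_base):
    """Yield site directories in the two layouts the post shows:
    <home>/<account>/public_html and <home>/<account>/<domain.tld>."""
    for account in sorted(os.listdir(home_base)):
        account_dir = os.path.join(home_base, account)
        if not os.path.isdir(account_dir):
            continue
        for name in sorted(os.listdir(account_dir)):
            path = os.path.join(account_dir, name)
            looks_like_site = name == "public_html" or (
                "." in name and not name.startswith("."))
            if looks_like_site and os.path.isdir(path) and not os.path.islink(path):
                yield path


def shared_owner_groups(home_base, owner_of=lambda p: os.stat(p).st_uid):
    """Return {owner: [site roots]} for every owner that has more than one site.
    Code running as that owner in any one site can reach all the others."""
    groups = defaultdict(list)
    for path in site_roots(home_base):
        groups[owner_of(path)].append(path)
    return {uid: paths for uid, paths in groups.items() if len(paths) > 1}


def open_to_others(path):
    """True if the 'other' permission bits grant any access, which would
    expose the directory to different accounts as well."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IRWXO)


if __name__ == "__main__":
    # Constructed layout for a dry run; on a server pass the real home base.
    # Every directory here is created by the current user, so all four sites
    # are reported as sharing one owner.
    with tempfile.TemporaryDirectory() as home:
        for rel in ("username/domain1.com", "username/domain2.com",
                    "username1/public_html", "username2/public_html"):
            os.makedirs(os.path.join(home, rel))
        for uid, paths in shared_owner_groups(home).items():
            print(f"uid {uid} owns {len(paths)} sites:")
            for p in paths:
                print("  ", p, "(open to other users)" if open_to_others(p) else "")
```

An empty result from `shared_owner_groups` means every site has its own owner; any group it returns is a set of sites that fall together if one of them is compromised.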

December 21, 2016

Copyright © 2019 | Puvox Software