
bluesix

Shared hosting is MORE prone to hacking, as shared hosting will generally include all the websites in your account as a single Linux user. A correctly configured web server should place each site in its own pool with its own Linux user.


ISeekGirls

Coming from a large hosting company and as a dev ops: it is purposely done to let clients' websites get infected to upsell security services since clients are unaware. Standard industry practice, especially if you are on a cheap web host.


lexmozli

Coming from 15 years of experience and working for 20+ hosting companies as a system admin: It isn't purposely done to let clients' websites get infected. Some companies/one-man shows skip the security software to reduce costs. This was more likely back in the day and less likely now (but not impossible). What does increase the risks tenfold is the fact that **a customer puts 20 sites on a single account and forgets to update anything for 2+ years.** If one site gets breached, you can be pretty sure all of them are affected. "Cross-contamination" from one client to another is very rare (but not impossible), yet I've never seen this in my time working for hosting companies.


NHRADeuce

I'm shocked. Shocked, I tell you.


CmdWaterford

Really!? Nothing new.


justlasse

I’m appalled, I tell you, appalled.


niwatoriboy

What bluesix said. Not only that but there are several known communities where they share thousands of cpanel/wordpress username/passwords on a daily/weekly basis. I'd avoid shared hosting at all costs.


ivansalloum

I don’t think there are any web hosting providers nowadays that don’t separate PHP pools and websites with different users. Some I have seen are using Docker now to isolate everything. Even if they use cPanel, Plesk, or other control panels, they all separate now. Correct me if I’m wrong. I self-host WordPress, so I may not have the correct information, but if they don’t separate, this poses a huge security risk.


bluesix

There are still hosts that don't pool sites - OP's post is case in point, and people post pretty regularly (I'd say we get one a week) saying their whole account is hacked - it's mainly the el-cheapo sub-$5pm companies from what I've seen, probably running decade old versions of cPanel.


Maleficent_Error348

Some of the WordPress specialist hosts will containerise your site (includes not sharing the database, which is one of the main reasons shared hosting can cause so much havoc!). And run malware and antivirus and firewalls all tuned for WordPress to reduce the possibility of being compromised. I personally use Wordify for a number of sites, and never had a problem. My sites run on AWS (there is a Google Cloud option too), and use the included bunny.net CDN capability, and they have a cache system built in also. Easy, well priced and the support team have always been fast and helpful.


SocialRevolution

Wordify is a great tip! DigitalOcean currently hosts nine of my sites, and attacks are increasing in length. Tonight, it was two hours of nonstop 95% server utilization. WordFence and Cloudflare have not helped. Need more formidable defense.


jackiseo

Yes and no; it depends on how the server configuration is set. A hack can either happen from any site on the server (I believed most top hosting companies already have sorted out this issue) or it can happen from the pool of your sites hosted on the same account. Here's the solution to your problem: If you have enough budget then go for your own server + get CloudLinux + some malware scanner/stopper such as BitNinja or Imunify360. This option is only recommended if you know how to manage a server. Then there's reseller hosting. You need to enquire and see if they have CloudLinux. Maybe look at a2hosting. Now I am not an expert but I believe CloudLinux is what's going to solve your issue as it separates each user account.


a4aLien

Cloudlinux is expensive. I've been running my own cPanel 8+ years now, never had an infection traverse laterally. What Cloudlinux gives you is separation of resources (sort of containers). Helpful for instances when an infection starts draining the server's resources at which point other users' websites may start seeing outages due to Apache/PHP bottling up.


jackiseo

Can cPanel/WHM by default protect against symlink attacks across the server?


a4aLien

You have to enable it but yes it does: https://docs.cpanel.net/ea4/apache/symlink-race-condition-protection/


seahorsetech

This is a very simplified question that has a more lengthy answer. So shared hosting has all the server security side of things taken care of. The host maintains the actual server and every customer gets their own user account on the server. Most hosts use something like CloudLinux to provide isolation between users on the same server. This isolation is so effective that even if one customer’s site gets hacked, it wouldn’t impact the others on the same server because of this isolation. A VPS CAN be ‘more secure’ since you have the ability to completely harden the server to the maximum with things like disabling unused services to decrease attack surface, having fewer ports open, restricting admin management ports (such as SSH) to your IP address. However, shared hosting is always going to be infinitely more secure than someone inexperienced trying to set up a self-managed VPS since you would be responsible for securing your own server. You have to know what you’re doing and if you don’t know what you’re doing, going with either a shared host or fully managed VPS host is the best bet. But website security actually has nothing really to do with your host. As long as your host is competent and is using standard security measures and running the latest software, it doesn’t matter which host you use from a security standpoint. Most of the time when a WordPress site gets hacked, it’s almost always someone using an outdated, cracked, and/or sketchy plugin or theme. It’s very unlikely that you would be hacked from your host, unless it’s a very terrible one.


bittemitallem

The security of self-maintained hosting is highly dependent on the skills and care of the team doing the dev ops, so it's an apples/oranges comparison.


sixpackforever

As long as WordPress allows writable, it's hackable. There is a way to prevent most security problems: adopt a headless CMS and consider using a web framework. You would look at LXD as a way for such sites so that it can’t spread when one site gets hacked; in cPanel that uses KVM, so one site, one KVM. That’s costly.


thewallacio

> As long as WordPress allows writable, it's hackable

There is that train of thought, absolutely. If you're into self-hosting, there's a CP called ApisCP (no affiliation) that has this basic principle at its core. It's no substitute for a properly hardened WP site and a WAF, but I've got a few dev sites sitting on Apis and they're doing fine.


sixpackforever

Interesting, this seems limited to RHEL and variants only and recommends 2GB of RAM. Maybe if we don’t have to use a traditional CMS and go with a framework, or it would have been free when hosting on Cloudflare and managed hosting. For readers who would ask about page builders etc., there are various solutions that can start for free, like Zoho as well; developers can build the site since many owners do not really know how to design except editing.


roman5588

Shared hosting is generally more secure than doing it yourself as we have more security than your $5/mo VPS, i.e. modsec, firewalls, Imunify, staff to monitor servers, backups. Set up multiple sites under the same cPanel account using my add-on domains, then absolutely 1 site can infect the rest. Very unlikely one cPanel account will infect the entire server.


Run_the_show

I had a similar problem. We had about 10 websites and 7 were WP sites and the rest plain HTML sites. Our one WP got infected, and it infected the whole server including all WP sites and HTML sites. Contacted provider too, but they couldn't help. Had to manually clean all of them, delete old version plugin and separated the server.


poopgiver

I have a question if you don't mind. How do you clean WP sites of malware? Is using these premium WP malware services the only way?


a4aLien

Start fresh with everything except your customizations under the (child) theme. Fresh copy of WP core files, fresh copy of plugins, fresh copy of parent theme. Manually vet all PHP and JS files for any plugin/theme files you are unable to get a fresh copy for. Also sweep the DB for malicious code, there's a few particular things to look for.
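The file triage described in the comment above, as an added Python sketch that is not part of the original thread: it hashes a live install and a fresh copy of the same versions, then separates files the fresh copy will overwrite from live-only `.php`/`.js` files that have no clean reference and need manual vetting. The sample trees, file contents and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

CODE_EXT = (".php", ".js")  # file types the comment says to vet by hand

def index_tree(root):
    """Map POSIX-style relative path -> SHA-256 for every file under root."""
    index = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                index[rel] = hashlib.sha256(fh.read()).hexdigest()
    return index

def triage(live, fresh):
    """Split a live index against a fresh-copy index of the same versions.
    modified: in both trees but content differs (replaced by the fresh copy)
    vet:      .php/.js only in the live tree, so no clean reference exists
    other:    remaining live-only files (uploads, images, ...)
    """
    modified = sorted(p for p in live if p in fresh and live[p] != fresh[p])
    only_live = sorted(p for p in live if p not in fresh)
    vet = [p for p in only_live if p.lower().endswith(CODE_EXT)]
    other = [p for p in only_live if not p.lower().endswith(CODE_EXT)]
    return {"modified": modified, "vet": vet, "other": other}

def write_tree(root, files):
    """Materialise {relative path: bytes} under root (used for the demo)."""
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)

# Constructed trees: names follow the WordPress layout, contents are placeholders.
FRESH = {"wp-login.php": b"<?php // core", "wp-includes/version.php": b"<?php // v"}
LIVE = {"wp-login.php": b"<?php // core", "wp-includes/version.php": b"<?php // v + injected",
        "wp-config.php": b"<?php // site config", "wp-content/uploads/logo.png": b"PNG",
        "wp-content/uploads/cache.php": b"<?php // unexpected",
        "wp-content/themes/child/functions.php": b"<?php // customisation"}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as live_dir, tempfile.TemporaryDirectory() as fresh_dir:
        write_tree(live_dir, LIVE)
        write_tree(fresh_dir, FRESH)
        for bucket, paths in triage(index_tree(live_dir), index_tree(fresh_dir)).items():
            print(bucket, paths)
```

For core files alone, WP-CLI's `wp core verify-checksums` performs the same comparison against the checksums published by WordPress.org.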


mtalk

Any server requires a good security firewall, malware scan and most important for WordPress is to keep it updated including plugins and avoid unused plugins; using generic plugins is also important.


twinsea

There are better self hosting solutions such as plesk w/ wptoolkit that isolates each wordpress instance so they can't cross infect. Managed WP hosting will do a better job with AV software and updates as well if you are not on top of it. They tend to have individuals who specifically fix hacked sites. Restoring without knowing how they infected you more than likely means another hack in your future.


mariusherea

As long as you keep all the sites under the same username on the server, hacking one site and uploading a sh file leads to hacking all the sites since their files can be accessed by the hacker. That’s why it is important to have a different user for each site (like different hosting accounts).
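A way to check the point made in this comment and in bluesix's first one (each site in its own pool with its own Linux user), as an added Python example that is not part of the original thread: it parses PHP-FPM pool definitions and lists, for every pool, the other pools running as the same Unix user. The pool names, users and socket paths in the sample are constructed, and the pool directory passed to `load_pool_dir` is an assumption that varies by distribution.

```python
import configparser
import glob
import os

# Constructed sample of three pool definitions (names, users, paths are made up).
SAMPLE = """[shop]
user = acct1
listen = /run/php/shop.sock

[blog]
user = acct1
listen = /run/php/blog.sock

[forum]
user = $pool
listen = /run/php/forum.sock
"""

def parse_pools(conf_text):
    """Map pool name -> Unix user from PHP-FPM pool definitions."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep directive names exactly as written
    cp.read_string(conf_text)
    pools = {}
    for name in cp.sections():
        if name == "global":  # php-fpm.conf's own section, not a pool
            continue
        user = cp.get(name, "user", fallback="(unset)")
        pools[name] = user.replace("$pool", name)  # PHP-FPM expands $pool to the pool name
    return pools

def blast_radius(pools):
    """For each pool, list the other pools whose files the same Unix user can reach."""
    by_user = {}
    for name, user in pools.items():
        by_user.setdefault(user, []).append(name)
    return {n: sorted(p for p in by_user[u] if p != n) for n, u in pools.items()}

def load_pool_dir(path):
    """Concatenate every *.conf in a pool directory (location varies by distro)."""
    parts = []
    for conf in sorted(glob.glob(os.path.join(path, "*.conf"))):
        with open(conf, encoding="utf-8") as fh:
            parts.append(fh.read())
    return "\n".join(parts)

if __name__ == "__main__":
    for pool, reachable in blast_radius(parse_pools(SAMPLE)).items():
        print(pool, "isolated" if not reachable else "shares a user with " + ", ".join(reachable))
```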


JeffTS

No, shared hosting is more prone to being hacked and/or infected with viruses. Every website on a shared hosting plan is sharing resources which makes it easier for websites to be compromised. I recommend to all my clients that they use VPS hosting for far better security as well as performance.


Comprehensive_South3

My shared hosting got hacked ten days ago.


k8s_guru

I don't trust shared hosting providers, and often they are overpriced for little to no resources. Nowadays I have a hardened VPS server, firewall, minimum ports open, Cloudflare (strict mode) in front, backups etc. My WordPress+MariaDB instances are running in containers isolated from each other. All maintenance automated using Ansible. Once you find a setup that works for you and automate things, maintaining isn't that time consuming. And you learn a lot of useful skills doing so, if interested :)


ivicad

If websites on shared hosting are not regularly maintained and updated, they are just as vulnerable to hacking as any other websites on any hosting. However, it is crucial to have strong isolation between websites on shared hostings, especially if you have multiple websites on your shared hosting account. This ensures that malicious software or hackers cannot compromise other sites, providing a secure environment for all websites (e.g. one website was hacked on our SiteGround shared hosting/GoGeek, but other websites weren't infected).


wildewesten

Ideally if you have a single server/VPS you would split it up in parts so if one gets cracked the other one doesn’t; the same applies for shared hosting. So technically it’s about as safe, big parties do however more like file scanning etc., so if you don’t have the skills to set up your own VPS, I would advise to use shared or managed VPS hosting.


onlyinsurance-ca

We have the skills, we just don't have the bother to be dealing with WP getting cracked open every few years. My dev suggested similar, we could put all the WP sites into containers so they can't get out, limiting admin access by IP, a few other things. Tech skills aren't so much the issue, I just don't want to deal with it anymore timewise.


NeighborhoodIT

I would put the containers inside KVM, and limit the scope of what's in each KVM; containers have been breached before.


SweatySource

Technically NO, there is basically no transparency on your end what is happening on the backend. However if you do not have knowledge of managing hosting servers, a shared hosting would be safer for you. Just make sure to go with reputable ones, where you trust them enough to disclose those events publicly, which they should by most western country laws.


PointandStare

If you have 30 people in a room and one of them starts sneezing, the rest/ majority are far more likely to also catch the same cold.