cPanel & WP Hacks - Seeing at Several Hosts - New Vulnerability?

I have many shared hosting accounts. The majority are cPanel, and the rest DA. Recently, I have had 3 cPanel accounts hacked. What makes this unusual to me is that normal hacks exploit some vulnerability in WP and the hack is restricted to WP installation. But, recently, I am seeing cPanel AND WP hacked.

How is this happening? I assumed that cPanel is "firewalled" from the WP installation. In other words, no way to get from hacked public_html directory to the rest of cPanel. Is this right? If it is, that implies that the hack is into cPanel first, then WP?

Please could providers comment as this seems to be a trend. One provider blamed the problem on Immunify, but wouldn't elaborate beyond that.


Comments

  • If a WordPress plugin gets compromised, which is generally the case, the attacker has access to the entire cPanel account in terms of permissions.

    cPanel accounts are isolated from each other, but sites within a cPanel account are all together as one.

    Thanked by 2: MTUser2012, tux
  • @dahartigan said: the attacker has access to the entire cPanel account in terms of permissions

    And that's why you always get a reseller account and create one account per website.

  • @vovler said: one account per website

    This. Anything else is just plain foolish, IMHumbleO.

    Thanked by 1: dahartigan
  • frog Barred
    edited November 2021

    @MTUser2012 said:
    I assumed that cPanel is "firewalled" from the WP installation. In other words, no way to get from hacked public_html directory to the rest of cPanel. Is this right?

    Your lack of knowledge might be a part of the problem.

    You should at least:

    1) Use a password tool, secure passwords, and only use a password once. (check if your email addresses and passwords have been leaked at https://haveibeenpwned.com)

    2) Secure your WordPress website with WP Cerber Security or another similar security plugin. (Hide the login page if it isn't used by users.)

    3) Always keep WordPress, themes, and plugins up to date. (Remember to update staging and test websites too.)

    4) Only use themes and plugins that are updated regularly.

    5) Only have one website per hosting account to minimize damage.

    6) Use the newest stable PHP version.

    7) Use a hosting provider that regularly uses a vulnerability scanner.

    8) Check if your hosting provider has active licenses for the software they use. (https://whatcms.org, https://www.whmcs.com/members/verifydomain.php, https://license.directadmin.com, https://verify.cpanel.net/app/verify, etc.)

    9) Make regular backups and store them at multiple locations.

  • Arkas Moderator

    Ban WP and you'll be fine :wink:

    Thanked by 1: truweb
  • Thanks. This is helpful. And surprising to me in the sense that I've been at this for about 10 years and most of the hacks I've fixed are restricted to the WP installations. This hacking of the associated cPanel account seems a recent development.

    @dahartigan said:
    If a WordPress plugin gets compromised, which is generally the case, the attacker has access to the entire cPanel account in terms of permissions.

    cPanel accounts are isolated from each other, but sites within a cPanel account are all together as one.

  • MTUser2012 Member
    edited November 2021

    If I had reseller accounts, I agree this is the way to go. But, I never use them. If your work is for SEO purposes you can never have footprints. It is pretty standard when you build networks to have no footprints that can be identified. That is why it is always one website/account AND different hosting accounts.

    @vovler said:

    @dahartigan said: the attacker has access to the entire cPanel account in terms of permissions

    And that's why you always get a reseller account and create one account per website.

    Thanked by 1: kkrajk
  • While it seems I do have a lack of knowledge about the relationship between a cPanel account and the WP installation within it, I don't have a lack of knowledge about how to run a network of WP sites successfully. I've been following the items listed below for years.

    I agree that these are all essential. And having tested them all, I agree that Cerber is the best security plugin available today. It is far superior to WordFence. For example: #9 is the reason that from discovering the latest hack to my original website being back up took less than 2 hours, including a stop for a cup of tea.

    @frog said:

    @MTUser2012 said:
    I assumed that cPanel is "firewalled" from the WP installation. In other words, no way to get from hacked public_html directory to the rest of cPanel. Is this right?

    Your lack of knowledge might be a part of the problem.

    You should at least:

    1) Use a password tool, secure passwords, and only use a password once. (check if your email addresses and passwords have been leaked at https://haveibeenpwned.com)

    2) Secure your WordPress website with WP Cerber Security or another similar security plugin. (Hide the login page if it isn't used by users.)

    3) Always keep WordPress, themes, and plugins up to date. (Remember to update staging and test websites too.)

    4) Only use themes and plugins that are updated regularly.

    5) Only have one website per hosting account to minimize damage.

    6) Use the newest stable PHP version.

    7) Use a hosting provider that regularly uses a vulnerability scanner.

    8) Check if your hosting provider has active licenses for the software they use. (https://whatcms.org, https://www.whmcs.com/members/verifydomain.php, https://license.directadmin.com, https://verify.cpanel.net/app/verify, etc.)

    9) Make regular backups and store them at multiple locations.

  • Let me get this straight. You have multiple accounts with multiple providers, running WordPress on cPanel, and all of the cPanel accounts got hacked?

  • No. I have multiple cPanel accounts each with a single WP installation. Recently, I noticed that several accounts were hacked, the WP installation AND the cPanel installation. In the past, I've dealt with hackers before, the hack was only of the WP installation. Hence my question about the level of isolation between the cPanel account and the WP account. As answered here, my assumption was incorrect.

    @yokowasis said:
    Let me get this straight. You have multiple accounts with multiple providers, running WordPress on cPanel, and all of the cPanel accounts got hacked?

  • Shazan Member, Host Rep

    In these cases cPanel can be easily hacked because it saves the contact email inside the user's home itself, in /home/user/.contactemail.

    Thanked by 1: MTUser2012
  • jar Patron Provider, Top Host, Veteran
    edited November 2021

    What variables are common between the cpanel accounts? Contact email? Password? Anything could be relevant in exploring the concept.

  • I've recently experienced more hacks and have learned more about the problem. These cPanel hacks are invariably Anonymousfox hacks. I didn't pay any attention to seeing that username in WP until I started seeing it repeatedly. Here is what I found:

    https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/

    I also found this useful thread on Reddit:

    https://www.reddit.com/r/Wordpress/comments/ne5nwk/anyone_else_dealing_with_anonymous_fox_hacks/hglr772/

    I have two cPanel WP sites hosted with a provider that advertises here. Both were hacked. One was built out, so it could have a vulnerability, but the other is just a base WP install - I was getting ready to build a site. Both hacked. To me that suggests the symlink vulnerability discussed in the article: once in on the server, a methodical infection of other sites on the same server by exploiting the server vulnerability, not a vulnerability in WP.

    I've contacted the host/provider and asked them to investigate this vulnerability on their server, and to look for this Anonymousfox hack/exploit on sites on the server.

    Thanked by 1: Logano
  • Create separate Linux/cPanel user/Ban WP.

  • stoned Member
    edited December 2021

    @MTUser2012 said:
    If I had reseller accounts, I agree this is the way to go. But, I never use them. If your work is for SEO purposes you can never have footprints. It is pretty standard when you build networks to have no footprints that can be identified. That is why it is always one website/account AND different hosting accounts.

    @vovler said:

    @dahartigan said: the attacker has access to the entire cPanel account in terms of permissions

    And that's why you always get a reseller account and create one account per website.

    RackNerd https://www.racknerd.com/BlackFriday/ Reseller hosting $2/mo starting from 24.99/mo for 10 cpanel accounts.

    I bought one. Just $2/mo for 10 cpanel accounts isn't bad.

  • Footprint, same server, same IP, same nameservers. Doesn't work when you do the work I do. And even if you find hosts that advertise SEO hosting, one place where you can get different accounts (different IPs) over their network, that doesn't work either.

    But, agreed the price is good if you just need cPanel accounts.

    @stoned said:

    @MTUser2012 said:
    If I had reseller accounts, I agree this is the way to go. But, I never use them. If your work is for SEO purposes you can never have footprints. It is pretty standard when you build networks to have no footprints that can be identified. That is why it is always one website/account AND different hosting accounts.

    @vovler said:

    @dahartigan said: the attacker has access to the entire cPanel account in terms of permissions

    And that's why you always get a reseller account and create one account per website.

    RackNerd https://www.racknerd.com/BlackFriday/ Reseller hosting $2/mo starting from 24.99/mo for 10 cpanel accounts.

    I bought one. Just $2/mo for 10 cpanel accounts isn't bad.

    Thanked by 1: stoned
  • @MTUser2012 said: Footprint, same server, same IP, same nameservers. Doesn't work when you do the work I do. And even if you find hosts that advertise SEO hosting, one place where you can get different accounts (different IPs) over their network, that doesn't work either.

    Are you doing PBN?

  • @stoned said:

    @MTUser2012 said:
    If I had reseller accounts, I agree this is the way to go. But, I never use them. If your work is for SEO purposes you can never have footprints. It is pretty standard when you build networks to have no footprints that can be identified. That is why it is always one website/account AND different hosting accounts.

    @vovler said:

    @dahartigan said: the attacker has access to the entire cPanel account in terms of permissions

    And that's why you always get a reseller account and create one account per website.

    RackNerd https://www.racknerd.com/BlackFriday/ Reseller hosting $2/mo starting from 24.99/year for 10 cpanel accounts.

    I bought one. Just $2/mo for 10 cpanel accounts isn't bad.

    FTFY

  • 1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs

    https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/

  • @MTUser2012 said: agree that Cerber is the best security plugin available today. It is far superior to WordFence

    is it really? let's say comparing free to free?

  • What do you want to know? I have paid subscriptions to both to get full functionality, and use the free versions too.

    @mezoology said:

    @MTUser2012 said: agree that Cerber is the best security plugin available today. It is far superior to WordFence

    is it really? let's say comparing free to free?

  • A few months back I got a cPanel reseller from a "24x7" server management company. When I tested, they had never implemented anything to patch the symlink vuln!

    To demonstrate, I created 2 cPanel accounts under my reseller, placed my script in one of them and showed it accessing a text file on the other account. (Yes, I had access to the /etc/passwd file too, to get the user list.)

    I sent the info through a ticket and they replied that it was fixed. But it was never fixed! I cancelled and moved on.

    Basically, there are certain companies whose support engineers don't have a clue about server security.

    Thanked by 1: MTUser2012
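The two isolation failures raised in this thread (Apache following symlinks into another account's files, and per-account files such as .contactemail being readable by other local users) can be checked from the host side. The audit script below is an added example, not code from the thread, from cPanel or from any provider; the config fragments and contact file it builds are constructed, and all paths are placeholders.

```shell
#!/bin/sh
# Hypothetical hardening audit for a cPanel-style shared host (added example).
#   symlink_policy_check FILE  - flags Apache "Options" lines that enable plain
#                                FollowSymLinks instead of SymLinksIfOwnerMatch,
#                                i.e. a site could be served a symlink it does
#                                not own (the symlink issue discussed above).
#   other_readable_check PATH  - flags a path whose "other" read bit is set,
#                                e.g. a per-account file like .contactemail
#                                that any local user on the box could read.
# Exit status: 0 = pass, 1 = finding.

symlink_policy_check() {
    # Drop comment lines, keep Options directives, then match FollowSymLinks
    # that is enabled (preceded by start of line, whitespace or "+", not "-").
    # "SymLinksIfOwnerMatch" and "-FollowSymLinks" are deliberately not matched.
    if grep -v '^[[:space:]]*#' "$1" \
        | grep -i '^[[:space:]]*Options' \
        | grep -iE '(^|[[:space:]+])FollowSymLinks([[:space:]]|$)' >/dev/null
    then
        echo "FINDING: $1 allows FollowSymLinks without owner match"
        return 1
    fi
    echo "ok: $1 only follows symlinks when the owner matches"
    return 0
}

other_readable_check() {
    # Characters 8-10 of "ls -ld" output are the permission bits for "other";
    # character 8 is the read bit.
    if [ "$(ls -ld "$1" | cut -c8)" = "r" ]; then
        echo "FINDING: $1 is readable by other local users"
        return 1
    fi
    echo "ok: $1 is not readable by other local users"
    return 0
}

# Demo on constructed input: a weak and a fixed vhost fragment, and a sample
# contact file with the common 644 mode.
demo() {
    d=$(mktemp -d)
    printf 'Options -Indexes +FollowSymLinks\n' > "$d/weak.conf"
    printf 'Options -Indexes +SymLinksIfOwnerMatch\n' > "$d/fixed.conf"
    printf 'owner@example.com\n' > "$d/.contactemail"
    chmod 644 "$d/.contactemail"
    symlink_policy_check "$d/weak.conf"      # finding
    symlink_policy_check "$d/fixed.conf"     # pass
    other_readable_check "$d/.contactemail"  # finding until chmod 600
    rm -rf "$d"
}

demo
```

On a real server point the first check at the Apache main config and every vhost include, and the second at each account's home directory contents rather than at the constructed samples.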
  • @MTUser2012 said:
    What do you want to know? I have paid subscriptions to both to get full functionality, and use the free versions too.

    @mezoology said:

    @MTUser2012 said: agree that Cerber is the best security plugin available today. It is far superior to WordFence

    is it really? let's say comparing free to free?

    Same question - what do you find lacking with WordFence that Cerber "fixes"?

    Looking for the info in order to see about switching to Cerber. How is Cerber superior to WordFence?

  • @MTUser2012 said: What do you want to know? I have paid subscriptions to both to get full functionality, and use the free versions too.

    why do you think it's better than Wordfence? I'm curious to know what I'm missing, and the internet seems to ignore it, not enough comparison info out there.

  • Wordfence número uno (#1). There is no better. Especially the premium. Their WAF is good.

  • @Hxxx said:
    Wordfence número uno (#1). There is no better. Especially the premium. Their WAF is good.

    As far as I know, their firewall works once a visitor has already arrived - it's still a WordPress plugin.
    The paid Sucuri firewall is placed between the hosting server and the visitors, so it can "intervene" before they reach the server and WordPress.

    That should be more secure and more efficient in terms of reducing the server load.

    But so far, I find WordFence to be good enough, and probably the best (or the least bad) of all the free options.

    Curious to hear what makes Cerber better.

  • I apologize for the delay in answering. I had to remind myself of what I perceive as WF's deficiencies by using it on a new WP site. Once I set it up and saw how it worked, I remembered what drove me to Cerber.

    I think both products do a good job of blocking malicious attacks. What was driving me crazy when I used WF was all the spam: comment and contact form spam. I was paying for a separate spam solution that worked better than Akismet for comments, but it was necessary.

    I found Cerber when a contractor built a website for me, and used that versus WF. Cerber is great for both comment and contact form spam, completely eradicates it. This was such a time sink for me, and it allowed me to get rid of my paid spam killing subscription, paid plugin. So I started using Cerber exclusively, and put some time into optimizing it for my setup.

    Now, I started this thread due to cPanel hacks, which I didn't understand when I started the thread. I've since learned about the AnonymousFox hack of cPanel hosting accounts, due to a symlink vulnerability on the server. Cerber won't help with this kind of hack, and I don't think anything will, but it seems to work well for bruteforce and spammers.

    You may have different concerns than mine, so perhaps WF is better in your environment.

    @bikegremlin said:

    @MTUser2012 said:
    What do you want to know? I have paid subscriptions to both to get full functionality, and use the free versions too.

    @mezoology said:

    @MTUser2012 said: agree that Cerber is the best security plugin available today. It is far superior to WordFence

    is it really? let's say comparing free to free?

    Same question - what do you find lacking with WordFence that Cerber "fixes"?

    Looking for the info in order to see about switching to Cerber. How is Cerber superior to WordFence?

    Thanked by 1: bikegremlin
  • @MTUser2012 Wordfence has what they call a "threat defense feed", which basically means it constantly receives rules to block new threats as they are detected on other websites being attacked, including 0day hacks. It's pretty complex. The free version is good; honestly, configured PROPERLY it blocks anything, but it receives delayed rules. The free version is enough for almost everyone.

    Comment spam is not part of what Wordfence defends against. But there are other plugins just for that. Even adding recaptcha will help you with that.

    Usually in ecommerce websites comments are turned off anyway so that might not be an issue for everyone.

    With WF I like that you get the real-time protection thing, the WAF, scans for every plugin and templates. Scans for every file for detection. Scan for differences between plugin (and theme) sources in comparison to the official repos. Notifications of increased attack patterns, updates, pending, etc.

    If I were to use an alternative it would be the Sucuri WordPress plugin. But it's basically between Wordfence and Sucuri if you want effective protection.

    You can complement this with Cloudflare (free or paid) in front of the website, so that's another WAF (External) and CDN benefits.

    If you get hacked after all that, then you were going to get hacked anyway. (imho)

  • @MTUser2012 said:
    No. I have multiple cPanel accounts each with a single WP installation. Recently, I noticed that several accounts were hacked, the WP installation AND the cPanel installation. In the past, I've dealt with hackers before, the hack was only of the WP installation. Hence my question about the level of isolation between the cPanel account and the WP account. As answered here, my assumption was incorrect.

    @yokowasis said:
    Let me get this straight. You have multiple accounts on multiplex provider on WordPress on cpanel and all of the cpanel account get hacked?

    Why not use a VPS? Much better than a shared cPanel account. If they don't use CloudLinux, the shared account can easily get hacked via a local attack.

  • @webminfo said:

    @MTUser2012 said:
    No. I have multiple cPanel accounts each with a single WP installation. Recently, I noticed that several accounts were hacked, the WP installation AND the cPanel installation. In the past, I've dealt with hackers before, the hack was only of the WP installation. Hence my question about the level of isolation between the cPanel account and the WP account. As answered here, my assumption was incorrect.

    @yokowasis said:
    Let me get this straight. You have multiple accounts on multiplex provider on WordPress on cpanel and all of the cpanel account get hacked?

    Why not use a VPS? Much better than a shared cPanel account. If they don't use CloudLinux, the shared account can easily get hacked via a local attack.

    From what he said, he uses a VPS / dedicated server and installs cPanel himself.
