Security Hole in Cloud Hosting Control Panels - Article: Vladimir vs Hosting Industry
- 
Hi everyone, I came across this article that might be of interest. Teaser: Vladimir vs Hosting Industry
 This is what I gathered from the article, and I am no expert: Vladimir Smitka, a security researcher/hobbyist from the Czech Republic, has found that one weak or compromised site on a server can be used to control / manipulate and gain access to other sites on the same server. That is, many run multiple WordPress sites on a single server - some of these sites are just test or hobby sites that are not secured very well. 
 These sites, if compromised, can be used to launch attacks on other sites on the same server even if the installations are isolated dockers. Seems like most famous web panel providers like Cloudways, RunCloud, etc. have failed the test and, more importantly, have not taken any steps to address the issue and patch the vulnerabilities.
 Providers I tested:
 Serveravatar – didn’t find a way to break site isolation (but was able to bypass some default security measures and you have to be very careful with some of the features) 
 Enhance.com – fixed instantly
 InstaWP – fixed
 Xcloud.host – fixed
 GridPane – fixed most issues pretty quick
 Ploi – investigating for 2 months, will be fixed soon
 Cloudways – not fixed after 3 months
 RunCloud – investigating for a few weeks, not fixed yet
 FlyWP – investigating for more than a month, not fixed yet
 Cloudpanel – will be fixed in distant future
 SpinupWP – feature not a bug
 Forge – don’t care
 Conclusion: Docker doesn’t automatically guarantee security.
 Should we be worried? 
 What measures are you currently taking to secure your WP sites?
 And what are some good practices that we must adopt?
- 
My first reaction on reading about Cloudways was to smirk at them and feel smug about my decision to abandon that sinking ship of a platform (constant upsells for almost everything), but it hit me - I mustn't be so cocky. Let me check with our friendly community. 
 
