Hi everyone, I came across this article that might be of interest.
This is what I gathered from the article, and I am no expert:
Vladimir Smitka, a security researcher/hobbyist from the Czech Republic, has found that one weak or compromised site on a server can be used to control / manipulate and gain access to other sites on the same server.
That is, many run multiple WordPress sites on a single server - some of these sites are just test or hobby sites that are not secured very well.
These sites, if compromised, can be used to launch attacks on other sites on the same server even if the installations are isolated dockers.
Seems like most famous web panel providers like Cloudways, RunCloud, etc. have failed the test and, more importantly, have not taken any steps to address the issue and patch the vulnerabilities.
Providers I tested:
Serveravatar - didn't find a way to break site isolation (but was able to bypass some default security measures and you have to be very careful with some of the features)
Enhance.com - fixed instantly
InstaWP - fixed
Xcloud.host - fixed
GridPane - fixed most issues pretty quick
Ploi - investigating for 2 months, will be fixed soon
Cloudways - not fixed after 3 months
RunCloud - investigating a few weeks, not fixed yet
FlyWP - investigating more than a month, not fixed yet
Cloudpanel - will be fixed in distant future
SpinupWP - feature not a bug
Forge - don't care
Conclusion: Docker doesn't automatically guarantee security.
Should we be worried?
What measures are you currently taking to secure your WP sites?
And what are some good practices that we must adopt?