Security Vulnerability When Using Multiple Domains On The Same Host
DotSauce Magazine was hacked recently, and I’ve lost over 20% of web traffic for most of July, traffic which previously came organically from Google. I’m writing this update to share how I overlooked an important security vulnerability that may prove familiar to many domain name developers.
Multiple Domains Multiplies Risk
I have a semi-dedicated server that I use to host all of my web properties, domain development projects and many client websites. Before today, my public directory had something like 100 folders representing multiple domains for various websites, mainly WordPress installations.
I found out the hard way that exploits within a particularly vulnerable script in one directory can lead to complete access to the public_html directory. In my case, a neglected old WordPress installation came back to bite me in the butt. I also discovered a vulnerability within an old PHP-LinkDirectory installation.
It’s something I should have known was possible, but I never thought an exploit would be so bad as to lead to this.
The hackers placed code within .htaccess files, redirecting Google bots to spam sites. Normal visitors, including myself, were none the wiser as search rankings were taken over. It’s an all-too-common, devious form of hacking that you should be wary of.
Luckily, several observant readers reported that something was awry with my search listings (they are still screwed up) and I was able to contact Google to remove the suspected hacking warning.
Avoiding This Disaster
Nobody should have to go through the experience of losing all their hard-earned search rankings. There are several actions you can and should take to prepare for and avoid a potential hack when using multiple domains on the same host.
- Move inactive projects to a new folder, hidden below the public_html level
- Be vigilant and timely about updating all web software
- Regularly check notices from Google Webmaster Tools
- Monitor website content changes through a third-party service such as CodeGuard
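An added example, not part of the original post: a small Python scanner for the kind of .htaccess tampering described above. It flags rewrite rules that send only search-engine crawlers or search-referred visitors to an external host. The crawler names, the sample rules and the `spam-target.invalid` host are constructed for illustration.

```python
import os
import re

# Conditions that single out search-engine crawlers or search-referred visitors.
COND = re.compile(
    r"^\s*RewriteCond\s+%\{HTTP_(USER_AGENT|REFERER)\}\s+\S*"
    r"(google|bing|yahoo|slurp|msnbot|baidu|yandex)", re.I)
# Rules whose substitution is an absolute URL, i.e. a possible off-site redirect.
RULE = re.compile(r"^\s*RewriteRule\s+\S+\s+(https?://([^/\s:]+)\S*)", re.I)
ANY_RULE = re.compile(r"^\s*RewriteRule\b", re.I)

# Constructed sample: a stock WordPress block followed by a cloaked redirect.
SAMPLE = """\
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
RewriteCond %{HTTP_USER_AGENT} (googlebot|slurp|msnbot) [NC,OR]
RewriteCond %{HTTP_REFERER} (google|yahoo|bing) [NC]
RewriteRule ^(.*)$ http://spam-target.invalid/in.php?q=$1 [R=302,L]
"""


def scan_htaccess(text, own_hosts=()):
    """Return (line_no, url) for off-site rules guarded by a crawler condition."""
    findings, armed = [], False
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        if COND.match(line):
            armed = True  # RewriteCond lines apply to the next RewriteRule
        elif ANY_RULE.match(line):
            m = RULE.match(line)
            if armed and m and m.group(2).lower() not in own_hosts:
                findings.append((no, m.group(1)))
            armed = False  # conditions are consumed by this rule
    return findings


def scan_tree(root, own_hosts=()):
    """Scan the .htaccess of every folder under root (one folder per site)."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_htaccess(fh.read(), own_hosts)
            if hits:
                report[path] = hits
    return report
```

Run `scan_tree()` over the web root on a schedule and pass your own domains as `own_hosts` so that legitimate canonical-host redirects are not reported.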
I’m not too worried as DotSauce Magazine should bounce back in the coming days and weeks.
I would greatly appreciate your support in sharing our content and +1’ing articles to help speed the process along. You can earn rewards like free domain registration through our loyalty program if you do. Try out one of our share buttons to sign up for free.