24 Sep, 2020

Cross-Site Infection Endangers Website Security

A single hosting account with multiple websites has several advantages but can leave the entire system vulnerable to malware. Fortunately, some strategies can minimize the risk of cross-site infection and maintain website security.
Having multiple websites on one hosting account is common and convenient. It saves money and simplifies management. The downside is the risk to website security through cross-site infection, but careful management will keep the danger low. There are many scenarios where this approach is useful, such as:
  • Multiple brands, each with its own domain.
  • Subdomains that have their own websites.
  • Versions of a website for different countries or languages.
  • Sites being managed for multiple customers.
Hosting providers offer packages that allow a number of domains, at little or no cost above a single domain. They allow management of all the domains from a single dashboard. There may be just one software installation, with separate content directories for each domain. It's very convenient to run all the domains from one place.

Website Security Risks of Shared Hosting
The shared-hosting approach carries security risks that separate accounts for each domain don't carry. It's a tradeoff. The danger is that an infection on one site might spread to the others. When the malware is removed from the first site, the newly compromised sites can infect it again.

It's similar to the dangers a household faces in a pandemic. If one person catches the virus, they're likely to pass it on to others. It's harder to protect people living in the same house than to protect residents of different homes. People have immunity when they get sick and recover, but computers don't gain immunity without outside help. Computer infections can go back and forth indefinitely if they aren't completely wiped out.

Or maybe the right analogy is the old game of whack-a-mole. Toy moles pop out of holes and you have to hit them with a hammer, but when you hit one mole, another one pops up from a different hole. Malware removal from all the sites is a challenge.

In spite of the problems, shared hosting has at least one security advantage. It puts all the sites under a single pane of glass. It's easier for managers to keep track of all the sites. They may be able to spot hacking and other website security problems more quickly. This is an important consideration if one or a few people are managing a large number of sites.

Sources of Risk
In the simplest form of shared hosting, all the sites have their directories on a common filesystem, and the process running a site has access to all the directories. Typically they're all under one parent directory. An attacker who successfully penetrates one site can deposit rogue PHP code in its files.

When that code becomes active, it finds the other sites' directories and writes to them. It copies itself until all the sites are running the same malware. If you remove the hostile code from one site, the copy on another of your sites will soon re-install it.

Additional dangers crop up when the sites share an instance of the CMS software or use the same database. The attackers only have to deposit their malware once, and it affects all the sites. WordPress allows both of these options. The WordPress Multisite feature lets you run a number of sites from one network admin account, using one database.

If all the sites are for the same business, it's convenient to have a common set of user accounts for all of them. The problem is that if someone steals a password, it gives access to all the sites. A bot can log in to all of them repeatedly, re-installing malicious code if it has been removed. If a compromised user account isn't fixed, all your sites are at risk.

A single hosting account works best when all the sites are similar. But if they all use the same theme or plugins, a weakness in them can make them all vulnerable. Out-of-date or poorly maintained plugins let infections spread easily, either through their code or through the database entries they use.

Ways to Improve Website Security
Several approaches will reduce the risk of cross-site infection. The most effective one is to have a separate hosting account for each site. If website security is a major issue, that's the best approach. However, it costs more, and it requires site managers to log in to each account separately. If the ratio of sites to managers is high, it may not be practical.

It may be possible to run each site under a different owner at the system level, not granting them access to each other's directories. The administrator still has access to all the sites, but the sites don't have access to each other. Not all hosting providers offer this option.
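
One way to check whether the sites on an account are actually isolated from each other, as an added example that is not part of the original article: the script walks a parent directory of site docroots and reports owner UIDs shared by more than one site, plus any path that is group- or world-writable. The directory layout and site names are constructed for the demonstration.

```python
import os
import stat
import tempfile
from collections import defaultdict

def audit_isolation(parent):
    """Report docroots under `parent` that another site's process could write to."""
    owners = defaultdict(list)   # uid -> names of the sites that uid owns
    loose = []                   # paths writable by group or by others
    for site in sorted(os.listdir(parent)):
        root = os.path.join(parent, site)
        if not os.path.isdir(root) or os.path.islink(root):
            continue
        owners[os.lstat(root).st_uid].append(site)
        for dirpath, _dirs, files in os.walk(root):
            for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue     # permission bits on a symlink are not meaningful
                if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                    loose.append(os.path.relpath(path, parent))
    shared = {uid: sites for uid, sites in owners.items() if len(sites) > 1}
    return shared, sorted(loose)

def demo():
    # Constructed layout: two sites under one parent, both created by the same user.
    parent = tempfile.mkdtemp()
    for site in ("brand-a.example", "brand-b.example"):
        os.makedirs(os.path.join(parent, site, "uploads"))
        index = os.path.join(parent, site, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'ok';\n")
        os.chmod(index, 0o644)
        os.chmod(os.path.join(parent, site), 0o755)
        os.chmod(os.path.join(parent, site, "uploads"), 0o755)
    # One deliberately loose directory, so the audit has something to report.
    os.chmod(os.path.join(parent, "brand-b.example", "uploads"), 0o777)
    return audit_isolation(parent)

if __name__ == "__main__":
    shared, loose = demo()
    print("UIDs owning more than one site:", shared)
    print("Group/world-writable paths:", loose)
```

A non-empty first result means the sites run under one owner, so a process serving any of them can write to all of them regardless of the permission bits.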

Whatever protections they use, managers need to regularly pay attention to all their sites and check them for problems. You can't just set and forget a site, even if its content rarely changes.

Keeping website software up to date is always important for website security, but it's especially necessary when several sites run under one account. If there's a vulnerability, malware can spread from one site to another like wildfire. It can remain dormant on some of the sites, making it hard to catch all the infections. If one site has malware, assume they all do.
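
Because a copy left on any sibling site can re-install removed malware, a cleanup should sweep every site on the account for the same file. The following added example (not from the original article) hashes a sample file found on one site and lists byte-identical copies across all sites under a parent directory; the site names and the placeholder sample content are constructed.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep_for_copies(parent, known_bad_path):
    """Map each site under `parent` to its files that are byte-identical to the sample."""
    target = sha256_file(known_bad_path)
    size = os.path.getsize(known_bad_path)
    hits = {}
    for site in sorted(os.listdir(parent)):
        root = os.path.join(parent, site)
        if not os.path.isdir(root):
            continue
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or os.path.getsize(path) != size:
                    continue     # cheap size filter before hashing
                if sha256_file(path) == target:
                    hits.setdefault(site, []).append(os.path.relpath(path, root))
    return hits

def demo():
    # Constructed layout; the "sample" is a harmless placeholder string.
    parent = tempfile.mkdtemp()
    payload = b"<?php /* constructed placeholder for a malicious file */\n"
    layout = {
        "site-a.example/wp-content/cache.php": payload,
        "site-b.example/index.php": b"<?php echo 'b';\n",
        "site-c.example/uploads/thumb.php": payload,
    }
    for rel, data in layout.items():
        path = os.path.join(parent, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    sample = os.path.join(parent, "site-a.example", "wp-content", "cache.php")
    return sweep_for_copies(parent, sample)

if __name__ == "__main__":
    print(demo())
```

An exact-hash match only finds unmodified copies, so a clean result here does not clear the other sites; it narrows where to look first.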

Quttera ThreatSign Protection Against Cross-Site Infection
Quttera ThreatSign Website Security makes your sites safer from outside threats and from each other.

Quttera's WAF (Web application firewall) protects single and multiple website installations from hostile traffic. It analyzes incoming requests for suspicious activity and stops dangerous data packets before they reach the server.

External and internal site scanning discovers unauthorized modifications to sites and suspicious behavior. A site can be quarantined, cleaned up, and fixed before it can spread malware to other sites. When you run multiple sites, it's vital to catch malware quickly, before it can infiltrate them all and do widespread damage.

The Professional Website Security and Malware Removal plan covers as many as five of your sites, with external scanning of all of them every six hours. If you have a large number of sites, talk with us about pricing.

If several of your sites become compromised, they might all end up on blacklists. The ThreatSign package includes help in getting quickly removed from them once the site is cleaned up.
With ThreatSign, you have more confidence that all your sites are safe, and you can clean up any security problems rapidly.