• Hi everyone, I apologize if this has been already answered – my first attempts at searching the forum didn’t yield the answer I was looking for.

    A few years ago I hosted 20+ WordPress sites on the same shared hosting server (GoDaddy). I know this is far from optimal, but I was just learning at the time.

    Each of the sites was owned and operated by a different individual (different clients of mine).

    At one point EVERY SINGLE SITE on the server had been hacked with the SAME Russian redirect hack. The hackers found a vulnerability somewhere and targeted all the .js files and all the index.php files.

    EVERY single index.php file on the server was infected in EVERY directory, sub-directory, and parent-directory level where an index.php existed. Luckily I had recent clean backups.

    Now, this being a few years ago and me being completely naive to the threat of hackers, I obviously didn’t have any of the proper protections in place (even the most basic). I’ve since learned my lesson and follow all the standard protocols/tips when I install a WP site.

    Not knowing where “ground zero” was for the hack really bugged me. Clearly the hackers found a vulnerability (probably automatically using a bot), found a way to upload the payload and once executed, “spread” to every other directory on the server – maybe the hack somehow ‘simulated’ having root access?

    When I was combing through each WP site installation in the aftermath, I noticed one of my clients had installed a ridiculous number of WP plugins – many of which looked really sketchy and poorly coded. Not to mention many of the plugins were out of date.

    This particular site could have had a poorly coded plugin installed which the hackers took advantage of. It got me thinking – if I am to continue ‘hosting’ clients in this fashion, and still allow them to be autonomous and have a certain level of control of their sites, I need to protect / quarantine / barricade each client folder from other folders on the server.

    So if a client doesn’t know any better and messes up their individual site, it doesn’t affect any of the other sites on the server.

    My initial response was to chmod 444 almost every file on the server (bandaid on a wound). This also got really cumbersome to lift the read-only restrictions when it came time to update the individual WP installations.

    The final question is this:

    Is there a way to protect individual folders on a server from other folders?

    Is there a simple piece of .htaccess code that will completely deny or block a folder’s access to parent folders?

    So that if one site gets hacked, the hack can’t spread into parent folders and implant itself into its target files?

    Many thanks and appreciation for any help or suggestions.
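The post above describes two things a practitioner would want to automate after an incident like this: finding out exactly which files changed against the clean backups (and in which client folders, to narrow down "ground zero"), and auditing permissions without blanket chmod 444. The following is an added example, not code from the forum thread or from WordPress; it assumes each client site is a top-level subfolder under one root, that a clean backup has the same layout, and it uses constructed site names (site-a, site-b), file contents and a constructed "injected" marker to stand in for the real payload.

```python
"""Added example (not from the forum thread): compare a live tree of sites
against a known-clean backup, report which files changed and in which
client folders, and list files still writable by group/other.

Assumptions: one top-level folder per client site (site-a/, site-b/ are
constructed names); the backup tree mirrors the live tree's layout.
"""
import hashlib
import os
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative POSIX path -> sha256 for every regular file under root.
    Symlinks are skipped so a planted link cannot pull in outside files."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic traversal
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def compare(baseline, live):
    """Split paths into modified / added / removed relative to the baseline."""
    return {
        "modified": sorted(p for p in baseline if p in live and live[p] != baseline[p]),
        "added": sorted(p for p in live if p not in baseline),
        "removed": sorted(p for p in baseline if p not in live),
    }


def sites_touched(changes):
    """Top-level folder (one per client site) of every changed file."""
    return sorted({Path(p).parts[0] for paths in changes.values() for p in paths})


def earliest_change(root, changes):
    """Oldest mtime among modified/added files: a first lead on 'ground zero'.
    mtimes can be forged, so treat this as a hint, not proof."""
    candidates = changes["modified"] + changes["added"]
    if not candidates:
        return None
    return min(candidates, key=lambda p: (Path(root) / p).stat().st_mtime)


def writable_by_others(root):
    """Files with the group or other write bit set: the actual exposure that
    a blanket chmod 444 was trying to remove."""
    root = Path(root)
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if not p.is_symlink() and p.stat().st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo():
    """Constructed scenario: two clean sites; then every .php and .js file in
    the live copy is altered and one extra .php file appears in site-b."""
    base = Path(tempfile.mkdtemp())
    backup, live = base / "backup", base / "live"
    for tree in (backup, live):
        for site in ("site-a", "site-b"):
            (tree / site / "wp-content").mkdir(parents=True)
            (tree / site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
            (tree / site / "wp-content" / "index.php").write_text("<?php // Silence is golden.\n")
            (tree / site / "wp-content" / "app.js").write_text("console.log('ok');\n")
    baseline = build_manifest(backup)

    marker = "/* constructed marker standing in for injected code */\n"
    for p in live.rglob("*"):
        if p.suffix in (".php", ".js"):
            p.write_text(p.read_text() + marker)
    dropped = live / "site-b" / "wp-content" / "new.php"  # constructed name
    dropped.write_text("<?php // constructed dropped file\n")
    old = time.time() - 86400
    os.utime(dropped, (old, old))  # make the dropped file look a day older
    os.chmod(live / "site-a" / "index.php", 0o666)  # one file left group/other-writable

    changes = compare(baseline, build_manifest(live))
    return {
        "changes": changes,
        "sites": sites_touched(changes),
        "earliest": earliest_change(live, changes),
        "writable": writable_by_others(live),
    }


if __name__ == "__main__":
    r = demo()
    for kind, paths in r["changes"].items():
        print(kind, paths)
    print("sites touched:", r["sites"], "| earliest change:", r["earliest"])
    print("writable by group/other:", r["writable"])
```

In real use you would run build_manifest once against the restored clean backup, store the manifest off-server, and re-run compare on a schedule; a hit in more than one client folder, as in the thread, is the signal that the sites share a writable execution context and that per-folder .htaccess rules alone will not contain the next compromise.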

Viewing 4 replies - 1 through 4 (of 4 total)
  • That kind of isolation is possible, but I would suspect it would have to precede or supersede htaccess. I once noticed a certain plugin I use was making it possible for me to see the names of my neighbors’ root folders on shared servers, and my host ultimately assured me there was no access actually possible and that an upcoming upgrade of their own would block that view. So apart from something of that magnitude, I would doubt what you want can be done. One thing I do know, however, is that it is possible to run a single, stand-alone (Pro) version of NinjaFirewall at your public “root” to help filter all traffic to all sites…
    https://www.ads-software.com/plugins/search.php?q=ninjafirewall

    Thread Starter bplimited

    (@bplimited)

    Thanks @leejosepho, if there’s a better ironclad solution other than through .htaccess, I’m all for it. Trying not to leave anything to chance – even if it introduces a small maintenance step. Will check out NinjaFirewall, cheers.

    If there’s a better ironclad solution other than through .htaccess, I’m all for it. Trying not to leave anything to chance – even if it introduces a small maintenance step.

    What I mean to be saying there is about that level of isolation only being possible as a server admin providing hosting, not for someone like ourselves with multiple sites at one hosting account. I know almost nothing about multisite, but maybe that would help make more isolation possible.

    Thread Starter bplimited

    (@bplimited)

    Ah okay, I wasn’t aware of ‘Multisite’ and that it was a way for users to create blogs of sorts on a single domain.

    I apologize, If an admin wants to move this thread to a more appropriate forum please do.

    If no answers come in a week’s time I may attempt to resolve and repost this thread to another section with a link on here.

  • The topic ‘How to secure 20 WP sites in their own subfolders on the SAME shared server’ is closed to new replies.