If you have an account with a webhost that allows you to run multiple domains (or even ‘unlimited’ domains à la Dreamhost), you may be tempted to run multiple websites under the default account that is provided by the hosting company.
But while convenient, this has a pretty major security pitfall.
For example, with my webhost, if you run the default single-user account on the webserver, the layout for multiple domains on the server is something like this.
The files in each website are owned and writeable by the one user and each site is served to the public using the same Apache process.
Therefore, if a remote attacker uses an automated attack and compromises one website, the exploit can climb to the highest point it has write access to (the /home/username directory) and then walk down through the directory tree, finding and appending malicious scripts or malware to each web-servable page such as index.php, index.html, etc.
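To see how far one compromised site could reach on your own account, here is an added audit sketch (not part of the original post) that groups each site's index.php and index.html files by the user that owns them. The one-directory-per-site layout, the example paths and the `owner_of` hook are assumptions made for illustration.

```python
import os
import sys
from collections import defaultdict

# Page names the post lists as targets for appended code.
TARGET_PAGES = {"index.php", "index.html"}


def find_pages(site_dir):
    """Yield every target page under one site's directory (symlinks skipped)."""
    for root, _dirs, files in os.walk(site_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            if name in TARGET_PAGES and not os.path.islink(path):
                yield path


def file_owner(path):
    """Numeric uid that owns the file; the owner can always rewrite it."""
    return os.lstat(path).st_uid


def blast_radius(site_dirs, owner_of=file_owner):
    """Return {uid: {site_dir: [pages]}} for uids owning pages in 2+ sites.

    An empty result means no single account owns pages in more than one
    site. owner_of is a hook added for testing without root.
    """
    by_uid = defaultdict(lambda: defaultdict(list))
    for site in site_dirs:
        for page in find_pages(site):
            by_uid[owner_of(page)][site].append(page)
    return {uid: dict(sites) for uid, sites in by_uid.items() if len(sites) > 1}


if __name__ == "__main__":
    # Assumed layout: one directory per site, passed on the command line,
    # e.g. /home/username/site1.example /home/username/site2.example
    for uid, sites in blast_radius(sys.argv[1:]).items():
        print(f"uid {uid} owns pages in {len(sites)} sites:")
        for site, pages in sorted(sites.items()):
            print(f"  {site}: {len(pages)} page(s)")
```

Any uid it prints is an account whose compromise through one site exposes the pages of every other site listed under it.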
A better setup is to create a new user account for each website that you create. While it’s a pain to remember and safely store all the different passwords, it reduces your risk of losing multiple sites to remote automated exploits. So the layout for multiple accounts on the webserver looks something like
This particular exploit tried to contact Twitter to get its commands from the 3v1l h@x0r controller. (I’ve added some random spaces, hoping that I don’t get listed as hosting malware from this code sample.)
// attack code appended after last