Separate Websites should be run under separate User Accounts

Written by James McDonald

August 16, 2010

If you have an account with a webhost which allows you to run multiple domains (or even `unlimited’ domains ala Dreamhost). You may be tempted to run multiple websites under the default account that is provided by the hosting company.

But while convenient, this has a pretty major security pitfall.

For example with my webhost If you run the default single user account on the webserver the layout for multiple domains on the server is something like this.


The files in each website are owned and writeable by the one user and each site is served to the public using the same Apache process.

Therefore if a remote attacker uses an automated attack and compromises one website the exploit can loop up to the highest point they have write access to (the /home/username directory) and then down through the directory tree finding and appending malicious scripts or malware to each web servable page such as index.php, index.html etc.

A better setup is to create a new user account for each website that you create. And while it’s a pain to remember and safely store all the different passwords it reduces your risk of losing multiple sites to remote automated exploits. So the layout for multiple accounts on the webserver looks something like


Here is an example of what can get appended to your index files. In this case the index.php page generated it’s normal html output but after the closing </html> tag the attacker has placed a nasty little cross site scripting javascript it’s obsfuscated so you can’t read the code because the attacker want’s to hide the workings of the java script.

This particular exploit tried to contact twitter to get it’s commands from the 3v1l h@x0r controller. (I’ve added some random spaces hoping that I don’t get listed as hosting Malware from this code sample)

// attack code appended after last  tag
var $a="Z63cZ3dZ225nZ2567Z2574h;iZ252b+)Z25 7bZ2574mpZ253dZ2564sZ252eslZ2569ce(Z2569,Z2569Z252b1)Z253bZ22;cdZ3dZ22st Z253dstZ252bSZ2574riZ256
.... [ many more lines of obsfucated javascript code here. And then follows the functions used to decode the obfuscated javascript and execute it ] ...

var ez=window;
ez[S tring.from Char Code(101,118,97)+"l"](f ds()); 
fun ction a s d(s){

Needless to say if you put all your eggs (websites) in one basket one metaphorical boot (cracker) can break them all.

Note: As well as separating your websites to different user accounts. Remember to _regularly_ update your CMS software (e.g. WordPress, Joomla etc).


Submit a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

The reCAPTCHA verification period has expired. Please reload the page.

You May Also Like…

List local disks

GET-CimInstance -query "SELECT * from Win32_DiskDrive" DeviceID Caption Partitions Size Model -------- -------...

Create ISO using Powershell

Usage New-IsoFile -NewIsoFilePath C:\tmp\Hyper-V.iso-sources -ImageName Hyper-V -SourceFilePath 'C:\tmp\Hyper-V'...