Understanding Account Vulnerabilities

Ensuring the security of our customers’ web sites is a top priority for us at Kualo. In recent years we have seen a dramatic increase in malicious attempts to compromise an innocent web site. Generally these “attacks” are by hackers or spammers, who aim to control a web site in order to send out spam, distribute malware, host phishing content, or use the compromised site to launch attacks on other web sites or servers.

Whilst we maintain excellent server-side security, often these attacks continue due to insecurities in customer code which can leave a web site vulnerable to attack.

This article aims to outline:-

• Why the vulnerabilities exist
• What you should be doing regularly to ensure your sites are secure
• What we are doing to ensure your sites (and our servers) are secure

Why are web sites vulnerable to attack?

A large proportion of our customers use CMS applications such as WordPress or Joomla, or shopping cart systems such as Magento or Prestashop (amongst others). Whilst it may not be apparent to end users, there is a constant arms race under way. Hackers and spammers are continually looking for new ways to exploit these applications in order to gain access to the underlying hosting service. Developers of these software solutions are equally constantly implementing new security fixes to counter these attacks and close any security holes that are found.

You may be wondering: “How can I protect my web site from such attacks?”

The answer is actually very simple: “Update, update, update!”

The moment you let the software that powers your web site fall behind the latest version, you deny yourself the security patches and enhancements that the developer is implementing, and leave your web site vulnerable to attacks. Your number one priority therefore is to always use the latest version of the software that powers your web site.

This applies equally to any plugins, themes, extensions or addon software that you may have also installed in your web site. Even a fully updated WordPress installation can be vulnerable to attack if it is using an out-dated theme or plugin.

Why should this matter to me?

The security of your site should be a high priority for you, because sites that are compromised can put you and your clients at risk, as well as cause general issues for the hosting infrastructure. If a vulnerability in your code results in your site being compromised, hackers will generally be looking to either:

• Insert malware or a virus on your web site which could be passed onto your visitors.
• Install covert pages on your site to create 'Phishing' pages - i.e. pages like fake online banking logins where they will then collect peoples credentials.
• Gain access to the server to send spam messages. If spam messages are sent from the server, this then can have the knock on effect of causing your domain or the server itself to be blacklisted and result in email deliverability issues for your genuine emails.
• Add links on your site to theirs - insecure sites often end up with links to pornography - definitely something your visitors won't want to see!
• Use our server as the basis to attack other networks, web sites or servers.

... and these are just a few examples - there are many other malicious purposes hackers want to exploit your site for. 

If a site is compromised, the cleanup can be extremely arduous, especially if it goes unnoticed for a long time and there are now no recent 'clean' backups to restore from. Often the only way to fully recover is to re-upload your entire site from scratch. All of this will take a lot of time and effort - and if you're not doing it yourself, it might cost you a lot to have your developer set things straight again. 

Is there anything I can do to automate my script updates?

Absolutely. You have the option to do things automatically if you'd prefer not to go through the hassle of updating things manually. To do this, your application will need to have been installed using Softaculous, our application installer. When installing it, in the 'Advanced' options you can normally specify that Softaculous automatically updates your app when a new version is released. For some apps, such as WordPress, you can have Softaculous also update plugins and themes automatically. For more details on how to set this up, please visit this article.

What are Kualo doing to help with all of this?

We appreciate that not everyone gets around to updating their site, or setting up automatic updates and backups. Most people simply aren't aware that their site is vulnerable if they don't keep things updated. In a recent audit of our servers, over 65% of accounts contained outdated applications - meaning that there were thousands of web sites that were open to attack. 

This is something that we had to put right. Not only do vulnerable sites pose a risk to the web sites themselves, but they also pose a risk to the stability of our hosting service. We decided it was important to take a very proactive approach to ensure that peoples web sites (and our servers) are safe.

When your site is hosted with Kualo, if you install one of the commonly used web applications such as WordPress, Joomla or Drupal, we will automatically notify you when an update is required to give you the opportunity to get things updated. If we find a specific vulnerability in your application, we will also send you an email to notify you of the vulnerability and the specific file that is vulnerable.

What's more, with certain applications, we'll even patch the vulnerability to ensure that no harm can be caused by it.

Eek. Won't patching my site cause it to break?

This is where the real magic happens. Rather than automatically update web sites, our patching system only patches the specific files that are vulnerable. What we do is take the security patches from the latest version of the application or plugin, and we back-port it so that it fully functions with the version of the application you currently have installed. This means that the patch is applied safely, without affecting your web site.

This patching system will help ensure that sites hosted with Kualo are safe from a huge number of vulnerabilities.

If you're patching my site, do I still need to update?

We still recommend that you do update your software, as there may be some vulnerabilities we cannot detect or patch. Think of the patch as a plaster (or band-aid). It fixes most of the immediate problems, but in the long term, you'll want to ensure that your site is operating natively on the latest version of its software. Not only will this help ensure your site is secure, it will also allow you access to all the new features that the developer will be implementing aside from just security patches.

What if you find malware on my site?

Again, if your site is up to date and patched, the chances of malware is almost zero. However bear in mind that hackers and spammers are always looking for new ways to get access to your site - so sometimes even if you've been super vigilant malware can still creep in. This is where we have your back again. In addition to scanning sites for out of date software and known vulnerabilities, we also scan for known malware. If we find malware, we will quarantine it so that it can do no (further) damage. You'll receive an email from us whenevr this happens, and at that time we'd normally suggest that you examine the site for any evidence of other issues and double check everything that needs updating has been updated.

The fight against hackers and spammers is a long one, and is constantly evolving, however with our automated notifications, security patching and malware removal, your Kualo hosting account is about as secure as things get. To learn more about how this works, and to learn about how you can view and manage your application security in cPanel, please review these articles or get in touch with us if you have any questions!