Disable mod_userdir module if your host uses cPanel

I've just had Google Webmaster Tools report phishing attacks on all my sites hosted by HostGator. Initially, I thought my sites had been compromised, but since I always use strong passwords and pay attention to site security, I couldn't work out how. So I contacted HostGator technical support and learned that the phishing page came from another site hosted on the same shared host, and was accessible via a URL like:

http://www.buildyourblog.net/~baduser/zaz/home/

In fact, it turns out that the website of any other user on the same shared host is accessible via my site's address using ~user. Ouch! And incredibly, HostGator enables this behavior by default.

If your website is hosted on a shared host that uses cPanel, contact your hosting company's technical support and ask them to disable mod_userdir.
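One way to check whether your own domain is serving other accounts' content this way, as an added example that is not part of the original post: the script scans an Apache access log in Combined Log Format for successful requests to `/~account/` paths that belong to someone else. It assumes your host gives you your domain's raw access log; the account name `graham` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# mod_userdir maps /~name/... to that account's web directory.
USERDIR_RE = re.compile(r'^/~(?P<user>[^/?#]+)')

# Constructed sample lines (not real traffic); "graham" is a hypothetical own account.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /~baduser/zaz/home/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.8 - - [01/Jan/2024:10:00:05 +0000] "GET /%7Ebaduser/zaz/home/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [01/Jan/2024:10:01:00 +0000] "GET /~nosuchuser/ HTTP/1.1" 404 310 "-" "curl/8.0"',
    '198.51.100.3 - - [01/Jan/2024:10:02:00 +0000] "GET /blog/post-1/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2024:10:03:00 +0000] "GET /~graham/ HTTP/1.1" 200 800 "-" "Mozilla/5.0"',
]


def foreign_userdir_hits(lines, own_account):
    """Return {account: [paths]} for requests to /~account/ paths of other
    accounts that the server resolved (2xx/3xx) under this domain."""
    hits = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        path = unquote(m["path"])  # the log keeps the raw request, so /%7Euser/ must be decoded
        u = USERDIR_RE.match(path)
        status = int(m["status"])
        # 2xx/3xx: the server resolved the path instead of rejecting it
        if u and u["user"] != own_account and 200 <= status < 400:
            hits.setdefault(u["user"], []).append(path)
    return hits


if __name__ == "__main__":
    for account, paths in foreign_userdir_hits(SAMPLE_LOG, "graham").items():
        print(f"~{account}: {len(paths)} request(s) served, e.g. {paths[0]}")
```

Any account the script reports is evidence to include when you ask your host to disable mod_userdir.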


About Graham

I'm the creator of BuildYourBlog.net.

One Response to Disable mod_userdir module if your host uses cPanel

  1. Valerie says:

    Amazing that they'd allow that. But then, maybe not. Seems like they don't care lately.

    I've reported to them code injection attempts coming from their servers into an instance of WHMCS I'm running. Never heard back.

    Need to cut and run and find a new host.

    Thanks for sharing this!
