I've just had Google Webmaster tools report phishing attacks on all my sites hosted by HostGator. Initially, I thought my sites had been compromised; but since I always use strong passwords and pay attention to site security, I couldn't work out how. So I contacted HostGator technical support and learned that the phishing page came from another site hosted on the same shared host, and was accessible via a URL like:
In fact, it turns out that the website of any other user on the same shared host is accessible via my site's address using
~user. Ouch! And incredibly, HostGator enables this behavior by default.
If your website is hosted on a shared host that uses CPanel, get on to your hosting company technical support and ask them to disable