Tag Archives: phishing

Disable the mod_userdir module if your host uses cPanel

I've just had Google Webmaster Tools report phishing attacks on all my sites hosted by HostGator. Initially, I thought my sites had been compromised; but since I always use strong passwords and pay attention to site security, I couldn't work out how. So I contacted HostGator technical support and learned that the phishing page came from another site hosted on the same shared host, and was accessible via a URL like:

http://www.buildyourblog.net/~baduser/zaz/home/

In fact, it turns out that the website of any other user on the same shared host is accessible via my site's address using ~user. Ouch! And incredibly, HostGator enables this behavior by default.

If your website is hosted on a shared host that uses cPanel, contact your hosting company's technical support and ask them to disable mod_userdir.…
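One way a site owner can check their own domain's access log for content served through `/~user/` paths, as an added example that is not part of the original post. It assumes Apache combined-format log lines; the sample lines and the account name `myuser` are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Request and status fields of an Apache combined-format log line.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# mod_userdir serves /~account/... from that account's web directory.
USERDIR_RE = re.compile(r"^/~(?P<account>[^/]+)")


def userdir_hits(log_lines, own_account=None):
    """Map each foreign account to the /~account/ paths this vhost served."""
    hits = defaultdict(set)
    for line in log_lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        # Drop the query string, then decode so /%7Euser is seen as /~user.
        path = unquote(req["path"].split("?", 1)[0])
        match = USERDIR_RE.match(path)
        if not match or match["account"] == own_account:
            continue
        # 403/404 means nothing was served; 2xx/3xx means content went out.
        if 200 <= int(req["status"]) < 400:
            hits[match["account"]].add(path)
    return {account: sorted(paths) for account, paths in hits.items()}


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2000:10:01:22 +0000] "GET /~baduser/zaz/home/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2000:10:02:05 +0000] "GET /%7Ebaduser/zaz/home/index.html?x=1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2000:10:03:11 +0000] "GET /~nosuchuser/ HTTP/1.1" 404 310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Jan/2000:10:03:40 +0000] "GET /blog/my-post/ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [01/Jan/2000:10:04:02 +0000] "GET /~myuser/ HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # own_account is the log owner's own (hypothetical) account name.
    for account, paths in userdir_hits(SAMPLE_LOG, own_account="myuser").items():
        print(f"content of account '{account}' was served under this domain:")
        for served in paths:
            print("   ", served)
```

Any account listed in the output is evidence to include when asking the host to disable mod_userdir.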
