Skip to main content
Information Security

Return to Answer

removed duplicate content
Source Link
edit approved Jul 3, 2016 at 19:49
user2320464
edit approved Jul 3, 2016 at 19:49
user2320464
  • 1.9k
  • 1
  • 16
  • 19

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change at the server, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronise that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change at the server, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronise that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

Source Link
Ángel
Ángel
  • 19.6k
  • 3
  • 30
  • 67

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (eg. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make an script that rsyncs your website and commits to eg. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change at the server, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer) a simple rsync -avz --delete website/ the-server: would roll back to the "clean" version, should such compromise arises. You can even automatically synchronise that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.