12 Reasons Why Your WordPress Blog Gets Hacked

We scrupulously investigated each issue and found out the following:

1. Usernames for cPanel were created automatically during account setup. For example, if you have mydomain.com, the username would be "mydomain". This isn't a major security issue, but it's highly recommended to set something quite different, for example, "dommy2".

2. The cPanel password was easy to guess. We saw the following passwords (reported via the support desk): "password", "Myblog1i", "sunshine17", "mycpanel", etc. Passwords must be created with the Password Generator tool provided by either cPanel or WHM. Also, you must change your password every 3 months.

3. The WordPress database name was weak, something like "username_wordpress". When you add a new database, choose a name not related to the content, for example, username_blog27i. For a strong username, please see #1 in this article. So the final database name would look like "dommy2_blog27i".

4. The WordPress database USERNAME (the username for the DB) was weak. It's a good idea to create a strong username like "tr128q45". Please avoid special symbols like !@$%&" inside database names; you can use lower-case letters and numbers.

5. The WordPress database password was EXTREMELY WEAK. In about 60% of reported security issues, we saw these passwords: "password" and "pass123". Please use the password generator tool even for the database user's password. A strong password looks like this: @$124&^@!~11mrQ

6. WordPress security keys in 90% of reported cases were left at the default "put your unique phrase here". This is a huge mistake! You must use this key generator tool: http://api.wordpress.org/secret-key/1.1/

7. Wrong permissions on files and folders. In about 30% of reported cases, we noticed wrong permissions: 666, 757 and even 777. The correct permissions are 644 for all files (including PHP files) and 755 for folders. If you don't know how to set them, let us do it!

8. In about 10% of reported cases, we found old wp-config.php files, some even in .txt format. Those must be removed at once (basically, all unneeded old files and directories must be removed).

9. Backup files were located on the server. It's illegal and insecure to keep them on the same website. You can generate a full cPanel backup via cPanel > Backup > Generate full backup, then download it to your personal computer. After that, it's important to remove the backup file via FTP!

10. Most customers were accessing cPanel over insecure channels, for example, http://domain.com:2082. The secure ports are: 2083 (cPanel), 2087 (WHM) and 2095 (webmail).

11. Some customers stored passwords inside browsers. You should really avoid storing such data inside any browser, for security reasons.

12. In about 20% of cases, end users' computers were infected with a Trojan horse. If your computer restarts, loads slowly, doesn't open some pages or acts weirdly, you should disconnect it from the internet at once, go to the store and find reliable AV software such as "Norton Suite" or "Kaspersky Internet Security 2011". If you think that finding (or not finding) a virus is the important task, you're wrong. The most important task is to resolve VULNERABILITY ISSUES. Most customers get infected even if they run the latest antivirus and firewall software. Viruses usually get in through insecure applications (Frontpage, Outlook, Java etc.).
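
To check a site for items 5 through 9 in one pass, here is a small audit script. It is an added example written for this article, not a cPanel or WordPress tool; it assumes a POSIX shell with a standard find, and it builds its own constructed sample tree so you can see what a finding looks like before pointing it at a real document root (audit_wp /home/dommy2/public_html).

```shell
#!/bin/sh
# Read-only audit of a WordPress document root for the server-side items
# above: weak DB password (#5), default security keys (#6), wrong modes (#7),
# stale wp-config copies (#8) and backup archives in the web root (#9).
# DB_PASSWORD set to one of the two values quoted in item 5.
weak_db_password() {
    n=$(grep -cE "DB_PASSWORD', *'(password|pass123)'" "$1/wp-config.php" 2>/dev/null)
    echo $(( ${n:-0} ))
}

# Security keys still set to the WordPress placeholder (item 6).
default_keys() {
    n=$(grep -c 'put your unique phrase here' "$1/wp-config.php" 2>/dev/null)
    echo $(( ${n:-0} ))
}

# Every file that is not 644 and every directory that is not 755 (item 7).
bad_modes() {
    find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \)
}

# Old config copies and backup archives that must not stay on the server (8, 9).
stale_files() {
    find "$1" -type f \( -name 'wp-config.php.*' -o -name 'wp-config*.txt' \
        -o -name '*.tar.gz' -o -name '*.zip' \)
}

# Print every finding; return 1 if anything needs fixing.
audit_wp() {
    root=$1; rc=0
    [ "$(weak_db_password "$root")" -gt 0 ] && { echo "#5: weak DB_PASSWORD in wp-config.php"; rc=1; }
    k=$(default_keys "$root")
    [ "$k" -gt 0 ] && { echo "#6: $k security key(s) still default"; rc=1; }
    m=$(bad_modes "$root");   [ -n "$m" ] && { echo "#7: wrong modes:"; echo "$m"; rc=1; }
    s=$(stale_files "$root"); [ -n "$s" ] && { echo "#8/#9: stale config or backup files:"; echo "$s"; rc=1; }
    return $rc
}

# Constructed sample tree with one instance of each mistake (not a real site).
make_sample() {
    d=$(mktemp -d); mkdir -p "$d/wp-content/uploads"
    printf "<?php\ndefine('DB_PASSWORD', 'pass123');\ndefine('AUTH_KEY', 'put your unique phrase here');\ndefine('SECURE_AUTH_KEY', 'put your unique phrase here');\n" > "$d/wp-config.php"
    : > "$d/wp-config.php.txt"; : > "$d/backup-10-2010.tar.gz"; : > "$d/index.php"
    find "$d" -type d -exec chmod 755 {} + ; find "$d" -type f -exec chmod 644 {} +
    chmod 777 "$d/wp-content/uploads"; chmod 666 "$d/index.php"
    echo "$d"
}

SAMPLE=$(make_sample); audit_wp "$SAMPLE" && echo "clean" || echo "fix the findings above"
```

Items 1 to 4 and 10 to 12 are about cPanel, the browser and your PC, so no script on the server can check them; go through those by hand.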

If you have any questions, or if you need ANY assistance with site security, we're here to help. Do not delay. Do not wait until you get reported or suspended.
We've also decided to keep old backups (generated about a week ago) for an additional 60 days (until December 9th 2010) on an external backup server. Please keep in mind that a backup restore will cost $10 per website. If you have your own good backup, the restore is free (a full cPanel backup can be restored by the system admin only).
