HostMonster Doesn’t Do Basic Site Security

When it comes to the security of your website, your web host plays an important part, but too often they are failing to do what they need to do to keep your website secure. One of the areas where we have seen web hosts fail is keeping the control panel software running under websites up to date. With the Plesk control panel, that has led to large numbers of websites being hacked due to vulnerabilities that existed in older versions of the software. In an attempt to make it easier to spot when web hosts are failing to keep control panel software up to date, we have just released a web browser extension, Control Panel Version Check, available for Firefox and Chrome, that provides version information for cPanel and Plesk based control panels and warns when an outdated version is in use.

To show how the extension can highlight unsafe hosting, let’s take a look at one host. HostMonster claims that “By design our servers are secure.” and that “The security level of your site depends on the code that is uploaded to HostMonster’s Servers.” You would think that when they make such a definite statement about their security and fault customers for any security breach, they would at least be doing basic security, but that isn’t the case. The second item on their basic security checklist is to “Update all scripts/applications to the newest versions available.” and their reason for this is that “Old security holes are updated and remedied in new versions of software, so updating to the newest versions available ensures that you are running the most secure option available.” That sounds like reasonable advice; unfortunately they don’t follow it, despite claiming they are secure by design:

HostMonster is running cPanel 11.32

Support for version 11.32 of cPanel ended in August. Since then, cPanel has put out several security announcements for vulnerabilities in cPanel. With support ended for cPanel 11.32, none of those vulnerabilities would be fixed in that version.

It doesn’t end there. With our phpMyAdmin Version Check extension, you can see that they are also running an outdated version of phpMyAdmin:

HostMonster is running phpMyAdmin 3.4.11.1

That version is over a year out of date and there have been numerous security fixes released in subsequent versions.

1 thought on “HostMonster Doesn’t Do Basic Site Security”

  1. Although my problem is not with Hostmonster’s website security my issue plays directly to Hostmonster’s lack of attention to security matters. For months many of my critical outgoing emails have been hitting and being rejected by “reputation” filters in use as spam control by at least 1 major international company. For months Hostmonster has told me all the reasons why they have no control over their customers’ email accounts nor their servers being involved in generating prolific volumes of spam resulting in said “reputation” blacklisting. And, for a similar period of time, they’ve told me to use different outgoing email servers other than those I’m paying for in order to avoid being troubled by these blacklisting spam filters. Months and months have gone by and they still seem to have no ability to meaningfully address this problem. Today their TOS agent told me that they actually HAVE NO RESPONSIBILITY to provide me with a working email server, that their only duty was to provide webhosting. This was news to me. While he tried to tell me all the other reasons that they cannot control this from occurring I told him I didn’t care and he hung up on me. Just one user’s experience.
