How I Survived Securing a Fleet of 400 WordPress Installations

Published by Orleando Dassi on

Context

In my career as of now, I had the chance to work in many environments’ setups, different cultures, different projects, different challenges, and so on. One of the most difficult ones for me has been to lead a small technical team in a startup-like routine, the kind of company where almost everything was to be done from the decisions side to the processes and applications.

I have been in the center of some important technical decisions, one of my attributions was to manage the company’s private hosting department till we found the right candidate to fill that spot once the financial resources will suffice, with more than 400 active clients that seemed like 4000 clients to me as a single technical person with the help of a nice decentralized team of live support agents, every single day was a battle.

In this small write-up, I’m going to dig a little bit into the situation I have been in to manage more than 400 WordPress installations for paid customers in a subscription model.

The WordPress Installations

The Reason Behind Choosing Cpanel for the Installations

Managing websites has never been easy, it’s a set of constant and repetitive tasks that ensure the quality and the responsiveness of your web resources to server pages to your readers. Nowadays, WordPress occupies almost 60% of websites using CMS for their content, so there’s a big chance that your choice falls into that one because of its quality, popularity, extensibility, and multi-purpose capability.

Often we call it a Cpanel installation, when in fact it includes only WordPress websites but comes in addition with some more options like a custom professional email management system, DNS records management for domain names, and other options provided out of the box by Cpanel providers.

More advanced Cpanel features come with a lot of automation tools, like doing a few clicks to have a WordPress website properly set up, linked with your domain name, SSL enabled with auto-renew, and backup enabled. Seems to be the perfect combo for non-technical users who are looking to focus on their content rather than on the infrastructure that powers their websites.

I Inherited of the Installations

The company inherited from these Cpanels (Business acquisition) as do I. The thing behind taking in hand a work that has been done with a previous process is that it can lead to two situations, where the most willing one is for sure that all common best practices have been applied to enable easier management of the resources, and the less good one could be that a few decisions have been missed to make the work even greater. As it’s well-known there are no small risks in the security domain since every single opportunity given to a hacker can lead to service disruption or at least over-exploitation of resources. As you have guessed the work has been started with good intention and of course some interesting automation, but the security side has never been a full concern since most of the company energy was dragged on other (also) important problems still to satisfy the customers.

The fleet of installations was perfectly running for some time now, maybe for almost one year before the first security attacks have been noticed by some team members and also reported by a few customers who couldn’t fully take advantage of resources as specified in the terms of usage that we had with them at that time. It was coming from multiple places so it started to be evident to me that once they have noticed the flaws on one Cpanel/WordPress, the attackers automated the process with many Cpanels/WordPress setups to perform their malicious activities.

The Threats Encountered

The malicious attacks were very difficult because it was far from determining the exact causes because of many breaches that have been found after a thorough check. There are malicious intrusions from many sides to accomplish diverse actions like:

  • Spamming other persons (emails).
  • Getting sensitive data from the database.
  • Backlinking to improve some e-commerce websites’ reputations.
  • Almost all core PHP files were infected with encrypted PHP codes you can’t guess their utility at first view.

Common Mitigation techniques for Website Security

A few security strategies were still to apply to improve the hosting quality and therefore increase the trust between the service and the customer, meaning leading to more sales along the way.

At first, we looped over a bunch of the attacked websites (so many)  just to confirm that since they were set up using the same old process, they should be facing similar security threats.

Protection at the Cpanel Level

On my way of making these security issues an old story, I couldn’t think of a single method since it was a challenge of very different types than the ones that usually knock on my door as a Full-Stack developer.

After some analysis, of course still far from being the best strategies that a security expert could apply, here’s the list of what was agreed and considered very important to apply for existing and brand new Cpanel installations:

  • Changed the password of the root Cpanel account, since to solve some specific issues with our account, it has been given to the Cpanel provider’s technical support agents a few times by direct chat messages. Without being convinced of anything, we thought that maybe the attackers got it from the chat logs somehow. It’s just us trying to apply the zero-trust principle to narrow down all corners during the process.
  • Enabled 2FA for the root Cpanel account and force all of the customers’ accounts to do so as well.
  • Disabled terminal/ssh accesses to Cpanel by default for all the customers (sub Cpanels) as well as for the root account.
  • Enabled SSL/HTTPS for customers’ Cpanels and make sure the certificates auto-renew.
  • Enforcing strong password security measures at the Cpanel level.
  • Scanned the whole Cpanel for viruses and malware check using its security tools.
  • Make sure that the backup feature remains enabled since it has been of great help for us to move out of that situation.
  • Force password change for customers’ Cpanels accounts, which leads to their FTP accounts accessed being changed.
  • Take seriously and react to the security warnings received from the Cpanel provider.
  • Keep your Cpanel software updated whenever any updates come in.

Protection at the WordPress Level

Moving forward, once I made sure the Cpanels were out of the scope in terms of security improvements, I went down add more flesh to the websites themselves. Somehow, we have been lucky since each website has at least an existing backup that we kept secured.

As part of the suggested solutions for the customers, we started helping some of them to apply a few of these items in the following list:

  • Enforced a strong password policy for administrators.
  • Installing (on their behalf) WordPress’s Wordfence security plugin which is shipped with many interesting options: enforcing strong password for users, scanning core WordPress files to determine those which have been tampered with and recovering their initial content, enabling 2FA for administrators accounts, IP address blocking strategy for multiple failed login attempts.
  • Making sure WordPress websites could redirect HTTP traffic to HTTPS, some plugins are available for that. Another alternative is to configure this at the Cpanel level (.htaccess file).
  • Make sure the MySQL databases couldn’t be accessed remotely (non-localhost connection).
  • Replaced corrupted core WordPress files with their original content got from wordpress.org while making sure to respect the version in use.
  • Always use the latest versions of WordPress, active themes, and plugins since they keep fixing flaws once discovered.
  • Recommend to add websites on Google Search Console to fight against these hackers who are making false indexes on Google search results using your domain name to promote their content.

My Own Dirty Security Solution For Personal WordPress websites

We are all tempted to buy a Cpanel account for any new ideas that pop up in our minds so that we can create a quick website for it in a few minutes before even thinking about anything else. Just to confess, I’m into that flow as well, I bought many Cpanels for myself during the past 7 years, some have been shut down while I’m still managing a few as of today. Along the way, I experienced difficulties keeping them secure.

For me, the Cpanel dashboard has been easier to secure than WordPress. In addition to all the recommendations listed in the former parts of this article, here’s a special and non-clean approach I still use today to keep my WordPress out of certain security attacks: Always disabling access to wp-login.php and wp-admin.php files by using a few Apache directives in the .htaccess config file, that’s all. By doing so, there are a lot of attacks that will never reach inside my website if they need to perform a login action before their main actions. Then, whenever I want to use the admin part of the website again, I jump into my Cpanel File Manager to disable these directives for the login and dashboard pages/actions to work normally.

I put this in the wp-admin folder .htaccess file so that the admin dashboard remains unreachable:

<Files *.php>
deny from all
</Files>

Disabling the login page by pasting the following three lines in the .htaccess file in WP root folder:

<Files wp-login.php>
deny from all
</Files>

 

Do you Really Need a Cpanel/WordPress Setup?

Sometimes, I feel like maybe Cpanel is over-rated for some particular cases. In my humble opinion, if the intent is just to run a single WordPress website considering that you don’t want to deal with any hassle regarding the security aspect of it, I strongly recommend using a fully-managed service like the dotcom version of WP that comes with everything put in place. This puts all the responsibility on the SAAS service that you chose so that you can simply focus on the management of your website which is much easier for non-technical users, here are some examples:

The fully managed WordPress alternative may come in handy but also costly but if you are truly looking for a scalable and cost-effective alternative to start writing right away while benefiting from fast page rendering (speed) and a high level of security, you should check the following article: ghost as choice over traditional CMS.

I will never regret going on that path to solving these security issues since they opened my perspectives in terms of security concerns, allowed me to surpass myself, and brought my Cpanel skills to the next level that I even decided to take the Cpanel Professional certification (CPP).

Orleando Dassi Cpanel Professional Certification

For some individuals, it all boils down to the real cost of owning and managing a Cpanel installation themselves instead of gaining knowledge and/or recruiting/paying a webmaster/SAAS to take full responsibility for their system. Yes me also, at some point, I let that responsibility to the right person the company looked for to continue the task.

Conclusion

To summarize, we concluded that WP is easy, but as an end-user, keeping a production-grade WordPress installation on a Cpanel is a difficult process that demands constant attention since security is very important and should be taken seriously from day one.

Categories: SecurityStory
Tags:

Orleando Dassi

I'm a Solutions Architect who is constantly learning to better himself while impacting the community by producing technical articles and videos, what describes me the most is my flexibility.

Shares