(Ping! Zine Web Hosting Magazine) – WPHostingSpot, a premium, dedicated WordPress hosting provider, recently discovered considerable control panel flaws and has taken measures to ensure the security of its users and new customers in order to provide sound and safe service.
“Upon review of our own security practices and various methods to keep our clients’ data and accounts safe, we realized that we were missing a BIG security flaw within cPanel/WHM,” stated Matt Williams of WPHostingSpot.
The company's report and the measures it has taken follow:
Flaw 1: When a new account is created with reseller privileges, there is a WHM icon within their primary cPanel account for easy access to the account holder’s WHM account. To us, this is an EXTREMELY HIGH security risk as anyone who successfully compromises the account holder’s cPanel account not only has access to their primary account information, but also to all their other accounts hosted in WHM.
Flaw 2: We also noticed that when creating cPanel accounts with reseller privileges, they are given the same username/password for both cPanel access and WHM access. To us, this is yet another EXTREMELY HIGH security risk.
How we are taking an extra step…
We want to provide our clients with the safest methods possible to keep their data and accounts safe from unauthorized users. We have implemented a new, safer method for our clients using WHM for domain/account management.
- The WHM icon is no longer in the primary account holders’ cPanel account, thus preventing unwanted access to the account holders’ other accounts via the WHM icon.
- For clients who use WHM, a new account is created separately with reseller rights and given a unique username/password using an unknown, randomized, non-registered URL since we use a separate login URL for all cPanel/WHM access.
We already do not allow add-on domains for many reasons, most importantly, for security but also for account performance purposes. We make every attempt to go the extra mile for our clients for support, security and performance of their accounts. We feel this is a safe security measure and a “must do” for our clients and to continue implementing/revising/improving on safer methods for them to keep their data safe as well as their other accounts. We don’t wait for something bad to happen to our clients to implement new methods; we are very pro-active with security so we implement/improve our methods BEFORE an incident occurs.
WPHostingSpot.com is a premium, dedicated WordPress hosting provider that provides affordable, fully managed WordPress hosting to private users and small-to-mid-sized businesses worldwide.