I have hosted WordPress sites on the shared servers of two different hosting companies: IXWebhosting and Siteground. With regard to site security, one is much better than the other.

Directory Listing Is a Threat to Your Site and Assets Security

On my IXWebhosting shared server, I discovered to my horror that if I type the blog URL plus /wp-content/themes/, /wp-content/plugins/ or /wp-content/uploads/, I can see what themes I have installed, what plugins I have available, and even whatever documents, images or other files I have uploaded, all listed and accessible. I have to put empty index.html and/or index.php files in the folders to disable listing the contents. (Correction: actually index.php should not be put in the plugins folder, because doing so will cause the Dashboard not to show up when you click the dashboard button. I found out about this when it happened and I traced it to the index.php file in the plugins folder. For that matter, I decided to put only an index.html file in the folders under wp-content. It's a dumb method because I need to put the file in every subfolder that I want to protect. Another way is to use the .htaccess file at the root of the folder needing protection.) I also disabled directory listing using a .htaccess setting at the root of my blog.

On my Siteground shared server, somehow directory listing is disallowed by default. And I do not have to do anything to protect those folders.

PHPMyAdmin Database Access and Backup

On my IXWebhosting shared server, I access phpMyAdmin via an HTTP link and download the database dump file via HTTP, which is not secure and is vulnerable to sniffer attacks.

On my Siteground shared server, phpMyAdmin access and downloading of database dump files are all through a secure HTTPS link.

Hijack/Redirection Attacks via .htaccess Tampering

On my IXWebhosting shared server, my WordPress site has suffered numerous URL hijack or redirection attacks where my site is only accessible at the home page; any deeper page will display a links page that the hacker redirects to. The hack was done by modifying the .htaccess file to insert URL rewrite rules. It turns out that the hackers must have hacked my username and password, and were able to use FTP to tamper with my files. I had to restore the original .htaccess file many times when this type of attack occurred. I finally changed my FTP password, and this type of attack has finally stopped.

On my Siteground shared server, this has not happened once yet.
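
An added example, not from the original post: a small Python audit of a .htaccess file that flags redirect-capable directives outside the stock WordPress rewrite block, the kind of change described above, and also reports whether directory listing is switched off. The function names, the sample file and the `links.example.invalid` host are constructed for illustration, and a WordPress install at the site root (`/`) is assumed.

```python
import re

# Stock rewrite directives WordPress writes for a root install (assumption:
# the site lives at "/"; adjust RewriteBase and the last rule otherwise).
WP_BASELINE = {
    "RewriteEngine On",
    "RewriteBase /",
    r"RewriteRule ^index\.php$ - [L]",
    "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d",
    "RewriteRule . /index.php [L]",
}
# Directives that can send a visitor somewhere else.
REDIRECTING = re.compile(r"^(Rewrite(Engine|Base|Cond|Rule)|Redirect(Match|Permanent|Temp)?"
                         r"|ErrorDocument)\b", re.I)
EXTERNAL = re.compile(r"https?://", re.I)

def audit_htaccess(text):
    """Return (line_no, severity, directive) for each redirect-capable line outside the stock block."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # trim and collapse padding whitespace
        if line.startswith("#") or not REDIRECTING.match(line) or line in WP_BASELINE:
            continue
        findings.append((no, "high" if EXTERNAL.search(line) else "review", line))
    return findings

def listing_disabled(text):
    """True if an Options directive turns directory indexes off."""
    return any(re.match(r"\s*Options\b.*(?<!\S)-Indexes\b", l, re.I) for l in text.splitlines())

# Constructed sample: the stock block plus two lines appended after it.
SAMPLE = r"""Options -Indexes
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Redirect 301 /old-page /new-page
RewriteRule ^.+$ http://links.example.invalid/ [R=302,L]
"""

if __name__ == "__main__":
    print(audit_htaccess(SAMPLE), listing_disabled(SAMPLE))
```

A "review" finding can be a redirect the site owner added on purpose; a "high" finding points at an external host and should be compared against a known-good copy of the file.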

Finally, I have to make it clear that I am in no way affiliated with Siteground or will benefit in any way from them for this post. I am simply a happy customer with Siteground hosting so far.

To you WordPress users hunting for a hosting place, make your choices carefully. By the way, here is a good article about WordPress security tips.
