Hackers nail unsecure websites on Afrihost server

Afrihost trying to be very technical there with the whole website vs server.
 
Afrihost trying to be very technical there with the whole website vs server.

They are correct though. The point of intrusion for most of these "hacks" is outdated WordPress plugins, search exploit-db for one and RIP. Kali Linux even has a module built in for this...
 
Afrihost trying to be very technical there with the whole website vs server.

We don't want to scare anyone. :) The server security was never compromised. The sites that were hacked were hacked due to outdated WordPress plugins.
 
They are correct though. The point of intrusion for most of these "hacks" is outdated WordPress plugins, search exploit-db for one and RIP. Kali Linux even has a module built in for this...

It's not even always outdated WordPress plugins, some plugins are just insecure. Fooling some PHP modules on WordPress to accept a file upload is arbitrary, getting it to execute the uploaded file is in fact just as easy.
 
It's not even always outdated WordPress plugins, some plugins are just insecure. Fooling some PHP modules on WordPress to accept a file upload is arbitrary, getting it to execute the uploaded file is in fact just as easy.

OWASP :crylaugh:
 
Ahhh my mistake, I thought they hacked one WordPress site and got access to the rest, which would indicate a server breach, so in this case these hackers merely got a couple of WordPress sites directly, i.e. Afrihost should not even be mentioned in the article.
 
Ahhh my mistake, I thought they hacked one WordPress site and got access to the rest, which would indicate a server breach, so in this case these hackers merely got a couple of WordPress sites directly, i.e. Afrihost should not even be mentioned in the article.

Afrihost's shared hosting is all jailed so one compromised site would be isolated unless a jail escape is used.
 
It's not even always outdated WordPress plugins, some plugins are just insecure. Fooling some PHP modules on WordPress to accept a file upload is arbitrary, getting it to execute the uploaded file is in fact just as easy.

:( It's rather frightening really. WordPress has some really cool features and functionality but you really have to be on your toes these days.
 
Ahhh my mistake, I thought they hacked one WordPress site and got access to the rest, which would indicate a server breach, so in this case these hackers merely got a couple of WordPress sites directly, i.e. Afrihost should not even be mentioned in the article.
You know what happens? A client is sold a "Secure hosting platform" which is misinterpreted as a Service which extends its security to the garbage loaded on top of it. The host in 99.99% of the hacking cases remains intact with only the Services running on top of it being compromised, to which the client tries to hold the hosting company liable for.
 
You know what happens? A client is sold a "Secure hosting platform" which is misinterpreted as a Service which extends its security to the garbage loaded on top of it. The host in 99.99% of the hacking cases remains intact with only the Services running on top of it being compromised, to which the client tries to hold the hosting company liable for.
Which is why I think this article is incorrectly named... Afrihost had nothing to do with the hacks - it's easy to misinterpret the headline as if it was in fact their fault (I sure did)
 
I must agree. The title is misleading. It is easy to then start doing 2 + 2 = sums about other issues that AH experiences all the time.
I looked at this thread as a result.

So back on topic. What is the solution? What should be done by ISPs that host websites to prevent this without restricting the freedom of many out there who start their own websites? We have all dabbled a bit with WordPress without necessarily understanding the implications.
 
I must agree. The title is misleading. It is easy to then start doing 2 + 2 = sums about other issues that AH experiences all the time.
I looked at this thread as a result.

So back on topic. What is the solution? What should be done by ISPs that host websites to prevent this without restricting the freedom of many out there who start their own websites? We have all dabbled a bit with WordPress without necessarily understanding the implications.

From our side we try to notify our Clients about plugins that need to be updated, but from our side we can't force a Client to update the plugins.

For the most part it is about co-operation and working with our Clients to make sure that their sites are as secure as possible.
 
AfriGenie,

iThemes Security offers free, decent WordPress security. It can also be set to hide login pages, prevent any PHP executions, etc.

In this day and age, to not update your WordPress themes and modules, and not run a security add-on like iThemes, is just not acceptable.
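
An added example, not part of any post in this thread: a site owner's audit for the two points raised above, PHP files that ended up in the uploads folder and whether PHP requests there are denied. It assumes an Apache host that honours `.htaccess`; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

# Names the web server may hand to PHP: shell.php, x.phtml, and double
# extensions such as img.php.jpg (executable only under some handler configs).
PHP_NAME = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)
# A FilesMatch block for PHP that denies access (Apache 2.4 or 2.2 syntax).
DENY_PHP = re.compile(
    r"<FilesMatch[^>]*php[^>]*>.*?(Require all denied|Deny from all)",
    re.IGNORECASE | re.DOTALL)

def audit_uploads(wp_root):
    """Return (suspicious_files, php_blocked) for wp-content/uploads."""
    uploads = os.path.join(wp_root, "wp-content", "uploads")
    suspicious = []
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if PHP_NAME.search(name):
                full = os.path.join(dirpath, name)
                suspicious.append(os.path.relpath(full, uploads))
    blocked = False
    htaccess = os.path.join(uploads, ".htaccess")
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            blocked = bool(DENY_PHP.search(fh.read()))
    return sorted(suspicious), blocked

def build_sample_site():
    """Constructed sample tree (not real data) for trying the audit offline."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    month = os.path.join(root, "wp-content", "uploads", "2024", "01")
    os.makedirs(month)
    for name in ("photo.jpg", "report.pdf", "avatar.php", "banner.php.jpg"):
        with open(os.path.join(month, name), "w") as fh:
            fh.write("constructed sample\n")
    return root

def write_deny_rule(wp_root):
    """Write a deny rule for PHP in uploads (overwrites; sample tree only)."""
    path = os.path.join(wp_root, "wp-content", "uploads", ".htaccess")
    with open(path, "w") as fh:
        fh.write('<FilesMatch "\\.(php\\d?|phtml|phar)$">\n'
                 "  Require all denied\n</FilesMatch>\n")

if __name__ == "__main__":
    site = build_sample_site()
    print(audit_uploads(site))   # before the deny rule
    write_deny_rule(site)
    print(audit_uploads(site))   # after the deny rule
```

The deny rule stops direct requests for PHP files in uploads; files the audit lists still need to be reviewed and removed.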
 
AfriGenie,

iThemes Security offers free, decent WordPress security. It can also be set to hide login pages, prevent any PHP executions, etc.

In this day and age, to not update your WordPress themes and modules, and not run a security add-on like iThemes, is just not acceptable.

Why AfriGenie? This has to do with the website owners not taking charge of their security, it's not Afrihost's problem.
 
AfriGenie,

iThemes Security offers free, decent WordPress security. It can also be set to hide login pages, prevent any PHP executions, etc.

In this day and age, to not update your WordPress themes and modules, and not run a security add-on like iThemes, is just not acceptable.
It's not Afrihost. It's the client's
 
Why AfriGenie? This has to do with the website owners not taking charge of their security, it's not Afrihost's problem.

It's not Afrihost. It's the client's

Yes that is the gist of the article, BUT is there something missing at the Host Service Provider level that can be done Globally?

Some enforceable standards to be met and maintained before a website will be accepted for hosting? Or, does the mighty Dollar rule again?

Website development and maintenance standards should be available. Then we get to website hosting criteria that need to be met before a site will even be hosted.

Not in the field, just interested.
 
Yes that is the gist of the article, BUT is there something missing at the Host Service Provider level that can be done Globally?

Some enforceable standards to be met and maintained before a website will be accepted for hosting? Or, does the mighty Dollar rule again?

Website development and maintenance standards should be available. Then we get to website hosting criteria that need to be met before a site will even be hosted.

Not in the field, just interested.

Well, according to the article, Afrihost does try and make those websites aware of outdated plugins, but I'd be pretty annoyed if they tried to take control of my site (even if it's only to update plugins) as that's not what they are paid for, they are paid to host.
 