HostMonster Doesn’t Do Basic Site Security

When it comes to the security of your website, your web host plays an important part, but too often they are failing to do what they need to do to keep your website secure. One of the areas we have seen web hosts fail at is keeping the control panel software running under websites up to date. With the Plesk control panel that has led to large numbers of websites being hacked due to vulnerabilities that existed in older versions of the software. In an attempt to make it easier to spot when web hosts are failing to keep control panel software up to date, we have just released a web browser extension, Control Panel Version Check, available for Firefox and Chrome, that provides version information for cPanel and Plesk based control panels and warns when an outdated version is in use.

To show how the extension can highlight unsafe hosting, let’s take a look at one host. HostMonster claims that “By design our servers are secure.” and that “The security level of your site depends on the code that is uploaded to HostMonster’s Servers.” You would think that when they make such a definite statement about their security, and fault customers for any security breach, they would at least be doing basic security, but that isn’t the case. The second item on their basic security checklist is to “Update all scripts/applications to the newest versions available.” and their reason for this is that “Old security holes are updated and remedied in new versions of software, so updating to the newest versions available ensures that you are running the most secure option available.” That sounds like reasonable advice; unfortunately they don’t follow it, despite claiming they are secure by design:

HostMonster is running cPanel 11.32

Support for version 11.32 of cPanel ended in August. Since then cPanel has put out several security announcements for vulnerabilities in cPanel. With support ended for cPanel 11.32, none of those vulnerabilities would be fixed in that version.

It doesn’t end there, with our phpMyAdmin Version Check extension you can see that they are also running an outdated version of phpMyAdmin:

HostMonster is running an outdated phpMyAdmin

The phpMyAdmin version they are running is over a year out of date, and there have been numerous security fixes released in subsequent versions.