Is this true about forum security on shared hosting ?

Digital Doctor

Digital Doctor

Well-known member
Licensed customer
vBulletin acknowledged that it's platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).

Do you agree with this statement ?
for vBulletin ?
is it true for Xenforo ?
 
erm, I can't see how apache's process has anything to do with vBulletin, to be honest. PHP runs as whatever Apache's user is setup as. I forget what the default is, but it most definitely is not root!

Either-way it applies to all PHP scripts & sites on the server, not just vB or XF...

I'd be interested to see the source for your statement.
 
It's a problem with shared servers, not with any particular forum application. The problem is that your forum can be compromised if another account on the shared server is compromised. The other account can potentially read your config file and connect to your database. In the hands of a malicious person your config information can be used to deface your forum. All of this is by way of another account on the same shared server as you. This affects both vB and XF.

This happened to my forum once.
 
Digital Doctor said:
vBulletin acknowledged that it's platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).

Do you agree with this statement ?
Click to expand...
I don't think that's an accurate description of how shared hosting works.
 
Depends on how qualified the shared host is technically. We have a dedicated server we "share" between N no. of users. We have Apache running on worker mpm and php running as fcgid processes separately under each user. So every user's apache and php processeses run separately under their own unix user accounts. So if one account was to be comprised, it would have no impact on anyone else.

Given current hardware prices for server equipment, it makes absolutely no sense for a shared host to run php as a compiled apache module, mod_php. It is inefficient and poses security risk in a shared environment, as Jake explained.

And Yes, I would also like to see the source of your claim. I see no reason why a software company would say such a thing.
 
He's a linux God.
He says his method makes upgrading vB3 "very hard".
I'll ask him what are his workarounds.
He's looking to migrate away from vB3 and won't touch vB4.
I wanted to know if Xenforo was any different than vB in respect to his wishes.
 
Digital Doctor said:
He's a linux God.
He says his method makes upgrading vB3 "very hard".
I'll ask him what are his workarounds.
He's looking to migrate away from vB3 and won't touch vB4.
I wanted to know if Xenforo was any different than vB in respect to his wishes.
Click to expand...
If he believes an application like vBulletin can alter the way shared hosting works then he is not a linux god. Once the OS is setup to run PHP as the same user for all hosts on the server then nothing can change that unless he is exploiting the kernel.
 
Digital Doctor said:
vBulletin acknowledged that it's platform never could be really secure on shared hosting servers because each user is essentially running as root (from Apache's viewpoint).

Do you agree with this statement ?
for vBulletin ?
is it true for Xenforo ?
Click to expand...

I'm going to get a lot of heat for this comment and perhaps others will want me to explain further in detail (which I would rather not).......

YES.

Any shared environment adds to the risk to every site on the server. This includes shared web host, but also VPS host as well. Does not matter how good you've configured the setup... The risk is there. You can limit the risk, but never to a complete zero (never as good as a dedicated).

Their statement is generally correct, except Apache isn't the root of all evil. They are forgetting MySQL, PHP, WHMCS, Xen, OpenVZ, Cpanel with WHM, and there are other routes one could use to compromise a shared environment.

A complete dedicated environment has the least risk, when properly secured.
 
TheVisitors said:
I'm going to get a lot of heat for this comment and perhaps others will want me to explain further in detail (which I would rather not).......

YES.

Any shared environment adds to the risk to every site on the server. This includes shared web host, but also VPS host as well. Does not matter how good you've configured the setup... The risk is there. You can limit the risk, but never to a complete zero (never as good as a dedicated).

Their statement is generally correct, except Apache isn't the root of all evil. They are forgetting MySQL, PHP, WHMCS, Xen, OpenVZ, Cpanel with WHM, and there are other routes one could use to compromise a shared environment.

A complete dedicated environment has the least risk, when properly secured.
Click to expand...
True mate however what I do say dedicated servers aren't fully the most reliable to security unless it's a Xen dedicated with Litespeed or Varnish and CSF. But even the secure servers can be hacked.

Oh and forgot this I recommend you have cloudlinux and cloudflare protection.
 
Title change request.
Is this true about Xenforo security on shared hosting ?

Is this true about forum security on shared hosting ?
 
You must log in or register to reply here.

Similar threads

Saburov
  • Question Question
What should i do about forum security?
Replies
1
Views
542
Jake Bunce
Jake Bunce
Back
Top Bottom