Understanding account vulnerabilities
Find out why outdated software leaves your website open to attack and what Kualo does to help keep your account secure.
Keeping your website secure is one of the most important things you can do as a site owner. This article explains why vulnerabilities exist, what you should do regularly to stay protected, and how Kualo helps safeguard your account.
Why are websites vulnerable to attack?
A large proportion of our customers use CMS applications such as WordPress or Joomla, or shopping cart systems such as Magento or PrestaShop. Whilst it may not be apparent to end users, there is a constant arms race under way. Hackers and spammers are continually looking for new ways to exploit these applications to gain access to the underlying hosting service. Developers, in turn, are constantly releasing security fixes to counter these attacks and close any holes that are found.
You may be wondering: "How can I protect my website from such attacks?"
The answer is actually very simple: "Update, update, update!"
The moment you let the software powering your website fall behind the latest version, you lose the security patches the developer is shipping, and your site becomes vulnerable. Your number one priority is always to run the latest version of whatever software powers your site.
This applies equally to any plugins, themes, extensions, or add-on software you have installed. Even a fully updated WordPress installation can be vulnerable if it is using an outdated theme or plugin.
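To see why plugins and themes need the same attention as the core, the following added example (not Kualo's tooling and not part of the original article) reads the version that WordPress core, each plugin and each theme declare on disk and flags anything behind a list of latest releases. The `example-forms` and `example-theme` names, the file contents and the `latest` versions are constructed sample data; in practice you would fill `latest` from each project's release page.

```python
import re
import tempfile
from pathlib import Path

# Plugins and themes declare "Version: x.y.z" in a header comment;
# core declares $wp_version in wp-includes/version.php.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def version_key(v):
    """Numeric key: '2.10.0' sorts above '2.9.1', and '1.4' equals '1.4.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def installed_versions(root):
    """Map component name -> version string found under a WordPress root."""
    root, found = Path(root), {}
    core = root / "wp-includes" / "version.php"
    if core.is_file():
        m = CORE_RE.search(core.read_text(errors="replace"))
        if m:
            found["core"] = m.group(1)
    for kind, pattern in (("plugin", "plugins/*/*.php"), ("theme", "themes/*/style.css")):
        for path in sorted((root / "wp-content").glob(pattern)):
            m = HEADER_RE.search(path.read_text(errors="replace")[:8192])
            if m:
                found.setdefault(f"{kind}:{path.parent.name}", m.group(1))
    return found

def outdated(found, latest):
    """Return {name: (installed, latest)} for components behind the latest release."""
    return {n: (v, latest[n]) for n, v in found.items()
            if n in latest and version_key(v) < version_key(latest[n])}

def demo():
    # Constructed sample site: core and theme are current, one plugin is behind.
    files = {
        "wp-includes/version.php": "<?php\n$wp_version = '6.4.10';\n",
        "wp-content/plugins/example-forms/example-forms.php":
            "<?php\n/*\n * Plugin Name: Example Forms\n * Version: 2.9.1\n */\n",
        "wp-content/themes/example-theme/style.css":
            "/*\nTheme Name: Example Theme\nVersion: 1.4\n*/\n",
    }
    latest = {"core": "6.4.10", "plugin:example-forms": "2.10.0", "theme:example-theme": "1.4.0"}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(body)
        return outdated(installed_versions(tmp), latest)
```

Calling `demo()` reports only the plugin: the core is fully up to date, yet the site still carries an outdated component.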
Why should this matter to me?
A compromised site puts you and your visitors at risk, and can cause wider problems for the hosting infrastructure. If a vulnerability in your code is exploited, hackers will generally look to:
- Insert malware or a virus on your website that could be passed on to your visitors.
- Install hidden pages to create phishing content - for example, fake online banking login pages used to harvest credentials.
- Gain access to the server to send spam. If spam is sent from the server, your domain or the server itself can be blacklisted, causing email deliverability problems for your legitimate messages.
- Add unwanted links on your site - insecure sites often end up with links to harmful or inappropriate content.
- Use the server as a base to attack other networks, websites, or servers.
These are just a few examples; hackers may exploit your site for many other malicious purposes.
If a site is compromised, the cleanup can be extremely arduous - especially if it goes unnoticed for a long time and there are no recent clean backups to restore from. Often the only way to fully recover is to re-upload your entire site from scratch. All of this takes significant time and effort, and if you are not doing it yourself, it can be costly to have a developer put things right.
Can I automate my script updates?
Absolutely. If your application was installed using Softaculous, you can configure it to update automatically whenever a new version is released. For some applications, such as WordPress, Softaculous can also update plugins and themes automatically. For details on how to set this up, see the article on configuring software auto-updates.
WP Toolkit, available in cPanel, also lets you manage and automate WordPress updates, including plugins and themes, from a single dashboard.
What is Kualo doing to help?
We appreciate that not everyone gets around to updating their site or setting up automatic updates. Most people simply are not aware that their site is vulnerable if they do not keep things current. In a recent audit of our servers, over 65% of accounts contained outdated applications - meaning thousands of websites were open to attack.
We decided it was important to take a proactive approach to ensure that your website and our servers stay safe. When your site is hosted with Kualo, if you install a commonly used web application such as WordPress, Joomla, or Drupal, we will automatically notify you when an update is required. If we find a specific vulnerability in your application, we will also send you an email identifying the vulnerability and the specific file affected.
With certain applications, we will even patch the vulnerability automatically to ensure no harm can be caused by it.
Will patching my site cause it to break?
This is where the real magic happens. Rather than automatically updating your entire site, our patching system targets only the specific files that are vulnerable. We take the security patches from the latest version of the application or plugin and back-port them so they work fully with the version you currently have installed. The patch is applied safely, without affecting the rest of your website.
This patching system helps ensure that sites hosted with Kualo are protected from a large number of known vulnerabilities.
If you are patching my site, do I still need to update?
Yes - we still recommend you update your software, as there may be some vulnerabilities we cannot detect or patch. Think of the patch as a plaster. It fixes most of the immediate problems, but in the long term you want your site running natively on the latest version of its software. This keeps your site secure and gives you access to all the new features the developer is shipping beyond just security fixes.
What if you find malware on my site?
If your site is up to date and patched, the chances of a malware infection are very low. However, hackers and spammers are always looking for new ways in, so even if you have been vigilant, malware can still appear. In addition to scanning for outdated software and known vulnerabilities, we also scan for known malware using Imunify360 and Patchman. If malware is found, it will be quarantined so it can do no further damage. You will receive an email from us whenever this happens, and at that point we would normally suggest you examine the site for any other signs of compromise and check that everything that needs updating has been updated.
The fight against hackers and spammers is a long one and constantly evolving. With automated notifications, security patching, and malware removal, your Kualo hosting account is about as secure as things get. Get in touch with us if you have any questions.