Addon Domains. So alluring. Pay $7.43/month, host 67 WordPress sites. It’s a siren song for cash-strapped internet marketers.
Essentially all of the major shared hosting providers offer addon domain schemes – to the point that this is an expected feature of hosting. The gist is: You buy a hosting plan, and you can host large (sometimes unlimited) numbers of domains on it – as long as you fit inside the disk space, bandwidth, and CPU limits set by your host, there’s no problem. Unsurprisingly, people take advantage of this. I know, because we see these servers when we go to clean malicious code off of them. Occasionally we’ll find a server with 1 site on it. Most commonly, it’s somewhere between 2 and 8 sites. Maybe 20% of the time we’ll see somebody with 15-20 sites. And then, once a month or so, we get a whopper. 50 sites. 100 sites. More.
So what’s the big deal? It’s permitted by the host, you’re within your expected limits, so what’s the problem? The problem (ok – one big problem) is Cross Site Contamination. I didn’t know what to call this phenomenon for a long time, and I recently heard Sucuri use that term – it’s fitting. In most cases, when a host sells an “addon domain” (Note: I’m specifically not referring to “reseller” plans, which generally don’t suffer from this), the setup works like this:
Your host has a server (which is just a computer, not *that* unlike the one you work on), which is running special software to partition it into hundreds or thousands of “accounts”. These accounts are segregated from each other, so you can’t access the files on other customers’ sites. However, when you set up an addon domain, this site is going into your account, along with all your other sites. These sites have access to each other – a plugin installed at my site blue-widgets.com could access the files on my site at purple-widgets.com, assuming they’re addon domains on the same account.
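To measure this exposure on your own account, the following Python script (an added example, not part of the original article) walks a hosting account's home directory, finds every WordPress install by its wp-config.php, and groups the installs by owning user. It assumes PHP runs as the account user, as is typical on shared hosts; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile
from collections import defaultdict

# Core directories of an install never hold another site's root; skip them.
PRUNE = {"wp-admin", "wp-includes", "wp-content"}


def find_wp_installs(root):
    """Yield (install_dir, owner_uid) for every wp-config.php under root."""
    for dirpath, dirnames, filenames in os.walk(root):
        if "wp-config.php" in filenames:
            # Addon domains are often nested inside the primary docroot,
            # so keep descending, but not into the bulky core directories.
            dirnames[:] = [d for d in dirnames if d not in PRUNE]
            yield dirpath, os.stat(os.path.join(dirpath, "wp-config.php")).st_uid


def blast_radius(root):
    """Map owner uid -> installs that code running as that uid can modify."""
    groups = defaultdict(list)
    for install, uid in find_wp_installs(root):
        groups[uid].append(install)
    return {uid: sorted(paths) for uid, paths in groups.items()}


def shared_accounts(root):
    """Only the uids where one compromised site exposes other sites too."""
    return {u: p for u, p in blast_radius(root).items() if len(p) > 1}


def build_sample_account():
    """Constructed layout: a primary site with two addon domains nested in it."""
    home = tempfile.mkdtemp(prefix="account-")
    for site in ("public_html", "public_html/blue-widgets.com",
                 "public_html/purple-widgets.com"):
        os.makedirs(os.path.join(home, site, "wp-content", "plugins"))
        with open(os.path.join(home, site, "wp-config.php"), "w") as fh:
            fh.write("<?php // constructed sample\n")
    return home


if __name__ == "__main__":
    home = build_sample_account()
    for uid, installs in shared_accounts(home).items():
        print(f"uid {uid}: {len(installs)} installs share one account")
        for path in installs:
            print("   ", os.path.relpath(path, home))
```

Any uid reported with more than one install is a group of sites that will need to be scanned and cleaned together if any one of them is compromised.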
A few weeks ago we saw what I think was our biggest server ever – 152 WordPress installs. The server hummed along just fine until one day, a hacker managed to find a vulnerable timthumb installation in one of the sites, and used that to switch every single WordPress install on the server to foreign political propaganda. Needless to say, her client (these sites all happened to belong to one client) was not pleased to wake up the next day and see their business websites being used as a platform for these messages.
Because these were all addon domains, every single one got hit. Instead of dealing with the one site with a vulnerability, every single one had to be scanned, cleaned up, and tested. It was a terrible day for her, and them.
Aside from that, we were now tasked with cleaning up a site with 500,000+ files on it. Each one needed to be scanned and vetted, and cleaned up if there was a problem. It took hours to get cleaned up because of the sheer size of the server, and the entire time, she had the client breathing down her neck.
If all of these sites were separated, she’d have had one site infected, and we likely would have had it cleaned up in less than an hour.
You’ve probably guessed where this is going. Everything is fine as long as all of your code plays nice, and only tinkers with files that it’s supposed to. But what happens when a hacker manages to get a backdoor on one site, and that backdoor has access to all of your other sites? I want to make this absolutely clear, so I’ll spell it out: A hacker with access to one domain will infect every addon domain on the server.
Here’s the deal: Your website is inherently insecure. For the majority of sites today, it’s a safe bet that at some point, you’re going to get malicious code. That’s cynical, but it’s true, and you should recognize it. Over time, the likelihood that you’ll forget to upgrade WordPress, or install a plugin that wasn’t vetted properly, or miss an email about a vulnerability discovered in the theme you use goes up. Odds are, you’ll get caught with your pants down at some point.
So, if the odds are that you’re going to experience trouble on any given site, say, once a year (Hypothetically. Don’t quote me as saying that any given site will get hacked once a year), what happens when you have 2 sites that have access to each other? And, each time a hacker hits either one of them, they both get infected? Your sites are now infected twice as often. What happens when you have 20 sites on a server? 100? You end up spending as much time dealing with hacks as you do building your business. This can literally sink you.
You can make sure your sites don’t have access to each other. For most site owners, the best way to do this is to move over to a reseller plan. Reseller plans segregate your sites enough that hackers no longer have ludicrously easy access to every site on the server if they manage to find a hole in any one of them. It’s not a bulletproof solution – if the hacker can break into your host, or they get your main account password, they may still be able to get at all of your sites – but these situations are very rare compared to addon domain cross site contamination.
I thought you’d never ask.
So, there you have it. There are a couple of caveats to this article, but the basics are: If you have lots of websites that you can see when you log in via FTP, you’re playing a risky game.
Have questions about your specific setup? We’d love to talk to you about it. Email us at email@example.com, and we’ll try to get you back on the straight and narrow.