Website hacked, cpanel password not encrypted?
Yesterday I found out that all the websites that are hosted on my webhosting site were hacked. I tried to change my password, and unbelievably, I COULD SEE my password there. This means my password is able to be decrypted.
I asked customer support, and they say it's normal, cPanel saves the password like that. Is it true? I mean, is a cPanel password able to be decrypted?
They blame me because my WordPress version is out of date. But 2 of my websites are on different platforms. One made by CI and one by WordPress, and all are hacked.
Is this hosting reliable?
More posts by @Phylliss660
2 Comments
It's most likely a vulnerability in a plugin installed on one of your domains. Your theme could even be using a vulnerable version of timthumb.php. Most reputable hosts scan for vulnerable versions of this file and notify you of it being updated.
Hostmonster.com makes you set a very lengthy and strict password with both upper case, lower case and special characters. Clear text passwords shouldn't be stored anyplace; it's bad security for your host to be allowing that.
That said, it's most likely your WordPress sites which were vulnerable and now affected. You should download the entire file system from one WordPress site, then re-install WordPress with a fresh copy. Do the same with all the plugins, then compare files. You may find some extra .php files on your backup which could be backdoors into your system.
There are a few entries which could have been added to your wp_options table. At the least, some base64 code in your index files. After determining that your core WordPress files and plugins have been updated to the latest versions and that no other PHP files are on your site (including checking hidden directories and files beginning with periods (.)), and making sure no new entries in your db were made, change all your passwords: MySQL, FTP, control panel, email, WP logins, etc. Then scan your local PC for any malware.
Install WP File monitor, it'll notify you next time any files are changed.
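The file comparison described in the answer above, as an added example that is not part of the original thread: it hashes a fresh copy and the downloaded site, then lists files that are extra, modified, or contain an obfuscated `eval`. The function names, directory layout, sample files and the regex heuristic are assumptions made for illustration.

```python
import hashlib, os, re, tempfile

# Heuristic for the "base64 code" the answer mentions (an assumption, not a full signature set).
OBFUSCATED = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def file_map(root):
    """Relative path -> SHA-256 of contents; os.walk also descends into dot-directories."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                result[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return result

def compare(clean_root, live_root):
    """Report files in the live copy that are extra, modified, or contain obfuscated eval."""
    clean, live = file_map(clean_root), file_map(live_root)
    report = {"extra": [], "modified": [], "obfuscated": []}
    for rel in sorted(live):
        if rel not in clean:
            report["extra"].append(rel)
        elif live[rel] != clean[rel]:
            report["modified"].append(rel)
        with open(os.path.join(live_root, rel), "rb") as fh:
            if OBFUSCATED.search(fh.read()):
                report["obfuscated"].append(rel)
    return report

def write(root, rel, data):
    """Helper for the constructed sample trees below."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: a clean tree and a copy with one injected and one added file."""
    marker = b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n"  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = os.path.join(tmp, "clean"), os.path.join(tmp, "live")
        for root in (clean, live):
            write(root, "index.php", b"<?php require 'wp-blog-header.php';\n")
            write(root, os.path.join("wp-includes", "version.php"), b"<?php // constructed\n")
        write(live, "index.php", marker + b"<?php require 'wp-blog-header.php';\n")
        write(live, os.path.join(".cache", "x.php"), marker)
        return compare(clean, live)

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Against a real site, pass the unpacked fresh WordPress copy as `clean_root` and the downloaded site as `live_root`; `wp-config.php`, `.htaccess` and everything under `wp-content/uploads` are not in a fresh copy, so they show up as extra and need a manual look.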
This is a question that only you can answer.
If your web-hosting provider and their choice of control panel is returning your password in plain text formatting, it would suggest that they don't take the security of their platform seriously.
Typically, a good hosting provider will provide security in depth. That is, multiple layers of security ranging from one-way hashed passwords at the storage level, all the way up to access controls and procedures for staff members on who and how passwords can be reset.
If your hosting provider is returning a plain-text password and failing at the first step of one-way hashing passwords, you need to weigh up if your hosting provider is worth it or not and consider if they take the security of their platform seriously.