Category Archives: Security

Security Digest – May 25

A targeted security release from cPanel was scheduled to be released on Wednesday (5/20) but was pushed out around 12 hours early due to a critical privilege escalation vulnerability that was discovered in the LiteSpeed cPanel plugin. We had already been made aware of this and uninstalled the plugin in question immediately. It remains uninstalled on all of our servers as a precaution since it is not necessary and rarely used. There were two separate updates to this plugin over a short period, both addressing critical vulnerabilities. Details of the patched cPanel vulnerabilities are not public at this time.

A second cPanel update was released just a day later (5/21) to address vulnerabilities patched in Unbound. Nginx-related updates were also made available but do not impact us. We’ll continue to stay on top of these for you.

Security Digest – May 18

The past several weeks have brought a whirlwind of new security vulnerabilities, many of them critical in nature. While we’ve been posting updates to the notification section within our portal, we wanted to begin posting these here as well, given how frequent they are likely to remain in light of recent AI developments. If you would like to stay up to date on these, you can subscribe to our blog to receive email notifications for any updates. For the most part, though, these have little impact on clients other than an occasional server reboot to get updates fully applied.

cPanel / WHM Authentication Bypass Vulnerability (CVE-2026-41940)

This recent wave was kicked off by the most severe of the vulnerabilities thus far, an authentication bypass vulnerability within cPanel / WHM with a CVSS score of 9.8 out of 10.

Our advanced and extensive monitoring of all servers that we manage helped us to detect and address this well before this vulnerability was public. We first encountered this in the wild on April 8 and confirmed its presence on April 20. We immediately reported this to cPanel and disabled public WHM access to our servers at that time.

cPanel finally released updates to address this vulnerability nine days later, on April 29. We installed these updates as quickly as we could and lifted the WHM access restrictions. Afterwards, it took only a few hours of this being public before we began seeing extensive attempts to exploit this vulnerability. This highlights the necessity of patching these vulnerabilities quickly.

Imunify360 Now Available

We are pleased to announce that the Imunify360 security suite is now installed across all of our servers. We evaluated this product for some time and after an extended period of testing we are very confident in its ability to better protect our servers and our clients.

Security has always been at the forefront of our minds and Imunify360 has helped us to take this to the next level. Here are just a few things that Imunify360 provides:

  • Faster, real-time malware scanning – Each file is scanned almost as quickly as it is written. Malware uploaded via the cPanel file manager can even be blocked in real time.
  • Advanced Web Application Firewall – This helps to stop web application attacks before they even reach your website. From known vulnerabilities to more general protection, the WAF examines all traffic to your website for malicious requests.
  • Proactive Defense – Imunify360 is able to detect and block malicious code in real time as it is being executed. Malicious code is often hidden or fetched remotely and Proactive Defense is able to stop this activity in its tracks before it causes harm.
  • Automatic Cleanup – In many cases, Imunify360 is able to remove injected malware from infected files automatically. This is particularly useful for those moving their sites from another host where they may have been previously compromised.

While many of these functionalities were already present on our servers to a degree, Imunify360 has further improved upon these and added even greater security with a focus on prevention. Preventing issues before they occur allows you to better focus your time and resources where they are needed.

Critical WP Plugin Vulnerabilities – All in One SEO

With more than three million active installs, All in One SEO is a very popular WordPress plugin. Two critical vulnerabilities, one privilege escalation and one SQL injection, were recently discovered in all versions of this plugin from 4.0.0 through 4.1.5.2. We have already seen exploitation of these vulnerabilities on client websites. If you are using this plugin, please urgently make sure that you have updated it to the latest version (4.1.5.3) which addresses these vulnerabilities.

Warning: cPanel Phishing Emails

Please be advised that we’ve been seeing an increase in the number of cPanel phishing emails being reported to us. Phishing emails are those that look like legitimate emails but they often contain malicious links disguised as legitimate ones in an attempt to obtain login information from the recipient.

As an example, below is a redacted copy of an email that one of our clients received just a few days ago.

These emails will include your actual domain name and, at first glance, will look like a legitimate cPanel disk quota notification. The anchor text of the links even correctly points to cPanel URLs on your domain. However, if you hover over those links, you can see in the bottom left corner of the browser that their real target is a third-party phishing website on an unrelated domain. If you were to enter your cPanel login information at that URL, attackers would then have your credentials and could use them for malicious purposes.

The best way to avoid getting phished is to not click on links in emails. Instead, visit cPanel, or whatever service you need, by directly entering the address into your browser. Once you log in, you may find that the details in the email (disk usage in this case) don’t align with reality, which can be a good indicator that this was a phishing attempt. In this particular case, though, the client’s domain was actually quite full, so that alone wasn’t helpful in telling the difference.

If you ever have concerns about the legitimacy of any such email notifications just submit a ticket with the full headers and source of the message and we would be happy to take a look for you. It’s always best, though, to just assume the worst and not click on any of these links. Instead, just enter your desired destination directly in your browser.

Critical WP File Manager Plugin Vulnerability

The WordPress plugin File Manager contains a critical vulnerability that is actively being exploited by attackers to compromise WordPress sites. We saw a handful of these incidents on September 1st as the attacks were just starting to ramp up and a few more since then. Fortunately, in these cases the solution has been relatively simple: restore from a prior backup and delete the plugin.

This particular vulnerability has been present in the plugin since version 6.4, which was released in May. It was patched with the release of 6.9 on September 1st.

Due to the rate at which these attacks were occurring, we have proactively identified every single instance of a vulnerable version of this plugin being used on our servers and have removed it. Since this plugin merely offers a file management interface within the WordPress admin section, removing it doesn’t impact the functionality of the website. Users are welcome to re-install the latest version of this plugin if so desired.

This particular incident does bring an important topic to light, though. It is best practice to use as few plugins as possible, and those that aren’t needed should be deleted, not just deactivated: a deactivated plugin’s files remain on disk and are typically still reachable directly over the web, so a vulnerability in them can be exploited whether or not the plugin is active. There is certainly an argument to be made that a file manager plugin like this should never be installed, but even if you disagree with that, there really isn’t strong justification for keeping a plugin like this installed beyond its intended use. It just allows another possible point of entry for attackers to exploit should a vulnerability be found.
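As an added example (not the Dathorn scanner or any code from these posts), here is a small Python script that does the check described above for File Manager and, earlier on this page, for All in One SEO: it walks a wp-content/plugins directory, reads each plugin’s header the way WordPress does (any top-level .php file whose first 8 KB carries a Plugin Name: header) and flags versions inside the ranges the posts give. The plugin directory names wp-file-manager and all-in-one-seo-pack are assumptions, as is the constructed sample install it scans by default. Because it reads the filesystem rather than asking WordPress, deactivated plugins are reported exactly like active ones.

```python
import re
import tempfile
from pathlib import Path

# Known-vulnerable ranges taken from the posts above, as [first vulnerable, first fixed).
# Keyed by plugin directory name; both slugs are assumptions, not stated on the page.
VULNERABLE_RANGES = {
    "wp-file-manager": ("6.4", "6.9"),            # File Manager: 6.4 up to, not including, 6.9
    "all-in-one-seo-pack": ("4.0.0", "4.1.5.3"),  # All in One SEO: 4.0.0 through 4.1.5.2
}

# Header lines look like "Plugin Name: Foo" or " * Version: 1.2", at the start of a line.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)


def parse_version(text):
    """'4.1.5.2' -> (4, 1, 5, 2); a non-numeric suffix such as '-beta' is dropped."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def read_plugin_header(plugin_dir):
    """Do what WordPress does: the main file is any top-level .php file whose
    first 8 KB carries a 'Plugin Name:' header. Returns (name, version) or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields["Plugin Name"], fields.get("Version", "0")
    return None


def is_vulnerable(slug, version):
    """True when version falls inside the known-bad range for this slug."""
    rng = VULNERABLE_RANGES.get(slug)
    if rng is None:
        return False
    lo, fixed = (parse_version(v) for v in rng)
    return lo <= parse_version(version) < fixed


def scan(plugins_dir):
    """Inventory a plugins directory from disk. Active and deactivated plugins are
    treated alike: a deactivated plugin's files are still present and reachable.
    Returns [(slug, name, version, vulnerable), ...] sorted by slug."""
    results = []
    for entry in sorted(Path(plugins_dir).iterdir()):
        if entry.is_dir():
            header = read_plugin_header(entry)
            if header:
                name, version = header
                results.append((entry.name, name, version, is_vulnerable(entry.name, version)))
    return results


def build_sample_install(root):
    """Constructed sample plugins directory (not a real install): headers in the
    two comment styles WordPress accepts, one vulnerable and two clean versions."""
    samples = {
        "wp-file-manager/file-manager.php":
            "<?php\n/*\nPlugin Name: File Manager\nVersion: 6.8\n*/\n",
        "all-in-one-seo-pack/all_in_one_seo_pack.php":
            "<?php\n/**\n * Plugin Name: All in One SEO\n * Version: 4.1.5.3\n */\n",
        "hello-dolly/hello.php":
            "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/\n",
    }
    for rel, body in samples.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
    return Path(root)


def scan_sample():
    """Build the constructed install in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_sample_install(tmp))


if __name__ == "__main__":
    # Real use: python3 wp_plugin_scan.py /path/to/public_html/wp-content/plugins
    import sys
    rows = scan(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for slug, name, version, vulnerable in rows:
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {slug:24} {name} {version}")
```

Point it at each account’s wp-content/plugins directory and anything reported VULNERABLE is a plugin to delete or update; extend VULNERABLE_RANGES as new advisories arrive. The version comparison is numeric per dotted field, which is what the two ranges on this page need, so 6.8.1 sorts below 6.9 and 4.1.5.2 below 4.1.5.3.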

Please keep this in mind as you continue to develop and secure your WordPress instances. If we can help in any way, please drop us a ticket and we’ll be happy to do so.

Beta: Dathorn WordPress Scanner

WordPress is not only the most popular script that we host, it is also the one most frequently targeted by attackers. While critical vulnerabilities in the WordPress core are relatively rare, they are fairly common in plugins and themes. It is important that these items are always kept updated to help prevent a compromise.

This can be a confusing process because the WP admin interface may not accurately reflect certain situations. For example, if you’ve installed a plugin or theme from outside the WordPress repository, the admin interface may never show an update as available even when a newer version exists. It also doesn’t warn when something hasn’t received an update in a long while, which is a sign it may no longer be actively maintained. Both scenarios require special attention but are easily overlooked.

Further, if a WordPress site is compromised due to a vulnerability, it can be very difficult to get the site back online in a secure state. Typically, we recommend a complete fresh re-install because there is no easy way to tell what attackers may have modified or left behind. Last-modified dates on files can’t even be trusted once an account has been compromised.

Hardware Upgrades Complete!

Our goal is to provide the best performing, most reliable service that we can and a lot of this comes down to the hardware that we use. Newer hardware can easily provide performance benefits but proper deployment of it is crucial as far as reliability and security is concerned. We always try to avoid any service interruption whenever possible and building redundancies into our infrastructure has allowed us to do this more easily.

Over the past five months, we’ve been working diligently to overhaul our entire hosting infrastructure. The individual server upgrades were a big part of this process and these were all completed by the end of July. Behind the scenes, though, our work has gone far beyond just the server upgrades. We’ve also upgraded every other piece of hardware that has a role in providing our services. All switches, power distribution, and even cabling have received upgrades in some form or another.

  • Switches – All of our public and private network switches have been replaced which provides greater performance and continued security updates. This was done without impacting any services and zero downtime on our public network. Our private network has received an even bigger overhaul with it now being entirely 10G, allowing for even better backup performance.
  • Power Distribution – All of our in-rack PDUs have been replaced with new zero-U PDUs. This has saved at least 4U per cabinet and cleaned them up considerably. The new PDUs also have additional control and monitoring features. Because all of our gear has redundant power, we were able to swap these out without any power loss or downtime.
  • Cabling – As a result of the PDU changes, we wanted to re-cable everything to clean it up and allow for even better airflow. New slim Cat6A cables handle 1G connectivity and most 10G connectivity is over DAC.

Many other items were upgraded over these past few months as well. I just wanted to provide a brief look behind the scenes here that you wouldn’t otherwise know about. We’re very focused on providing the best service possible and our continual hardware upgrades play a large role in this.

Forcing HTTPS Connectivity

Once you have an SSL certificate installed, it is good standard practice to make sure that all requests on your website use HTTPS. Our last post concerning mixed content covered one aspect of this. One other important element, which we’ll discuss here, is to force HTTP requests to use HTTPS instead. This way, if someone tries to visit your site via http://domain.com the request will be redirected to https://domain.com.

There are many different ways to accomplish this but if you’re using something like WordPress, for example, you might want to see if the functionality is built-in or if a plugin is available that could make this process easier. In this case, the Really Simple SSL plugin for WordPress is a great option and can even correct mixed content issues automatically.

Another common and easy way to handle this is by adding a simple mod_rewrite rule to your site’s .htaccess file. There are many perfectly valid variations of these rules that get the desired result. A good generic option, with the flags spelled out so the redirect is permanent (301, which browsers and search engines cache) and rule processing stops there, is:

# Send every plain-HTTP request to the same host, path and query string over HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !on
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

%{REQUEST_URI} carries the path, and mod_rewrite appends the original query string by itself, so nothing is lost in the redirect. One caveat: if your site sits behind a CDN or proxy that terminates TLS for you, %{HTTPS} is "off" on the back end even for HTTPS visitors and this rule would redirect forever; in that setup the condition has to test the proxy’s forwarded-protocol header (%{HTTP:X-Forwarded-Proto}) instead.
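As an added example rather than anything from the post, the following Python script checks that a site’s redirect actually does what the rule above intends. verify_redirect() judges one response: it wants a permanent redirect whose Location is https, on the same host, with path and query string preserved (the things that go wrong when a rule drops %{REQUEST_URI} or hard-codes a hostname). fetch_redirect() makes the plain-HTTP request without following redirects so you see the first hop rather than the final page. The responses in SAMPLE_RESPONSES are constructed for illustration, not captured from any real server.

```python
import http.client
import sys
from urllib.parse import urlparse


def verify_redirect(request_url, status, location):
    """Judge one HTTP -> HTTPS redirect response. Returns a list of problems;
    an empty list means the redirect does what the .htaccess rule intends."""
    req = urlparse(request_url)
    if status not in (301, 302, 307, 308):
        return [f"expected a redirect, got HTTP {status}"]
    problems = []
    if status in (302, 307):
        # Works, but clients will not cache it; 301 (or 308) is what you want here.
        problems.append(f"HTTP {status} is a temporary redirect; use 301 or 308")
    if not location:
        return problems + ["redirect carries no Location header"]
    loc = urlparse(location)
    if loc.scheme != "https":
        problems.append(f"Location is not https: {location}")
    if (loc.hostname or "").lower() != (req.hostname or "").lower():
        problems.append(f"host changed from {req.hostname} to {loc.hostname}")
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        # %{REQUEST_URI} plus the automatically appended query string should keep both.
        problems.append(f"path or query string not preserved: {request_url} -> {location}")
    return problems


def fetch_redirect(url, timeout=5):
    """Make one plain-HTTP request without following redirects (urllib would follow
    them silently) and return (status, Location header)."""
    u = urlparse(url)
    target = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", target, headers={"Host": u.netloc})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed (request URL, status, Location) triples: one correct redirect, one that
# stays on http, one that hops to a different hostname, and one with no redirect at all.
SAMPLE_RESPONSES = [
    ("http://example.com/docs/?page=2", 301, "https://example.com/docs/?page=2"),
    ("http://example.com/docs/", 302, "http://example.com/docs/"),
    ("http://example.com/", 301, "https://www.example.com/"),
    ("http://example.com/a?x=1", 200, None),
]


def check_samples():
    """Verdict for each constructed response, keyed by the request URL."""
    return {url: verify_redirect(url, status, loc) for url, status, loc in SAMPLE_RESPONSES}


if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python3 check_redirect.py http://yourdomain.example/page?x=1
        status, loc = fetch_redirect(sys.argv[1])
        print(status, loc, verify_redirect(sys.argv[1], status, loc) or "OK")
    else:
        for url, problems in check_samples().items():
            print(url, "->", problems or "OK")
```

Run it with a plain-HTTP URL on your own domain, ideally one with a path and a query string, after adding the rule; an empty problem list means the first hop is a cacheable redirect to the same resource over HTTPS. A redirect to www when you asked for the bare host (or the reverse) is reported as a host change, which is fine if that canonicalisation is intended, but it is worth knowing that it happens in the same hop.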
