In our constant endeavour to improve our Shared Hosting infrastructure, we have made a few changes to keep it safe from security vulnerabilities.
Some of the changes we have made are listed below:
* PHP upgrades: One of the recent improvements we are planning is to reduce the number of vulnerabilities on our servers caused by older versions of PHP. For the benefit of our customers and their applications, we have been supporting older versions of PHP that even the PHP community stopped supporting long ago (reference). Having said this, we will be implementing the following changes to increase the level of security:
  * Deprecate the oldest PHP versions, 5.2 and 5.3, from our servers. These versions have shown the highest number of vulnerabilities and insecurities over the last few years. Any website running on these versions will be upgraded to versions 5.4 and above.
  * For websites running on PHP versions below 7.1, we will upgrade our customer websites to the highest possible version of PHP that satisfies our compatibility tests. If all our tests fail, the original PHP version will be retained for the websites.
  * We have enabled the latest stable PHP version, 7.4, on our servers so that you can select PHP 7.4 for your websites from the MultiPHP Manager inside the cPanel dashboard.
* cPanel Terminal UI: Terminal UI is a web shell and an SSH client which can be accessed locally without spending additional resources on the server. In order to mitigate the risk and provide better security as well as performance, we have disabled this option inside cPanel. You can use any SSH client, such as PuTTY or OpenSSH, to access cPanel accounts via an SSH terminal.
* Cloudflare Plugin: We have disabled the Cloudflare plugin inside the cPanel interface. You can manage your DNS records with Cloudflare by accessing their portal.
* Catch-all email addresses: The Default E-Mail/Catch-All feature has been disabled by default for all shared accounts due to spam and security concerns. Although it is not advised, customers can enable this option for Reseller accounts by enabling it in the Feature Manager option in the WHM panel.
* Webmail login URL: We have configured Apache so that reverse proxy connections are handled by Nginx+ to serve web pages in an accelerated manner. As a result, webmail can be accessed using https://domain.com/webmail instead of the proxy subdomain URL https://webmail.domain.com. Additionally, please ensure that you select "If you are not behind a firewall that blocks port 2096, Enter Here" when you access the webmail. Refer to the image below for more details.
* Multiple shared IP addresses: In order to mitigate the DDoS risk associated with a single shared IP address, cPanel has a feature that lets us enable multiple shared IP addresses on the server. One of the shared IP addresses configured on the server will be assigned to each cPanel account. For shared accounts, subdomains and addon domains use the same IP address as the primary cPanel account, whereas in Reseller accounts each cPanel account under the reseller user may not have the same IP address. You can identify the IP address assigned to a cPanel account from the WHM > List Accounts section.
* TLS version: According to the PCI Data Security Standard, TLS 1.0 and 1.1 are out-of-date protocols and contain security vulnerabilities. To enhance security, we have now deprecated TLS 1.0 and 1.1 for all essential services running on the server and made TLS 1.2 available.
Applications which do not have the latest update and do not use TLS 1.2 will see an error message similar to: "your server does not support the connection encryption type you have specified". It is recommended to disable TLS 1.0 and TLS 1.1 at the operating system level as well.
All the aforementioned updates are carried out meticulously to meet the requirements of the various client applications which require the latest yet secure versions of software on the server. We hope these changes will continue our efforts to provide a better hosting experience for all our clients.
If you need more information about how these changes will affect you, you can reach out to our Support teams to help you make the right decision.