Sucuri Blog

Website Security News

What is cross-contamination?

What is Cross-Site Contamination?

How many websites do you currently have on your server? If the answer is something along the lines of,  “One that I really care about, some older ones that I don’t really use, and maybe a dev site that could be live…” then you might want to familiarize yourself with the concept of cross-site contamination.

What Is Cross-Site Contamination?

Babies in daycare are more prone to picking up germs than babies who stay home most of the day. Why is that? Well, one baby gets sick and spreads the virus around to the other babies who are in the general vicinity. The same general concept applies to websites.

If a website gets hacked, it might spread the infection to the other websites on the same server.

The biggest danger is not the website that people care about, the one that gets all the attention. The website that has been monitored and updated daily is usually the healthy kid. However, remember the old, neglected websites which are not being updated and use admin as a password? These are the sick kids that can pose a significant risk to other neighboring sites.

The Danger of Shared Servers

Some hosting companies offer shared servers with unlimited domains. And people like to hear the word unlimited and take advantage of this offering, adding a few sites here and there. One might even have a mytestsite.com for trying new themes and plugins.

Years go by and you forgot about that test website which has WordPress plugins that have been removed from the official WordPress repository for (surprise!) containing a serious security vulnerability.

Next thing, your primary website is hacked, and why? You have always taken good care of it. There are no outdated plugins or themes. What happened? Cross-site contamination could be the answer.

Automatic Hacks and Attacks

Blackhat hackers waste no time in finding and exploiting plugin vulnerabilities. You might be wondering why my site? Well, the great majority of attacks are automated and malicious actors are not picky. They go after any website vulnerability. Cybercriminals look for any potential attack vectors, including:

  • Older CMS versions
  • Vulnerable/outdated plugins and themes
  • Weak passwords

The bad guys have a full arsenal of tools to brute force a website with weak passwords. In this short video, we show how easy it is to break into a website by using dictionary attacks:

In our previous example, mymoneysite.com was following website security best practices and hackers could not get ahold of it. However, mytestsite.com has many weak access points — and now the site is hacked. You wouldn’t worry about a test site, would you?

My Site Was Hacked

Well, now your money site is also hacked and blacklisted. The way you find out about it is not so pleasant. Your website users have emailed complaining that mymoneysite.com is showing a warning: “This site may harm your computer.” You type the URL and see the same surprising warning. The website is hacked.

How did that happen? When someone forgets to apply good website security principles to all websites on a shared account, any vulnerable website can compromise the whole account, infecting all websites in it.

Once a bad actor gets on the server, they can introduce all kinds of malicious code, from backdoors to phishing kits. In some cases the malware will operate like any other virus — it replicates itself, getting inserted into every website file it finds.

This includes spreading across the available directories to the user, so any parent and sub-directory can end up having malware placed in it, so long as the user has the proper file/group permissions.

Making Cross-site Contamination Less Likely

We have two pieces of advice on how to prevent cross-site contamination from happening. The first, is having an exclusive account for each website, which can get a bit expensive. The other is applying good website security principles to all websites in a shared account.

One of the most effective barriers against website attacks and hacks is having a website firewall active in front of all your websites. A website firewall is an invisible barrier that filters out all malicious traffic and virtually patches your website, even when you cannot keep it updated.

The problem with  not cleaning up all websites in a shared account is that even if your moneywebsite.com is clean and the other ones aren’t, the clean website will be reinfected. Attackers don’t care how important a site is to you, they just want an access point.

It’s unfortunate, but here at Sucuri, we see cross-site contamination happening all the time. One of the first things we do before starting to clean up a hacked website is scan the server for software versions and known vulnerabilities. We often find many outdated CMS installations alongside one another, making them prime targets for cross-site contamination.

Server Checklist

When checking your server, follow this checklist:

  • Uninstall test installations, plugins, and themes that you no longer use
  • Delete old websites on the same server that you don’t use
  • Check if you have any compromised websites on your server with  our free malware scanner.

To sum it up, only keep the minimum necessary files, themes, and plugins that allow your site to function perfectly. Everything else should be disabled or moved to a separate server. While you can never say your risk is zero it doesn’t mean you can’t work to reduce it. If you are looking for a complete website security solution, we have you covered.

About Juliana Lewis

Juliana is a brand evangelist and a localization specialist at Sucuri. She is very passionate about technology, foreign languages, and books. Follow her ​o​n Twitter at @julianadflewis.

Reader Interactions