Website security for shared hosting accounts

It seems like everyone likes to save money.

Often times when it comes to hosting websites, that frequently means you select shared hosting.

Shared hosting doesn’t mean that you share the same file system as websites on other hosting accounts. It simply means you share the server.

We’ve been removing malware from websites since 2007 and during our time in this industry there have only been a couple of times that hackers were able to cross over from infecting one hosting account into another.

You see, each shared hosting account has a separate user which separates the file system from one shared hosting account to another. This actually makes shared hosting extremely secure from being infected by another hosting account.

Is Shared Hosting Less Secure?

Despite what many security “experts” and many hosting providers tell you, the road to a more secure environment does not mean that you move to a VPS or dedicated server. More about that in another blog post.

What I do want to educate you on is the need to secure every website on a shared hosting account.

It seems other companies in our industry will sell you security or malware removal services for one website in a shared hosting account with multiple websites.

You may “fall” for this, but please don’t.

Maybe you don’t have the budget to secure all of your websites or to have them serviced for malware so you elect to just secure or service one or two.

This is playing into the hands of the marketing scheme for the security company.

They know all your sites won’t stay clean and malware free and any one of your sites may in fact be the point of entry for the hackers.

They know your sites will continually get infected and you’ll have to call them to get your other sites under their service. That’s why they charge per website.

It’s All About the Decisions You Make

This scenario is the same as if you have your house broken into. You have valuables in one room, so you put bars up on the one window to that room. But due to financial limitations you don’t secure all the other windows.

The next time thieves want to break into your home they simply go through another window, then once inside they go to the room with all the valuables and steal everything.

It’s the same with your shared hosting account. For simplicity, let’s say you have 20 websites on the same shared hosting account.

If hackers find a point of entry on website #2, they have access to all the files on that shared hosting account. By protecting only one site, or only removing malware from one website, you will get re-infected.


Also, if you don’t find out what the original point of entry was, you’ll never get your sites secured.


Login to your control panel on your hosting account and go to File Manager.

If you’re on an account that uses cPanel, open up File Manager and go to the public_html folder. It might look like this:


With File Manger open you’ll see the list of folders. Locate public_html and double-click on that.


Once inside that folder, you can see all the files and more sub-folders. Typically your folder structure will show a list of all the add-on domains you have on your shared hosting account. This view shows what hackers have available to them once they gain access to any of your websites on this account.

If you have 20 websites on this shared hosting account, they can infect them all.

A Typical Scenario

One scenario we see is where they gain access to one site in a shared hosting account and they don’t infect that site, because that will draw attention to it.

They infect, let’s say, websites #3, #4 and #5, whatever they might be.

This way you focus your attention on those websites and maybe pay to have those serviced by a malware removal service that charges per website. Maybe you even pay the extra $$$ to have those 3 websites “protected”.

I’m sure you can already see the direction this is going…


There is no way anyone can protect those 3 websites without including all of the websites on that shared hosting account or cPanel.

No way!

The hackers might continue using the original point of entry, because that website isn’t protected, or scanned for malicious backdoor shells. The hackers could continually infect those 3 sites, even though they’re “protected” because hackers are coming into those sites through the file system. Not from the outside where a web application firewall (WAF) might slow them down a bit.

The website security and website malware removal companies know this, but they’ll take your money for individual sites anyway – knowing that you’ll be back to spend more money after your sites get infected again and again.

Our service covers all the websites on a single shared hosting account with one cPanel for $39.95 a year.

We use one FTP account and we service all of your websites individually and together. Our service also includes: root cause analysis (finding the point of entry), protection and monitoring.

Let me know if you need more information!

Thank you.