Why Subdomain Hosting Is Bad

As I’m browsing around various personal websites and forums I see people offering up space on their domains for those who can’t/won’t buy ‘proper’ hosting for one reason or another, and every time I see these offers I cringe. I cringe at the naivety of these trusting website owners, and at the lack of published guidelines when it comes to hosting.

By “published guidelines” I don’t mean “1. you must stalk me on AIM!! 2. you must be my bestest friend EVER!”, I mean real guidelines and advice for potential ‘hosts’ to consider. Many of these unknowing individuals aren’t aware of the risks they’re putting both their own websites and, potentially, other online accounts under.

For starters, most actual hosts provide packages with the assumption that they’ll be used by one person. After all, they sell reseller packages, so why use a shared hosting package if you’re providing hosting to friends? This means that the person who paid for the hosting is solely responsible: if your ‘hostee’ infringes on a person’s intellectual rights, direct links or is generally abusive to somebody via their subdomain, YOU, the website ‘hoster’, will be the one suffering. Depending on the host this can be anything from a written warning to complete cancellation of your hosting account.

How many people have different passwords for every different site they visit? If you answered yes to that, was it because you really do, or was it because you know you should but can’t be bothered? If you answered no, or answered yes but not really: hello, welcome to a huge percentage of the Internet population. The problem is, passwords reused across multiple sites are not just a security risk because of people guessing your password; they are also a security risk if you offer subdomain hosting.

A malicious hostee only has to play around with <?php include('home/your-username/public_html/wp-config.php'); ?> or <?php $f = file('wp-config.php'); print_r($f); ?> (assuming that’s the right WordPress path) or the direct path to any other script configuration file, and bye bye goes your supposedly secret password and possibly your MySQL databases/WP install/entire website. This is the same level of complete non-security that Amelie had when she left her password in a public script. You could be putting all manner of accounts (forums, online banking, etc) in the hands of a stranger.

The moral of this story? Don’t offer subdomain hosting if you don’t know what you’re doing, or don’t know and trust the person you’re offering the hosting to. Alternatively, have the common sense to keep your script passwords different from everything else and change them regularly. Make sure you keep files containing sensitive information CHMODed to the lowest you can go without breaking the script too — 600 is usually safe.
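
The CHMOD advice above can be checked mechanically. This added example (not part of the original post) walks a web root, flags credential files whose mode is looser than 600, and also flags the case chmod cannot fix: a config file owned by the same Unix user as a hostee's folder. The file-name list, the function names and the idea that a hostee's scripts run as the owner of the hostee's folder are assumptions of the example.

```python
import os
import stat
import tempfile

# Assumed list of credential-bearing file names; extend it for your own scripts.
SENSITIVE_NAMES = {"wp-config.php", "config.php"}

def audit(docroot, hostee_dirs=()):
    """Return [(path, octal_mode, [problems])] for sensitive files under docroot."""
    # Assumption: each hostee's scripts run as the owner of the hostee's folder.
    hostee_uids = {os.stat(d).st_uid for d in hostee_dirs}
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if name not in SENSITIVE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            mode = stat.S_IMODE(st.st_mode)
            problems = []
            if mode & 0o077:
                problems.append("group/other bits set; tighten to 600")
            if st.st_uid in hostee_uids:
                # Permission bits cannot separate two sites that share one uid.
                problems.append("owner uid is shared with a hostee; 600 does not isolate")
            findings.append((path, oct(mode), problems))
    return findings

def demo():
    """Build a constructed docroot and audit it before and after chmod 600."""
    with tempfile.TemporaryDirectory() as root:
        hostee = os.path.join(root, "hostee")  # constructed subdomain folder
        os.mkdir(hostee)
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w") as fh:
            fh.write("<?php // constructed sample, no real credentials\n")
        os.chmod(cfg, 0o644)
        before = audit(root, [hostee])
        os.chmod(cfg, 0o600)
        after = audit(root, [hostee])
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        for path, mode, problems in result:
            print(label, os.path.basename(path), mode, problems)
```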

31 comments so far

  1. Amelie said:
    On 20 Jul at 12:31 pm

    All my script passwords and such are random. Every time I want to login or the cookie’s expired I have to look up what the password is… Ho hum.

  2. Jordie said:
    On 20 Jul at 2:16 pm

    I miss my domain now.

  3. Anne said:
    On 20 Jul at 2:39 pm

    Good point you have! Thanks for the warning! I do subdomain hosting (shame on me) because it brings in a little money if someone takes me up on it. So far, just one has. This girl I’m acquainted with on a Christian girls’ forum, so she’ll be all right. *goes to change passwords*

  4. Erik said:
    On 20 Jul at 2:51 pm

    I gave up trying to make a comment Jem, due to your input error. Couldn’t find any reference I made that has anything to do with ****, ****, or ****, tho. Make list over words you don’t approve. Easier to make a comment that way

  5. Becky said:
    On 20 Jul at 5:13 pm

    I’ve never actually owned my own space, I know, I know bad Becky (but I never had the money to buy my own space… until recently :D). As such I don’t fool around with the space I use for free. This includes hosting anyone I don’t know. I’ve hosted close on/offline friends in the past but never any random person. And I’m a good little girl, my script passwords are different from my CP password and other passwords (forums, e-mail, etc.). I’m not so great with keeping my other passwords different though :|

  6. Amber said:
    On 20 Jul at 5:13 pm

    I have two passwords that I use all around the web; it varies. If I forget my password it can only be one of two things. Both a godsend and a curse. It means I will never forget a password but it means once you know my passwords you can access everything. Fortunately for me I am a subdomain hostee not a domain owner offering hosting. I am, however, a perfectly trustworthy person (yeah right) and have no intention of seeing my host’s details!

  7. Mira said:
    On 20 Jul at 7:50 pm

    Guilty as charged. I use the same password all the time for message boards and similar. I don’t really want to bother. But I use different passwords for more important stuff, such as websites and e-mail.

  8. Chans said:
    On 20 Jul at 9:49 pm

    I use a few different passwords on message boards and such, but even though I only have to pick out of a few passwords I still need to write them down in a little notebook, I keep forgetting what I used where unless I use it a lot. For scripts and things I use completely different passwords though. Good you pointed out the dangers of subdomain hosting, I would have never thought of those things.

  9. banshee said:
    On 20 Jul at 10:36 pm

    When I create a subdomain login & password for my hostees it only allows them access to their folder. They can’t go up a level to /public_html/ – they can only modify/add/remove files in their own sub-folder. Forgive my ignorance, but how can they get access to one of my files in /public_html/ and edit them? (I’m not being rude, I genuinely want to know if any of my files are at risk!)

  10. Stephanie said:
    On 20 Jul at 11:14 pm

    Even if it’s dangerous for the hoster, being hosted is really helpful if you can’t afford to pay for a domain because you can get some of the benefits of having a domain without paying for one.

  11. Stephanie said:
    On 20 Jul at 11:16 pm

    Wait..don’t you host Rosemarie (http://sillyish.jemjabella.co.uk)? Have you found some loophole that makes it safe for you to host? Sorry for posting twice. I remembered this after I posted my last comment.

  12. Julie said:
    On 20 Jul at 11:40 pm

    It’s also not a good thing when you say every two weeks that you’re thinking about closing down so that your hostees should start looking for another host. I used to have one like that. I currently use 8 or 9 different passwords, but then again I don’t have a domain. @Stephanie: I think the ending of Jem’s post is important, where she mentions knowing and trusting the person.

  13. Gemma said:
    On 21 Jul at 12:23 am

    I’ve never hosted anyone since I only have one FTP account, even though I’ve got far more space than I can possibly use myself. My hosting company is strange: big on the space, less on the basic functionality. I dread to think what state my site is in re. security. I know it survived at least one hacking attempt which I traced, fascinated, through my log files. Sometimes I wonder if hackers just aren’t interested in breaking ASP scripts – don’t know whether to feel proud or snubbed :)

  14. Amelie said:
    On 21 Jul at 1:50 am

    @Stephanie: Jem doesn’t host Rose any more – Rose has her own domain now :P

  15. Carina said:
    On 21 Jul at 4:20 am

    All my passwords for ‘config.php’s are just…. things like ‘cheese’ and ‘house’. I never put my actual passwords. I used to host, and it was okay, I met 1 or 2 cool people by hosting but I hate being hosted, you know? I feel like I have no control. I usually like to play around with PHP scripts, ’cause I’m a newbie and I’m learning and when I screw up the whole thing I have to contact my host… and it sucks. I have free time now and I screw something up, so I can’t work until my host fixes the problem. It really sucks.

  16. Belinda said:
    On 21 Jul at 5:24 am

    I was a hostee once and I was pretty sure that my host (as the password to my space was given by her) was playing around with my files… I left as soon as I could. I wasn’t aware that hostees themselves could pose such a threat though. Thanks for the heads up.

  17. Ruthann said:
    On 21 Jul at 6:06 am

    I know what you’re talking about, I own my own domain and have people always asking me, will you host? I always tell them no I don’t have enough space but I really don’t like giving them access to my personal stuff. It’s like asking someone to come ruin all of your files. I guess you should only host if you personally know and trust someone but they can still cause problems.

  18. Vera said:
    On 21 Jul at 8:56 am

    *sighs* Yes, well it’s all nice and fine for you to say that… but some of us truly can’t afford a domain and hosting space. I guess there are always malicious people… still I’m ever so grateful to my host. I even feel bad I’m not giving her anything in exchange.

  19. Amanda said:
    On 21 Jul at 9:02 am

    While I wouldn’t say I’m paranoid about getting hacked, I think subconsciously, that’s why I don’t have hosting open at my site…I offer it to people I know and trust of course, but not to randoms. Bad randoms, bad! *waggles finger*

  20. Lynn said:
    On 21 Jul at 9:22 am

    Hmm. I’ve been hosted before – when I first got on and I was trying to get used to coding and whatnot, but that was on my boyfriend’s server. After that, I bounced around pick-me, until I got annoyed and just bought my own domain, figuring I’d figure out coding and stuff on my own space. I don’t think I’ve ever gone to a subdomain after that, unless it was a subdomain on my own space (she.joshualynn.com, for example). I know that felicitate (jess – that site has since become frangible) used to host me, but it’s been a while. As for hosting…I used to do it. Then I got tired of having such a full account (if I wanted to randomly upload 20 2mb files I couldn’t – not that I would now, but I have the option!) and decided not to host. I extended my offer of hosting to those I knew, like lyn (who is now on lj…I believe she reads this site but I could be wrong) and whatnot, but eventually I only offered to host friends/family/etc. And I don’t now because my website is personal. I could safely host, I know, but it’s a personal preference. Yet, for those who don’t know how to protect their “stuff” (for lack of a better word), this is a really good warning entry. =) I think it’s nice of you, Jem, to care about others in this way and warn them so nicely. Oh, and sorry for such a long, rambling comment. It’s 4:20 AM and I’m tired, but unable to sleep. *sigh*

  21. Jim said:
    On 21 Jul at 10:28 am

    Easy solution: 1) Don’t host children. 2) http://catcode.com/teachmod/ There’s nothing wrong with hosting subdomains, let’s not start spreading FUD.

  22. Jem said:
    On 21 Jul at 11:17 am

    @Jim: It’s easier to explain to *my audience* the risks of letting n00bs onto your hosting than it is trying to explain why you need to chmod certain files to 600 (which AFAIK is the best one to use to prevent other people being able to abuse your files but feel free to correct me).

  23. Rosemarie said:
    On 21 Jul at 5:12 pm

    Haha, Steph/Amelie: I must have moved out because I hacked Jem’s website. Woot. I am 1337. I think most people who host without taking precautions also tend to host random beginners who can barely code in html, let alone figure out how to write a php script that will screw their host over. Well, until now. Way to go, you’ve probably inspired a rowdy group of hostee terrorists! :P

  24. Xeronia said:
    On 22 Jul at 2:34 pm

    Hmm…thanks for the advice on the passwords…as a subdomain hostee, maybe I should watch out.

  25. Elea said:
    On 23 Jul at 7:59 am

    Very good points. That is exactly why I take care to set up separate FTP accounts for hostees, and only host people that I’m familiar with (or really, just one person at the moment).

  26. Ellen said:
    On 02 Aug at 1:46 am

    Well written, other than: “How many people have different passwords for every different site they visit? If you answered yes…” and so on. “Yes” or “No” doesn’t really answer that question; a number would.

  27. Bekki said:
    On 30 Aug at 7:38 pm

    I’ve known this for ages.. now all the potential hostees do now too.. great..

  28. Hillarie said:
    On 07 Oct at 1:20 am

    *counts* I have four different passwords…er, not good…

  29. Melanie said:
    On 24 Nov at 8:19 pm

    It has been hinted to me by a couple of people that I might be getting a domain (and space paid for a year) for Xmas. I would be overwhelmed and so grateful if that happened… on the other hand, I would also be afraid of screwing it up. As a hostee I don’t have to worry about dealing with technical support etc, I just do my thing with the space. I certainly understand that security is an issue. As for passwords, mine tend to be mnemonic in connection with the site, its purpose, or a word-association thing that I hope others aren’t likely to think of. Most of the time I manage to remember all my passwords, though I’ve had to give up on some sites because I couldn’t remember the password and they didn’t have a “remind” facility (or I never got the reminder email).

  30. Mobile Reviews said:
    On 19 Oct at 5:26 pm

    […] Ho-hum, hosting. All the basic rules: I have to like your site, keep in touch with me, know HTML/CSS, no long hiatuses, no illegal content. Good to see that you’re discouraging the use of Cutenews, though. If only more people would do that! However, and this is a big however, I would strongly recommend reading about the dangers of subdomain hosting. […]

  31. Bubblez said:
    On 13 Dec at 9:23 pm

    Wow! I feel guilty since I am sub domain hosted. But I have no intention to see my host’s details nor ruin their site.