Question if a wordpress website is hacked, can they damage my entire server?

[giordanosoftware]

Server operating system version

ubuntu 22.04 lts

Plesk version and microupdate number

18.0.45

Hi everyone, as the title suggests, I have this great doubt .. but if a WordPress or prestashop site is hacked, etc., is the attack limited to the specific plesk account or can I suffer damage to my entire system? a thousand thanks

 

[mow]

That entirely depends on how it was hacked. If they just exploited a rotten plugin you might be in luck. If they got shell access and managed further privilege escalation ... you're not.

 

[giordanosoftware]

when I create an account, I deny the permissions to access the shell

 

[mow]

That would only help against the hacker getting a leaked password and using it to get shell access the normal way.
The question here is whether the security hole they used to get in was big enough to give them shell access by other means.

 

[Cike76]

The way Plesk is designed on the users ( domain accounts ) just allows most of the time access only to that user files. If you dont change the original permissions on the folders its likely it wont access other domains ( and clients ) on a server.
A secure setup is to deny shell access.
I modify my ssh to only accept keys