• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Question Subdomain security

vic666

New Pleskian
Server operating system version
Ubuntu 20.04
Plesk version and microupdate number
18.0.57 #5
I'm running various web apps on my domain and several sub domains. It seems that one of these apps (based on PHP) had a vulnerability that was exploited. As a consequence, not only the app of that particular (sub) domain was affected but the main domain and all other sub domains, too. Code was injected all over the place and new files have been created, it's a complete mess.

Is there something I can do to establish a better separation of the main domain and its sub domains? It's bad enough when one app gets hacked, but when one hack can affect all other apps on the domain, that's really bad.
 
I think I can answer my own question. Simply don't use the function "Add Subdomain" and instead add a regular domain that actually points to the subdomain.

I guess the only good reason to even use the function "subdomain" is to avoid restrictions in terms of how many domains can be added to a subscription.
 
The only way to avoid this is to have separate subscriptions for each domain. Subdomain or Domain makes no difference. The issue can occur, because all domains and subdomains share the same system user. For that reason scripts can access all paths inside the same subscription. They cannot access paths outside the subscription, so if you separate domains into different subscriptions, you are much safer.
 
Hi Peter, yes, I figured. Just to be clear, when I say "subdomain", I'm referring to the functionality "Add subdomain" in Plesk. As far as I understand, it's not possible to create a subdomain this way and still add it to its own subscription. So, the only way to do this is to "Add new domain", and then enter the name of the subdomain in question, making sure that a new subscription is created.
 
Back
Top