
Question Webspaces... a good or bad idea?

Dave W

Regular Pleskian
Hi all,

I just wanted to start a discussion about the topic because I am starting to not like the idea that one compromised site has access to the other sites within the webspace.

Why were webspaces brought in at all?

I just wanted to know what opinions are out there?

Rgds
Dave
 
If done properly, a compromised site should _not_ have access to files of other customers.
By default, Plesk subscriptions won't have access to files of other subscriptions on the same server.

Did you have a security incident? If yes, what was the incident?

Things to consider:
* Make sure "Restrict the ability to follow symbolic links" is checked in your service plans
* But be aware of this: "Restrict the ability to follow symbolic links" option is not synced with Subscriptions

Also read:
How to secure a Plesk server
 
If any site runs under a different user you will not have any security issue; if you have multiple sites under a subscription running under the same user, you may have some issues if one of those sites is compromised.
 
What I'm referring to is when there is more than one site in a webspace, if one of those sites is compromised then because PHP is running under the same user, malware can move to other sites within the webspace quite easily. I'm just curious as to what the purpose of a webspace is, shouldn't each site have its own webspace?

I'm just not seeing the advantage of allowing more than one site per webspace, subdomains maybe, but even then I don't think it's a good idea. Am I missing something here?

Dave_W
 
Hello,

For security reasons (isolation by using different system users) each website (domain with website hosting) should be in its own webspace/subscription until two websites need to share some local files.
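An added example, not part of any post in this thread: a small audit that groups site document roots by owning system user, to show which sites share the isolation boundary discussed above, and flags roots writable by any local user. The paths, uids and function names are constructed for illustration, and the actual document root locations on a given server are an assumption you supply as arguments.

```python
import os
import stat
import sys
from collections import defaultdict

# Constructed sample: docroot -> (owner uid, permission bits). Not real data.
SAMPLE = {
    "/srv/sites/shop.example": (10001, 0o750),
    "/srv/sites/blog.example": (10001, 0o750),   # same system user as shop
    "/srv/sites/wiki.example": (10002, 0o757),   # own user, but world-writable
}

def stat_facts(path):
    """Owner uid and permission bits of a document root on the live system."""
    st = os.stat(path)
    return st.st_uid, stat.S_IMODE(st.st_mode)

def audit_isolation(docroots, facts=stat_facts):
    """Return (shared, exposed).

    shared  -- {uid: [docroots]} for each system user that owns more than one
               document root; code running as that user can write to all of them.
    exposed -- document roots writable by "other", which any local user can
               modify regardless of which user owns them.
    """
    by_owner = defaultdict(list)
    exposed = []
    for root in docroots:
        uid, mode = facts(root)
        by_owner[uid].append(root)
        if mode & stat.S_IWOTH:
            exposed.append(root)
    shared = {uid: sorted(roots) for uid, roots in by_owner.items() if len(roots) > 1}
    return shared, sorted(exposed)

if __name__ == "__main__":
    # Pass real document roots as arguments; with none, run on the sample.
    if sys.argv[1:]:
        shared, exposed = audit_isolation(sys.argv[1:])
    else:
        shared, exposed = audit_isolation(SAMPLE, facts=SAMPLE.__getitem__)
    for uid, roots in shared.items():
        print(f"uid {uid} owns {len(roots)} sites: {', '.join(roots)}")
    for root in exposed:
        print(f"world-writable document root: {root}")
```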
 