CPanel's Black Week: 3 New Vulnerabilities Patched After Attack on 44k Servers (copahost.com)
145 points by ggallas 11 days ago | 78 comments



zuzululu 11 days ago

Ages ago I used php-nuke to manage my forum and it got hacked, and I thought it would get taken seriously.

Seeing these CPanel hacks reminds me how old these codebases are and how many more vulnerabilities remain.


CPanel and hosters who use them are in big trouble now; there are millions of servers running them, many of them for decades. Their clients can run code as a user without much sandboxing/guardrails at all.
josu 11 days ago

So CPanel's security is just as bad as their UI, who would have thought?
johng 10 days ago

We've been running Centminmod on our servers for years. Love the software. There is no fancy web UI but it does have CLI menus, etc... so, definitely not for the novice but it's really good at what it does. I'm not affiliated, just a happy customer:

https://centminmod.com/

hcaz 10 days ago

I love Centminmod but some of our clients need a UI so we settled on a mix of https://hestiacp.com/ and https://www.cloudpanel.io/
onyx50 10 days ago

CloudPanel worries me more than CPanel honestly. Relatively new, smaller team, aggressive feature pace. HestiaCP at least has years of scrutiny. The "modern UI" panel space is where security debt accumulates fast.

Most LAMP FOSS web apps have a long history of being hacked.

Are there any specific LAMP web apps that have a very good history of not being hacked?

I can't think of any readily but I imagine someone here knows one or two.


MediaWiki seems pretty solid on that front in my 10+ years of running and using it.
axel247 11 days ago

MediaWiki's security model benefits from having Wikimedia Foundation's dedicated security team upstream, which most comparable FOSS projects lack. That's probably a bigger factor than any architectural advantage, as far as I can tell.
eagerpace 11 days ago

Wow, similar sentiments about this being a throwback. I'd rather roll my own almost everything these days; it may not be as good, but it certainly won't be targeted or exploited broadly.

Many years ago, maybe 2005 to 2015, I had a friend who used cPanel to run a web hosting company. He made quite a bit of money doing that. He was not a programmer, but he could set up WordPress and install plugins. I remember asking him once if he was worried he would get hacked and then lose control of his servers? Lose his customers?

He said he was worried, but he had backups upon backups. I saw him restore a bunch of websites once, using cPanel, and I thought it was an amazing little bit of software, with all of the click-a-button ways to set up many different things (like a WAF). A real time saver, and it provides some guidance if you are not a unix-internet guru.

rcole 11 days ago

We tried the same thing - rolled our own nginx/postfix stack. Worked great until DNS management became a nightmare. Ended up using Virtualmin for just that piece. Rolling your own gets expensive in time pretty fast.

Not all webhosting companies are using cpanel. Cpanel increased their prices exponentially in the last few years.
rickdg 11 days ago

Friendly reminder that there aren't that many ways for a normie to create their own (sub)domain with TLS and an email in under five minutes. That's cPanel for ya.
walrus01 11 days ago

The alternatives to cPanel would mostly be all-in-one hosting providers like 'squarespace' or similar, which have rolled their own web GUI to automate a basic normie workflow of domain registration, putting basic DNS records in a zone, hosting the DNS, getting TLS certs, and putting basic content on an httpd. It's interesting to see the "set up your small business website now!" advertising to totally non-technical people.
sgammon 11 days ago

Yes, there are many ways to do that now, in under 5 minutes. Cloudflare will set all of that up just fine. GSuite is much easier to set up than CPanel.
zb3 11 days ago

"AI safeguards" are not working I guess.. or maybe they're only working against those who'd like to secure their software.. good job Anthropic + OpenAI!

The AI safeguards are indeed a joke, you can get around their classifier by simply masking out all the unsafe words and it will happily work on your rootkit.

44,000 servers compromised? Sounds like somebody could've used a software building code.
echelon 11 days ago

> CPanel

Now there's a name I haven't heard since the 2005 or so era.

How is that thing still around?

Next you're going to tell me people still run phpBB and vBulletin somewhere. And use FileZilla FTP. And manage their database with phpMyAdmin.

whyoh 10 days ago

Why, is there a better alternative to the PHP-based forums? (I tried Discourse and it sucks.)
vachina 11 days ago

Nothing wrong with those stacks. They’re akin to assembly language for the backend. Nitty gritty but super close to the metal.

People are still using cpanel?
kiritanpo 11 days ago

Most shared hosting plans use cPanel. It's still widely used, yes, for a lot of smaller websites.
ramesh31 11 days ago

CPanel on shared hosting running WordPress PHP is literally half of the entire internet still.
xp84 11 days ago

There are a lot of things that have been up for decades. The ROI on moving a simple PHP or static website to new hosting situation hasn’t been that compelling… though that could change. Thing is, I suspect most users of shared hosting which is Cpanel’s bread and butter are not reading the latest cybersecurity news.

I run an entire SaaS that 36 companies pay for, built in PHP, and I drag and drop the files to the server via cPanel.
kkj82 11 days ago

But has anyone measured what the actual attack surface looks like for a typical cPanel install versus, say, a barebones VPS? I suspect most compromised servers were also running outdated cPanel versions.
avi61 11 days ago

IIRC the article says 44,000 attempts, not 44,000 compromised servers. The headline conflates the two, which is a pretty significant distinction worth getting right.