You’ve got a brand new super hosting account so you can’t wait to create an amazing web project. Just when the installation package is uploaded and you are about to install the CMS, your phone suddenly starts ringing. It is your boss calling and you need to run an errand ASAP! Well, it is inevitable – the installation should wait for a better time.
But what can happen until that “better time” comes? At first glance, there is nothing to worry about. But let’s have a closer look.
What is required for installing a CMS in your hosting account?
Contemporary content management systems usually consist of two parts – files and databases. To start the installation, you first need to upload the files in your account. Then create a database and a user. Run the CMS installation script by accessing the URL in a web browser and follow the steps to finish up the installation. On the different steps you usually enter the website’s name, admin data, a password, database to be used, etc.
You’ve reached the step for running the installation script, but the information is still not entered, hence the installation is not completed. Here is how this step looks in the most popular content management system – WordPress:
However, the URL (which is usually your domain name) can be accessed by anyone. While you are not working on your website, other users can reach it. But, believe it or not, they might not have good intentions.
Malicious activities can occur when other people finish the CMS installation on your behalf. The database should not necessarily originate from the same account where your website is hosted. Most often the website’s files and the database are hosted in the same account. But this is not the only available option. It is possible for the database to be on a separate server.
That’s exactly what “bad guys” use to their advantage. They create a database and a user on another server which they have access to. Afterwards they finish up your installation and connect your website to their database.
This provides them with: access to the website’s administration.
Anyone who has access to the website’s administration is enabled to install plugins, themes or add-ons. What is worse, compromised files might be also uploaded to your website without your consent. Usually this is the only malicious activity performed. In this way changes might stay unnoticed.
And you will not figure out what have happened to your website. Why?
Because after all actions are performed to your installation, the “bad guys” usually delete the configuration file. In this way they terminate any connection with the database so that the CMS installation looks just like you left it – waiting for you to finish it.
You can install the most widely-used CMSs trough Softaculous.
Keep your account well-ordered. If there is a CMS which you have only tested but you do not intend to use, we recommend that you delete it as soon as possible.