On shared-hosting systems, don't overlook the possibility of another user of that same system! Many shared hosts make it very easy for group ftpuser to access pretty much everything anywhere. That means that another user can probably browse all of your source code at their leisure. This can be plenty enough to give them access to your databases ... carte blanche access if you were lazy in setting up your permissions.
Hosting companies also try to make things "easy ... too easy" by offering "convenient" hosting systems like Plesk ... which by definition make it possible for web-users (it's supposed to just be "you") to do highly privileged things. They also set up convoluted and non-standard, but very well-known(!), directory structures, use powerful kernel modules, and so on. These are the subject of intense attack, and when vulnerabilities are found they can be mass-exploited in seconds. A "root kit" is installed and you're none the wiser.
You need to use dedicated servers ... virtual is presumably okay-enough ... and you need to set up minimal configurations of these ... using only what you must have and no more. In fact, I always subscribe to two or more of them. One very-minimal server only runs the HTTP server, and it uses (secured...!) TCP/IP communications to its brethren which, through an interface known variously as PSGI, or Web Server Gateway Interface, or Rack, communicates the actual request to a different computer which has the actual capability to run it.
On these servers, you should use only the web-server extension modules, only the software plugins of any sort, that you actually need. To paraphrase the investment advice given by Peter Lynch: "Know what you run, and know why you run it."
It is most important to consider that (it is my opinion that ...) most server penetration attacks are nothing more or less than "crimes of opportunity." You left the front door unlocked, and I felt like being an a*shole with your system and, indiscriminately, hundreds more just like yours. The attacker doesn't know you and doesn't care about you. (He's just an a*shole.) A "determined, knowledgeable, deliberate and cunning" attacker is a very different kettle of fish, but also much less common.
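A quick way to check the first point about shared hosts, as an added example that is not part of the original post: a small POSIX shell audit that walks a web root and reports every file whose group or world read bit is set, plus a helper that strips those bits. The sample web root it builds is constructed for the demonstration; the paths and file names are assumptions.

```shell
#!/bin/sh
# Added example: find files under a web root that other accounts can read.
# A group-readable file is visible to everyone in that group (e.g. a shared
# "ftpuser" group); a world-readable file is visible to every user on the host.
# The sample tree below is constructed; real web roots and names will differ.

# audit_readable DIR -> prints one path per line for each group- or world-readable file
audit_readable() {
    [ -d "$1" ] || return 1
    # -perm -g=r / -perm -o=r are POSIX symbolic tests on the mode bits
    find "$1" -type f \( -perm -g=r -o -perm -o=r \) 2>/dev/null | sort
}

# count_readable DIR -> number of files flagged by audit_readable
count_readable() {
    audit_readable "$1" | wc -l | tr -d ' '
}

# build_sample DIR -> constructed sample web root with typical "lazy" permissions
build_sample() {
    mkdir -p "$1/lib" "$1/conf"
    # default 644: source code and DB credentials readable by the whole host
    printf 'dbpass=example\n' > "$1/conf/db.conf";  chmod 644 "$1/conf/db.conf"
    printf 'package App;\n'   > "$1/lib/App.pm";    chmod 644 "$1/lib/App.pm"
    # properly locked down: only the owner can read this one
    printf 'secret\n'         > "$1/conf/private.key"; chmod 600 "$1/conf/private.key"
}

# fix_readable DIR -> remove group/other read from every flagged file
fix_readable() {
    audit_readable "$1" | while IFS= read -r f; do chmod go-r "$f"; done
}
```

Where the web server runs under a different account than yours, files it must serve will still need a group grant that excludes other customers; the audit only shows what is currently exposed.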