Hackers Have Better Access to My Domains Than I Do


#1

I have been a Dreamhost customer since 2006. Until about a year ago, I have been a satisfied customer, and for the first few years, I was a very happy customer.

In the past year, it has gotten more and more difficult for me to publish content to my sites without having to go back and forth with tech support.

At the same time, Chinese hackers have been given free reign to my server space. At this point, I might be satisfied with equal access.

Security doesn’t seem to be a word that has any meaning on Dreamhost anymore and whenever a domain is hacked, the response from tech support is that it’s my fault somehow. How is it my fault when the sites that are hacked are using either no third-party software at all, or installs that are installed and updated through Dreamhost?

If, somehow, it is my fault, then could they tell me what it is that I am doing wrong. If there is something that I could be doing that I’m not, other than choosing another host, then could they tell me what it is? No, instead all that I get from them are canned messages about updating software, although I have chosen the option to allow Dreamhost to automatically do so, and the only domains in which I am using third-party software not supplied by Dreamhost are the ones that have not been hacked.

If it’s not secure, and you can’t make it secure, don’t offer it.

Over the past year, I have had to delete nearly half of my domains because the responses that I get from tech support would require me to spend the next year in hacker school just to learn what they are talking about, and they are unwilling to take any steps to actually help with the problem.

The lack of security on Dreamhost is Dreamhost’s problem, not mine. I have domains on other servers and Dreamhost is the only one that has been hacked, and my Dreamhost domains are hacked every couple of months.

Things happen, and I could understand that, but only if Dreamhost tech support would take some amount of responsibility for helping their customers recover from their lack of security, short of deleting all of their content.

I have deleted sites and forums that I have had up for many years because of Chinese hackers having free reign over Dreamhost, and I hated to lose the content, but nothing that I received from Dreamhost tech support made a bit of sense to me, and they couldn’t have been more unhelpful.

I couldn’t be more unhappy than I am with Dreamhost.


#2

From your description here I have no clue to what your problem is.

But very often the problem is with the CMS-systems used, which of course will have security problems. If that is the case for you, then it is not a problem for Dreamhost.


#3

The interesting part is that OP claims that the CMS systems are only the one-click installs from DH and set to automatically update. If that’s true, and no third-party plugins, themes, etc have been added, then some of the onus should be on DH for not getting things updated promptly.

I’m not suggesting that users bear no burden in securing their websites, but it is an interesting point. I’d be very interested to know whether OP has installed any third-party themes or plugins. The only time I’ve had a brush with hacking was when I installed a third party WP theme and found that it was sending out extra requests to websites that I’d never heard of. I went through the code and found that, sure enough, the theme was not 100% legit.


#4

I agree Dreamhost carries more liability if it is a simple one click install. The waters muddy very quickly once custom is used however, and unless the user can state to support “I have not touched any file or permission setting, installed additional themes or plugins, etc” then security of the site falls l on largely the customer. If the customer has no intent on installing additional themes or plugins, etc then perhaps a simple one click is the approach that customer should take. Since the customer has no access to the files dreamhost must step up to the plate and assist as the customer has no means to investigate and plug the hole.

The clue in the OP’s post is this:

I would say that means that it is NOT a simple one-click and other customizations or changes have been made since the OP seems very familiar with his server space.