For users of Dreamhost, one of the many misunderstood concepts is your exposure of hackers from one directory to another. You’ve gotten your new dreamhost account and you immediately create a user MYUSER, you have a domain MYUSER.ORG and your all set to go! You pay for a second domain (NEWDOMAIN.COM) and you add this to MYUSER. So login to MYUSER and you see two directories MYUSER.ORG and NEWDOMAIN.COM. These files are ‘owned’ by the same user.
Let me explain why this is BAD! One of the most common hacks to a website is PHP code insertion, which if the hacker finds a weakness, allows him or her to insert THEIR code in YOUR php file. THEIR code is now running as if they were logged in. Any file associated with MYUSER is now readable assuming they know how to look around directories (trust me they do!).
Just as BAD are us old time users, who had our account before the ‘enhanced security’ feature; because DH didn’t know if we would be affected by enhancing security for us (ie. our website broke), they told us about it but didn’t enable it for existing users. This means that all the files are viewable across an entire DH account. Got 15 users? They can all see each others files unless ‘enhanced security’ is enabled.
Dreamhost allows you to get and unlimited number of USERS! If you have one user for each website AND AND AND you enable enhanced security, no information will leak between users. So instead of one user with many websites, you need to have many users each with one website and each with enhanced security enabled. If enhanced security is NOT enabled, then it’s the same as before, one hacker can take down all your website. So, MYUSER1 :: MYUSER.ORG, MYUSER2::NEWDOMAIN.COM!
So, two items for you to do right now
ensure that enhanced security is enabled on ALL your DH users
Create new users if you have more than one website per user
USERs are FREE for account holders! Use them!