Published: Tuesday, 16 April 2013 15:24
Written by Alan Langford
It's common practice for developers to put test or new development sites in a subdomain. Most hosting control panels, notably cPanel, default the root directory of the subdomain to a subdirectory of the main site, so if I were going to create a "test" subdomain, cPanel would suggest "/home/youracct/public_html/test" as the root directory (youracct is the name of your hosting account). The problem is that these test installations are soon forgotten and can become a major security risk.
Let's say your client — let's call them client.com — finally has the budget to get off the old Joomla 1.5 site you built years ago. You create a subdomain to hold that shiny new web site. Maybe you call it "new.client.com", or being a leading edge kind of person maybe it's "joomla31.client.com" (Joomla 3.1 will be here very shortly). If you use the default directory and don't password protect it, anyone can see the new site by accessing the subdirectory. Entering client.com/joomla31/ exposes the new site to the world. If you used "new", it's an easy guess. There's also a good chance that backups of your main site are now a lot bigger (you are backing up the site, right?) because they also include the new version.
You work away on your spanking new Joomla 3.1.0 site and a few weeks later it's ready for launch. If you have the site in a subdirectory, you make a backup there and restore the new site in the web root. Over time you update the new site, applying security updates, fixing a vulnerable extension... everything is running smoothly. Then, months later, despite thinking you've done everything right, the site is hacked! What happened?
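A leftover copy like that is easy to miss by eye. The following shell script, an added example that is not part of the article, inventories every Joomla installation below a web root and flags copies that sit in a subdirectory or whose configuration.php has not changed in months. The version-file paths per Joomla generation and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): inventory every Joomla installation
# under a web root so forgotten copies in subdirectories can be reviewed.
# Assumed version-file layout per Joomla generation:
#   libraries/joomla/version.php       (1.5)
#   libraries/cms/version/version.php  (2.5 - 3.4)
#   libraries/src/Version.php          (3.5 and later)

# Print the RELEASE value from whichever version file exists, else "unknown".
joomla_release() {
    for f in libraries/src/Version.php libraries/cms/version/version.php \
             libraries/joomla/version.php; do
        [ -f "$1/$f" ] || continue
        rel=$(grep 'RELEASE *=' "$1/$f" | head -n 1 |
              sed "s/.*RELEASE *= *['\"]\([^'\"]*\)['\"].*/\1/")
        if [ -n "$rel" ]; then echo "$rel"; return 0; fi
    done
    echo unknown
}

# One line per install below $1: "<path> <release> <root|NESTED> <fresh|STALE>"
# NESTED = not the web root itself (the forgotten-subdirectory case);
# STALE  = configuration.php untouched for more than $2 days (default 90).
find_joomla_installs() {
    root=$1; maxage=${2:-90}
    find "$root" -name configuration.php | while read -r cfg; do
        dir=$(dirname "$cfg")
        # A real Joomla tree has both of these beside configuration.php
        [ -d "$dir/administrator" ] && [ -d "$dir/libraries" ] || continue
        if [ "$dir" = "$root" ]; then where=root; else where=NESTED; fi
        if [ -n "$(find "$cfg" -mtime +"$maxage")" ]; then age=STALE; else age=fresh; fi
        echo "$dir $(joomla_release "$dir") $where $age"
    done
}

# Constructed sample web root (stand-in for /home/youracct/public_html):
# a current site at the root plus two leftover installs in subdirectories.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/administrator" "$root/libraries/src"
    echo "const RELEASE = '3.9';" > "$root/libraries/src/Version.php"
    touch "$root/configuration.php"
    mkdir -p "$root/joomla31/administrator" "$root/joomla31/libraries/cms/version"
    echo "public \$RELEASE = '3.1';" > "$root/joomla31/libraries/cms/version/version.php"
    touch "$root/joomla31/configuration.php"
    mkdir -p "$root/old/administrator" "$root/old/libraries/joomla"
    echo "var \$RELEASE = '1.5';" > "$root/old/libraries/joomla/version.php"
    touch -t 201304160000 "$root/old/configuration.php"   # untouched since 2013
    echo "$root"
}
```

Run it against the real web root with `find_joomla_installs /home/youracct/public_html`; every NESTED line is a candidate for removal or for the same patching schedule as the live site.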
Read more: Joomla Security: Beware the Forgotten Installation