Important safety recommendations
⚠ DATA SECURITY
Your site could be compromised today — and you might not know it
Unpatched systems, outdated CMS platforms, and poor cyber hygiene make websites easy targets. We understand why this is a problem and what you can do about it.
Why hosting security is your problem
A common misconception among hosting users is this: “My hosting provider protects my data.” That’s partly true — quality hosting providers manage the physical infrastructure, implement network-level firewall protection, and maintain the servers. But they don’t manage your WordPress, update your plugins, change your passwords, or perform backups for you on a contract basis. This means there is a clear line of responsibility: the infrastructure is theirs, the content and applications are yours. And the applications — WordPress, Joomla, Magento, custom PHP scripts — are where attackers come in.
⚡ IMPORTANT FACT
According to Sucuri’s reports, over 95% of infected websites are victims of known vulnerabilities — not zero-day attacks. This means that the patch already existed; the owner simply didn’t apply it.
Regular updates: not an option, but an obligation
When a CMS, plugin, or theme manufacturer releases a new version, in 90% of cases that version patches the security vulnerabilities found. The moment the update is publicly available, attackers analyze it — and within hours or days, they begin scanning the Internet for sites that still have the old, vulnerable version.
The minimum standard of cyber hygiene
✓ CMS core (WordPress, Joomla, Drupal…) — update immediately with every new version, especially security patches.
✓ Themes and plugins — check them regularly. Deactivate and delete those you don’t use.
✓ PHP version — check if your server is using a supported version of PHP (≥ 8.2).
✓ SSL/TLS certificate — keep it valid and up-to-date.
✓ Passwords and 2FA — use strong, unique passwords and two-factor authentication for all admin interfaces.
✓ Inactive user accounts — regularly review and delete users who do not have an active role.
→ Logs — enable access logging and regularly review suspicious entries.
Zero-Day vulnerabilities: when the patch comes too late
So far, we’ve talked about known vulnerabilities — those for which a patch exists. But there’s a more complex category: zero-day vulnerabilities. These are security weaknesses that attackers discover before the software vendor is notified or has a chance to respond. The name zero-day comes from the fact that there are zero days of defense — the patch doesn’t exist yet. A zero-day attack can strike anyone, no matter how well you maintain your systems. But some situations increase the risks: when the system is not updated even after the official patch, when there is no monitoring of suspicious activities, and when there are no backups for quick recovery.
CVE-2026-41940 · Actively Exploited
Critical Vulnerability in cPanel & WHM — 70 Million Domains Exposed
CVSS score: 9.8
Exposed domains: ~70,000,000
Exposed servers: ~1,500,000
Zero-day window: ~64 days
The vulnerability allowed for a complete bypass of passwordless authentication — just with a specially crafted HTTP request. An attacker who could access the cPanel / WHM interface would gain root-level control over the entire server: all websites, databases, emails, DNS records, and SSL keys of all clients on that server. The vulnerability was actively exploited for 64 days before it was publicly patched — many sites were compromised even before the patch was available.
Why is cPanel such an attractive target?
cPanel is the standard control panel on a vast majority of world-wide shared hosting plans — and its interface is accessible over the internet by design. One compromised server means all the clients on that server are compromised. cPanel manages four critical roles at once: website, email, DNS, and databases. When it goes down, everything goes down.
🔴 KEY LESSON
Organizations that used an unpatched version of cPanel after February 23, 2026 cannot be sure that their data was not accessible to attackers — even if nothing obvious happened. Silent breaches are the most dangerous.
Signs that your system has been compromised
! Unknown admin user accounts or new API tokens
! Unknown SSH keys in ~/.ssh/authorized_keys
! Unexplained DNS changes — new MX or A records pointing to unknown IP addresses
! New cron jobs not set up by your administrators
! Unexpected changes to files under /etc/ or /usr/local/cpanel/
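A read-only way to check for several of these signs (SSH keys, cron jobs, changed files), added here as an example and not taken from the original page or from cPanel. The allowlist file format, the `/root/known_keys.txt` path, and the crontab location `/var/spool/cron` are assumptions.

```shell
#!/bin/sh
# Read-only triage for the indicators listed above (added example).
# ROOT is / for the live system, or a mounted disk image / test tree.
# Usage (hypothetical allowlist path):
#   unknown_ssh_keys / /root/known_keys.txt ; recent_changes / 7

# unknown_ssh_keys ROOT ALLOWLIST
# Prints "file<TAB>keytype<TAB>comment" for each authorized_keys entry whose
# base64 key blob is not in ALLOWLIST (assumed format: one blob per line).
unknown_ssh_keys() {
    root=${1%/}; allow=$2
    find "$root/root" "$root/home" -maxdepth 3 -type f \
         -path '*/.ssh/authorized_keys' 2>/dev/null |
    while IFS= read -r f; do
        awk -v f="$f" '
            FILENAME == ARGV[1] { ok[$1] = 1; next }   # load the allowlist
            /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments, blanks
            {
                # options may precede the key type, so locate it by name
                for (i = 1; i < NF; i++)
                    if ($i ~ /^(ssh-|ecdsa-|sk-)/) break
                if (i < NF && !($(i + 1) in ok))
                    printf "%s\t%s\t%s\n", f, $i, $(i + 2)
            }' "$allow" "$f"
    done
}

# recent_changes ROOT DAYS
# Lists files modified in the last DAYS days under /etc and /usr/local/cpanel
# (named on the page) and /var/spool/cron (assumed crontab location).
# /etc/cron.d is covered by /etc. An attacker with root can reset mtime,
# so an empty result is not proof of a clean system.
recent_changes() {
    root=${1%/}; days=${2:-7}
    for d in etc usr/local/cpanel var/spool/cron; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -mtime "-$days" 2>/dev/null
    done | sort
}
```

On a live server the second function is noisy, because package updates and routine configuration changes also touch these directories; compare its output against your change records rather than treating every line as hostile.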
Backups: the last line of defense
Even the best security practices are not 100% foolproof. Hardware failures, natural disasters, human errors — all can cause data loss. That’s why regular backups are not a luxury but a basic business necessity.
⊞ THE 3-2-1 RULE FOR BACKUPS
3 – Copies of your data
2 – Different types of media / locations
1 – Offsite copy
Recommended backup solutions
There are dedicated software solutions that automate the backup process, encrypt data, and allow you to quickly restore:
🗄️ Veeam Backup & Replication – The industry standard for enterprises. Supports physical, virtual, and cloud environments. (Commercial)
☁️ Acronis Cyber Protect – Combines backup and antimalware protection. Strong support for MSP environments and small businesses. (Commercial)
🔓 UpdraftPlus (WordPress) – The most popular WordPress backup plugin. Automatic scheduling, support for Google Drive, Dropbox, S3 and FTP. (Freemium)
🏗️ Duplicati – Open-source solution with encryption (AES-256). Support for over 20 cloud providers. (Open Source)
🌐 JetBackup (cPanel) – Designed for cPanel server environments. Automatic backup of accounts, databases and emails. (Commercial)
⚡ AWS / Azure Backup – Cloud-native solutions for organizations on AWS or Azure. High availability, geo-redundancy. (Cloud service)
Steps to establish a backup strategy
1. Identify critical data – Databases, media, configurations, and email — know exactly what must be protected.
2. Define RPO and RTO – Recovery Point Objective — how old can the data be? Recovery Time Objective — how long do you have to be back online?
3. Automate your schedule – Backups that depend on manual execution will be forgotten. Set up automatic daily or weekly backups.
4. Encrypt your backups – A backup without encryption is just another unprotected set of sensitive data. Use AES-256 encryption.
5. Test your recovery regularly – A backup that is never tested is a backup that may not work. Perform a recovery test at least once a quarter.
6. Keep offsite copies – If a fire or hacker destroys both your server and your backup at the same time, you’re lost. An offsite copy is a must.
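A minimal restore drill for the "test your recovery" step, added here as an example and not taken from the original page or from any of the products listed. It assumes GNU tar and sha256sum, absolute paths for the archive and manifest, and leaves encryption to the backup tool; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prove that an archive can actually be restored, instead of
# assuming it. ARCHIVE and MANIFEST must be absolute paths outside SRC.

# make_backup SRC ARCHIVE MANIFEST
# Records a SHA-256 manifest of every file at backup time, then archives SRC.
make_backup() {
    src=$1; archive=$2; manifest=$3
    ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$manifest" &&
    tar -czf "$archive" -C "$src" .
}

# restore_drill ARCHIVE MANIFEST
# Restores into a scratch directory and checks every file against the
# manifest. Returns 0 only if extraction succeeds and every file listed in
# the manifest is present with a matching hash; 1 on any mismatch.
restore_drill() {
    archive=$1; manifest=$2
    scratch=$(mktemp -d) || return 2
    status=0
    # A truncated or corrupted archive fails here.
    tar -xzf "$archive" -C "$scratch" 2>/dev/null || status=1
    if [ "$status" -eq 0 ]; then
        # A missing or altered file fails here.
        ( cd "$scratch" && sha256sum -c "$manifest" >/dev/null 2>&1 ) ||
            status=1
    fi
    rm -rf "$scratch"
    return "$status"
}
```

Keep the manifest with the offsite copy rather than only on the server being backed up, so the drill can still be run when the original system is unavailable.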
✅ GOOD PRACTICE
Document your recovery procedures and store them off-system. In the event of a ransomware attack, you may not even have access to your backup documentation.
— Conclusion —
Security is a process, not a product
The case of cPanel CVE-2026-41940 is just one example — but it is illustrative. A sixty-four-day zero-day window. One and a half million servers directly exposed. Seventy million domains at risk. And yet, many website owners were neither aware of the vulnerability nor knew whether their hosting had applied the patches. The security of your online business requires constant vigilance: up-to-date systems, clean access practices, activity monitoring, and — above all — regular, tested backups. Backups don’t prevent an attack, but they are the difference between an incident and a disaster.