What is Apache Userdir Module and why is it disabled on shared servers?
This article gives an overview of the Apache mod_userdir module and a more detailed explanation why it is disabled on our shared servers.
mod_userdir allows accessing a user's homepage using the temporary URL with the /~user/ syntax, like http://ipaddress/~user where 'ipaddress' may be replaced with the server's hostname or any domain name that is resolved to the server you wish to check the content on.
Having mod_userdir enabled poses considerable security risks and disadvantages:
1. Usernames are exposed - it is possible to access different websites hosted on the server via the same domain name (server`s IP address or server`s hostname) replacing the /~user/ part only (e.g., http://ipaddress/~user1, http://ipaddress/~user2, http://ipaddress/~user3, etc.) what makes hosted accounts more vulnerable to hacking attacks.
2. When the mod_userdir module is used for accessing a website, the traffic is added to the total of the users through which visitors access the website but not to the bandwidth usage of the user who is a real website owner.
3. mod_userdir should be disabled for root access in order to make the server protected from modification by non-root users, thus, you need to include a "UserDir disabled root" into your configuration.
As you may know, we tend to introduce the latest technology in order to protect your account and data all the time. The mod_userdir module is currently disabled on our shared servers that allows us to increase the security level and decrease chances of your account as well as server from being hacked. This is in line with our highest security standards and lets us provide you with the level of security you expect from us.
Of course, it is possible to disable/enable Apache mod_userdir the separate accounts having root access that is available on our VPS and dedicated servers only.
In order to do it, access your WHM with the root details > go to Security Center > choose Apache mod_userdir Tweak:
In order to allow/prevent the website access using the mod_userdir module, you need to do the following:
1. Check/uncheck the Enable mod_userdir Protection checkbox
2. When mod_userdir Protection is disabled, but some specific users still would like to use it, select the appropriate Exclude Protection checkboxes in order to make mod_userdir available for these users
3. If you have selected the Exclude Protection checkbox, it is possible to allow additional users to access these hosts using the mod_userdir module. In order to do this, insert their usernames in the Additional Users text box (for entering multiple users, separate each account username with a space).
4. You can allow users to access their accounts through the mod_userdir module and to not steal any bandwidth by selecting the Exclude Protection checkbox for DefaultHost (nobody).
5. Click Save in order to save your changes:
For the users hosted on our shared servers, there is a workaround. For accessing the content of your website before changing the DNS records, you will need to update the ‘hosts’ file on your PC. The detailed guidelines can be found here
Need any help? Contact us via Helpdesk