Monitoring your staging area for vulnerabilities

A staging area is a great way for a hosting company to provide customers with a way to develop and test their website before making them live or updating them. With the increased popularity of content management systems like WordPress, of which 43% of the web is built on*, the number of staging sites has grown immeasurably.

Widely used by agencies, web developers, in-house teams and the one-person "do it all", offering a staging area is a great feature to have.

But staging areas can be a security risk for hosting companies. While customers' main websites are (usually) kept up to date, staging sites can become neglected. Old plugins and themes become vulnerable access points. Deprecated core files offer other avenues of attack.

Unfortunately, as we've seen, this happens more often that it should. Web developers move on, customers forget (or don't know how) to update their plugins. Or they simply forget that they had a staging site at all!

This leads to hundreds of thousands of sites being compromised every single day.

Not only becoming a threat to anyone who click on the link but potentially providing additional access to your infrastructure and sensitive data.

It can further cause your TLD's Registry to put the domain on serverHold or, if you're not the Registrar of record, to be placed on clientHold**. Essentially stopping all services on that domain and it not resolving for anyone. The effects to the hosting company of this can vary from low, if it's simply a bad customer's domain name. Or your business can be at high risk of losing hundreds of thousands in revenue, if the domain that's on serverHold also provides hosting to live sites as well as staging sites. Add reputational damage to this and the costs are compounded.

Monitoring staging URLs is therefore just as important as keeping an eye on your customers' main live domain. With iQ Abuse Manager's staging area checker, this becomes a cinch.

Screenshot 2022-07-20 at 10.56.41.pngSimply add the domain(s) used for the staging area and you're done. Monitoring can be set to various time intervals and you can monitored as often as every hour. Ensuring you are aware of any staging site being used for nefarious actions such as phishing, scams, spamming, hosting of malware or part of a botnet.

AM-categories.jpgOffering you an additional powerful tool in your security arsenal, helping you keep your customers and internet users safe.

To start monitoring your domains now, click here for your no commitment, free trial of iQ Abuse Manager.


** serverHold is an EPP Status Code set by the domain's Registry Operator. When set to serverHold, the domain is not active in the DNS.

** clientHold is an EPP code that tells your domain's registry to not activate your domain in the DNS and as a consequence, it will not resolve.