When working on large sites, it is common to spin up a copy of the live website as a staging or development site to make changes to.
While this is a great way to avoid breaking the main site, many forget about the copy once the task is complete. As most security patching only occurs on the live sites, these forgotten clones are a large security risk just waiting to happen.
As the cloning of a website can be as quick as 4 clicks, Conetix recommends that you delete the staging site as soon as you’ve completed the work and synchronised the changes with the live website.
Alternatively, if you want to keep a copy of the development / staging site, you can disable this site within Plesk so that the files can’t be accessed externally. This allows you to quickly enable the site again as required to complete work and disable once you’re done.
Moving older copies of sites to guessable names such as old or backup is equally risky. Automated scanners can use a Directory Traversal Attack to find the name of these old sites, knowing that they are in nearly all instances out-of-date and therefore likely to be exploitable.
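To find such copies before a scanner does, you can audit a document root for subdirectories that contain a site entry point and either carry a guessable name or have not been touched recently. The script below is an added example, not Conetix or Plesk code; the name list, marker files, 30-day threshold, function names and sample tree are all assumptions made for illustration.

```python
import os, re, tempfile, time

# Assumed lists: names scanners commonly guess, and files that mark a site root.
GUESSABLE = re.compile(r"^(old|backup|bak|staging|stage|dev|test|copy|clone)[-_.]?\d*$", re.I)
SITE_MARKERS = {"wp-config.php", "index.php", "index.html", "configuration.php"}

def newest_mtime(path):
    """Most recent modification time of any file under path."""
    times = [os.path.getmtime(os.path.join(d, f))
             for d, _, files in os.walk(path) for f in files]
    return max(times, default=os.path.getmtime(path))

def find_forgotten_copies(docroot, max_age_days=30, now=None):
    """Return {dirname: [reasons]} for subdirectories that look like site copies."""
    now = now or time.time()
    findings = {}
    for entry in sorted(os.scandir(docroot), key=lambda e: e.name):
        if not entry.is_dir(follow_symlinks=False):
            continue
        if not SITE_MARKERS & set(os.listdir(entry.path)):
            continue  # no site entry point, so not a copy of a site
        reasons = []
        if GUESSABLE.match(entry.name):
            reasons.append("guessable name")
        age_days = int((now - newest_mtime(entry.path)) // 86400)
        if age_days > max_age_days:
            reasons.append(f"untouched for {age_days} days")
        if reasons:
            findings[entry.name] = reasons
    return findings

def build_sample_tree(root, now):
    """Constructed sample: a live site with four subdirectories (ages in days)."""
    layout = {"index.php": 1, "old/index.php": 400, "staging2/wp-config.php": 2,
              "redesign/index.html": 90, "uploads/logo.png": 400}
    for rel, age in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
        os.utime(path, (now - age * 86400,) * 2)  # set atime and mtime

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        now = int(time.time())
        build_sample_tree(root, now)
        for name, reasons in find_forgotten_copies(root, now=now).items():
            print(f"{name}: {', '.join(reasons)}")
```

Each directory it reports is a candidate for deletion or for disabling as described above; a recently edited staging copy with a guessable name is still reported, because the name alone makes it easy to find.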