How to Achieve PCI Compliance with Bluehost Hosting
PCI compliance is critical if you process credit card payments on your website. This guide explains how compliance works across different Bluehost hosting types and provides step-by-step solutions to common issues flagged during PCI scans.
Important:
Bluehost does not guarantee PCI compliance on all accounts. Here's what you need to know:
- Shared Hosting: Not PCI compliant by default. However, you can achieve compliance using a full CDN solution, like Cloudflare, where DNS is fully pointed through their network.
- VPS & Dedicated Hosting: These accounts can achieve PCI compliance, but it's up to the user to configure the environment properly. If you have a valid PCI scan report, our support team can help review or clarify the findings.
- Common PCI Scan Issues and How to Resolve Them
- Guide to Achieve PCI Compliance (VPS/Dedicated Users)
- Frequently Asked Questions (FAQ)
- Summary
Common PCI Scan Issues and How to Resolve Them
Below are common findings during PCI scans, with steps to resolve or understand each one:
- Weak Ciphers
- UserDir Option Vulnerability
- Mod_FrontPage
- Mailman Login Disclosure
- /scgi-bin Vulnerability
Weak Ciphers
Issue Example:
Protocol: TCP
Port: 443
Program: https
Synopsis: The remote service supports the use of weak SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
See also http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Explanation:
In this case, the finding is NOT cPanel related but a problem with the Apache .conf file. We can identify this by the port number that was reported. If the port had been 2095, 2082, etc., then it is cPanel, and a Bluehost administrator will need to fix the ciphers. But if the port is 443, it means the cipher line in the Apache .conf file is missing for that domain.
Solution:
Ask Bluehost support to rebuild Apache. This will regenerate the .conf file and add the required cipher lines.
UserDir Option Vulnerability
Issue Example:
Protocol: TCP
Port: 443/80
Program: https/http
Explanation:
Some distributions of Apache, especially in Red Hat 7.0, allow an attacker to probe a system for user names via requests for user home pages (e.g., http://host/~username).
Disabling the UserDir directive in the Apache configuration file (httpd.conf) will prevent this. However, it will also prevent users from providing their own web pages. Alternately, specify ErrorDocuments for both 403 (Forbidden) and 404 (Page Not Found) Responses. We can disable UserDir on an account. Contact Technical Support to have this changed.
Solution:
Request Bluehost support to disable UserDir. Ensure both the standard and SSL userdata files are updated:
/var/cpanel/userdata/username/domain.com
/var/cpanel/userdata/username/domain.com_SSL
We plan to automate this change in the future, but for now, technical support must update both manually.
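Both of the findings above come down to lines in the per-domain Apache configuration: an SSLCipherSuite line that is missing or permits weak ciphers, and a UserDir directive that is still enabled. The Python script below is an added example, not a Bluehost tool and not part of this article: it parses VirtualHost blocks and reports both conditions so that a VPS or dedicated user can confirm what a scan flagged before contacting support. The vhost blocks and cipher strings are constructed samples, the hardened cipher list is one reasonable choice rather than the one a rebuilt Apache writes, and the weak-cipher markers are a simplified heuristic, not the scanner's own list.

```python
import re

# Constructed sample vhost (not a real Bluehost/cPanel file): the SSLCipherSuite
# line is missing and UserDir is enabled, so both findings would appear on a scan.
VHOST_FLAGGED = """\
<VirtualHost 203.0.113.10:443>
    ServerName example.com
    DocumentRoot /home/username/public_html
    UserDir enabled username
    SSLEngine on
    SSLCertificateFile /var/cpanel/ssl/apache_tls/example.com/combined
</VirtualHost>
"""

# Constructed sample with a cipher line present but still permitting weak ciphers.
VHOST_WEAK_SUITE = """\
<VirtualHost 203.0.113.10:443>
    ServerName example.com
    UserDir disabled
    SSLEngine on
    SSLCipherSuite ALL:RC4-SHA:EXP-DES-CBC-SHA:!aNULL
</VirtualHost>
"""

# Constructed hardened counterpart: explicit modern cipher list, UserDir off,
# and ErrorDocuments for 403/404 as the article's alternative mitigation.
VHOST_HARDENED = """\
<VirtualHost 203.0.113.10:443>
    ServerName example.com
    DocumentRoot /home/username/public_html
    UserDir disabled
    ErrorDocument 403 /403.shtml
    ErrorDocument 404 /404.shtml
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder on
    SSLCertificateFile /var/cpanel/ssl/apache_tls/example.com/combined
</VirtualHost>
"""

# Simplified heuristic (an assumption of this example): substrings that mark
# weak or unauthenticated ciphers, and OpenSSL keywords too broad to be safe.
WEAK_MARKERS = ("NULL", "EXP", "DES", "RC4", "MD5", "ADH")
BROAD_KEYWORDS = {"ALL", "DEFAULT", "LOW"}


def parse_vhosts(conf_text):
    """Return (address, {directive: [values...]}) for each <VirtualHost> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf_text, re.S):
        directives = {}
        for raw in m.group(2).splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split(None, 1)
            directives.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else "")
        vhosts.append((m.group(1).strip(), directives))
    return vhosts


def weak_ciphers(suite):
    """Return tokens of an SSLCipherSuite string that admit weak or broad cipher sets."""
    flagged = []
    for token in suite.split(":"):
        if token.startswith(("!", "-")):  # exclusions never add ciphers
            continue
        upper = token.upper()
        if upper in BROAD_KEYWORDS or any(mark in upper for mark in WEAK_MARKERS):
            flagged.append(token)
    return flagged


def audit_vhost(directives):
    """Report the two article findings for one vhost: cipher line and UserDir."""
    findings = []
    if directives.get("SSLEngine", [""])[0].lower() == "on":
        if "SSLCipherSuite" not in directives:
            findings.append("SSLCipherSuite missing")
        else:
            bad = weak_ciphers(directives["SSLCipherSuite"][0])
            if bad:
                findings.append("weak ciphers permitted: " + ", ".join(bad))
    # A vhost with no UserDir line inherits the global httpd.conf setting, which
    # this per-vhost check cannot see; only an explicit directive is judged here.
    values = [v.strip().lower() for v in directives.get("UserDir", [])]
    if values and not ("disabled" in values and not any(v.startswith("enabled") for v in values)):
        codes = {v.split()[0] for v in directives.get("ErrorDocument", [])}
        if not {"403", "404"} <= codes:
            findings.append("UserDir enabled without ErrorDocument 403/404")
    return findings


def audit_conf(conf_text):
    """Map each ServerName to its list of findings (empty list means clean)."""
    return {d.get("ServerName", [addr])[0]: audit_vhost(d) for addr, d in parse_vhosts(conf_text)}


if __name__ == "__main__":
    for label, conf in (("flagged", VHOST_FLAGGED), ("weak suite", VHOST_WEAK_SUITE), ("hardened", VHOST_HARDENED)):
        print(label, audit_conf(conf))
```

Run it against your own Apache configuration by reading the file into audit_conf; a domain whose 443 vhost reports "SSLCipherSuite missing" matches the article's case for asking support to rebuild Apache, while an explicit UserDir line still enabled is the case for asking support to disable it.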
Mod_FrontPage
Some scans flag Mod_FrontPage, but this is typically a false positive.
- Our current version: frontpage-2002-SR1.2 (secure). Apache compiled via EasyApache replaces fpexe with /scripts/fp-auth, which is secure and non-root.
No action is required.
Mailman Login Disclosure
Issue Example:
Unencrypted Login Information Disclosure for the following link: http://example.com/mailman/admin/mailman
Explanation:
Mailman is a globally configured tool. It cannot be disabled per account.
Reassurance:
Mailman runs via suexec, meaning it operates under a separate system user. Even if flagged, it doesn't compromise customer data. Bluehost is working on a secure solution.
/scgi-bin Vulnerability
Issue Example:
scgiwrap: Caller must be the nobody user
Explanation:
This is a false positive. The /scgi-bin alias runs only as the nobody user, making it inaccessible via direct HTTP requests.
No action is required.
Guide to Achieve PCI Compliance (VPS/Dedicated Users)
- Run a PCI scan using a trusted third-party provider.
- Review scan results for issues like SSL ciphers, UserDir, or unencrypted admin pages.
- Contact Bluehost Support to:
  - Rebuild Apache (for SSL ciphers)
  - Disable UserDir
  - Review/confirm scan findings
- Re-scan your site to verify compliance.
For shared hosting users, consider using Cloudflare’s full CDN mode to meet compliance requirements.
Frequently Asked Questions (FAQ)
Q: Can I be PCI compliant on shared hosting?
A: Not by default. You'll need a full CDN setup like Cloudflare to meet compliance.
Q: Does Bluehost guarantee PCI compliance?
A: No. Compliance depends on how your environment is configured and maintained.
Q: Can you help interpret my PCI scan?
A: Yes! Our team can review scan reports and suggest actionable steps.
Q: What’s the easiest way to ensure PCI compliance?
Summary
If you're handling credit card data, PCI compliance is a must. While Bluehost shared hosting isn't PCI-compliant by default, using a full CDN like Cloudflare can help. For VPS and Dedicated Hosting users, our support team can assist with configuration changes to help you meet PCI standards. Be proactive in reviewing scan results and applying the suggested fixes to keep your site secure and compliant.
If you need further assistance, feel free to contact us via Chat or Phone:
- Chat Support - While on our website, you should see a CHAT bubble in the bottom right-hand corner of the page. Click anywhere on the bubble to begin a chat session.
- Phone Support -
- US: 888-401-4678
- International: +1 801-765-9400
You may also refer to our Knowledge Base articles to help answer common questions and guide you through various setup, configuration, and troubleshooting steps.