Using cPanel’s Addon Domains? There’s a Footprint that links your sites together

Disclosure: We receive compensation from some of the companies whose services we mention below, or the brands mentioned here may form part of our portfolio of companies. If you click through on the links from this article, we may receive compensation at no additional cost to you.

One of the popular methods of hosting a PBN is to buy a hosting account with a company like Bluehost, HostGator, SiteGround or A2 Hosting and put a number of sites in the same cPanel account as addon domains.

When cPanel’s AutoSSL feature which was introduced in July 2016, most people were happy to see the introduction of a new feature that made it easy to get free SSL certificates for all of their sites from Let’s Encrypt or cPanel’s partnership with Comodo, especially as Google started to push the web towards HTTPS with their “Not Secure” messages in browsers for non-HTTPS sites.

However, with the release of this feature, it became a lot easier to link all of the addon domains in a cPanel account together – whether they are your PBNs from different sub-networks that you’ve put in the same hosting account, or several of your Money Sites.

In this guide, I show you how you can check to see if any sites are linked together and why you should avoid using addon domains in a cPanel account to host multiple PBNs or advertising/affiliate/lead gen sites.

Let’s See An Example

To prepare an example for this article, I went to Dynadot and registered two domains – sslexample.com and unrelated.xyz – one to be the main domain for a cPanel account, and one as an addon domain.

Once I’d registered both domains, I created a cPanel hosting account with Domain Name Sanity for sslexample.com, and then added unrelated.xyz as an Addon Domain, per the screenshot below – which shows the subdomain “unrelated” that was created for the addon domain “unrelated.xyz”. This subdomain name is important, which you’ll see later.

I also installed WordPress on both sites, which is common for most people building PBNs or advertising/affiliate/lead gen sites.

After the cPanel AutoSSL ran, I then checked the certificate with the free SSL certificate check tool offered by SSL Shopper, although you can also do this in most browsers by clicking on the padlock and choosing “View Certificate”.

Below is the details of the SANs (Subject Alternative Names) in the certificate for sslexample.com, our primary domain for the cPanel account:

You’ll notice in there that there are all of the standard cPanel subdomains (cpanel, cpcalendars, cpcontacts,mail, webdisk, webmail), as well as the “unrelated.sslexample.com” and “www.unrelated.sslexample.com” subdomains that were created as part of the process of creating an Addon Domain in cPanel.

If you visit www.unrelated.sslexample.com in your browser, it will show the same content as unrelated.xyz, which includes many references to that second domain in the source code.

This makes it extremely easy to find the actual domain name that the subdomain is for. In some instances, it will automatically redirect to the correct domain as well.


via GIPHY

Next, I took a look at the SSL certificate that was created for the addon domain, unrelated.xyz:

Again, it has all of the standard cPanel subdomains in there, but the certificate also has the subdomains unrelated.sslexample.com and www.unrelated.sslexample.com that was created for the primary domain of the cPanel account.

With that piece of info, someone could go back to the main domain and retrieve all of the other subdomains and create a map of all of the sites that are in that single cPanel account.

And that’s something that could easily be automated as part of a search engine’s algorithm – mapping all of the domains that share an SSL certificate.

But I haven’t set up SSL on my sites… I’m safe, right?

SSL certificates are issued automatically to all domains hosted on a cPanel server with most hosting providers, whether you have requested an SSL certificate or not.

This includes Bluehost, HostGator, A2 Hosting, SiteGround and most other popular providers.

How can I check this for my sites?

If you’ve used cPanel’s Addon Domains feature, you can check the SSL certificates for those domains using the free SSL certificate check tool offered by SSL Shopper, or your web browser by clicking on the padlock and clicking through until you get the option to “View Certificate”. The steps are slightly different in each browser.

You’re looking for anything that links the domains in your hosting account together, either:

  • the main cPanel account domain appearing in the SSL certificate for an addon domain
  • or subdomains that refer to your addon domain appearing in the SSL certificate for the main domain

In either case, you’ve created a footprint between all of the sites in that hosting account which shows that they’re all linked to you.

What sneaky things could you do with this info?

If you’re exploring the PBN (or a money site) of one of your competitors, check the SSL certificates to see if there are any other domains linked together.

It might reveal some other lucrative niches that you could start a site in, regardless of whether you’re in affiliate, lead gen or ecommerce.

What should I do if I’ve done this myself?


via GIPHY

Change the way that you’re hosting your sites. And do it quickly!

Rather than hosting multiple sites in the same cPanel account, you should put each site in its own cPanel account. That way, there’s nothing linking all of the sites in that account.

If you’re using LaunchCDN or our sister brand, Bulk Buy Hosting, we’re already doing this for you.

We create a unique hosting account for each domain that we host for you on LaunchCDN or Bulk Buy Hosting.

This is just one of the many things that we do to avoid footprints that could link sites together and result in your network being deindexed.

If you’re not hosted with us yet, we offer free migration of your sites to our service.

For your money sites, again each site should be hosted in a separate account, such as the WordPress Hosting plans from Domain Name Sanity.