One of the growing trends (perhaps the largest) we’re seeing in the shared hosting industry is the number of account compromises as a result of lax security by website owners. As a host we implement a number of technologies to try and reduce these “automated” exploits, but it’s simply impossible for us to protect every website we host from every attack. As a website owner and operator, there are a number of basic and easy steps you can take to add additional security (and peace of mind) to your website. Trust me when I say an hour of your time now to prevent an exploit will save you days of work down the road if you’re compromised.
While this post is by no means all inclusive, nor is it a “one stop shop” for website security, it should at least provide you a basic understanding of how to keep your site safe and defend against run of the mill attacks.
Be smart about what you install – Without a doubt the most common attack vector we see is from customers running untrusted or vulnerable themes/plugins on their accounts. Just because a theme for your WordPress blog ‘looks cool!’ or the latest plugin ‘guarantees higher traffic!’ that isn’t a reason to trust and blindly install them. A lot of these themes/plugins/addons have nasty code embedded deep in their config files which a remote attacker is just waiting to exploit. There is also the possibility that what you’re installing relies on a library or module with plenty of known exploits, and again those remote attackers are just waiting to find your installation and gain access through those holes. Before you install *anything* on your website, do your research. Read reviews, make sure it’s in active development, and most importantly don’t install random software from a random website. It’s the same idea your parents taught you as a kid, don’t take candy from a stranger.
Keep your software updated – If an account is not exploited from a vulnerable addon, the next most frequent reason is due to running outdated software. Whether it’s WordPress, Joomla, Magento, or any of the hundreds of other platforms our customers use, running the most recent version (especially for security patches!) is the most important step you can take to stay safe. Software platforms like Softaculous (which we provide through cPanel on all shared, reseller, and semi-dedicated plans) provide you notifications and an easy way to upgrade, but almost every administrative panel these days offers a one click way to upgrade your software. Most popular software suites also have a mailing list which sends out emails when a new version is released. You should subscribe to those lists and make it a priority to read the changelog and update your sites accordingly. Sometimes it’s only a matter of hours before we start seeing exploits from outdated software once a release is pushed.
Permissions and protocols –
Having your password stolen (or worse, your personal details) is an equally scary and frustrating experience. How did this happen? Is my computer infected? Did someone sniff my traffic? Is my website compromised? These are the most common questions we’ll see from customers immediately after they realize something isn’t right with their account. It’s important that when you’re using your account with us, or the Internet in general, you always use secure protocols. For starters, anytime you access your account with us you should be using SSL. Here’s a quick list of the proper URLs/ports for common services with us:
http://yourdomain.com/cpanel – This URL will always redirect to the secure version of cPanel. You can verify this by making sure your URL includes ‘https’ and the port ‘2083’ before logging in. For example, https://cougar.hawkhost.com:2083 would be secure whereas http://cougar.hawkhost.com:2082 is not.
http://yourdomain.com/webmail – This URL will always redirect to the secure version of webmail. You can verify this by making sure your URL includes ‘https’ and the port ‘2096’ before logging in. For example, https://cougar.hawkhost.com:2096 would be secure whereas http://cougar.hawkhost.com:2095 is not.
Client Area and Helpdesk:
These should always be accessed via https://my.hawkhost.com/ and https://support.hawkhost.com respectively.
Email through Outlook/Thunderbird/etc:
These should be configured to use the server hostname and SSL. As each server is different, please contact our support team for help setting this up if you’re not sure how.
FTP should always be accessed using SFTP (SecureFTP). All FTP clients support this protocol. If you’re unable to connect using SFTP, we may need to enable SSH on your account.
It should be noted that we use valid SSL certificates for all of our cPanel/WHM logins, as well as our email servers. If you ever receive an invalid certificate warning accessing your cPanel account or email, *do not* attempt to accept the certificate and provide your login information. Instead, contact our support department immediately and let us know. Additionally, all of our websites (client area, helpdesk, VPS panel, etc), use extended validation certificates. What this means is you should always see a green bar in your browser when accessing those sites. Just like our hosting servers, if you ever receive an invalid certificate warning from our websites *do not* attempt to accept the cert and login. Instead contact us immediately letting us know about the warning!
In addition to using secure protocols, it’s also important to run the right permissions on your website. A lot of software installers/configuration programs tell you to chmod a directory to 777. This is simply terrible advice and should never be followed, as those permissions will allow anyone on the server to read, write, and modify that directory. There’s no quicker way to guarantee a compromise than to run 777 on anything. Proper permissions for your account are:
Directories under public_html (/home/yourusername/public_html/directory/): 755
All files under public_html: 644
That said, with our recent deployment of CageFS you should be protected against some of the more common exploits due to incorrect permissions. Still, it is important to make sure your permissions aren’t leaving your account vulnerable for no reason.
There are almost no circumstances in which these should be changed. If you feel they should be different, or your software says to change them, you should consult either us or your webmaster first.
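As an added example (not from the original post and not Hawk Host's own tooling), a POSIX shell script that audits a public_html tree against the 755/644 baseline described above, lists anything world-writable (the "chmod 777" case), and can correct the modes; the sample tree it builds is constructed for the demonstration, and the default docroot path is an assumption.

```shell
#!/bin/sh
# Added example: audit a public_html tree against the baseline in the post
# (directories 755, files 644). The default docroot is an assumed path;
# substitute your own /home/yourusername/public_html.

# Print every directory that is not exactly 755 and every regular file that
# is not exactly 644. (A CGI script that must stay executable would need an
# exclusion here; the post's baseline makes none.)
off_baseline() {
    find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \) -print
}

# Human-readable report: one "mode owner ... path" line per offending entry.
audit_perms() {
    off_baseline "${1:-$HOME/public_html}" | while IFS= read -r p; do ls -ld "$p"; done
}

# Number of off-baseline entries, as a bare integer (tr strips BSD wc padding).
count_offenders() { off_baseline "$1" | wc -l | tr -d ' '; }

# The most dangerous subset: anything with the "other write" bit (777, 666...).
world_writable() { find "$1" -perm -002 -print; }

# Reset every offending entry to the baseline mode.
fix_perms() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} +
    find "$1" -type f ! -perm 644 -exec chmod 644 {} +
}

# Constructed sample tree reproducing the installer-advised mistakes.
make_sample_tree() {
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir "$d/uploads" "$d/wp-content"
    touch "$d/index.php" "$d/wp-config.php" "$d/uploads/avatar.png"
    chmod 755 "$d/wp-content"
    chmod 644 "$d/index.php" "$d/uploads/avatar.png"
    chmod 777 "$d/uploads"          # "chmod the uploads dir to 777"
    chmod 666 "$d/wp-config.php"    # world-writable config file
    printf '%s\n' "$d"
}

# Usage: sh audit_perms.sh /home/yourusername/public_html
if [ -n "${1:-}" ]; then audit_perms "$1"; fi
```

Run it on a copy first if your site relies on executable scripts, since fix_perms applies the post's baseline without exceptions.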
Password policy – Using strong and unique passwords is one of the most important steps you can take to keep your website and account safe. While it may seem simple in theory, there is a tremendous difference between an 8 character password that is a variation of your children's names compared to a 16 character password that looks like a military keycode. As a general rule, each website you use should have a unique password. You should also get in the habit of rotating your passwords at least once every 3 months, if not sooner. While this may seem difficult to keep track of, there are a number of utilities/tools you can use to maintain and manage your logins:
LastPass: Found at https://lastpass.com/, this is a browser plugin (with a desktop utility) that keeps all of your login credentials safe in one place. You only need to remember one master password to login, and the rest of your passwords are stored securely and encrypted for you. LastPass also supports two-factor authentication with Yubikeys and Google Authenticator to add another layer of security.
KeePass: Found at http://keepass.info/, KeePass is an encrypted database stored on your local computer with the same general behavior as LastPass.
Password Generation: While both LastPass and KeePass have built-in utilities to generate passwords, websites like GRC will help you generate various secure passwords.
Proactive scanning and monitoring:
There are a number of websites out there that offer proactive monitoring/scanning of your files, and also attempt to remove any malware they find. For those of you who like to take the extra step in securing your site using third party services, you may wish to consider signing up with one of these companies:
StopTheHacker: One of the most well known (and trusted) third party services we can recommend is StopTheHacker, a website security service that proactively monitors, scans, and attempts to fix your website if it finds any malware or trojans. In addition to the scanning services, StopTheHacker also provides a plethora of other security services; a full list can be seen on their features page.
SiteLock: Similar to StopTheHacker, SiteLock is a proactive monitoring and security service to help keep your site secure and malware free. The entire feature set can be found here, but they offer reputation management, vulnerability scanning, support from security experts, and more.
CloudFlare: CloudFlare is one of (if not the) most well known website security and protection utilities available today. We’ve been an official partner with CloudFlare for almost two years now, and as a result we’ve been able to offer one-click activation through cPanel for any hosting account with us. We have a whole writeup on CloudFlare and how it can benefit you on our CloudFlare FAQ Page, but you should also check out CloudFlare's own website for a full rundown on how they can make your site both faster and more secure.
Incapsula: Incapsula is the closest competitor to CloudFlare we know of, offering a free website security + optimization service. Taking advantage of a global network which is constantly detecting (and learning) about the most common threats, putting your site behind their services will protect you from the most common bots, attacks, and malicious traffic. You can take a tour of their feature set here, which includes proactive traffic monitoring, simple PCI compliance, and in depth website analytics.
A Final Word
Every day this industry feels more and more like the Wild West of old (the Buffalo Bill Cody days). There is a constant struggle between the good guys (you and us) vs. the bad guys (the hackers) to see who can prevail and keep control of your websites. While what we covered above is again by no means an all-inclusive list or a sure-fire way to stay safe, employing best practices at all times can at least keep you safe from some of the most common exploits and “skiddies”. Keep in mind, security is a mentality, not just a checklist one should run through every 2 weeks to make sure they’re ‘safe’. Stay diligent, stay smart, and you’ll be one of the lucky ones who never has to go through the trouble of seeing their website hacked.