
10 Web Hosting Security Best Practices to Follow

Threats follow trends, and thanks to the digital explosion that has spread the world over, hosting a website today has become increasingly dangerous. This is even worse considering that most people who own websites try to monetize them, meaning there is the potential for significant impact.

Even as Google last year warned of an enhanced focus on mobile readiness for websites, 2018 also saw mobile malware attacks doubling. While this specifically may be only loosely related, the general trend of cybersecurity threats following the crowd can be seen.

Web hosting security can be a challenge, especially for smaller websites with limited resources. After all, if even financial institutions with multi-billion-dollar cybersecurity budgets can get breached, what hope is there for the rest of us, right?

Not entirely correct.

Giving up and ignoring cyber threats just because you think you don’t have the resources to overcome them is a mistake. Cyberattackers spend considerably more time and resources penetrating high-value targets because there is the potential for a large payday.

However, for smaller sites, keeping things in perspective and following standard web hosting security best practices should be enough to mitigate most problems. Well, unless you happen to have made someone very upset with you, for some reason.

Today I’m going to share with you some web hosting security best practices as well as offer actionable tips which you can try out to beef up your defenses.

1. Stick with a Reputable Web Hosting Provider

Your web hosting provider plays a much larger role in your website security than you might think. From the physical space your website sits on to the traffic that goes in and out of your website, your web hosting provider plays a very intimate role where your security is concerned.

For example, it is often the web host which takes care of standard line-items such as anti-virus and anti-malware. Some web hosting providers also offer anti-spam, automated backup and recovery systems and if you’re lucky, even make use of a Content Distribution Network (CDN).

Tip: Make security one of your primary considerations when choosing a web host. If you’ve been hosting a site for some time now and it has grown to the point where you can justify moving to a VPS hosting account, I recommend you do so as soon as you can. VPS hosting offers much better security features than standard shared hosting accounts.

2. Use a CDN

Traditional web delivery model (left) versus through a CDN (right) – Source: Wikipedia

As I mentioned just above, some web hosts work with a CDN, but if they don’t, you can set one up yourself. CDNs help serve your web pages more quickly to visitors by hosting cached copies of your site on servers around the world. When your site is requested, the CDN will first serve cached data from the location closest to the requester.

However, aside from the speed advantage, CDNs also make use of their massive server networks to offer what is called load balancing. This means that by using a CDN, you are partially running on their server resources and can handle a larger number of visitors.

That leads to the best part of using a CDN: the prevention of Distributed Denial of Service (DDoS) attacks. DDoS attacks try to overwhelm websites by flooding them with requests until the server goes down. CDNs, however, are designed to strengthen security by absorbing this flood across their server network.

Tip: Try using Cloudflare as your CDN. There are free accounts available with basic features and you can scale up with them as your needs change.

3. Always Use SSL Certificates

Browsers will indicate to users if the website they are visiting is secure or not

Secure Sockets Layer (SSL) certificates help assure your visitors that any information they share with your site is encrypted and will be safe. Today, SSL has become so important that major Internet browsers will warn users if a site is not using SSL.

There are a few types of SSL certificates and the prices for each vary. Rest assured that if you’re running a personal site or even one for a small business you can easily use a free SSL certificate. They are easy to obtain and install; in fact, you can do it in a few clicks in either Plesk or cPanel.

Tip: You can get a free SSL certificate directly from Let’s Encrypt, but it is better if your web host offers this service. Many web hosts today make installing a free Let’s Encrypt SSL certificate easy.

4. Always Keep Backups


Automatic Backup and Restore with WPX Hosting

Although there are web hosts around which offer backup and restore features, some still do not. Irrespective of this, you should always do your own backups and keep a set of files offline, just in case. This may sound a little tedious to you, but you have no idea how your host has set up its backup system or what might happen in a disaster. Keeping an offline backup (of both your files and database!) can be a life-saver.

Tip: Automating the offline backup process is easier than you might think, especially if you’re using WordPress. Use the UpdraftPlus backup plugin and you can remotely back up at any frequency to a destination of your choice. You may also want to check out these backup services for WordPress.

5. Strengthen Passwords

Password security factors example (source: Cheatography)

You’ve heard about it, seen it happen in the movies and may be guilty of doing it yourself, but using easy-to-remember passwords is a recipe for disaster. Hackers today are sophisticated enough that they have entire files, called dictionaries, full of commonly used passwords that they will test against a site’s defenses.

To put things into perspective, a botnet can brute force a six-character password in approximately four hours. Remember that this is all automated, so while you and cyberattackers are sleeping, the bots move on trying to break into websites.

Tip: Use longer, more complex passwords which preferably consist of a mix of uppercase and lowercase characters, digits and special characters.

6. Encrypt Your Own Connection

Since you are the owner of your website, your connection to your web hosting account should be kept more secure than a visitor’s. I recommend that you either transfer files using Secure File Transfer Protocol (SFTP) or via a Virtual Private Network (VPN) connection.

Either method will help prevent anyone from intercepting and stealing data which you are sending to your web server. Personally, I recommend using a VPN, although the cost is usually higher than using an SFTP client. VPNs work by encrypting everything that is sent out from your computer, so they cover all scenarios!

Tip: If a VPN isn’t your cup of tea, there are a ton of free SFTP clients available. I recommend FileZilla, which is extremely powerful and open source.

7. Keep Things Updated

One way attackers try to gain access to websites is by exploiting known weaknesses in software. Almost all software has bugs or loopholes of some kind, and much of it is continually updated to close these gaps as the developers find them.

Make sure that you keep all the software you use for your website up to date where possible. If you’re using WordPress, make sure that not just your WordPress installation is kept up to date but also each plugin or theme you have installed.

Tip: Some web hosts offer one-click updates for WordPress sites that will enable you to quickly update not just one site, but all the sites hosted under your account.

8. Make Use of Server Configuration Files

The type of server configuration file you need to deal with depends on what web hosting platform you’re on. For example, Apache uses .htaccess while Microsoft IIS uses web.config files. These configuration files are extremely powerful and can be used to enhance your site security.

By adding the right rules to your server configuration files, you can prevent directory browsing, stop others from hotlinking to images on your site and even protect specific files.

Tip: If you aren’t sure what web server you’re on you can check that very quickly here.

9. Pay attention to File Permissions

Files have several properties which define who can do what to them. Basically, there are three roles which can interact with files: owner, group and public. The things they can do with files are read, write or execute them.

To really secure your site, learn which files are important and check the permissions each of them is set with. An incorrectly set file permission can end up allowing anyone with access to add malicious code which may harm your site.

Tip: File permission 666 allows anyone to write anything to your file – be extremely wary of this setting!
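An added example (not code from the article) covering items 8 and 9 together: a POSIX shell script that finds the world-writable permissions item 9 warns about (666, 777 and similar), resets them to the usual 755/644 defaults, and writes the .htaccess rules item 8 describes (directory listing off, wp-config.php and .htaccess never served, image hotlinking refused). Apache 2.4 with mod_rewrite and a WordPress-style layout are assumptions; the hostname passed to write_htaccess is a placeholder.

```shell
#!/bin/sh
# Added example, not from the article. Assumes Apache 2.4 (Require syntax),
# mod_rewrite enabled, and a WordPress layout where wp-config.php holds the
# database credentials.

# List every path under $1 that is world-writable (o+w: 666, 777 and friends).
find_world_writable() {
  find "$1" -perm -002 -print 2>/dev/null | sort
}

# Number of world-writable paths; a cron check can alert whenever it is > 0.
count_world_writable() {
  find_world_writable "$1" | wc -l | tr -d ' '
}

# Tighten to the usual web defaults: directories 755, regular files 644.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
}

# Write an .htaccess into $1 that turns off directory listings, blocks direct
# HTTP requests for sensitive files, and refuses image hotlinking from other
# hosts. $2 is the site's own hostname with dots already regex-escaped.
write_htaccess() {
  cat > "$1/.htaccess" <<EOF
# Never list directory contents when no index file exists
Options -Indexes

# Nobody fetches the config file or this file over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>

# Serve images only when the Referer is empty or is this site itself
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?$2/ [NC]
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
EOF
  chmod 644 "$1/.htaccess"
}
```

Run `find_world_writable /path/to/webroot` first to see what would change, then `harden_permissions` and `write_htaccess` against the same directory.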

10. Use Two-Factor Authentication

Related to item #5: no matter how long or complex a password is, it still has the potential to be cracked. If this really worries you, I highly recommend you look for a Two-Factor Authentication (2FA) system.

Using 2FA means that, aside from your password, the system you are trying to access must check your identity through another means. The quickest and most common 2FA method is to authenticate via a mobile code.

Once your password is verified, the system will send an authentication code to your mobile device. You must enter that code into the system before gaining access. This increases the security of your system immensely.

Tip: There are many 2FA systems available on the market. If you’re using WordPress, there are even a few free ones you can try out, like Google Authenticator.

Conclusion: Speak Softly and Carry a Big Stick

Although I’ve provided 10 examples of web hosting security best practices here, there are many more, and some involve more than one item which you need to do or pay attention to. Because of that, it can be difficult for website owners to keep track of everything – especially if that isn’t your core business.

I recommend that you draw up a checklist listing everything that needs to be monitored, separated by frequency: for example, which items you need to check daily, weekly or monthly. This will help you keep up to speed.

Remember that you don’t have to have perfect website security – that would be impossible. What you really need to do is make things as difficult for any attacker as possible, so that they lose interest in your site and move on to easier pickings.

As Teddy Roosevelt said, “speak softly and carry a big stick.” Your security defenses are your big stick, so to speak.


11 comments
Philip Verghese Ariel

Hi Enstine, It’s really good to see Jerry here with a timely post! Indeed this is an alert post to all bloggers. Out of the 10 examples of web hosting security best practices I follow some of them but few I never thought of. Thanks, Jerry for sharing this informative piece.
Keep sharing.
Best Regards
~ Philip

    Jerry Low

    Hey Philip – Good to see you here too. We all miss things (there are so many to take care of in blogging!), but security is definitely not something we want to take lightly. Cheers!
Oskaaay

Helpful guide indeed.

Additionally, it is recommended for WP users to redirect their default WP login page to a custom one. It naturally saves your WP website/blog from brute force hacking attacks.

Thanks for the info

    Jerry Low

    Agreed – that’s one of the most efficient ways to avoid brute force attacks. It’s not 100% hosting-related though, hence I have not included it in my list.
Momoh Ibrahim

This is a great article, as web hosting is like renting a shop where one can sell goods to make money. One needs to protect his/her shop. Very useful information. Though new in this, with your article I have learnt a lot. Thanks so much.
Nikola Roza

Great tips Jerry,
especially the weak password one. I’ve been guilty of having weakling passwords in the past, but nowadays I spit them out like a pro. It’s impossible for me to remember my passwords:)

    Jerry Low

    C*H*E*E*R*S*!*

    (Read between the lines / stars)

Kyra Rodriguez

Good read! Yes, I’ve been trying to change my password into strong ones. Thanks for sharing this informative blog.

Kufre Ekpo

Nice post. Thanks for sharing this post. A post like this has opened my eyes. Last month, my weblog was hacked and was taken down as well. Thanks to people like Enstine who also immensely helped in the course of recovering my website.
My question is what kind of security plugin somebody can use to protect his website from being hacked, because these hackers are on a rampage. The rate at which websites are hacked nowadays is quite alarming.
WPX Hosting

Hey Enstine,

Thank you for mentioning us and our automatic backups.

Your website is safe with us and whenever you need assistance our tech support is ready to help.

Thanks again,

WPX Team

Joy Healey

Hi Enstine and Jerry,

When I first went online several years ago I innocently imagined no hacker would be interested in “my little blog”. How wrong could I be?

In fact even from within the WP dashboard I couldn’t tell my blog had been hacked, but when I had to do something with FTP it became apparent that some foreign site was being hosted right there in the middle of my blog!! And it hadn’t been picked up by some of the scanners available.

I think this happened to me on shared hosting with a very well-known company, although they denied it was possible (I had very strong passwords). I moved to another hosting company who did at least detect that my site was hacked, but couldn’t fix it.

Finally I moved to my current hosting company who said they had never seen such a badly hacked site, but nevertheless fixed it for me as part of the migration process and it’s been fine since then.

Oh – and that’s forgetting one of my very first hosting experiences where I trusted the company that said they were taking backups. Yeah…. their last one was 6 months earlier, so I completely scrapped that blog and started again with a new company.

All these experiences were hard-learned as a complete beginner online, so anyone starting out would do well to save themselves mega-pain and implement Jerry’s tips from the outset, not – like I did – after I had almost been hacked into extinction.

Thanks for a great article.

Joy Healey – Blogging After Dark
