10 Web Hosting Security Best Practices to Follow
Threats follow trends and thanks to the digital explosion that has spread the world over, hosting a website today has gotten increasingly dangerous. This is even worse considering that most people who own websites try to monetize them, meaning there is the potential for significant impact.
Even as Google last year warned of an enhanced focus on mobile readiness for websites, 2018 also saw mobile malware attacks doubling. While this specifically may be only loosely related, the general trend of cybersecurity threats following the crowd can be seen.
Web hosting security can be a challenge, especially for smaller websites with limited resources. After all, if even financial institutions with multi-billion-dollar cybersecurity budgets can get breached, what hope is there for the rest of us, right?
Not entirely correct.
Giving up and ignoring cyber threats just because you think you don’t have the resources to overcome them is a mistake. Cyberattackers spend considerably more time and resources to penetrate high-value targets because there is the potential for a large payday.
However, for smaller sites, keeping things in perspective and following standard web hosting security best practices should be enough to mitigate most problems. Well, unless you happen to have made someone very upset with you, for some reason.
Today I’m going to share with you some web hosting security best practices as well as offer actionable tips which you can try out to beef up your defenses.
1. Stick with a Reputable Web Hosting Provider
Your web hosting provider plays a much larger role in your website security than you might think. From the physical space your website sits on to the traffic that goes in and out from your website, your web hosting provider plays a very intimate role where your security is concerned.
For example, it is often the web host which takes care of standard line-items such as anti-virus and anti-malware. Some web hosting providers also offer anti-spam, automated backup and recovery systems and if you’re lucky, even make use of a Content Distribution Network (CDN).
Tip: Make security your primary consideration when choosing a web host. If you’ve been hosting a site for some time now and it has grown to the point where you can justify moving to a VPS hosting account, I recommend you do so as soon as you can. VPS hosting offers much better security features than standard shared hosting accounts.
2. Use a CDN
As I mentioned just above, some web hosts work with CDNs, but if yours doesn’t, you can set one up for yourself as well. CDNs help serve up your web pages more quickly to visitors by hosting caches of your site at servers around the world. When access to your site is requested, the CDN will first serve cached data from the location closest to where it was requested.
However, aside from the speed advantage, CDNs also make use of the massive server networks to offer what is called load-balancing. This means that by using a CDN, you are partially working off their server resources and you can manage a larger number of visitors.
That is related to the best part of using a CDN, the prevention of Distributed Denial of Service (DDoS) attacks. DDoS attacks try to overwhelm and shut down websites by flooding them with requests until the server shuts down. CDNs however are designed to strengthen the security by offsetting this through their server network.
Tip: Try using Cloudflare as your CDN. There are free accounts available with basic features and you can scale up with them as your needs change.
3. Always Use SSL Certificates
Secure Sockets Layer (SSL) certificates help assure your visitors that any information they share on your site is encrypted and will be safe. Today, SSL is becoming so important that major Internet browsers will warn users if a site is not using an SSL certificate.
There are a few types of SSL certificates and the prices for each vary. Rest assured that if you’re running a personal site or even one for a small business you can easily use a free SSL certificate. They are easy to obtain and install; in fact, you can do it in a few clicks in either Plesk or cPanel.
Tip: You can get a free SSL certificate directly from Let’s Encrypt, but it is better if your web host offers this service. Many web hosts today will enable easy installation of Let’s Encrypt free SSL.
4. Always Keep Backups
Automatic Backup and Restore with WPX Hosting
Although there are web hosts around which offer backup and restore features, some still do not. Irrespective of this you should always do your own backups and keep a set of files offline, just in case. This may sound a little tedious to you, but you have no idea how your host has set up its backup system or what might happen in a disaster. Keeping an offline backup (of both your files and database!) can be a life-saver.
Tip: Automating the offline backup process is easier than you might think, especially if you’re using WordPress. Use the UpdraftPlus backup plugin and you can remotely back up at any frequency to a destination of your choice. You may also want to check out these backup services for WordPress.
5. Strengthen Passwords
You’ve heard about it, seen it happen in the movies and may be guilty of doing it yourself, but using easy to remember passwords is a recipe for disaster. Hackers today are sophisticated enough that they have entire files called dictionaries full of commonly used passwords that they will test against a site’s defenses.
To put things into perspective, a botnet can brute force a six-character password in approximately four hours. Remember that this is all automated, so while you and cyberattackers are sleeping, the bots move on trying to break into websites.
Tip: Use longer, more complex passwords which preferably consist of a mix of uppercase and lowercase characters, digits and special characters.
6. Encrypt Your Own Connection
Since you are the owner of your website, your connection to your web hosting account should be kept more secure than one from your visitors. I recommend that you either transfer files using Secure File Transfer Protocol (SFTP) or via a Virtual Private Network (VPN) connection.
Either method will help prevent anyone from trying to intercept and steal data which you are sending to your web server. Personally, I recommend using a VPN, although the cost is usually higher than using an SFTP client. VPNs work by encrypting everything that is being sent out from your computer, so it covers all scenarios!
Tip: If a VPN isn’t your cup of tea there are a ton of free SFTP clients available to use. I recommend FileZilla, which is extremely powerful and it’s open source.
7. Keep Things Updated
One way which attackers try to gain access to websites is by exploiting known weaknesses in software. Almost all software has bugs or loopholes of some kind and many are being continually updated to block these gaps as the developers find them.
Make sure that you keep all the software you use for your website up to date where possible. If you’re using WordPress, make sure that not just your WordPress installation is kept up to date but also each plugin or theme you have installed.
Tip: Some web hosts offer one-click updates for WordPress sites that will enable you to quickly update not just one site, but all your sites hosted under your account.
8. Make Use of Server Configuration Files
The type of server configuration files you need to deal with depends on what web hosting platform you’re on. For example, Apache uses .htaccess while Microsoft uses web.config files. These configuration files are extremely powerful and can be used to enhance your site security.
By adding the right rules to your server configuration files, you can prevent directory browsing, stop others from hotlinking to images on your site and even protect specific files.
Tip: If you aren’t sure what web server you’re on you can check that very quickly here.
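To make the three protections above concrete, here is an added example (not from the original article): a constructed Apache 2.4 .htaccess that disables directory browsing, blocks image hotlinking and denies direct access to specific files, plus a small checker that reports which of the three a given file lacks. The domain example.com, the file name wp-config.php and the checker's patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample: an .htaccess (Apache 2.4 syntax) covering the three
# protections named above. example.com and wp-config.php are placeholders.
HARDENED = r"""
# 1. No auto-generated directory listings
Options -Indexes

# 2. Refuse image requests whose Referer is another site (hotlinking)
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ - [F,NC]

# 3. Never serve sensitive files directly
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
"""

# Constructed sample of a weak file: listings explicitly on, nothing else.
WEAK = "Options +Indexes\n"

# Assumed heuristics: one pattern per protection, matched on active lines.
CHECKS = {
    "directory listing disabled": r"^\s*Options\b.*-Indexes\b",
    "hotlink protection": r"^\s*RewriteCond\s+%\{HTTP_REFERER\}",
    "sensitive files denied":
        r"<Files(?:Match)?\b[^>]*>\s*Require\s+all\s+denied\b",
}

def audit_htaccess(text):
    """Return the names of the protections that are missing from text."""
    # Drop comment lines so a commented-out rule does not count as present.
    active = "\n".join(line for line in text.splitlines()
                       if not line.lstrip().startswith("#"))
    return [name for name, pattern in CHECKS.items()
            if not re.search(pattern, active, re.MULTILINE | re.IGNORECASE)]

if __name__ == "__main__":
    for label, sample in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, "-> missing:", audit_htaccess(sample) or "nothing")
```

The `Options` line only takes effect in .htaccess if the host's main configuration allows it through `AllowOverride`, so confirm the listing is really gone by requesting a directory that has no index file.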
9. Pay Attention to File Permissions
Files have several properties which define what can be done to them and by whom. Basically, there are three roles which can interact with files: owners, groups and public. The things they can do with files are to read, write or execute them.
To really secure your site, learn what the important files are and check the permissions that each of them is set with. An incorrectly defined file permission can end up allowing anyone with access to it to add in malicious code which may harm your site.
Tip: File permission 666 allows anyone to write anything to your file – be extremely wary of using this setting!
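One way to check a site for the problem described above, as an added example that is not part of the original article: the script decodes a mode such as 666 into the three roles and walks a web root listing everything the public role can write to. The demo tree (index.php, style.css, uploads) is constructed, and the suggested replacement modes are an assumption to adjust for your host.

```python
import os
import stat
import tempfile

def explain(mode):
    """Split permission bits into the three roles: owner, group, public."""
    bits = stat.filemode(mode)[1:]      # drop the file-type character
    return {"owner": bits[0:3], "group": bits[3:6], "public": bits[6:9]}

def audit_tree(root):
    """List (relative path, current mode, suggested mode) for every file or
    directory under root that the public role is allowed to write to."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)         # inspect the entry, not a link target
            if stat.S_ISLNK(st.st_mode):
                continue                # a symlink's own mode is not enforced
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                # Assumption: dropping group and public write (666 -> 644,
                # 777 -> 755) is a reasonable default for web content.
                safer = mode & ~0o022
                findings.append((os.path.relpath(path, root),
                                 format(mode, "03o"), format(safer, "03o")))
    return sorted(findings)

def make_demo_tree():
    """Build a constructed sample web root in a temporary directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for name, mode in (("index.php", 0o666), ("style.css", 0o644)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    os.chmod(uploads, 0o777)
    return root

if __name__ == "__main__":
    print(explain(0o666))
    for rel, mode, safer in audit_tree(make_demo_tree()):
        print(f"{rel}: {mode} is writable by anyone, consider {safer}")
```

To audit a real site, call `audit_tree()` on your own web root instead of the demo tree; the function only reads metadata and changes nothing.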
10. Use Two-Factor Authentication
Related to item #5, no matter how long or complex a password is, it still has the potential to get cracked. If this is really a phobia of yours, I would highly recommend you look for a Two-Factor Authentication (2FA) system.
Using 2FA means that aside from your password, the system you are trying to gain access to must check your identity through another means. The quickest and most common 2FA method is to authenticate via a mobile code.
Once your password is verified, the system will send a code to your mobile device and display an authentication code to you. You must enter that code into the system before gaining access. This increases the security of your system immensely.
Tip: There are many 2FA systems available in the market. If you’re using WordPress there are even a few free ones you can try out like the Google Authenticator.
Conclusion: Speak Softly and Carry a Big Stick
Although I’ve provided 10 examples of web hosting security best practices here, there are a lot more, and some involve more than one thing you can do or pay attention to. Because of that, it can be difficult for website owners to keep track of everything – especially if that isn’t your core business.
I recommend that you draw up a checklist where you list down everything that needs to be monitored and separate it by frequency. For example, what items you need to check daily, weekly or monthly. This will help you keep up to speed.
Remember that you don’t have to have perfect website security – it would be impossible. What you really need to do is to make things as difficult for any attacker as possible so that they lose interest in your site and move on to easier pickings.
As Teddy Roosevelt said, “speak softly and carry a big stick.” Your security defenses are your big stick, so to speak.