Threats follow trends and thanks to the digital explosion that has swept across the world, hosting a website today has become increasingly dangerous.
This is even worse when you consider that the majority of the people who own websites are trying to monetize them, which means there is the potential for significant impact.
Even as Google warned last year of an increased focus on mobile website readiness, 2018 also saw mobile malware attacks double. While this specifically may be loosely related, you can see the general trend of cyber security threats following the crowd.
The security of web hosting can be challenging, especially for smaller sites with limited resources. After all, if even financial institutions with multi-million dollar cyber security budgets can be breached, what hope is there for the rest of us, right?
Not quite correct.
Giving up and ignoring cyber threats just because you think you don't have the resources to overcome them is wrong. Cyber attacks spend considerably more time and resources to penetrate high-value targets because there is the potential for a great payday.
However, for smaller sites, keeping issues in mind and following the best practices of standard web hosting protection should be sufficient to minimize most of the problems. Well, unless you've made someone really mad at you, for some reason.
Today I'm going to share with you some of the best web hosting security practices, as well as offer practical tips that you can try to bolster your defenses.
Top Ten Topics for Web Hosting Security Best Practices to Follow...
1. Stick with a Reputable Web Hosting Provider:
Your web hosting provider plays a much bigger role in your website security than you might think. From the physical space of your website to the traffic coming in and out of your website, your web hosting provider plays a very intimate role when it comes to your security.
For example, it is often the web server that takes care of the standard line items, such as antivirus and antimalware. Some web hosting providers also offer automated and anti-spam backup and recovery systems, and if you're lucky you can even use a Content Delivery Network (CDN).
Shared hosting sometimes carries some risk depending on the web host. If you have many websites under the same account, and they can be accessed from the same FTP account, then all you need is for one of them to get infected with malware to compromise the other sites as well.
If you have been a victim of this malware attack, we recommend that you refer to this guide on how to clean your website from malware.
Tip: Make security your top consideration when choosing a web host. If you've been hosting a site for some time and it's grown to the point where you can justify switching to a VPS hosting account, I highly recommend doing so as soon as possible. VPS hosting offers much better security features than standard shared hosting accounts.
2. Use a CDN:
As I mentioned earlier, some web servers work with CDN, but if they don't, you can do it yourself too. CDNs help serve your web pages faster to visitors by hosting your site caches on servers around the world. When accessing your site is requested, the CDN will first provide cached data from the location closest to where it was requested.
However, in addition to the speed advantage, CDNs also make use of massive server networks to offer what is called load balancing. This means that by using a CDN, you are partially working with your server resources and can handle a larger number of visitors.
That's tied to the best part of using a CDN, the prevention of distributed denial of service (DDoS) attacks. DDoS attacks attempt to overwhelm and shut down websites by flooding them with requests until the server shuts down. However, CDNs are designed to strengthen security by compensating for this across your server network.
Tip: try using Cloudflare as your CDN. Free accounts are available with basic features, and you can expand them as your needs change.
3. Always Use SSL Certificates:
Secure Sockets Layer (SSL) certificates help ensure your visitors that all the information they share on your site is encrypted and secure. Today, SSL is becoming so important that major Internet browsers will warn users if a site does not use SSL.
There are a few types of SSL certificates and the prices for each vary. Rest assured, if you have a personal site or even one for a small business, you can easily use a free SSL certificate. They are easy to obtain and install; in fact, you can do it with a few clicks in Plesk or cPanel.
Tip: You can get a free Let's Encrypt SSL certificate directly from them, but it's best if your web host offers this service. Today's May web servers will allow easy installation of Let's Encrypt free SSL.
4. Always Keep Backups:
Although there are web servers that offer backup and restore functions, some do not yet. Regardless of this, you should always make your own backups and keep a set of files offline, just in case. This may sound a bit tedious to you, but you have no idea how your host has set up its backup system or what could happen in a disaster. Maintaining an offline backup (of both your files and your database) can save your life.
Tip: Automating the offline backup process is easier than you think, especially if you are using WordPress. Use the UpdraftPlus backup plug-in and you can remotely backup any frequency to the destination of your choice. You may also want to check out these WordPress backup services
5. Strengthen Passwords:
You've heard of it, you've seen it in the movies, and you may be guilty of doing it yourself, but using easy-to-remember passwords is a recipe for disaster. Today's hackers are sophisticated enough to have entire files called dictionaries full of commonly used passwords that they will test against a site's defenses.
To put things in perspective, a botnet can force a six-character password in about four hours. Remember that this is all automated, so while you and the cyber attackers are sleeping, the bots keep trying to get into the websites.
Tips: Use a longer and more complex password, preferably consisting of a combination of uppercase and lowercase characters, digits, and special characters.
6. Encrypt Your Own Connection:
Since you are the owner of your website, your connection to your web hosting account must be kept more secure than that of your visitors. I recommend that you transfer files using Secure File Transfer Protocol (SFTP) or through a virtual private network (VPN) connection.
Either method will help prevent someone from trying to intercept and steal the data that you send to your web server. Personally, I recommend using a VPN, although the cost is usually higher than using an SFTP client. VPNs work by encrypting everything that is sent from your computer, so it covers all scenarios.
Tip: If a VPN isn't your thing, there are a ton of free SFTP clients available to use. I recommend FileZilla, which is extremely powerful and open source.
7. Keep Things Updated:
One way that attackers try to gain access to websites is by exploiting known weaknesses in the software. Almost all software has bugs or gaps of some kind and many are continually updated to block these gaps as developers find them.
Make sure to keep all the software you use for your website up to date whenever possible. If you are using WordPress, make sure that not only your WordPress installation is kept up to date, but also every plugin or theme that you have installed.
Tip: Some web servers offer one-click updates for WordPress sites that will allow you to quickly update not just one site, but all the sites hosted on your account.
8. Make Use of Server Configuration Files:
The type of server configuration files you have to deal with depending on the web hosting platform you are on. For example, Apache uses .htaccess while Microsoft uses web.config files. These configuration files are extremely powerful and can be used to improve the security of your site.
By adding the correct rules to your server's configuration files, you can prevent directory browsing, prevent others from accessing images on your site, and even protect specific files.
Tip: If you're not sure which web server you're on, check back soon...
9. Pay attention to File Permissions:
Files have several properties that define what users can do with them and by whom. There are basically three roles that can interact with files; owners, groups and public. The things they can do with files are read, write, or run them.
To really secure your site, learn what the important files are and check the permissions that each one is set to. An incorrectly defined file permission can end up allowing anyone with access to add malicious code that can damage your site.
Tip: file permission 666 allows anyone to write anything to your file; Be very careful when using this setting!
10. Use Two-Factor Authentication:
In relation to element n. 5, no matter how long or complex a password is, it still has the potential to be cracked. If this is really a phobia of yours, I recommend that you look for a 2-factor authentication (2FA) system.
Using 2FA means that in addition to your password, the system you are trying to access must verify your identity through other means. The fastest and most common 2FA method is to authenticate using a mobile code.
Once your password is verified, the system will send a code to your mobile device and show you an authentication code. You must enter this code into the system before gaining access. This greatly increases the security of your system.
Tip: There are many 2FA systems available on the market. If you are using WordPress, there are a few free ones you can try, like Google Authenticator.
Conclusion: Speak Softly and Carry a Big Stick:
Although I've provided 10 examples of web hosting security best practices here, there are many more and some may involve more than one item that you can do or pay attention to to improve. This is why it can be difficult for website owners to keep track of everything, especially if that is not their main business.
I recommend that you make a checklist in which you write down everything that needs to be monitored and separate it by frequency. For example, what items you need to check daily, weekly, or monthly. This will help you keep up to date.
Remember that it is not necessary to have perfect web security, it would be impossible. What you really need to do is make things as difficult as possible for any attacker to lose interest in your site and move on to easier choices.
As Teddy Roosevelt said, "Speak softly and carry a big club." Your security defenses are your great club, so to speak.