If you run a website built on a Content Management System, cms, there is some likelihood you would have received a notification from our web host reporting an inordinate use of server resources or a violation of the terms of service and this will come with a threat of suspension or restriction of access to your website. This is not to say that only CMSs have issues that can lead to a penalty. Every website can be penalized for one reason or the other. The key reason is that the website owner has violated the terms of service provided by the hosting company.
Based on our data, we have identified some of the common reasons your web host could deactivate, suspend or terminate your website. We will discuss them and suggest ways to address them when these problems arise.
What is a Website Restriction?
Website restrictions can take various forms ranging from:
IP restriction/Access limitation
If you find the message “This account has been suspended, please contact your hosting provider” then your website has been suspended. This suspension is generally due to a violation of the terms of service listed by the web host.
The common reasons for site suspension will include but are not limited to spamming/mass mailing, phishing, failing to pay for services when overdue, and cybercrimes. But basically, in this post, we are concerned with a violation that excludes payment for services.
Once your website is suspended, it tells Google you are not playing by the rules, you cannot be trusted and so you do not deserve a place at the top of its search engine. No matter how much you work, failing to avoid situations that get your website suspended will rob you of every benefit of your work which could have helped your search engine ranks.
If you engage in unacceptable practices especially spammy emails, you could get a warning from spam monitors like Spamhaus going directly to your web host. Consequently, Your server IP will be restricted to disable your ability to continue to send mass emails and you will be expected to address the situation before normal services are restored.
This affects all websites hosted on that server if the affected account was running on a shared IP. This will prompt your web host to take disciplinary actions against you which could include an immediate suspension or termination without notice.
Outright termination occurs when your web hosting account is deleted from the server. You lose your files and there is no way to reverse it except you purchase a new hosting service and uploaded fresh files or a healthy backup.
This will have little to do with your web host except that both your hosting and domain registration services are provided by the same company. Usually, if your domain name is marked by your registrar as engaged in cybercrime and added to the list of domains engaged in cybercrime, then it will get deactivated and the only option you could have is to change your domain name.
Google has in fact said that it will punish a group of domains that are owned by one person if just one of the domains in the group engages in unacceptable behavior. So you also need to be careful about the domains you verify in your Google webmaster account and ensure that your verified domains are within your control.
So Why Will Your Web Host Punish You With any of the Above
Spamming is sending unsolicited emails. But sending a single unsolicited mail in a day does not cause you trouble. What gets you trouble is mass mailing. If you must send mass emails, you should create a mailing list using software like phplist. phplist is available in QuickInstall under the software section of your website cpanel.
Sometimes, spamming is a result of exploitation on your website. For instance, automated user registrations have been found to occur in some cases creating a problem for websites.
The recommended approach to deal with user registration is to update your software to its latest version, disable user registration from your website admin dashboard, or simply disable the user registration module or plugin.
Generally, spamming can be addressed by ensuring that emails to which you send emails are verified. If you send emails and receive bounces, check them very well to be sure of the reason for the bounces and address them. The best way to go is to use emailing software like phplist.
Phishing websites are created just for cybercrimes. They are designed to look like an original website and so users get confused not knowing they are dealing with a fraudster. They input the login details, usually financial in nature, and unknowingly reveal their critical information such as e-banking login details to criminals.
On Todhost, a phishing website will be terminated without asking questions. Once we conclude investigations and confirm it is a phishing website, we will terminate the account immediately.
3. High Load Issues
This is a common cause of website suspension. High load occurs when a website is targeted with heavy traffic. Most times, it is an attack and causes a high load which could crash the server. High loads are usually exploited when the website is not well-optimized.
The best way to mitigate this kind of attack is to run on the most recent version of the software with all plugins, modules, and extensions updated. There are also some htaccess rules that help secure websites against attacks such as SQL injections and prolonged attacks.
4. Direct Attacks
Direct attacks occur when clients use weak login credentials especially weak passwords. Some clients use very weak passwords like theirdomains@1 and similar passwords which are easy to memorize. The consequence is that they are also easy to break with a brute-force attack.
The following security practices are recommended to prevent this kind of intrusion or attack.
Follow basic security practices.
Use robust login credentials with uncommon passwords to make it difficult for hackers to gain access to your site. If possible, incorporate two-factor or multi-factor authentication to improve security posture further.
Here is a guide to password protection.
Adopt Long Passphrases
For years, businesses and individuals have adopted the practice of combining numbers and symbols to create stronger passwords. However, it didn’t take long for cyber criminals to catch on to the practice of substituting some letters in the word with certain numbers or symbols, like ‘e’ with ‘3’ and ‘s’ with ‘$’. There are many automated tools out there that will easily crack simple substitutions like that.
To mix things up even more than substituting special characters, the US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember but difficult to crack. According to Special Publication 800-63 Digital Identity Guidelines, a best practice is to create passwords of up to 64 characters including spaces. The popular web comic XKCD compared the strength of a complex password—”Tr0ub4dor&3”—and a long passphrase—“correct horse battery staple”. They found that it took only 3 days to guess the password created in with special character substitutions, while the passphrase would take 550 years to crack.
Avoid Periodic Changes
A popular password security practice over the years has been to force users to change passwords periodically. However, more recent guidance from NIST advises not to use a mandatory policy of password changes. One reason is that users tend to transform their old passwords or just repeat the ones they had used before. You can implement policies to prevent password re-use, but users will still find creative ways around it. The other consequence of frequent password changes is that users are more likely to write the passwords down to keep track of them. While they comply with company policy, their passwords are still easy to guess or crack. Thus, a best practice from NIST is to ask employees for password changes only in case of potential threat or compromise.
Create Password Blacklist
Hackers usually start their attacks with attempts to guess a password by using a database of the most popular passwords, dictionary words, or passwords that have already been cracked. NIST encourages enterprises to also arm themselves with these sources of common passwords in order to create their own blacklist. Comparing new passwords to this list, enterprises can prevent the usage of weak passwords by employees. Moreover, it is quite effective to add a limit on the number of failed login attempts in order to detect and reject brute force or dictionary attacks.
Implement Two-Factor Authentication
Two-factor authentication has already become a de facto standard for managing access to corporate servers. In addition to traditional credentials like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor if you want to add additional factors) authentication, guessing, or cracking the password alone is not enough for an attacker to gain access. This type of authentication is effective for enhancing identity validation when employees try to access critical endpoints, sensitive data, or confirm transactions and other critical actions. For these purposes, you can use user monitoring solutions like Ekran System with in-built two-factor authentication options. Such solutions will also keep you updated about users’ activity on your business network.
Add Advanced Authentication Methods
While passwords are still widely used for authorization, there is an increasing tendency to shift to non-password-based, advanced methods. Instead of passwords, users can be authenticated through the use of biometric verification—like logging in to an iPhone using a thumbprint with Touch ID or authenticating on a Windows 10 PC just by looking at it with Windows Hello facial recognition. This method allows the system to identify employees by recognizing their faces, fingerprints, voices, irises, or heartbeats. Moreover, there is also behavioral biometrics that creates a unique profile of each user by analyzing their interactions with the system (typically used applications, unique keystrokes,s, and mouse dynamics).
Apply Password Encryption
Encryption provides additional protection for passwords even if they are stolen by cybercriminals. There is a popular tendency to use reversible encryption or apply only one-way encryption. However, these methods are ineffective—if an attacker obtains the password database they can easily crack and compromise the passwords it contains. Instead, the best practice is to consider end-to-end encryption that is non-reversible. In this way, you can protect passwords in transit over the network. Moreover, it’s dangerous to store password files in plain text. There are many cases where hackers have compromised an enterprise’s password database and walked away with unencrypted passwords.
Protect Accounts of Privileged Users
Accounts of privileged users require additional protection as they provide access to sensitive data and other privileged actions. The best practice is to provide these users with a different login URL and allow only a single sign-on attempt. In case of a failed login attempt, you can lock out a privileged account in order to prevent unauthorized access.
Ensure Secure Connection
Nowadays, there is a wide range of devices and places that can provide access to your corporate networks. However, hackers can easily steal passwords if employees use unsecured Wi-Fi connections or devices that don’t belong to them. For securing your Wi-Fi network, you can use a Wi-Fi Protected Access (WPA) 2 that applies stronger wireless encryption methods than its predecessor.
If you have remote workers, you can consider providing a secure VPN connection. After authentication to which, users can securely connect to corporate servers, as all the traffic is protected through a VPN tunnel.