Website Security: A Guide For Shared Web Hosting Accounts

This post presumes your website is hosted on a shared web hosting plan. A shared hosting service allows the web hosting company to setup multiple websites on one server, usually using a common IP address. We have recently had some complaints on forums about web hosts placing some restrictions on hosting accounts due mainly to complaints about websites creating load issues, spamming and malware issues.

Also read:

Email Marketing and the Trouble With Auto-Responders

How to Prevent Spam on Your Joomla Website

Best Rated Anti-Spam Plugins for WordPress Websites

These three had been the cardinal issues affecting all websites, irrespective of the hosting plan - shared, reseller, VPS, or dedicated servers. But some website account holders tend to blame their web hosts and will raise issues of website security when their websites are suspended either for running a malware or running high load or is being exploited and automatically is sending out spam mails.

There are ways to deal with all these. But let us first consider who should take the blame for website security. Generally speaking, website security should be the responsibility of the website owner. It will however be a major responsibility for both the server manager to protect against attacks like a Distributed Denial of Service (DDOS) attack and other server security issue. In any case, website owners should tae responsibility to protect their sites. On a general note, most server managers also have an in-house DDOS security team and other security experts in-house and the most complaints we have received are related to a particular websites and not a general problem affecting every server user.

What should you do to protect your website?

1. Maintain a regular and functional backup

This is an advice that will continue to be repeated everyday and every time. Backups are the last resorts for everyone when all attempts to fix a website problems have failed. Most web hosts including Todhost provide an automated backup tool in cPanel. Such backups are stored in the home directory of the websites. We will advice that a copy of your backups be maintained on a local computer or an external saving device as a security measure. Make sure that the backup had been properly done and that the website is in a functional state before the backup commences.

2. Keep up with latest updates

The best way to avoid any breaches and exploitation on your website is to keep up with the latest website updates. It is good that most popularly used web design scripts like WordPress. Joomla Magento and many others do notify their users about latest updates. By updating, you can be sure that you are keeping up with latest security advice and addressing the bug issues which could have been spotted in your current website version.

For more reading on Joomla update, check our post on A Guide on How to update a Joomla website manually.

Also read:

A Checklist of Bad SEO Practices to Avoid

How to Prevent an Exploitation of Your Website by An Attacker

3. Address load related issues

Generally, a shortcut to address load issues is to enable the cache system on your website. The other thing will be to ensure that there is not exploration of any plugin to generate rogue traffic, unnatural traffic which places heavy load on your website hosting server. Because every script used in website design is unique in some way, it is advisable to check up necessary documentation on how to enable the cache system and the best way to go about it. In Joomla for instance, we advice against the use of the progressive caching method on your website.

4. Guard against malware

Malware issues attract heavy penalty and most web hosts will terminate an account found to be running malware. It may occur without your notice especially in cases of phishing websites and plugin vulnerabilities. This underscores the need to maintain regular updates to keep up with bug fixes by the script developers. There are third party scripts which can help detect malware infections and provide a guide to fixing them. We recommend Sucuri.

5. Avoid Spamming

Spamming is any form of sending unsolicited emails, usually of business nature. We have found that some clients who are new to web hosting rely on this kind of massive mail sending to drive traffic and business. They will generate a mailing list from contact emails and use that to send mails about new services and promotional offers. These are no longer acceptable practices today. If you want to maintain a mailing list, you will have to do that from a double opt-in system like phplist. All emails will have to be verified by their owners for you to confirm their existence before they can receive your mails.

Sometimes, spamming is the result of exploitation. When this is reported, you can carefully detect a plugin or extension that could have been exploited on your website and remove it through an un-install process or by deleting it manually through the file manager in your website control panel.

Also read:

Recommended Tips to Keep in Mind When Using WordPress Plugins

WordPress Maintenance Tasks You Need to Perform Regularly


6. Maintain a safe password policy

This is an issue that is taken lightly by most website owners. It is agreed that passwords are quite difficult to guess, even in their most simple form and guessing a password correctly is mostly possible when there is a clue. However, with Brute Force Attacks, passwords like jonny@123 and 08037774560portharcourt are no longer safe and considered as secured password. Passwords today should be at least 0 digits and combining capital and small letters as well as numbers and special characters.

This safe password policy should equally be applied to your client area access password. Your client area will be the place where you can easily manage your website including gaining direct access to your website files, emails, databases without having to remember any passwords.

It also important to use different passwords for your emails, client area and cPanel control panel. Using a uniform password on all access points is not a good and safe practice.

7. Protect your emails

Any website is as safe as the email attached to it. Usually, a password reset request will be sent through your email. It follows that if your email password is not safe, then a reset request can allow easy access to your website control panel. This will be a dangerous one as it will allow unhindered access to your account. So, maintain a strong password on your email just as you would maintain a strong password on your cPanel control panel.

8. Remember to change your passwords regularly

You need to review your passwords regularly and check to se your current practice conforms with recommended length and complexity standards. As the attackers are getting better, you have to get smarter and step up the security standards as well.

9. Understand Your Website Script and setting

Every web development script is unique and requires some tweaks to operate optimally. For instance, the methods used to secure a WordPress website will not be the same methods used to secure a Ghost blogging platform or a Joomla website. The script you run will determine you will implement your security guidelines. It is a worthwhile practice to carefully available documentation on your website script so be properly guided on what to do to secure your website. Sometimes, experience teaches better and some users provide a better guide. Looking up independent posts outside official documentation will be a good idea to understand how others are approaching the security of websites.

It is not good to implement every recommendation. Always double check and be sure it is a safe and worthwhile practice before you implement on your website.

Website Security Guide for Most Popular Content Management Systems

  •  Website Security: A Guide to Protect Your Joomla Content Management System

Security risks in Joomla releases had been a major concern for website developers and managers. Quite often, you are required to implement security update patches on your website to keep it safe from attackers. It was recently announced that there has been a major security risk in previous versions of Joomla!, and a new version was released. While it is easy to upgrade to the latest version if your website is running on 3 or later, it does require a little more work if you are running a previous version, such as 2.5 or 1.5.

Upgrading your website from Joomla 2.5 or 1.5 to a recent 3x version can be technical and if ot carefully implemented can also break down your website causing a huge problem. But you can carefully follow these guide to safely implement an upgrade for your Joomla website:

How to upgrade your Joomla! version 3 installation:

    Back up the current version of your site
    Log into Joomla!
    Go to Components
    Go to Joomla! Update
    Click on the Install the Update

Once it's complete, refresh your browser to see the changes'

To upgrade your Joomla! version 2.5 or 1.5 installation:

    Back up the current version of your site
    Find the update file your need for your installation, that is the Joomla update file
    Download and extract the file
    Open up the /libraries/joomla/session until you see session.php
    Log into your website using FTP or the File Manager in your cPanel Control Panel
    Browse to the /libraries/joomla/session folder in your site
    Replace session.php with the version you have just downloaded

Once it's complete, refresh your browser to see the changes::

While this only affects Joomla! users, this is a problem that is regularly seen with all Content Management Systems, CMS, – including WordPress, Drupal, and others. An exploit is found, website owners don't update their software until when their site is hacked.

There are steps you can take to prevent this from happening. They might seem obvious, but many people forget, and end up with major problems down the line.

Never Forget to Take The Following Steps:

Update your software regularly

This is one of the most obvious thing you must always do. When WordPress, Joomla!, or any other piece of software tells you there is a new version available, update it. If your software doesn't inform you there's a new version out, make an effort to regularly check the software's website, and see if new versions are released. With Joomla and most popular CMSs, you will always get a notification on the dashboard.

Software companies don't release new versions to make minor cosmetic changes - if they've released an update, it's fixing something that's wrong, and the more things patched, the safer your system is.

Update your plug-ins

While you might remember to update the main software, you need to make sure you update your plug-ins as well. Plugin incompatibility can be a real problem and is a source of CMS hacks as revealed by Sucuri in its recent report on content management systems.

WordPress is great for telling you what needs to be updated, from the main software to your smallest plug-ins to even the translations, but you still need to actively click that Update button. And if you have a bespoke plug-in, check with the developer regularly to make certain that you're using the latest version and that any potential security holes have been patched.

Secure Your Website With the .htaccess file

The htaccess file is a powerful file that can be used to manipulate the behavior of your website including its security. You can use this file to prevent exploitation and access to vulnerable folders and that will help prevent exploitation on your site.

If it costs money, don't go hunting for a free version

You find an excellent theme or plug-in, but you don't want to pay for it. You might think that you can just search for a free version, download, and install it, but many so-called free versions will have malicious code embedded right into the theme or plug-in. Install it, and it doesn't matter how careful you are with your site's security - you're already taken.

If the designer or developer has created a free version, they will always have it with the paid version. Only trust the software developer or the theme designer - any other websites offering you a download are suspect.

Always back up your site

Again, an obvious thing to say, but so important. If your site is hacked, a clean backup makes it infinitely easier to check where things went wrong and fix them, rather than trying to restore your site while fixing it at the same time.

Close up of a Home key on a white keyboard

If your site is infected and causing problems on our servers, we may disable your site. Obviously, we don't want to do that, and we want to work with you to prevent problems, but follow this advice, and, hopefully, you''ll never have a problem.

 WordPress Security: More Than The Use of Plugins

WordPress powers more than a quarter of all websites the world today. For a lot us involved with the WordPress community, this was a fantastic piece of news. Despite the efforts of the large WordPress community, security issues with WordPress websites still remain a major concern and cannot be deemed an issue that has been completely overcome.

WordPress is easy to setup and use. A step by step guide to setup WordPress manually or using an automated script will be completed without knowledge of how to code.

Starting a WordPress blog is now something anyone can do especially using the automated scripts which are available freely with nearly all web hosting packages.

WordPress has come under attacks severely and has a huge target from the growing number of cyber attackers. One security report stated that 78% of successful attacks were against WordPress websites. Another stated that 76% of WordPress users don't use a backup plugin at all.

The large number of articles on the issue which are actually not an indept analysis on the issue is not helping and also worsens the situation as they do not deeply guide readers on what to do to stay safe.

The general rule and recommended best approach is to stay up to date. Sure, it's great to keep everything up to date. It's also great to use something other than admin for your username. But those are not the fundamental things to do which keeps you secure. They help, anyway, to keep the attackers at bay.

The Truth About WordPress Security

There is actually no such thing as a perfectly secure website. The loopholes go beyond your control so the efforts you make are not enough to keep you safe. You simply have to prepare and be ready for anything.

You can be the biggest WordPress security expert in the world, it won't matter one bit if your hosting company gets compromised. With the Heartbleed bug, that affected the whole Internet for THREE YEARS before someone noticed it, you can understand that the risks are far beyond your control sometimes. However, never get discouraged WordPress is still the most attractive CMS around and you just need to do your best to stay safe.

So, if you can't be 100% safe, what can you do?

Take Responsibility for your WordPress Security

Be proactive with security issues. You don't start thinking about security when you've been hacked. By then it's too late. You think about it before you start your website. You vet the plugin and theme authors. You keep an eye on your websites. If you're out of your depth, you hire an expert. Being prepared makes all the difference.

Don't think that there be any plugin service that will provide all the needed security. Plugins do help and will do most of the things you needed to do, monitor your website for you and take away from you, a lot of load. You still need to remember that the responsibility for the security of your website falls on you. Despite the tools available for you, you will ultimately have to take responsibility for your website. And if your attitude is careless, whatever, I don't have time for this, you're setting yourself up for failure.

Always Maintain a Healthy Backup

As earlier mentioned, a report have pointed out that 76% of WordPress users don't use backups. The same survey found out that over 67% of WordPress users would pay $100+ to get their website back online. This is the kind of situation we need fight on every turn.

There are lots of backup solutions available for WordPress. You will need to review anyone you choose in relation to your needs and take a decision. I you choose to use a backup plugin, carefully read through user reviews to take a final decision.

Be Vigilant

Some attacks are easy to notice: your website goes down, or it's defaced. The ones you don't know about are much more dangerous: someone could inject malicious code into your website and abuse it for weeks, without you even noticing it. By that time your SEO score is crap, you've been blacklisted, and the damage has been done.

Monitor is great for detecting when your website goes down or is defaced. You'll immediately get an email and/or an SMS with more details, and you'll be able to spring into action before anyone else notices.

Security Check inspects your website for known vulnerabilities, malware, checks the blacklist status, and a number of other things. In the near future we also plan to automate the checks, so you can let the system run daily checks and notify you if it notices something's wrong.

Performance Check is perfect for the sneakiest of the sneakiest attacks. Sometimes the Security Check will not detect the intrusion because it's a new type of malware that's not in the vulnerability database, or maybe it's not malware at all. Your website server resources are still being misused, and it's slowing your website down. Performance Check grades your website performance and stores the result. Each time you run a new Check, you can compare it to the previous grades and notice when it drops. Now you know something's wrong, and you'll be able to fix it before there's any permanent damage. Performance Check is also planned for an upgrade that will give you the option of automating checks and pushing a notification if the performance drops significantly.

Managing WordPress Security Plugin Vulnerabilities - A Simple Guide to Website Protection

Keep These in Mind

There's no easy fix for WordPress security. You need to act responsibly
Check your website security regularly
Always have a fresh and functional backup ready in case of emergency

An Effective Way to Secure a Website

For every website owner, it can be very frustrating to wake up to find that yor website has been exploited. An exploitation could take the form of, but not limited to, spamming, malware injection and an outright hack. Sometimes, security breaches can destroy years of hard work and reputation. It can simply force a website owner to terminate the content that has earned the traffic and start building from scratch. That means you must take the security of your website seriously.

Like we noted earlier, website security is very important for every one and remains a key problem to tackle as far as the internet keep evolving throwing up newer and even more complex challenges.

Developers continue to come up more and quite effective ways to tackle web security issues. Notwithstanding, the problem is unending as newer challenges come up. In this post, we attempt to come up with what we consider the best approach to protect a website. Our recommendations are strictly based on our experience with content management systems like WordPress, Joomla, Magento and Drupal.

The recommendations we have provided here are not necessarily the only ways to secure websites, However, we found that it resolved nearly all security problems we had with websites hosted on our network. Now let's get started,

Basic Security Guide for Every Website

1. Be password-savvy: This is an issue that has been re-emphasized over and over again. If your password is still “Password@123,” it's time to get serious. Create unique codes for each of your accounts, and make sure they're at least 8 characters long (with a few special ones thrown in). I suggest you use the cpanel password generator if you have access to your website control panel.

2. The security of your email is as important as that of your website. This is because every website is always linked to an email address. This is one key area that has been neglected but it's as important as the other items. However, it should also be mentioned that most website hacks have not been linked to weak email passwords. I will still recommend you take your email security important to be protected all round from those who will go all out.

3. Encrypt emails and valuable information. If a hacker does breach your system, encryption makes it that much harder to get away with critical data. Voltage, DataMotion, and Proofpoint are industry leaders worth checking out

4. Back up your data: Copying your key company data onto a cloud-based system, such as Dropbox or OneDrive, or a USB hard drive takes minutes, and will save you time and anxiety if your system is ever compromised.

5. Maintain updates: This is an aspect that had been neglected by many. It is important that you check for updates daily on your most critical websites to be able to take action as quickly as possible once there be need for an update. Always ensure that your keep your website up-to-date especially if you run a content management system. Keeping your system updated with the most recent software updates will help you overcome exploitation associated with discovered vulnerabilities.

6. Finally, you will need to check up specific security suggestions associated with your website design tools so that you can implement relevant security advises. The popular website design tools are WordPress, Drupal, Joomla, Magento, OsCommerce, (not in order of popularity). Check specific security guides for these applications to stay safe.

The Best Security Recommendation

For every website build with content management system, if you have carefully implemented the recommendations outlined above, you will simply need to lock your website and secure every point that could lead to an eploitation

All you need to do is to create a .htaccess file and for all vulnerable folders like the template folder, the plugins, components, modules, and any other sensitive folder which could be exploited. Edit the .htaccess file and restrict access to these folders to an IP address or a set of IP address.

Below is a sample code you could place in the .htaccess to secure it from unpermitted access:

order deny,allow
allow from 28.206.;
allow from 20.74.121.102
allow from 308.74.121.106
allow from 108.74.120.227
allow from 180.229.24.78
allow from 19.211.
deny from all

This way you will be able to secure the content of these folders and restrict access to the permitted IP address.

If you run a content management system like Joomla, then you will need to take additional measures including:

1. Change the admin username. It is a weak security practice to continue to use the default username which is admin. When you first install our CMS, the default admin username will be admin. That needs to be changed to something customized name. So first, change the default admin username and also take steps to strengthen the admin password to something bruteforce will not be able to capture.

2. Ensure that you have installed the latest versions of both the CMS core itself and any third-party extensions.

3. Ensure you are running the very latest version of your CMS and any extensions. Outdated versions of any extension may contain a very serious security vulnerability that allows a hacker to upload files to your website.

4. Disable New User Registration.

5. Rename htaccess.txt to .htaccess- because it include some rewrite rules to block out some common exploits. For example you can add this code to your .htaccess file, paste it just after RewriteEngine On

    RewriteCond %{REQUEST_URI}  ^/images/  [NC,OR]    RewriteCond %{REQUEST_URI}  ^/media/  [NC,OR]    RewriteCond %{REQUEST_URI}  ^/logs/  [NC,OR]    RewriteCond %{REQUEST_URI}  ^/tmp/
    RewriteRule .*\.(phps?|sh|pl|cgi|py)$ - [F]

This code will block all attempts to run scripts outside the CMS control.

Never leave permissions for a file or directory set to 777: this allows everybody to write data (including exploits) to it. A wrong CHMOD may also give easy access to the hackers.

Be careful with extensions. Only install extensions that have a good reputation.

Always have a backup ready to restore your Joomla! site to its most current healthy state

Password protect your administrator folder. Use a password to protect the /administrator folder as this can add an extra layer of security to your server,

10. If you have old templates, components, plugins that you're not using anymore - uninstall them, especially if they haven't been updated.

What's your idea? Do let us know in the comments

Share this post

Comments (0)

Leave a comment


Powered by Simple Blog