Article by Jerry Low
Geek dad, SEO data junkie, investor, and founder of Web Hosting Secret Revealed. Jerry has been building Internet assets and making money online since 2004. He loves mindless doodling and trying new food.
When your website runs on a shared hosting platform, there are only a few basic steps you can take to protect it from hackers and from other users on the same server who don’t act responsibly. For the most part, your website will be managed by the hosting service. However, the host isn’t always looking out for your best interests: hosting companies may be forced to make decisions that affect your hosting environment in order to protect the hundreds to thousands of users on the same server.
Your web hosting company tells you that it makes regular backups, but you should never rely on that service alone to protect the information on your website. Use the hosting company’s backup as a fail-safe, but create and maintain your own backups off-site. Using a simple file manager (or better still, cron) you can download all of your website files to your computer. Make sure you also download any databases that your website needs to function.
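A cron-friendly way to do the off-site backup described above, as an added example that is not from the article: it archives the site files together with a database dump (when `mysqldump` is available) and verifies the archive before it is copied anywhere. The site path, destination and database name are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: archive a site's files and its
# database dump into a dated tarball and verify the archive before it is
# copied off-site. Paths and the database name are assumptions.
set -eu

# backup_site SITE_DIR DEST_DIR [DB_NAME]
# Writes DEST_DIR/site-YYYYmmdd-HHMMSS.tar.gz and prints its path.
backup_site() {
    site_dir=$1
    dest_dir=$2
    db_name=${3:-}
    stamp=$(date +%Y%m%d-%H%M%S)
    work=$(mktemp -d)
    mkdir -p "$dest_dir"

    # Dump the database alongside the files when mysqldump is installed and
    # a database name was given; credentials come from ~/.my.cnf, not argv.
    if [ -n "$db_name" ] && command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction "$db_name" > "$work/$db_name.sql"
    fi

    archive="$dest_dir/site-$stamp.tar.gz"
    # -C keeps absolute paths out of the archive so it restores anywhere.
    tar -czf "$archive" -C "$site_dir" . -C "$work" .
    rm -rf "$work"

    # A backup that cannot be read back is not a backup: verify it now.
    tar -tzf "$archive" >/dev/null
    printf '%s\n' "$archive"
}

# count_files ARCHIVE: number of regular files in the archive, for comparing
# against the live site after each run.
count_files() {
    tar -tzf "$1" | grep -vc '/$' || true
}
```

Schedule `backup_site` from cron and copy the printed archive to a machine other than the hosting server; the file count lets you spot a backup that silently missed a directory.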
If you aren’t using an email account, remove it from your server. Email accounts, FTP accounts and other unused applications should be removed if they aren’t being used. Look for any unneeded files and remove those as well. Extra files make backups take longer, and the fewer files on a website, the better the chances of noticing something that doesn’t belong there.
Most importantly, if a script is not being used on your website, remove it as soon as possible. Hackers love to take advantage of outdated scripts that the website owner has forgotten about.
If you are using SSH or multiple FTP accounts, use a different password for each account. A hacker who obtains one of your passwords can quickly damage your website if your MySQL databases, FTP accounts, CMS installations and everything else that uses a password all share the same one. Once you have changed your passwords, change them regularly, and always choose a strong password consisting of letters, numbers and symbols.
Avoid using common phrases or words, since such passwords can often be cracked quickly. If you are using a CMS such as Joomla or Drupal, or an LMS such as Moodle, password protect the web address of the administrator login. This adds another layer of protection and makes it more difficult for hackers to identify which application is running on your server.
There are several private areas on a site that should never be accessible to the public. Make sure the permissions on read-only files are set appropriately. Setting all files to 777 is an invitation for hackers to access your website and change or delete required files. Be careful when changing permissions: content management systems often require specific permissions to operate. Before changing any permissions, take note of the current ones (a screenshot is an easy way to do this). If the website stops functioning, you probably changed a permission you shouldn’t have. Consult the documentation for every application you have running on your website.
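An added example (not from the article) of the permission check described above: it lists every world-writable file or directory under a web root, then resets everything to 644 for files and 755 for directories while leaving alone one directory the CMS legitimately needs to write into. The web root and the writable directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the article: find "777"-style world-writable paths
# under a web root and reset them to 644 (files) / 755 (directories).
# The web root and any directory the CMS must write to are assumptions.
set -eu

# audit_perms WEB_ROOT: print every file or directory others can write to.
audit_perms() {
    find "$1" -perm -002 \( -type f -o -type d \) -print
}

# fix_perms WEB_ROOT [WRITABLE_DIR]: apply 644/755 everywhere except an
# optional directory (e.g. an uploads folder) the application writes into.
fix_perms() {
    root=$1
    keep=${2:-}
    if [ -n "$keep" ]; then
        find "$root" -path "$keep" -prune -o -type d -exec chmod 755 {} +
        find "$root" -path "$keep" -prune -o -type f -exec chmod 644 {} +
    else
        find "$root" -type d -exec chmod 755 {} +
        find "$root" -type f -exec chmod 644 {} +
    fi
}

# mode_of PATH: octal permission bits (e.g. 644), GNU stat with a BSD fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

Run `audit_perms` first and keep its output next to your screenshot of the old permissions, so you can put back anything the application turns out to need.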
Regardless of what applications or software you use on the website, subscribe to the security releases and update announcements for each application. When a new CMS update comes out, don’t wait for Fantastico or other auto-install scripts to pick up the latest version. Learn how to perform upgrades yourself and keep everything up to date. Updates protect your website from known security vulnerabilities and greatly improve your ability to keep hackers from taking advantage of out-of-date software.
While it may seem convenient to give visitors a way to share your website with friends, such a form is an open invitation for hackers to use your website to send unsolicited email to thousands of people. Make sure that any script you use is updated regularly and protected against abuse. One way to accomplish this is to keep email forms out of the public area of the website. Use password-protected logins so that only registered users can access the more vulnerable areas of the website.
If you have forums on your website, disable the option for people to inject code, use Java applets or use HTML in public forum posts. Users who have registered on your website can always be banned if you find one of them posting malicious code. For public forums, however, you have to take additional precautions to ensure that hackers can’t inject code into your website.
Java offers incredible flexibility and makes it possible for website developers to create custom applications.
It also exposes information about users’ computers and can be used by knowledgeable hackers to exploit the users of your website. Reduce this possibility by providing access to special features only to users who have registered on your website. This won’t eliminate the possibility of injected code running on your website, but it will provide more security for your shared server.
Your FTP program may be compromised simply because you use it from an unprotected computer. There is malware designed to exploit FTP programs and gain access to your website’s files. Protecting your computer from viruses, spyware, malware and hackers is essential. Install a reputable antivirus program that can detect intruders on your machine. If you aren’t using the Internet, disconnect to prevent hackers from accessing your system.
Don’t store your passwords and other sensitive information on any computer that has access to the Internet. Hackers can get into your computer, often without you ever knowing. Any password they obtain can then be used to access private files, banking information or anything else you store online.
Content Management Systems such as Joomla, WordPress, and Drupal are commonly used for their simple and easy to use interfaces.
However, if a hacker knows which version you are using, they can exploit its known vulnerabilities to gain access to your website. When possible, hide your plugins and make it difficult for browsers to identify which CMS you are using. There are often extensions that can be installed to automatically remove this information from your website’s files.
PHP scripts exist that let users read information from elsewhere in a shared hosting environment. Ensuring that your PHP settings are correct and prevent unauthorized users from executing scripts provides a level of protection. To do this, make sure “Safe-Mode” is turned on. If you don’t know how, a simple ticket to your web hosting company’s tech support should resolve the issue. Without “Safe-Mode”, it is possible for users to run a script that lists all of your passwords, files, directories and other sensitive website information.
Don’t store sensitive information in a file on your website. Use a database to store and protect your sensitive user information from hackers. With most applications, the database is used automatically. However, some applications offer the option to use the server hard drive or the database to store session information. Whenever possible, use the database option to provide an additional layer of security on your website.
Linux websites let website owners set access and privacy rules in a .htaccess file. There are several code snippets you can insert into the file to make your website more secure. Prevent access to your .htaccess file and set its permissions to 644 so that visitors to your website can’t read the file. Additional measures include restricting access to certain file types, preventing unauthorized browsing of the site directory, changing the default index page, disguising script extensions, and restricting directories to the local network or a specific IP address so that only you have access to the files.
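An added example (not from the article) that writes the .htaccess measures just listed, together with the password-protected administrator URL recommended earlier: it denies access to the .htaccess/.htpasswd files themselves, blocks backup and config file types, disables directory listings, fixes the index page, and puts HTTP basic auth plus an IP restriction on the admin directory. The web root, admin directory name and allowed IP are assumptions, the directives use Apache 2.4 syntax, and the host is assumed to allow .htaccess overrides (the .htpasswd file is created separately with `htpasswd`).

```shell
#!/bin/sh
# Added example, not from the article: write a hardening .htaccess into a
# web root plus a basic-auth/IP-restricted one into the admin directory,
# then lock both files to 644. Web root, admin dir and IP are assumptions.
set -eu

# write_htaccess WEB_ROOT ADMIN_DIR ALLOWED_IP
write_htaccess() {
    root=$1; admin=$2; ip=$3
    # .htpasswd lives one level above the web root so it is never served.
    cat > "$root/.htaccess" <<EOF
# Never serve the .htaccess/.htpasswd files themselves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
# Backup, config and dump files should never be web-visible.
<FilesMatch "\.(bak|old|sql|ini|log)\$">
    Require all denied
</FilesMatch>
# No directory listings, and a fixed index page.
Options -Indexes
DirectoryIndex index.php
EOF
    mkdir -p "$root/$admin"
    cat > "$root/$admin/.htaccess" <<EOF
# Admin area: a valid login AND the owner's address are both required.
AuthType Basic
AuthName "Restricted"
AuthUserFile ${root%/*}/.htpasswd
<RequireAll>
    Require valid-user
    Require ip $ip
</RequireAll>
EOF
    chmod 644 "$root/.htaccess" "$root/$admin/.htaccess"
}

# check_htaccess WEB_ROOT ADMIN_DIR: succeeds if the key directives are present.
check_htaccess() {
    grep -q 'Options -Indexes' "$1/.htaccess" &&
    grep -q '^<FilesMatch "\^\\.ht">' "$1/.htaccess" &&
    grep -q 'Require valid-user' "$1/$2/.htaccess"
}
```

After writing the files, request `/.htaccess`, a `.bak` file and the admin URL in a browser; all three should return 403 until you log in from the allowed address.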
One of the best ways to secure your website is to choose a hosting company dedicated to preserving your information. Not all hosting companies offer the same level of security – this is why you need reliable hosting reviews like mine ;). Ensure that your host has the knowledge and staff to monitor website activity and stop hackers before they have a chance to access your website and files, using scanners and other industry-grade protection.
Shared hosting is an unsecured environment that makes it possible for hackers to access and steal data from your website. There are only so many options you can use to protect your website from hackers on a shared server. Consider purchasing a dedicated, semi-dedicated or VPS plan if you store important user information. Never collect credit cards or personal information without an SSL certificate installed. If a hacker gains access to your users’ credit card information, you could be held personally responsible. For any issues you don’t feel comfortable correcting on your own, consider hiring an IT professional or enlisting the help of your hosting provider to secure your website.