Best practices for the user to secure his hosting account
Access to cPanel or access to Funio Hub
Some basic security behaviors sometimes require repetition and practice, but they are essential to a secure computer and internet experience. This article provides you with a list of behaviors and tips on maintaining a secure attitude over the internet and on your hosting account.
Regardless of the type of website and content you may have, some people will still want to get into your account. Why? Because by getting into your account, they can do harm to you or to other people. Things like:
Inserting a phishing site on your hosting space
Starting or relaying attacks from your hosting account
Getting information from your customer database, etc.
We do a lot when it comes to customer account security. We have set up our own protocols on server management, but also use different applications to help us, such as ModSecurity, CageFS, CFS/LFD, CloudLinux configurations, etc. Funio does a lot when it comes to protecting itself and its customers, but we cannot do everything. That is where you, the user and owner of a shared hosting plan, need to adopt certain habits and secure your site.
Your best protection is often common sense.
General Security Behaviors
Here, in a nutshell, is a list of behaviors you should adopt to cover your basic security on the Web, which also minimizes your hosting risks at the same time.
Use a strong password for everything, and change it frequently
If you have been using the same password on your computer for the past year, it's about time to change it. If you are scared of forgetting it, find something that you can increment or something within the same paradigm. If your password contains a number (and, in fact, it should, and even maybe special characters), increment that number by one. For example, my password is D4rthV4der!; I could change it to D5rthV5der@. Or stay in the same line of thought: Skyw4lKer().
A good password consists of:
Minimum of 8 characters
Letters (lower and upper case mixed)
Try not to use the same password for your banking account, your computer, your email, your other email, and the post-it under your keyboard. In fact, burn the post-it, or lock it in a vault!
Software and OS updates
Whenever your software or your OS releases a new update, you should install it. These updates often contain fixes that improve the software's security.
Only download from trusted sources
Even if you really really want that file, program, etc., but you cannot validate that the source is trustworthy, let it go and find another source. The same thing applies to emails. If you have a doubt, even for a microsecond, that the email you received from your best friend sounds off and has a link or an attached file in it, don't follow the link or download the attachment.
Always use antivirus software and a firewall
There are several free antivirus programs out there that work wonders. Make sure you get one with a trusted name. Don't turn it off because you think it makes your computer run slowly. Leave it on and stay protected. If you think the antivirus program slows your device down, check its settings and upgrade your device.
Firewalls are also a great way to prevent malicious software from connecting to your computer. A firewall's function is to block off communication ports, which means that you are warned when something tries to contact your computer through a certain port.
Common Hosting Security Issues & Resolution
Here is a list of common problems that lead to security breaches, and some hints on how to avoid and/or resolve them.
3rd Party Software & CMS
UPDATE THEM! We cannot stress this enough. 3rd party software is often installed on hosting accounts, and why shouldn't you use it? These applications are more often than not free, they work wonders, and they give you an online presence within minutes! Common applications like WordPress, Joomla, Drupal, Magento, etc. are used by thousands of sites out there. That means that everyone has access to these applications, and the code behind them is available to anyone.
Updating these applications as the updates come out is an essential part of using them. Why? Because as soon as a vulnerability has been identified, the provider will quickly find a solution to the problem and make the fix available.
Softaculous, found on your cPanel interface, enables you to install many popular applications in a single click. It also allows for easy and sometimes automated updates.
A note on add-on applications. Taking WordPress as an example, there are many additional applications you can attach to your blog called plugins. Anybody can create these applications and make them available. This also applies to themes. However, these plugins and themes are not always coded perfectly and can be the source of a vulnerability. You have to make sure you use add-on applications with care and use the most trusted ones, such as those listed on the site of the main application you are using, and those that are updated regularly.
Certain plugins can help with website security! Some CMS plugins will deal with comment spamming or with brute force attacks. Just make a quick plugin search on your CMS's site, and you will find plenty of them!
Specific security. Here are some documents we found that might help you with certain CMS:
Unrestricted File Uploads
This is the most common method we have noticed hackers use to compromise a website. If there is a file upload option on your website because you want your visitors to upload a certain type of file (music, picture, text, etc.), you should restrict the file types that can be uploaded.
Hackers will try to upload a PHP file, for example, which will enable them to execute it on your site by going to the uploaded file's URL (e.g.: http://yourdomain.tld/uploads/files/hackerfile.php). Once that script is there, the hacker has complete and unrestricted access to your site and files because they can execute a script on your site that contains their own code, but runs under your site's user.
To prevent this, your file upload function should restrict the types of files that can be uploaded. If you want your visitors to only upload images, for example, you would restrict files to JPG, GIF, PNG, etc. Whatever you do, make sure no one can upload executable scripts through there. Here is an example of code for a file upload script that also contains information on restrictions.
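The restriction described above, sketched as an added PHP example (it is not Funio's code and not the script the article originally linked to). The form field name `upload`, the size limit and the `private_uploads` folder are assumptions; the folder must already exist and should sit outside the web root.

```php
<?php
// Added example: image-only upload handler.
const ALLOWED = [               // extension => MIME type detected from the content
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_BYTES  = 2 * 1024 * 1024;                   // assumed limit: 2 MB
const UPLOAD_DIR = __DIR__ . '/../private_uploads';   // assumed: outside the web root

function store_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed.');
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('Invalid or oversized upload.');
    }
    // Allowlist on the extension. $file['type'] is sent by the browser
    // and is never trusted here.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('File type not allowed.');
    }
    // Inspect the content itself and require it to match the extension.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('File content does not match its extension.');
    }
    // Server-chosen name: the visitor controls neither the name nor the extension.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0644);         // readable, never executable
    return $name;
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    try {
        echo 'Stored as ' . htmlspecialchars(store_upload($_FILES['upload']));
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage());
    }
}
```

A file named `hackerfile.php` is rejected at the extension check, and a script renamed to `.jpg` is rejected at the content check.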
SQL injection is a code injection technique. To guard against it, you must make sure that your scripts that use a database are well programmed to avoid entries that could exploit an SQL query. The basics behind this are that if you have a form on your site that logs data or looks up data in a database (like a login form), SQL escape characters could be used to inject malicious content into the query and gain access to your site, files, and data.
Because this can become very technical, we recommend you make some lookups on SQL injections and how to protect yourself from them. You can start here on the PHP site.
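The login-form case described above, as an added PHP example that is not part of the original article: the same lookup written with string concatenation and with a PDO prepared statement. The `users` table, the sample account and the function names are constructed for illustration, and an in-memory SQLite database stands in for your real one.

```php
<?php
// Added example: constructed users table in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pw_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, pw_hash) VALUES (?, ?)');
$ins->execute(['alice@example.com', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);

// WEAK: form input is pasted into the SQL text, so a quote character in
// $email changes the structure of the query itself.
function find_user_weak(PDO $db, string $email): array {
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the query text is fixed. The input travels separately as a
// bound parameter and is only ever compared as data.
function login(PDO $db, string $email, string $password): ?int {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

$crafted = "nobody@example.com' OR '1'='1";    // constructed test input
printf("weak lookup matched %d row(s)\n", count(find_user_weak($db, $crafted)));
var_dump(login($db, $crafted, 'anything'));
var_dump(login($db, 'alice@example.com', 'constructed-sample-pw'));
```

The weak lookup matches a row for an address that does not exist in the table, while the prepared statement treats the same input as one literal email value and finds nothing.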
Files and Folders Permissions
This is sometimes a big problem with certain hosting providers. Fortunately, Funio has set up CageFS to help you. This module makes sure that your account is isolated and cannot be targeted through file permissions. However, keeping good file and folder permissions is a very good practice.
All files and folders have permissions. These permissions are separated into 3:
Each type of authority can Read, Write, or Execute the file or folder. Obviously, the Owner should have all permissions over folders and files.
Certain applications or pre-made sites have set all permissions to 777, meaning that all authorities have full access to the files and folders. This is usually set up to make sure that the application is not restricted in its execution and that you can manage the data freely. However, once uploaded on the server, this poses a great security threat since anyone can do whatever they want to your files. In fact, we have set a security measure on our servers that prevents files and folders set to 777 from being displayed, which results in a blank page.
To edit file and folder permissions, you can connect via FTP or use the File Manager in your cPanel interface. Identify the file or folder you need to change permissions for, right-click it, and find the file permissions option. Note that when you select a folder, there is an option to apply the permissions you are setting to all of its subfiles and subfolders. To make this easy, enter these ideal permissions:
Folder Permissions: 755
File Permissions: 644
When you have an online form that submits important data like credit card information, you must be able to encrypt the data being submitted to your site. Encrypting your data will immediately discourage any hacker from sniffing the data being transmitted. For example, if you have an online shopping cart that takes in payments, you absolutely need to install an SSL Certificate that has been validated by a Certificate Authority. Fortunately for you, Funio offers SSL certificates.
You can always create your own self-signed certificate if you are not dealing with the external public or with public information.
Use Secure Links/Ports when Available
You should always use a secure link (HTTPS://) instead of one that isn't when you have the choice. For example, we automatically redirect you to the secure version of your Funio interfaces when you enter your domain/cPanel or domain/Webmail.
Mail Client Configurations
Secure POP3: port 995
Secure IMAP: port 993
Secure SMTP: port 465