1. Ask Your Web Host to Perform Regular Updates
Check if your web host has properly updated their software at network and server levels. This includes updates for web hosting packages such as PHP, MySQL and Apache as well as kernel update for the Linux OS. Reliable web hosts usually have a server administrator that regularly check for latest updates and apply them to the servers and network. There are numerous advanced security procedures that can only be performed by server administrators, so it’s essential for your web host to do their part in achieving highly-secure Linux hosting.
Many experts have advised repeatedly that you should update third-party software and scripts you install, but it bears repeating that you always need to keep 3rd party scripts completely updated. When asked what they consider to be the worst security risk in web hosting, many system administrators tell us “outdated scripts”. If you’ve been working in this industry for more than a few years, you know that outdated scripts are the number one reason hosting accounts get hacked.
Developers of third-party software and scripts release updates reactively to seal off reported security holes, which only a few hackers knew previously. In the patch notes, they often release bugs and security holes new patches meant to fix, effectively highlighting vulnerabilities of the older versions. Hackers regularly gather documentation of new patches and search for servers with outdated software and scripts. This simple method gives malicious people a wealth of information to break into many exposed hosting accounts and hopefully, yours is not one of them.
2. Use File Integrity Checkers
File integrity checkers, like Advanced Intrusion Detection Environment (AIDE), notify you automatically of any attempt to modify files stored in your hosting account. Most hackers try to break into your account by trying to make only subtle changes to your files to cover their tracks. Your files may have the same name and size, but slight changes in them can make your account much more vulnerable to subsequent intrusions. Without reliable file integrity checkers, changes in your files could go unnoticed for weeks, months or even years, if they are ever noticed at all.
3. Use SFTP or SCP
FTP is an old file transfer technology and it has been manipulated regularly by hackers. Primary FTP accounts with full access to your server look like open data highways for any hacker. Standard FTP protocol is unencrypted; which means username, password and other critical information are transmitted in plain text across the web. Common packet sniffers, like Wireshark can monitor your connection to intercept and capture important login information. If you use FTP regularly, hackers can immediately gain full access to your server. SFTP and SCP use encrypted file transfer protocol and they work like FTP. All data transmitted is encrypted using public key encryption, so it would be nearly impossible for hackers to capture important login information.
4. Review Logs Regularly
File integrity log, traffic logs and access logs should be reviewed regularly; it is useless to have file checker set up if you don’t review the log regularly. Server logs are located in the /var/log folder. Look for anything suspicious, such as a lot of hits from certain IP addresses and files that use up a lot of bandwidth, as this could indicate attempted intrusions or the presence of scripts with modified code. Your web host may use layer-7 firewall like mod_security and if so, you should ask for entries in the modsec_audit.log specific for your domain. It will help you monitor most hacking attempts and take steps to effectively block hackers before they sneak in.
5. Use Separate Domains or a Reseller Plan
It may be convenient to host multiple domain names under a single hosting account. This allows you to use the same username and password, to manage more than one domain. However, this works the other way as well; hackers can gain critical information and conveniently break into all your domains. Aside from that, putting multiple domain names through a single account can really complicate the cleaning up process after an intrusion is detected. Additionally, you need to check all domains for modified files and malware. One essential step is to identify which domain that acted as a gateway for hacker and find out whether other domains have similar vulnerability. If you insist on hosting multiple domains through one web hosting, look for a reseller plan; which allows you to own separate accounts for an affordable yearly rate. This allows you to properly organize multiple domains without compromising your security level.
6. Perform Regular Cleaning Tasks
If you haven’t checked and cleaned out your hosting account in a few months, then you are probable overdue from regular account maintenance. It is always a good idea to make your account squeaky clean each month by deleting FTP accounts, email addresses, mail boxes, database entries, scripts, plugins and webpages you no longer use. Unmanaged webpages, scripts and FTP accounts are possible entry points for hackers. Suffice to say, it is necessary to rid your account of any unused files to achieve high security standard.
7. Change Passwords Regularly
There are many articles online on how to have good password practices and you should at least follow some basic guidelines that are both effective and easy to follow. Even if you think your passwords are unbreakable, the longer you use them the bigger the chance that hackers can capture them. Ideally you should changes passwords for control panel, software admin, FTP/SSH and email accounts each month. Even changing your password each year is much better than never changing them at all. Another thing to avoid is using the same password for multiple accounts, just for the sake convenience. If hackers get their hands on your master password, your entire accounts could be badly compromised.
Many web browsers allow you to save username and passwords; and this could be another security risk. Some malware can silently infiltrate your computer and upload browser cache to malicious individuals, which allow them to get server access with relative ease. Also, writing your password on a piece of paper is never good idea, but you can still write something that can help you (only you!) remember the password.
8. Use Access Control List for Non-Public Areas
Your CMS or website software usually has some sections that regular users can’t access. For example, if you use WordPress, your FTP directory is inaccessible to the general public. In a Linux web hosting that uses Apache web server configuration, ACL (Access Control List) can be particularly useful. ACL allows you to block IP addresses you specify or allows you to specify which IP addresses that can access certain areas in your website. So, even if your passwords fall into the wrong hand, hackers that use disallowed IP addresses can’t sneak into sections you protect with the ACL.
9. Use File Permissions Properly
Many owners of web hosting accounts unknowingly use wrong file permissions, including 777 that allows anyone to freely read, write and execute a file. It is generally a good practice to set permission of all public files to 444 (all read), unless specific programs or scripts require them to have different permission level. Whatever you do, avoid using very open permission settings such as 664, 666, 555, 755 or 777, as they can give outside users a lot of access rights. If you have a Linux-based hosting account and are using cPanel, changing file permission should be very easy, but in rare cases you may need to ask you web host for help in changing permission of specific files.