How do I keep my website hosting secure?


Keeping a website secure can be difficult. There are many factors that can lead to a website compromise, not all of which are related to the server itself or the hosting company the website is with. Here we will cover some of the things that you can do to mitigate the risk as much as possible.

Keep software up to date

Using outdated, vulnerable versions of website software is the single biggest reason for a website becoming compromised.

New security issues with software are discovered on a daily basis, and the software your website is using is no exception. Whenever a security flaw is discovered, updates are released to remove the vulnerability. However, if your CMS is not updated, it is still vulnerable. As an example of how often this happens, we have included some links to external resources detailing known vulnerabilities in WordPress and PHP.

List of Security Vulnerabilities in PHP
List of Security Vulnerabilities in WordPress
List of WordPress Plugin Vulnerabilities
List of WordPress Theme Vulnerabilities

If you are using any form of website software that required you to install or configure it, then you will need to keep it updated. This also applies to any plugins or themes your website is using. Refer to the documentation for the software being used on how to update it. In addition to keeping software updated, it is also important to try to avoid software that has gained a reputation for security issues.


Use well-reviewed security plugins

If you are using website software that can be extended with plugins, you could install a security plugin. Recommended ones might be referenced in official documentation and include the following.


Make use of official security guides


The software your website is using might contain a security guide or checklist (also known as a hardening guide). If it does, you should follow it, as it contains best practices on how to secure that particular application. Here are links to some of the guides for a handful of popular software.

You can generally find the official security documentation by searching the internet for the name of the application with 'security' after it.


Use secure passwords

There are a few basic guidelines on how to make a secure password, such as having a minimum length of 15 characters, using a mix of character types and including random characters. We recommend using a generator such as strongpasswordgenerator.com to ensure your password meets the minimum best practice.


Use unique passwords

Once you have a secure password, you should never reuse it for another account. This will protect you if the password itself is compromised, either through the contents of a database becoming public knowledge or through the password being guessed. You may wish to use a password manager to help you remember these unique passwords.


Changing passwords

If you even suspect that your password(s) have become compromised, then it is highly recommended to change them. This goes hand in hand with not reusing your password, as you will only need to change it in one location.


Use SSL for pages accessed by password

If you are not using an SSL certificate on pages that will contain sensitive data or be accessed using a password, then this data is at risk of becoming compromised. An SSL certificate ensures that any data transmitted between a client computer and the server is encrypted. This prevents anyone from being able to read the data while it is in transit.
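One way to check your own pages for this, as an added example that is not part of the original article: the script below parses a page's HTML and reports any form with a password field that is served or submitted without HTTPS. The function names, sample pages and the example.com domain are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class PasswordFormFinder(HTMLParser):
    """Collect the action URL of every <form> and whether it has a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one [action, has_password] entry per form seen
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.forms.append([attrs.get("action") or "", False])
            self.in_form = True
        elif tag == "input" and self.in_form:
            if (attrs.get("type") or "").lower() == "password":
                self.forms[-1][1] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def insecure_password_forms(page_url, html):
    """Return (problem, url) findings for password forms not protected by HTTPS."""
    finder = PasswordFormFinder()
    finder.feed(html)
    findings = []
    for action, has_password in finder.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)  # an empty action submits to the page itself
        if urlsplit(page_url).scheme != "https":
            findings.append(("page served without HTTPS", page_url))
        if urlsplit(target).scheme != "https":
            findings.append(("form submits without HTTPS", target))
    return findings

# Constructed sample pages (example.com is a placeholder domain).
LOGIN_OK = '<form action="/login" method="post"><input type="password" name="p"></form>'
LOGIN_MIXED = ('<form action="http://example.com/login" method="post">'
               '<input type="text" name="u"><input type="password" name="p"></form>'
               '<form action="/search"><input type="text" name="q"></form>')

if __name__ == "__main__":
    for url, page in [("https://example.com/", LOGIN_OK),
                      ("https://example.com/", LOGIN_MIXED),
                      ("http://example.com/", LOGIN_OK)]:
        print(url, insecure_password_forms(url, page))
```

The second sample shows a case the page address alone does not reveal: the page is loaded over HTTPS, but the login form still sends the password to an http:// address.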


Server Security

If you are on Shared or Reseller hosting then the security of the server is managed by us. We take steps to ensure that the server is as secure as possible. We keep the server software up to date, use CloudLinux to completely separate clients' websites, and each server has a firewall that will actively block brute force attacks. We also make it easy to set sites up with Cloudflare, which can assist with mitigating some attack vectors.

If you have a VPS or Dedicated Server then the security of the server is largely reliant on you. We are able to administer security updates to the operating system and perform basic security optimisations on request as part of Server Management. This may not be enough to prevent a persistent attacker from compromising the server, depending on what is installed.


If you have any queries on the security of your site, please let us know via support ticket and we'd be happy to assist in any way we can.

