I like to play, and make jokes, and say silly things in an attempt to keep this blog relatively light. But, I think for this post, we need to buckle down and get serious for a second. Don’t run off! I’m not going to bore you, I just think we need to take a second and talk about site security.
Working at a hosting company, we deal with hacked accounts on a daily basis. Hackers are sophisticated individuals with expert knowledge of the internet and computers, something not all site owners have. Hacks and denial-of-service attacks happen all over the world, every day, taking down sites, servers, even entire networks with shocking efficiency. In headlines this month, we see huge websites like the New York Times, Twitter, The Washington Post, and The Financial Times becoming victims of hackers.
So, how do you protect your site? Like any security measure, there is no absolutely guaranteed way to keep your website safe, but I have a few suggestions that will tighten up the security on your hosting account. It is important to understand that the security of your website and hosting account is in your hands. Like any hosting provider, we offer a high level of security on the network and server, but with regard to your account, you have the most power to prevent unwanted access.
1. Keep everything on your server up to date.
It doesn’t matter if you aren’t using that software or theme currently; if you have it on your server, you need to keep it updated, because even inactive software can open up vulnerabilities in your account. The most common reason for updates is to install security patches to current versions of software, so take advantage of that.
If you aren’t using something, uninstall it. This will prevent the risk of someone accessing your account through something you don’t actively monitor. The bonus to this is that you will be able to reduce your overall resource needs by ridding your account of extraneous software. If you are using it, or plan on using it in the future, be sure to update it regularly.
2. Use and rotate complex passwords.
Remembering passwords can be annoying, but it is necessary. For the security of your account, you need to use complex and unique passwords and rotate them regularly.
To make your password memorable, but complex, try using a phrase you can easily recall. For example, I will use, “It is a far, far better thing that I do, than I have ever done…” because I can always remember the last line of A Tale of Two Cities by Charles Dickens, but you can use whatever phrase you like. Take that phrase, and abbreviate it with the first letter of each word:
Then capitalize some letters in a way that you will remember:
Now, add some numbers and symbols:
BOOM. Secure password with a mnemonic built in.
If you can’t remember your passwords, do not store them in an unprotected document on your computer. If someone hacks your computer, they will find your passwords. If you want to store your passwords so you don’t have to remember them, try an application like KeePass (http://keepass.info/) which will store all your passwords in an encrypted file. The only password you will have to remember will be the master password. Just make sure you aren’t using a simple password as your master password!
Also, don’t use the same password for everything. Keep a variety of passwords. That’s where tools like KeePass will be really helpful in keeping you organized.
3. Consider an upgrade.
Please don’t take that to mean that shared hosting is not secure, because all servers at InMotion Hosting are secured to the same high standards. However, VPS or Dedicated hosting packages will offer you more separation from other accounts and more control over the server itself.
That can be a double-edged sword, because it means that your access level could compromise the site, so if you are not confident, or are not working with an experienced developer, make sure you don’t make too many changes to anything server-side.
4. Check your code.
Checking your code means more than just updating your HTML for site changes. It also means testing any changes you make prior to making them live. You want to ensure that there are no holes written into any custom coding.
While you are reviewing new code, take the time to review old code as well. If you see any unfamiliar code, it is possible someone has hacked your account and is using it without your permission. By keeping up with your website’s code you can ensure that you know when changes are being made to your files.
In addition to the coding, check your access logs to ensure that the only IP address attempting to log into your server is your own. If you notice something askew, update your passwords and block that IP address.
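One way to run the access-log check described above, as an added example that is not part of the original post. It assumes an Apache "combined" format log and that login attempts are POST requests to the paths in `LOGIN_RE`; the function names, the paths and the sample log lines are constructed for illustration.

```bash
#!/bin/sh
# Assumption: these are the login URLs of your application; adjust as needed.
# ([.] and [?] are used instead of backslashes so awk -v passes them unchanged.)
LOGIN_RE='^/(wp-login[.]php|login)([?]|$)'

# foreign_login_ips MY_IP < access_log
# Prints "COUNT IP" for every IP other than MY_IP that POSTed to a login URL,
# busiest first. Those are the addresses to review and, if unknown, block.
foreign_login_ips() {
    awk -v me="$1" -v re="$LOGIN_RE" '
        # combined log format: $1 = client IP, $6 = "\"METHOD", $7 = path
        $6 == "\"POST" && $7 ~ re && $1 != me { hits[$1]++ }
        END { for (ip in hits) print hits[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log using documentation IP ranges, not real traffic.
# 203.0.113.10 plays the role of the site owner.
sample_log() {
    cat <<'EOF'
203.0.113.10 - - [01/Jan/2024:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:05:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:08:05:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Jan/2024:09:12:00 +0000] "POST /login?next=/admin HTTP/1.1" 401 512 "-" "curl/8.0"
192.0.2.44 - - [01/Jan/2024:09:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/8.0"
192.0.2.99 - - [01/Jan/2024:09:30:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
EOF
}

# Demo: the owner's own login is ignored, page views (GET) are ignored,
# and the two other addresses that submitted the login form are reported.
sample_log | foreign_login_ips 203.0.113.10
```

On a real account, replace `sample_log |` with `< /path/to/your/access_log` and pass your own public IP address.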
5. Check your file permissions.
When you create a file, it will at times open the access to the world. Yep, the entire world. Ok, that’s a bit of an exaggeration, but if your permissions are set to 777, that means that anyone can access and change your file permissions.
This is just enough of a crack to let a hacker through, so make sure that you have everything set properly. Ideally, you want your permissions set to 755 (or 644 depending on the purpose of the file) which means that you can access and change the file, but others can just see and use it.
If you’d like some more details on file permissions, our Support Center has a basic explanation of them as well as some details on changing them.
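A permission audit along the lines of this section, as an added example that is not part of the original post. The function names and the sample directory tree are constructed; the fix resets only the entries that are writable by everyone, using 755 for directories and executable files and 644 for everything else.

```bash
#!/bin/sh
# audit_perms DIR
# Lists files and directories under DIR whose "other" write bit is set
# (modes such as 777 or 666). Paths are printed relative to DIR.
audit_perms() {
    ( cd "$1" && find . \( -type f -o -type d \) -perm -0002 -print | LC_ALL=C sort )
}

# tighten_perms DIR
# Resets only the world-writable entries found by audit_perms.
tighten_perms() {
    # Directories, and files the owner is allowed to execute, become 755.
    find "$1" -perm -0002 \( -type d -o \( -type f -perm -0100 \) \) \
        -exec chmod 755 {} +
    # Any regular file that is still world-writable becomes 644.
    find "$1" -type f -perm -0002 -exec chmod 644 {} +
}

# Constructed sample tree in a temporary directory; prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir "$d/uploads"
    : > "$d/index.html"; : > "$d/config.php"; : > "$d/run.cgi"
    chmod 777 "$d/uploads" "$d/run.cgi"   # writable by everyone
    chmod 666 "$d/config.php"             # writable by everyone
    chmod 644 "$d/index.html"             # already fine
    echo "$d"
}

# Demo: report, fix, report again (the second report is empty).
tree=$(demo_tree)
echo "World-writable before:"; audit_perms "$tree"
tighten_perms "$tree"
echo "World-writable after:";  audit_perms "$tree"
rm -rf "$tree"
```

Run `audit_perms` against your web root first and read the list before running `tighten_perms`, since some applications expect specific modes on particular files.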
The above suggestions are just to get you started in securing your site. There is a lot of information out there, and diligence is required to keep your hosting account secure.
While you may not have the resources to have someone monitoring your account 24/7 like our Systems Team monitors our servers and network, it’s not a bad idea to get in the habit of checking in on your account daily, even when you aren’t updating any of its information.