The biggest changes in upgrading from Shared to VPS Hosting are root access and WebHost Manager (WHM). These two capabilities grant you more responsibility to harden VPS hosting for your content management systems (CMSs), websites, and email solutions.
With a VPS you can request root access which is the highest level user on your server. Once logged in, you have unlimited permission to modify all aspects of your server via a command-line interface or WHM.
Shared hosting includes a cPanel which makes website management easy, but with a VPS you have higher-level access to the WHM where you can manage accounts as well as the server. For example, you can install additional security software or create multiple cPanel accounts and set their permissions. Also, when you login to WHM with the root user it will open up even more features that were not available before.
Below are ways to use that power to harden your VPS security stance.
Features to Harden VPS Security
ClamAV Scanner is an open source anti-virus scanner accessible in cPanel and configurable in WHM. After installing ClamAV in WHM as root, cPanel users can use the Virus Scanner to check files and mail. The scanner will list any potentially infected files after the scan.
Want to try something different? Check out ImunifyAV for easy automatic scans.
Recommended: Run at least monthly.
cPHulk Brute Force Protection
cPHulk protects cPanel accounts against brute force login attempts. Enabling cPHulk allows you to configure failed login lockouts, whitelist/blacklist IP addresses and countries, and log login attempts to harden VPS Hosting accounts automatically.
Recommended: Enable username and IP-based protection. Enable notifications. Blacklist non-applicable countries. Check History Reports at least monthly.
This is what the cPHulk interface looks like:
ConfigServer Security & Firewall (CSF)
ConfigServer Security & Firewall (CSF) is a versatile server-level firewall with the ability to detect and prevent brute-force login attempts, port scans, and other network-based attacks.
Account owners with Advanced Policy Firewall (APF) should upgrade to CSF for improved security.
Recommended: Block unneeded ports. Schedule Checks for IPs in RBLs. Enable port flood protection, port scan tracking, port knocking settings.
Enable domain privacy to protect your WhoIs information. Remove old DNS records that are no longer needed. Ask your registrar how to enable DNS security extensions (DNSSEC).
Recommended: Enable DNS security extensions (DNSSEC) when possible via your domain registrar and server or within proxy servers such as Cloudflare.
Email is a popular attack vector for cyber-attacks. Always look for signs of malicious emails. But enlist your server to assist you. Use all available server security software and spam filters within your server and email software.
Recommended: Follow our guide to strengthen email authentication. Learn about phishing, spear-phishing, and whaling.
ModSecurity is generally left alone unless it blocks an important task. If that’s the case, enable ModSec once you’re done. Contact Live Support for assistance troubleshooting the block, and/or consider another method to complete the task to maintain security.
Recommended: Keep ModSecurity enabled.
The newest PHP version is PHP 7.3 while 7.2 is the most commonly supported. All older PHP versions should be avoided and removed if not required to run important software.
Recommended: Use the highest PHP version possible. Remove older PHP versions in WHM.
The cPanel Security Advisor in WHM offers configuration recommendations for passwords, cPHulk, MySQL/MariaDB, SSH, SMTP, and more.
Recommended: Run the Security Advisor periodically and follow its recommendations.
Softaculous Instant Installer takes the pain out of installing new software. However, there are many included installable CMSs that aren’t actively maintained or require an outdated PHP version. If you remove those older PHP versions, those installation scripts will have unmet requirements. Abandoned CMSs are more vulnerable to cyber-attacks. It’s an easy way to harden VPS Hosting.
Recommended: Only use CMSs and frameworks in active development. Remove outdated Softaculous scripts.
A Secure Socket Layer (SSL) certificate encrypts communication between the user and the website. There are three validation levels for SSLs – domain (DV), organization (OV), and extended (EV). We offer a free and paid DV Comodo SSL. We recommend paid SSLs for major organizations and e-commerce stores. AutoSSL, the free SSL that’s auto-enabled forever, will be more than enough for most other websites.
After installing an SSL, HTTPS will work with your website – e.g. https://www.inmotionhosting.com. But you’ll need to force your website to redirect from HTTP to HTTPS to ensure it protects website visitors. The type of website, CMS, or other software you use will determine how you implement this.
Some business owners use HTTP Strict Transport Security (HSTS) which forces HTTPS at the browser level. Websites with HSTS enabled will not display if the SSL expires.
Recommended: Install a free or paid SSL certificate and force HTTPS via .htaccess or website plugin. Consider HSTS.
cPanel updates keep server-level software up to date. Check WHM, as user root, for updates in the upper-right corner.
Recommended: Check WHM for updates monthly.
The unfortunate truth: you can do everything above and still suffer from a malware infection. Part of working to harden VPS hosting is preparing for the possibility that it still doesn’t stop a cyber intrusion. Up-to-date cPanel backups, stored externally from the server, are your primary disaster recovery solution. Get an external drive if you don’t have one. AMP snapshots are another backup option, but its a single backup for your entire container. It’s used to restore your entire VPS to a last known best configuration.
Recommended: Schedule cPanel backups in WHM and snapshots in AMP.
It’s important to train cPanel users, website administrators, and email account holders on everything above. Like customer service, security is everyone’s job. Everyone shares the role to harden VPS security. Share security news related to installed CMSs, cPanel, phishing, and InMotion infrastructure regularly.
Recommended: Email cPanel users from WHM often and recommend training courses for further learning. You can start with our free ebooks.
24/7 Live Support is always available via phone, live chat, email, and Skype. You’ll need account verification information for account assistance. If we can’t resolve the issue with you, we’ll provide recommendations including other support options below.
Advanced Product Support (APS) is dedicated to supporting VPS 6GB RAM plans and above. APS is also available 24/7.
Managed Hosting specializes in custom server-level configurations and optimizations. Ask Live Support about Launch Assist to help you get started and your allotted Managed Hosting time.
Community Support Center is the place to engage the community for support, alternatives, and additional assistance. Feel free to ask questions about additional ways to harden VPS hosting. Remember, the forum is not a live chat support medium and InMotion administrators do not have access to your hosting account. For immediate assistance with support and billing, contact our 24/7 Live Support.
Want to add external protection to harden VPS Hosting security? Ask about the Sucuri web application firewall today.
Learn more about server management from our Managed VPS Hosting Product Guide.