We are in the process of emailing all our customers with a general reminder on keeping their web hosting services secure with VentraIP, and thought it worthwhile to highlight some key points to help you keep your web site secure.
In the past few weeks, we have been made aware of a security issue that has already affected a number of web hosts around the world, where attackers have been able to deface or destroy thousands of web sites that use common applications such as WordPress, Joomla and Drupal. At this stage no VentraIP customers are known to have been affected.
Whilst we’ve been proactive to known threats and implement security measures to help prevent attacks of this nature, there is no guarantee that they will completely protect customers from any updated attack vector. Aside from that, there are some simple steps that you can take to keep your web site secure – which is something that should be down as best practice.
Take a local backup of your web site and database files
Whilst we do maintain a backup archive for disaster recovery purposes, you should be proactive in taking your own local backup of your web site (including database files). If your web site is subject to a security vulnerability or you accidently delete a file that should not have been deleted, it’s important to always maintain a local copy of your web site files and databases. You can do this by downloading copies of your files through your preferred FTP client, or by using the cPanel Backup generator and downloading the file it generates.
Remove any unused files or applications
One of the most overlooked things when customers are looking to improve security on their web site is forgetting to remove unused files or applications. Many customers make the mistake of using their web hosting service as a testing ground and leaving older versions of files or applications stored on the service. By removing old files and applications, you’re helping to keep your web site secure and ensure that there is one less port of entry for any security breach.
Remove any unused themes or plug-ins from your applications
Another common mistake is leaving unused themes or plug-ins installed in your applications. A large number of security vulnerabilities are introduced by themes and plug-ins for common applications such as WordPress, Joomla and Drupal, that are either purposely infected with malicious code or unknowingly contain security flaws that are later patched and the end user has not updated their version.
You should only ever install themes or plug-ins from known sources, use Google to check for any known security issues with the theme or plug-in you wish to install, and always make sure that once you are actively using a theme or plug-in that you keep it up to date.
There is a known vulnerability for WordPress users with any outdated version of “TimThumb” that comes with many themes. We suggest you check through your theme files and ensure that you have patched the vulnerability to prevent any potential breach.
Check the permission on your configuration files
If you are running WordPress, Joomla, Drupal or any other common application where the path to the configuration file is known or could be easily guessed, a great way to improve web site security is to update the permissions on the configuration file to 600. There are also many other security improvements that can be made by renaming your administration folder to a unique, different and non-standard name. Please consult your software vendor for whether this is possible and further instructions.
Ensure your cPanel password is secure
Having a weak cPanel password is the same as closing the back door at night and not having a lock or deadbolt. Attackers will use applications to guess common password combinations that are based on dictionary words or numbers, or in cases of targeted attacks the attacker may know or have obtained personal information about you that many people use in their passwords (such as your Date of Birth, Maiden name, Pet’s name, etc).
There are also many customers who do not change their cPanel from the initial password that we send to them in their welcome email. It is important to change the cPanel password as an attacker could compromise your email account or may have compromised your local PC and have access to your emails, which gives them direct access to your web site.
We suggest choosing a password that is unique, contains more than 8 characters and is made up of mixed case letters, numbers and a special character (such as ! or @).
Other steps that can be taken
A great place to start looking for further steps that can be taken is Google. Doing a quick Google search for terms such as ‘Hardening WordPress‘ or ‘Securing Joomla‘ yields pages and pages of results with simple techniques that can be taken to vastly improve the security of your web site and your web applications.