Having your web hosting account attacked and hacked can be a painful, nightmarish experience. It can be very difficult to recover from a hack, especially when the hacker has been able to inject backdoors into your website files. That is why preventing a hack is very important for every web hosting account.
Fortunately, there is a lot you can do both to prevent common and simple hacking attempts and to make it easier to recover from a hack if it does happen.
There are also third-party services, such as SiteLock, which provide a comprehensive solution both for preventing hacking and for recovering from it when it does happen.
You can proceed to subscribe to the services of SiteLock.
In this article we focus on things that you can do to prevent malicious users from taking advantage of your products and services.
General Prevention Measures
- General Prevention
- Websites & Software
- Email Accounts
There are many common methods of website attack that hackers may use to compromise your services. By using the following recommendations, not only will your hosting be more secure, but many other secure services you work with will be as well.
To help prevent your services from being compromised:
Do Not Connect to Your Services from Computers that are Not Secure: When you log in to your services from a computer that may be compromised, your password can be captured as you use it, which removes any need for an attacker to guess or crack it. Software that logs your keystrokes, or that reports information you have sent, can be used as a powerful tool against you. Never use a secure service on a computer that you are not familiar with and which has not been scanned with an antivirus program.
Phishing attacks are a common way to steal login passwords. Please do not log in to any account via an unknown link. On Todhost, phishing can lead to an account termination. We do not compromise on any case of phishing. Be sure to type the name of the secure service you wish to access into the address bar of your browser to help prevent your login password from being stolen.
Keep Your Password Secret: Any time a password is compromised, it may be added to large databases of common passwords. Those databases then guide further attempts to crack your password, including brute-force attacks. Even if you use a strong password with many random characters, once it has been compromised it will be tested by competent hackers trying to brute force your passwords.
Note: If you NEED to provide access to another person, it is suggested that you generate a temporary password to give them, rather than the password you use regularly, and restore your previous password when they no longer need access. Do not supply them with your regular password with the hope of changing it later.
Do Not Write Passwords Down: Writing passwords down can expose them to someone else. Instead, use a service that lets you securely store all of your passwords, generate random passwords, and even get reminders when a password needs to be updated.
Use Strong Passwords: The following article will assist you with generating strong passwords:
How Can I Make a Stronger Password?
Do Not Use Unsecured Connections on Open or Public WiFi: Always use SSL encrypted connections whenever possible, as unsecured connections on public networks can reveal your passwords to malicious users who are monitoring network traffic.
Note: This includes accounts that you log into through web browsers, email programs such as Outlook or Thunderbird, and even instant messenger clients and games. Any method you use to log into your services should be secured or limited to use on private networks.
Websites & Software Related Issues
In addition to actions you can take when selecting and using passwords to log into your services, there are actions you can take with your websites to prevent malicious access:
Update Your Software: Always upgrade to the latest available version of your blog, forum, shopping cart, etc. New versions of software like WordPress, and of other scripts and tools used on your server, include security updates that fix known and easily exploited vulnerabilities. The safest way to run without issues is to keep up with the latest software updates.
Do Not Use Writable File Permissions: The correct permissions are normally 755 or 644, and you can check these in your File Manager. Most users know to avoid 777 permissions, but you really want to avoid any permission setting that allows Group or World writing. (That is any setting where either of the last two numbers is 7, 6, 3, or 2. The first number can be one of these, but neither of the last two can.)
Never leave scripts on your account that are not being used. These tend to be forgotten, and since they are no longer maintained, they are often out of date and can pose a very serious security threat on your account. If you no longer need the script, it is best to download your backups and remove it from the server.
Avoid Software that Does Not Receive Updates: If your site relies on software that no longer receives regular development and security updates, it may be vulnerable to compromise. If you use software that no longer receives security updates, it is highly recommended that you look for a new software solution to replace it.
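For the file-permission recommendation above, the following shell functions list everything under a web root that is Group- or World-writable and strip only those write bits, so 777 becomes 755 and 666 becomes 644. This is an added example, not Todhost's own tooling; the script name `audit.sh` and the `~/public_html` path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: audit a web root for group- or world-writable entries.

# Print every file or directory whose group or world write bit is set,
# i.e. a mode whose second or third digit is 7, 6, 3 or 2.
# Symlinks are skipped: their own mode bits are not used for access checks.
list_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -print
}

# Remove only the group/world write bits (777 -> 755, 666 -> 644, 775 -> 755).
# Owner bits and execute bits are left alone, so scripts keep working.
fix_writable() {
    find "$1" ! -type l \( -perm -020 -o -perm -002 \) -exec chmod go-w {} +
}

# Usage: sh audit.sh DIR [--fix]
# DIR is your web root, e.g. ~/public_html (assumed path; use your host's).
if [ -n "${1:-}" ]; then
    list_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_writable "$1"
    fi
fi
```

Run it without `--fix` first and review the list: an upload or cache directory that appears there is worth checking before its permissions are changed.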
Email Accounts
Many users log into their email more frequently than any of their other services, making it the most vulnerable. The following suggestions should be followed with extra care:
Vulnerable operating systems and applications can be exploited and used to steal passwords. Please be sure that the operating system on your device/computer, and any application(s) used to connect to the email account, are updated to the latest versions.
Be sure that any device/computer that uses the email account is free of malware/key loggers. Do not log in from public computers, as they may be infected and may steal your account information and password. There are many excellent free antivirus scanners, and regularly scanning your computer with updated definitions will help ensure that your information is safe.
Passwords can be compromised by sharing or guessing them and by brute-force attacks. The most important thing to do is keep your passwords a secret. It is best not to share your email account with anyone else. If you must give a password to someone, don't share it with too many people, and be sure to change it when they are done using it to access your account.
Don't write down your passwords or save them in a plain text file. Do not reuse old passwords, as they may be compromised, and do not use the same passwords with other accounts. It is highly recommended that you periodically change your passwords. Please note that this applies to your cPanel/WHM passwords as well, since these can be used to access the email account or change the email password.
Network traffic can be sniffed to capture your passwords or other sensitive information. This is usually done on public WiFi networks. To help prevent your email password from being compromised, we recommend you use SSL authentication when sending and receiving emails on all your personal devices/computers. Most modern email clients will attempt to set up your email account with SSL, but not all of them do this.
Phishing attacks are becoming a common way to steal login passwords. Please do not log in to your email account via an unknown link. Be sure to type the name of the webmail site into the address bar of your browser to help prevent your login password from being stolen.
When checking your email do not open suspicious attachments and be very careful of emails pretending to be from services you use that have URLs that you do not recognize asking you to log in. Malicious emails can be used to either infect your computer directly or maliciously direct you to a phishing site where you may give your password away directly to your attackers.
If you are already the victim of a compromised Todhost service, please contact customer support for help on how to recover. The following articles will also be useful to help you with recovery from a hacker attack.
Update Software/Plugins: If you are running a CMS, such as Joomla, WordPress, or Drupal, I recommend checking to make sure it and any plugins/add-ons are fully updated, as security exploits may have been fixed by the developers. You can update most programs from Softaculous, but plugins/themes differ in how they are updated, so I recommend following the developer's instructions.
Change any passwords for your account. This is always the recommended first step. In case your passwords were compromised, change your cPanel password, any FTP account passwords, and if you use WordPress or a CMS change that password as well.
Update Programs running on your hosting account. If you use third party software to build your site, such as WordPress or Joomla, make sure you are using the most up to date version as security exploits may have been fixed by the developers.
Update Programs running on your computer. Some programs, such as Adobe's Flash, include vulnerabilities that allow hackers to access data on your computer. They can then sniff around and find data, such as FTP usernames and passwords that are saved in some programs. Be sure that you keep all of your software up to date, as developers often release security patches.