There are many common attack methods that hackers may use to compromise your services.
By following the recommendations below, not only will your hosting be more secure, but so will many of the other secure services you work with.
To help prevent your services from being compromised:
- Do Not Connect to Your Services from Computers that are Not Secure: If you log into your services from a computer that may be compromised, your password can be captured as you type it, so an attacker never needs to guess or crack it. Software that logs your keystrokes or reports the information you send can be used as a powerful tool against you. Never use a secure service on a computer that you are not familiar with and that has not been scanned with an antivirus program.
- Phishing attacks are becoming a common way to steal login passwords. Please do not log in to any account via an unknown link. Be sure to type the name of the secure service you wish to access into the address bar of your browser to help prevent your login password from being stolen.
- Keep Your Password Secret: Any time a password is compromised it may be added to large databases of common passwords. Even if you use a strong password with many random characters, once it is compromised it will be tested by competent hackers trying to brute-force your passwords.
Note: If you NEED to provide access to another person, generate a temporary password to give them rather than the password you use regularly, and restore your previous password when they no longer need access.
- Do Not Write Passwords Down: Instead, use a service that lets you securely store all of your passwords, generate random passwords, and even remind you when a password needs to be updated.
- Use Strong Passwords:
- Do Not Use Unsecured Connections on Open or Public WiFi: Always be careful to use SSL-encrypted connections whenever possible, as unencrypted connections on public networks can reveal your passwords to malicious users who are monitoring network traffic.
Note: This includes accounts that you log into through web browsers, email programs such as Outlook or Thunderbird, and even instant messenger clients and games. Any method you use to log into your services should be secured or limited to use on private networks.
Websites & Software
In addition to actions you can take when selecting and using passwords to log into your services, there are actions you can take with your websites to prevent malicious access:
- Update Your Software: Always upgrade to the latest version of your blog, forum, shopping cart, etc. New versions of software such as WordPress, and of the other scripts and tools used on your server, include security updates that close known and easily exploited vulnerabilities. Always upgrade to the latest version available.
- Do Not Use Group- or World-Writable File Permissions: The correct permissions are normally 755 (directories) or 644 (files), and you can check these in your File Manager. Most users know to avoid 777 permissions, but you really want to avoid any permission setting that allows Group or World write access. That is any mode whose Group or World digit is 7, 6, 3, or 2: the first digit (Owner) may be one of these, but neither of the last two digits should be.
- Never Leave Unused Scripts on Your Account: These tend to be forgotten, and since they are no longer maintained they are often out of date and can pose a very serious security threat to your account. If you no longer need a script, it is best to download your backups and remove it from the server.
- Avoid Software that Does Not Receive Updates: If your site relies on software that no longer receives regular development and security updates, it may be vulnerable to compromise. If you use software that no longer receives security updates, it is highly recommended that you look for a maintained alternative and migrate to it.
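The permissions rule above (755 for directories, 644 for files, no write bit in the Group or World position) can be checked from a shell instead of clicking through the File Manager. The following POSIX shell script is an added example, not code from the original article or from any hosting control panel: check_mode, audit_writable and fix_modes are names chosen here, and the web-root path passed as the first argument is a placeholder.

```shell
#!/bin/sh
# Added example (not part of the original article): audit a web root for
# files or directories that are group- or world-writable, and classify octal
# modes the way the article describes (Group or World digit in 7, 6, 3, 2).
# Assumes a POSIX shell and find(1); the directory argument is a placeholder.

# check_mode MODE: print "unsafe" when the Group or World digit of a 3- or
# 4-digit octal mode has the write bit (2) set, otherwise print "safe".
check_mode() {
    mode=$1
    # keep only the last three digits (drops a leading setuid/setgid/sticky digit)
    mode=${mode#"${mode%???}"}
    case $mode in
        [0-7][0-7][0-7]) ;;
        *) echo invalid; return 1 ;;
    esac
    rest=${mode#?}          # Group and World digits
    group=${rest%?}         # Group digit
    other=${rest#?}         # World digit
    if [ $(( group & 2 )) -ne 0 ] || [ $(( other & 2 )) -ne 0 ]; then
        echo unsafe
    else
        echo safe
    fi
}

# audit_writable DIR: list every file or directory under DIR that is writable
# by Group (-perm -020) or by World (-perm -002).
audit_writable() {
    find "$1" \( -perm -020 -o -perm -002 \) -exec ls -ld {} \;
}

# fix_modes DIR: dry run that prints the chmod commands needed to reach the
# article's defaults (755 for directories, 644 for files). Remove the "echo"
# to apply them; note that CGI scripts that must stay executable (e.g. 755)
# would need to be excluded first.
fix_modes() {
    find "$1" -type d ! -perm 755 -exec echo chmod 755 {} \;
    find "$1" -type f ! -perm 644 -exec echo chmod 644 {} \;
}

# Usage: sh audit_perms.sh /home/USER/public_html   (placeholder path)
if [ -n "${1:-}" ]; then
    echo "Group/World-writable entries under $1:"
    audit_writable "$1"
    echo "Suggested fixes (dry run):"
    fix_modes "$1"
fi
```

Run it against the document root of the account and review the listing before applying any of the printed chmod commands; the dry run is deliberate, because a blanket 644 would strip the execute bit from any CGI script that legitimately needs it.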
Email Accounts
Many users log into their email more frequently than any of their other services, making it the most vulnerable. The following suggestions should be followed with extra care:
- Vulnerable operating systems and applications can be exploited and used to steal passwords. Please be sure that every application used to connect to the email account is updated to the latest version, including the operating system and applications on the device or computer.
- Be sure that your device or computer is free of malware and keyloggers that could capture your email credentials. Do not log in from public computers, as they may be infected and may steal your account information and password. There are many excellent free antivirus scanners, and regularly scanning your computer with updated definitions will help keep your information safe.
- Passwords can be compromised by sharing, guessing, or brute-force attacks. The most important thing to do is keep your passwords secret. It is best not to share your email account with anyone else. If you must give a password to someone, do not share it with too many people, and be sure to change it when they are done using it to access your account.
Do not write down your passwords or save them in a plain-text file. Do not reuse old passwords, as they may be compromised, and do not use the same passwords for other accounts. It is highly recommended that you periodically change your passwords. Please note that this applies to your cPanel/WHM passwords as well, as these can be used to access the email account or change the email password.
- Network traffic can be sniffed to capture your passwords or other sensitive information. This is usually done on public WiFi networks. To help prevent your email password from being compromised, we recommend you use SSL authentication when sending and receiving email on all your personal devices and computers. Most modern email clients will attempt to set up your email account with SSL, but not all of them do this.
- Phishing attacks are becoming a common way to steal login passwords. Please do not log in to your email account via an unknown link. Be sure to type the name of the webmail site into the address bar of your browser to help prevent your login password from being stolen.
- When checking your email, do not open suspicious attachments, and be very careful of emails that pretend to be from services you use and ask you to log in via URLs you do not recognize. Malicious emails can be used either to infect your computer directly or to direct you to a phishing site where you may hand your password straight to your attackers.