{"id":308,"date":"2020-01-01T07:07:54","date_gmt":"2020-01-01T15:07:54","guid":{"rendered":"https:\/\/www.inetxsys.com\/articles\/index.php\/2019\/04\/26\/bs-how-can-i-get-my-business-to-show-up-on-local-search\/"},"modified":"2020-01-14T00:15:01","modified_gmt":"2020-01-14T08:15:01","slug":"web-hosting-security-best-practices-2020","status":"publish","type":"post","link":"https:\/\/www.inetxsys.com\/articles\/web-hosting-security-best-practices-2020\/","title":{"rendered":"Web Hosting Security Best Practices (2020)"},"content":{"rendered":"

When we think about website security, the\u00a0highly publicized breaches of major companies\u00a0come to mind. Multimillion-dollar security leaks involving exposed credit card information, login credentials, and other valuable data are covered extensively by the media, leaving one to believe only large-scale businesses are susceptible to online security risks<\/p>\n

Don\u2019t be fooled. Security standards are vital to the well-being of any website, large or small. That\u2019s why site owners are often bombarded by warnings of security risks in tandem with the sales pitches of many hosting providers. How do you separate the sales hype from the real risks?<\/p>\n

Education is the first step to protecting your online brand. Here, I\u2019ll cover some best practices to follow in your website management operations, as well as some key security features to look for in a prospective web hosting company.<\/p>\n

1. Backups and Restore Points<\/h3>\n

People often overlook\u00a0backups as an element of security. Backups both provide and require security. Backups must be kept in a secure location away from the main server, following the other security steps we will outline. A secure backup provides a trusted repository for the latest copies of the system and data that can be deployed to restore a known, clean system to operation.<\/p>\n

\"\"<\/p>\n\t

\n\t\t<\/span>\n\t\t
\n\t\t\t

I wouldn\u2019t worry about going ahead and disavowing links even if you don\u2019t have a message in your Webmaster console.<\/p>\n\t\t<\/div>\n\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\n\t\t\t\t\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\tMatt Cutts\t\t\t\t\t\t\t\t\t\t<\/span>\t\t\t\t\n\t\t\t\t\t\t\t\t\tAmerican Software Engineer<\/span>\n\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/blockquote>\n\n

It is important to ask about a hosting company\u2019s backup schedule and restore policies. For example,\u00a0how frequently are backups conducted<\/a>\u00a0\u2014 weekly, monthly, or daily? Will the support reps help you restore your site from backup files, or are the backups intended for their use only? Will the team find and restore lost or corrupted files or will they only do a complete replacement from a recent backup? Will the hosting service only use the most recent backup or can you request restores from further back in time, and if that\u2019s the case, how far back in time can you go?<\/p>\n

<\/h3>\n

2. Network Monitoring<\/h3>\n

Does the hosting provider monitor the internal network for intrusions and unusual activity<\/a>? Diligent monitoring can stop the server-to-server spread of malware before it gets to the server hosting your site. Ask for some details on how the support team monitors the network, whether the staff is dedicated to this function, and what the engineers look for. SolarWinds\u2019s guide to network monitoring best practices<\/a>\u00a0details several procedures and policies that any good network management team should follow.<\/p>\n

3. SSL, Firewalls, and DDoS Prevention<\/h3>\n

Distributed-Denial-of-Service (DDoS) attacks happen<\/a>\u00a0when an overwhelming amount of traffic is sent to your site, rendering it useless to visitors. Prevention starts at the edge of the network with a good firewall. However, there are\u00a0limits to how well a firewall stops DDoS attacks<\/a>.<\/p>\n

Can your provider give you some sense of what intrusions the company\u2019s firewalls are likely to stop and what other measures the security team employs? If you have a plan in which you manage your own server, you will need to know how to augment what the hosting service provides. At what stage will the network monitoring folks inform plan owners of potential problems that might affect their site?<\/p>\n

Does the provider make SSL certificates available? It will be your responsibility to implement SSL, but you can\u2019t if it is not available.<\/p>\n

4. Antivirus and Malware Scanning and\/or Removal<\/h3>\n

You should understand which protective actions your hosting provider will perform and what you must do on your own to protect your website. Does the support team run scans on the files in your account, and can you see the reports? If your account becomes infected, does the support plan include help in identifying and removing the malware? The server security steps we describe starting with step 6 will take you a long way toward keeping malware off your website.<\/p>\n

5. High Availability and Disaster Recovery<\/h3>\n

Look for a hosting company that will\u00a0keep your site running with 99.9% uptime or better. This goes beyond file-level backups. Is a bare-metal image available for your server? This is a complete copy of a clean, functioning server operating system for a speedy recovery from system failures.<\/p>\n

The host\u2019s network should have redundant hardware to guard against downtime caused by hardware failures. Firewalls can be configured to run in pairs, with each one ready to take over the full load in case the other one fails. The same concept extends to servers.\u00a0Hardware failover<\/a>\u00a0is an important component of high-availability networks.<\/p>\n

\"\"<\/p>\n

Load balancing is another high-availability feature<\/a>. In this case, multiple servers are ready to handle server traffic. They all work with the same copy of your website data stored on a network shared drive and hand off traffic to each other so that no one server becomes overburdened.<\/p>\n

\n

Server Security Best Practices<\/h2>\n
<\/div>\n<\/div>\n

If you have a plan that provides a server without management support, you may have to do some or all of this on your own. If your plan does include some degree of hardware and\/or software management support, the following will give you an idea of which questions to ask or what the support people are talking about.<\/p>\n

6. Access and User Permissions<\/h3>\n

At the host level, access means physical access to the machines, as well as the ability to log into the server. Physical access should be limited to trained technicians with security clearance.<\/p>\n

You and your host company should use Secure Socket Shell (SSH), or equivalent, to log into the server to maintain the operating system (OS) or the website. For extra security, use RSA keys protected by a passphrase.\u00a0Digital Ocean<\/a>\u00a0and\u00a0Rackspace<\/a>\u00a0both have tutorials on how to do this.<\/p>\n

Another good security step is to whitelist IPs that are allowed to access the server for maintenance. This can be done and modified through the hosting company\u2019s control panel provided for your account. You should also disable logins from the user root. Malicious players will commonly attempt to exploit this access point because the root user has full administrative privileges. You can always give equivalent permission to authorized admin logins.<\/p>\n

Files are protected by file permissions. Incorrect permissions cause time-consuming errors, and it is tempting to fix these errors by granting full permissions to all files. Don\u2019t do this. It gives any criminal hacker full control of your system if they get in.\u00a0Sucuri\u2019s guide to website security<\/a>\u00a0includes a primer on correct file permissions.<\/p>\n

7. File Management<\/h3>\n

All access to your server is remote. No one will go to the server to add, remove, or move website content files. You should use secure FTP (SFTP) with a secure and robust password for all file transfer and maintenance while also following other\u00a0FTP and SFTP best practices<\/a>.<\/p>\n

8. Applications and Logins<\/h3>\n

The hosting company should have a strict password policy for employees with mandatory password changes at regular intervals as well as when equipment or personnel changes. You should have similar policies for your server access passwords. Establish and enforce policies for strong passwords. Those who want to can exploit weak passwords within hours.<\/p>\n

Remove any unused, unmaintained apps on the server so no one can exploit unpatched vulnerabilities. Install \u2014 and maintain \u2014 utilities that monitor the server CPU, disk use, memory use, and application uptime.<\/p>\n

The databases on your server are potentially vulnerable targets for online criminals. UC Berkeley provides a\u00a0guide to hardening databases<\/a>\u00a0against attacks.<\/p>\n

\n

Coding and Website Security Best Practices<\/h2>\n
<\/div>\n<\/div>\n

The security of your website software and data files is your responsibility, even with a managed hosting plan. As a webmaster, you are responsible for managing your content and your site\u2019s functionality. The hosting company does not know what you want on the site or how you want it to function for your site visitors.<\/p>\n

9. Passwords and User Access<\/h3>\n

At the website level, you will have passwords for people who administer the site, guest authors, and potentially website visitors, depending on the nature of the site. Establish and enforce\u00a0password strength policies<\/a>\u00a0for everyone who has backend access.<\/p>\n

\"\"<\/p>\n

Admin staff and guest authors will need a stronger password because their accounts have a potentially greater impact on your site. Enforce changes after any suspected hacking attempt or when updating the content management system (CMS) or other software. The info@yourdomain.com address\/username is commonly attacked and should not be used. Use secure password managers<\/a>\u00a0to generate unique complex passwords.<\/p>\n

Each account holder should have the fewest privileges needed to do their job. For example, never give admin privileges to a guest author. Your CMS should have a level of privileges that allows them to upload and edit their post and nothing more. Each person should have his or her own login so they are held responsible for all changes made by that account. High-level admins can monitor the activity of all accounts.<\/p>\n

Never allow unrestricted file uploads. Limit uploads to the types of files your users will really need to upload and exclude scripts or other executable code. An uploaded executable file coupled with poor file access settings will give an intruder instant control of your website.<\/p>\n

Your server config files include settings that restrict access to your files, such as browsing directories and protect folders containing sensitive information.<\/p>\n

10. Plugins, Software Updates, and Backups<\/h3>\n

Always\u00a0keep your CMS and software updated<\/a>. Latest versions are patched to fix all known security holes. Change any default settings, such as the admin login name, that individuals can find and use to break in.<\/p>\n

When installing plugins and other software, consider the code\u2019s age or the date of its last update<\/a>, as well as the number of installs. These metrics give you an idea of the safety and reliability of the product. If it is inactive, it probably has not been vetted for security holes. Be wary of the source of the download for this software. Third-party sites may have added malware to the package.<\/p>\n

Your website content is not secure until you have automatic, frequent, and redundant backups conducted. The\u00a0backups should be stored apart from your main server<\/a>. The idea is to protect your content against said server\u2019s potential failure. A backup that is on the server will often fail along with the server, depending on the nature of the disaster. The backups should happen frequently enough to capture changing and new content, and they should happen without needing someone to remember to start them each time. Test the backups to be sure that the system is working. Check these\u00a0critical website best practices<\/a>\u00a0for more ways to develop a sound backup strategy.<\/p>\n

If you have custom themes, plugins, or similar software, it is a good idea to keep fresh copies of the install files. If they have malfunctioned or been compromised, that problem will be saved on the backup. The install files ensure you can get back to a pristine working copy.<\/p>\n

Keep in mind that a backup gets your site back in a hurry, but it does not fix the underlying problem that crashed it. For example, if someone used an exploit to penetrate your site, that vulnerability still exists in the backup copy and needs to be fixed right away.<\/p>\n

11. Code Reviews<\/h3>\n

A code review is\u00a0an in-depth check of an application after development is complete<\/a> and it is ready to be released. This is best done with a mix of automated tools and human inspection. The review is conducted in the full context of using the app \u2014 from login and authentication to data processing, encryption, and storage.<\/p>\n

\"\"<\/p>\n

Be wary of\u00a0SQL (Structured Query Language) deviously inserted into your website files<\/a>\u00a0by a third party. SQL injection is a method in which an attacker responds to an input request, such as username, with a valid SQL command. These commands can access data or delete it. Microsoft\u2019s\u00a0guide to SQL injection describes the attacks in detail<\/a>\u00a0and suggests ways to mitigate the risk such as with the use of session variables.<\/p>\n

12. Encryption, Firewalls, and DDoS Protection<\/h3>\n

A\u00a0web application firewall<\/a>\u00a0(WAF) monitors HTTP traffic to and from specific web applications. This provides more specific security than a network firewall, which does monitor HTTP, but does not understand the specific requirements of a web application. A WAF can be configured to prevent SQL injections as well as other techniques such as cross-site scripting and probing for vulnerabilities.<\/p>\n

Although DDoS prevention should be enacted at the network level, attackers may use one or a combination of several methods to flood your servers, and site owners must respond and protect themselves accordingly. Several noteworthy security leaders, including Cloudflare and Incapsula, offer\u00a0advanced mitigation and prevention tools and services<\/a>\u00a0that can be employed to help keep sites safe.<\/p>\n

Finally, SSL (secure sockets layer) technology is required when sensitive data is transferred to and from the server. An SSL certificate does not secure your server from attacks or malware, but rather encrypts and secures communication between your server and the person using your site. By using SSL, you are securing your customer\u2019s information and\u00a0keeping their trust in your site<\/a>.<\/p>\n

\n

Operating System Security Best Practices<\/h2>\n
<\/div>\n<\/div>\n

Some of the measures that you take will depend on the operating system of your server. Web servers run either on Linux\/Unix or on Windows. You usually choose this when you choose the hosting plan.<\/p>\n

Linux Machines<\/a>\u00a0|\u00a0Windows Machines<\/a><\/p>\n

13. Linux and Unix-Based OS<\/h3>\n

The server config file on Linux servers is called .htaccess. You can set rules in this file that prevent directory browsing and other activities that could expose sensitive information or open the server to other vulnerabilities.<\/p>\n

Although the PHP (hypertext preprocessor) language is more available and convenient, there are risks to using it on these servers. These OSes have a permission called executable, which means the file can execute code. It is important to limit executable commands when using PHP. This is where a code review is beneficial.<\/p>\n

\"\"<\/p>\n

14. Windows OS<\/h3>\n

Windows servers have user privileges, such as executable, limited by default, and admins must enter passwords to gain high-level permissions. Security measures are guided by the Security Compliance Manager function on these servers. The config file where access restrictions are set is web.config. Microsoft provides\u00a0a guide to security best practices<\/a>. Although there are more known security holes with the Windows OS, trained Microsoft programmers patch flaws and release updates and are available to respond to incidents.<\/p>\n","protected":false},"excerpt":{"rendered":"

When his site was unexpectedly hit by a recent core Google algorithm update, one SEO was determined to find out why. Follow along with all the steps taken to see just what went wrong and how to determine the right fix.<\/p>\n","protected":false},"author":1,"featured_media":371,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,1],"tags":[],"class_list":["post-308","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bs-seo-basics","category-speed-security"],"_links":{"self":[{"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/posts\/308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/comments?post=308"}],"version-history":[{"count":0,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/posts\/308\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/media\/371"}],"wp:attachment":[{"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/media?parent=308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/categories?post=308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inetxsys.com\/articles\/wp-json\/wp\/v2\/tags?post=308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}