Security Best Practices
General Security Practices
Password Protection
Every account with internal access should have a strong yet memorable password. The easiest way for an attacker to get into a domain or database is through the front door, so keeping that door locked, and locked tight, is your first line of defense.
The best passwords combine a capital letter, a lowercase letter, a number, and a symbol. To test your passwords for strength, try this link.
Software Version Management
Most people use some type of software to manage their domains. Whether it's WordPress, Joomla!, Drupal, or any other content management system (CMS), it needs to be kept up to date to prevent a possible attack.
Encrypt FTP Traffic
There are two best practices for protecting FTP traffic. The first is to cut off any unwanted IPs. By default, WCP allows all IP traffic through to the domains for ease of access for new clients; however, it's beneficial to limit the IPs to just those that need access.
To do this in WCP:
- Click FTP Accounts
- Click Default Access
- Change the drop down menu to Blocked
- Click on IP List
- Click Add
- Add your IP (You can find it here.)
The second best practice is to encrypt the FTP traffic using TLS. By default, FTP users are forced to use TLS on cPanel servers but not on WCP servers. To enable TLS, follow this wiki.
Read Your Access Logs
Both WCP and cPanel use server logs to keep track of who visits the domain and what they do while there. For the most part this is a "set it and forget it" file, but if you get breached it can tell you what was accessed and when. In both WCP and cPanel, the logs folder sits above the domain root folder (wwwroot for WCP and public_html for cPanel).
Block Unwanted Traffic
Much like limiting FTP to those who need it, keeping unwanted IPs from reaching your server at all is an important tool. Most users will want to use this as little as possible so as not to disturb regular visitors, but if you get breached and recover an IP address in the process, it's vital to keep those attackers at bay.
To do this in WCP:
- Click Manage IPs in the bottom right menu
- Click Add under the IP List
- Add the IP address
- Select whether to block or allow this IP
- (optional) Type a reason
To do this in cPanel:
- Click IP Address Deny Manager
- Type an IP address or Domain
- Click Add
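The two sections above describe reading the access logs after a breach and then blocking the IP you recover from them. The following added example (not part of the original page) does that first step: it parses constructed sample lines in Apache combined format (the cPanel logs folder) and IIS W3C format (a Windows/WCP server), lists what a given client accessed and when, and lists which clients reached a path you found tampered with, which are the candidates for the IP deny list. The sample lines, IPs and paths are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample lines (not from the page): Apache combined format as found
# under the cPanel logs folder, and IIS W3C format as written on a Windows/WCP server.
APACHE_LINES = [
    '203.0.113.7 - - [12/Mar/2024:02:14:05 +0000] "GET /wp-login.php HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [12/Mar/2024:02:15:30 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
IIS_LINES = [
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status',
    '2024-03-12 02:16:01 10.0.0.5 GET /admin/config.php - 443 - 203.0.113.7 Mozilla/5.0 200',
]

APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_apache(lines):
    """Apache/cPanel combined log -> list of (ip, time, method, path, status)."""
    out = []
    for line in lines:
        m = APACHE_RE.match(line)
        if not m:
            continue  # skip malformed or truncated lines rather than abort
        ip, ts, method, path, status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        out.append((ip, when, method, path, int(status)))
    return out

def parse_iis(lines):
    """IIS W3C log -> same tuple shape; the #Fields header defines the column order."""
    out, cols = [], None
    for line in lines:
        if line.startswith("#Fields:"):
            cols = line.split()[1:]   # column layout can change between log files
            continue
        if line.startswith("#") or cols is None:
            continue                  # other directives, or data before any header
        row = dict(zip(cols, line.split()))
        when = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        out.append((row["c-ip"], when, row["cs-method"], row["cs-uri-stem"], int(row["sc-status"])))
    return out

def accessed_by(records, ip):
    """What one client touched and when, oldest first (ISO timestamps sort as text)."""
    return sorted((r[1].isoformat(), r[2], r[3], r[4]) for r in records if r[0] == ip)

def clients_touching(records, path_prefix):
    """Client IPs that reached a path you found modified; candidates for the deny list."""
    return sorted({r[0] for r in records if r[3].startswith(path_prefix)})
```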
Install Software to Mitigate Attacks
For those that use a CMS to manage their domains, it's preferred to download a plugin to help mitigate an attack. Below are some well-known plugins for various CMS applications.
- WordPress - iThemes
- Joomla! - kSecure
- Magento - MageFirewall
Reseller Security Practices
Encrypt Client Data
For those that use a central domain to handle client transactions, make sure whatever software you use is encrypted. The best practice is to get an SSL certificate installed wherever that software runs. You may also want to make sure that IP access to the software is limited to only those that directly need it.
To order an SSL click here.
VPS Security Practices
Lock Down Unused Ports
By default, all major VPS ports are open for initial ease of access, but it's highly recommended to close off the major ports to either no traffic or limited traffic. You can go about this in one of two ways: manually, or through our admin-level IPS filtering.
Manually
To manually lock down the ports in a Windows server:
- Go to the VPS Manager in WCP
- Click the Firewall Manager tool
- Click the pencil icon next to the major port
- Either restrict or close the port. Restricting the port automatically adds your local IP, but you will need to add any further IPs yourself.
From Support IPS
To block major ports in IPS:
- Contact Support at support@hostek.com
- Give them your security question and answer, billing password, or the last 4 digits of your credit card
- Request to be placed in the PCI Compliance zone of the IPS (Note: This can be removed at any time with another ticket)
Install Anti Virus
By default, AVG and ClamAV are installed on Windows and cPanel servers respectively, but it's recommended to upgrade to a more capable antivirus product. We allow the installation of almost all major antivirus software, and can help with the installation if required.
Encrypt Outgoing Traffic
Like encrypting FTP and HTTP traffic, encrypting other forms of traffic such as SMTP is recommended, and this can usually be handled with an SSL certificate.
To order an SSL click here.
Set Up Automated Updates
Most software installed on a server also has an automatic update feature, or at least an easy way to update it. Set a scheduled task on Windows or a cron job in cPanel to automatically update all browsers, antivirus, and other essentials. Non-web software is just as vulnerable to attack as CMS applications.