As customers of web hosting services, we often accuse hosting companies of providing a low level of server security. Am I wrong? I have often done this in the past as well.
Not only that, I had always thought that 100% of the duties and responsibilities related to the security of my website on a paid web hosting service were a worry for the hosting provider alone. This point of view is of course extremely convenient, even comfortable. However, when hackers got into my hosting account, which was very well secured, it gave me a lot to think about.
In fact, only a small group of owners of this type of service are fully aware of the threats coming from the wider web, and even fewer know how to effectively protect their websites from those threats. Due to the complexity of the issue, I will try to focus on only a few basic elements below.
In the case of a problem with the website, especially when it has been hacked, can we honestly say that 100% of the fault lies with the hosting company?
Well, no! In fact, well over 90% of the fault lies with the website owner, which may seem quite a shocking statement. Of course, exempting the hosting service provider from any liability would be going too far. However, assigning them total responsibility without an objective and reliable analysis of the specific case typically amounts to blaming others, which is just as convenient as the carefree existence of the website before it was attacked.
Why was my website hacked? What do I need to do now?
Websites get hacked because WordPress is not updated, unofficial plugins are used, simple or basic passwords are chosen…
There is no such thing as zero risk! However, you can limit it. You can take measures to fix the problem after it occurs and/or prevent it from reappearing (regular updates of the WordPress core and plugins, and changing passwords regularly; these are very easy and basic steps).
- Seemingly nothing extraordinary: all you have to do is think of a string of letters, numbers and symbols, remember it, and that is it. ‘Who would want to guess my password…’
- Try to create difficult passwords by combining special symbols, uppercase and lowercase letters and numbers. Simple passwords are routinely broken by brute-force guessing.
- Usually, we log into numerous websites with the same login and password. Two-factor authentication (2FA) is great because it creates another barrier that an attacker must overcome to get to the site. The idea of two-factor authentication is simple: in addition to the login credentials, the user must provide additional information or perform an additional operation to be authorised. It can be an SMS, a code from an authenticator application, or clicking a link sent to the email address associated with the account. The point is that logging in requires access to something a potential attacker may not have (a phone, another account, etc.).
Take care of who has access to your website
- When creating and developing a website, we often use external services or companies to perform certain tasks, so we give access to developers, SEO teams or editors: not only direct access to our website, but to the hosting server or other services as well. Unfortunately, after some time, we forget to delete the accounts of people who no longer work with us.
- When ending cooperation with an individual or company, remember to change passwords or remove their access. Very often these activities are simply forgotten.
Encrypted connection – SSL
- Often this type of transmission is associated with banks, because such places naturally must be well protected. A reliable hosting provider should ensure secure communication on every protocol. It is important that they use the relevant certificates (preferably issued by a trusted certificate authority) and that they:
- Protect access to the administrative panel of the hosting service
- Ensure the possibility of secure communication over an FTP channel (e.g. SFTP, FTP over TLS (FTPS), etc.)
- Ensure the possibility of secure communication with the mail server
- Provide the ability to run your own SSL certificate on the hosting service, e.g. to encrypt data exchange in your online store
- It is also worth checking what types of security your hosting provider offers. If, while navigating the management panel, you see that the address in the browser’s address bar begins with http://, you already know that the data you exchange with the panel travels over the web in plain text, making it very easy to “eavesdrop” on. In this situation, ask your hosting provider whether you can use an SSL connection. The URL should start with https://. This one small letter ‘s’ makes a huge difference 🙂
WordPress, its plugins and themes
- There is a widespread belief that if you install something that is used by many people, it is probably good, safe and great overall, and that you do not need to do anything more 🙂 Unfortunately, this is a dream scenario, completely detached from reality.
- Caring for WordPress primarily means updating its elements (core, plugins and themes). The most important thing is installing security updates. We do not have to hurry when a new version of a plugin merely adds corrections to the Hebrew translation (unless we use that language). Updates should be approached pragmatically.
- On the 12th of March this year, WordPress found a critical vulnerability, fixed it, and recommended that all hosting providers apply the update automatically (even for WP administrators who have auto-updates turned off), and told users to check all plugins and third-party add-ons.
- One of the reasons WordPress is so popular is the number of plugins and themes we can add to it. The wider web is full of sites offering free themes and plugins. At first glance, it is difficult for us to determine whether what we download and install in WordPress is safe, and we often lack the knowledge to review the theme or plugin code.
- If you decide to add a theme or plugin, it is worth going to the official WordPress repository. It contains only those that have gone through a verification process which checks, among other things, for malicious code.
- Keep WordPress clean by removing unnecessary or unused plugins and themes. Clean, and clean again. Many hacks of WordPress go through old, outdated or simply unused themes and plugins. It is not enough to deactivate them in the panel, because they are still on the server and can be used to attack the site.
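The last point is easy to check. As an added example (not code from the original post), this small Python audit compares what WordPress considers active (the `active_plugins`, `template` and `stylesheet` rows in wp_options) with what is still on disk under wp-content, and lists the deactivated plugins and themes that should be deleted rather than merely switched off. The sample option values and directory listings are constructed for the example.

```python
import re

# Constructed sample data, not taken from a real site: the `active_plugins`
# option exactly as WordPress stores it in wp_options (a PHP-serialized array
# of "plugin-dir/main-file.php" entries), the active theme options, and the
# directory listings of wp-content/plugins and wp-content/themes.
SAMPLE_ACTIVE_PLUGINS = ('a:3:{i:0;s:19:"akismet/akismet.php";'
                         'i:1;s:36:"contact-form-7/wp-contact-form-7.php";'
                         'i:2;s:9:"hello.php";}')
SAMPLE_TEMPLATE, SAMPLE_STYLESHEET = "twentytwentyfour", "my-child-theme"
SAMPLE_PLUGIN_ENTRIES = ["akismet", "contact-form-7", "hello.php",
                         "index.php", "old-slider", "unused-seo-tool"]
SAMPLE_THEME_DIRS = ["twentytwentyfour", "my-child-theme", "twentynineteen"]

_PHP_STR = re.compile(rb's:(\d+):"')


def php_string_array(serialized: str) -> list:
    """Return the string values of a PHP-serialized array. The s:N prefix is a
    byte length, so we walk the UTF-8 bytes and a quote or semicolon inside a
    value cannot confuse the parser."""
    data, values, pos = serialized.encode("utf-8"), [], 0
    while (m := _PHP_STR.search(data, pos)):
        start, length = m.end(), int(m.group(1))
        values.append(data[start:start + length].decode("utf-8"))
        pos = start + length + 2            # skip the closing quote and ';'
    return values


def active_plugin_entries(serialized: str) -> set:
    """Top-level directory (or bare file, for single-file plugins such as
    hello.php) of every active plugin."""
    return {path.split("/", 1)[0] for path in php_string_array(serialized)}


def stale_plugins(serialized: str, on_disk) -> list:
    """Entries in wp-content/plugins no active plugin uses: switched off in
    the panel, yet their PHP files are still reachable on the server."""
    active = active_plugin_entries(serialized)
    return sorted(e for e in on_disk if e not in active and e != "index.php")


def stale_themes(template: str, stylesheet: str, on_disk) -> list:
    """Themes other than the active one and, for a child theme, its parent
    (the `template` option), which must stay installed."""
    keep = {template, stylesheet}
    return sorted(d for d in on_disk if d not in keep)


if __name__ == "__main__":
    print("delete plugins:", stale_plugins(SAMPLE_ACTIVE_PLUGINS, SAMPLE_PLUGIN_ENTRIES))
    print("delete themes:", stale_themes(SAMPLE_TEMPLATE, SAMPLE_STYLESHEET, SAMPLE_THEME_DIRS))
```

On a live site the two option values come from the wp_options table and the listings from `ls wp-content/plugins` and `ls wp-content/themes`; the `index.php` placeholder that WordPress keeps in the plugins directory is deliberately ignored.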
Securing WordPress (hardening) is quite often a complicated process. It requires time and an understanding of some elements. We are never 100% sure that we have achieved protection against everything (e.g. 0-day vulnerabilities), but by following these or similar steps we are certainly minimising the level of danger.
These are only four basic elements related to the security of the data on your hosting account. There are of course many more, and the topic can be explored in many directions, but I wanted to show how much depends on you, and how many factors related to the security of your website are ones on which you, the user, have a real and often decisive impact.
The role of the hosting service provider itself is also considerable, because in addition to ensuring the highest possible standards, one of the important elements of its mission should be to educate clients and inform them how to avoid threats and how to minimise them.