Basic security guidelines for the shared hosting server
- Make sure your local computer is safe. For this purpose use reliable updated antivirus software such as:
- Norton Internet Security, offering Antivirus, Antispyware, Two-way firewall, Antiphishing, etc.
or - Bitdefender Antivirus Plus, which is the Bitdefender’s entry-level antivirus software offering, making it ideal for home users without technical skills and anyone who wants basic defense against threats. Because viruses aren’t the only cybersecurity risks, Antivirus Plus offers an array of security-first features, including ransomware prevention, monitoring online purchases and web-based transactions, and password management that lets users create unique passwords for everything, all managed through an easy-to-use dashboard.
- Norton Internet Security, offering Antivirus, Antispyware, Two-way firewall, Antiphishing, etc.
- Check whether all of your web applications are up-to-date. This includes any modules, components you have added and/or integrated;
- Make sure to use plugins downloaded from official sources. Files that are downloaded from unofficial sources are often edited to include additional code that includes backdoors for attackers to use and infect a website.
- Pick up strong passwords for the main account, MySQL, FTP, and mail users. Never use the same passwords for different users. For example, a MySQL user should not have the same password as your FTP user;
- Avoid having directories with permissions above 755. If your applications require such directories, try to put them outside your webroot (public_html) or place a .htaccess file in them containing “deny from all” to restrict public access to these files.
- Tweak your local PHP settings for better security. This can be done by disabling unnecessary functions and options. Here are some sample recommended directives:
allow_url_fopen=off
disable_functions = proc_open , popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
Note that the above directives can cripple your code’s functionality. They have to be pasted in a php.ini file in each directory you’d like to have them applied.
- Deny perl and other bots from accessing your site. This can be easily done with the following rules in your .htaccess:
SetEnvIfNoCase User-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots
- If you are not using Perl scripts, add a bogus handler for these files. In your home directory create a .htaccess file with the following content:
##Deny access to all CGI, Perl, Python and text files
<FilesMatch ".(cgi|pl|py|txt)$">
Deny from all
</FilesMatch>
##If you are using a robots.txt file, please remove the
# sign from the following 3 lines to allow access only to the robots.txt file:
#<FilesMatch robots.txt>
#Allow from all
#</FilesMatch>
The above will prevent Perl scripts from being executed. Many exploits/backdoors are written in Perl and the above will prevent them from running. This directive will apply to all your subdirectories.
IMPORTANT: Once your account has been compromised, it is very likely that the intruder will leave a backdoor to easily gain access later. That’s why only fixing your vulnerable code might not be enough. Finding the backdoors will be time-consuming and expensive (requiring a professional developer). That’s why you might prefer to start from scratch your site.