Hosting Security Best Practices

Hosting Security Best Practices

Securing your hosting account is crucial to protect your websites, data, and visitors from attacks. Follow these best practices to maintain a strong security posture.

1. Use Strong, Unique Passwords

• Use passwords with 12+ characters including uppercase, lowercase, numbers, and symbols.
• Never reuse passwords across different accounts.
• Use a password manager (Bitwarden, 1Password, LastPass) to generate and store passwords.
• Change passwords regularly, especially after team member departures.

2. Enable Two-Factor Authentication (2FA)

• Enable 2FA on cPanel via Preferences > Two-Factor Authentication.
• Enable 2FA on your hosting account login.
• Use authenticator apps (Google Authenticator, Authy) rather than SMS-based 2FA.

3. Keep Software Updated

• Update your CMS (WordPress, Joomla, etc.) as soon as security patches are released.
• Update all plugins and themes — outdated extensions are the #1 attack vector.
• Remove unused plugins and themes — they can still be exploited even when deactivated.
• Use the latest PHP version that your application supports.

4. Install and Configure SSL

• Install an SSL certificate for all domains and subdomains.
• Force HTTPS via .htaccess to ensure all traffic is encrypted.
• Use HSTS (HTTP Strict Transport Security) for additional protection:

  Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  

5. Secure File Permissions

• Set directories to 755 and files to 644.
• Set sensitive configuration files (like wp-config.php) to 640 or 600.
• Never use 777 permissions — this is a major vulnerability.

6. Protect Admin Areas

• Password protect administrative directories (e.g., wp-admin) using cPanel Directory Privacy.
• Limit login attempts to prevent brute-force attacks.
• Change default admin URLs when possible (e.g., using a WordPress security plugin to rename wp-login.php).
• Restrict admin access by IP if you have a static IP:

  <Files wp-login.php>
      Require ip YOUR_IP_ADDRESS
  </Files>
  

7. Configure Firewalls and Access Controls

• Use cPanel’s IP Blocker to block known malicious IPs.
• Disable directory listing in .htaccess:

  Options -Indexes
  

• Block access to sensitive files:

  <FilesMatch "\.(env|log|ini|sql|bak)$">
      Require all denied
  </FilesMatch>
  

• Consider using ModSecurity (Web Application Firewall) if available on your hosting.

8. Regular Backups

• Set up automated daily backups.
• Store backups off-server (cloud storage or local drive).
• Test restoring from backup periodically.
• Keep at least 3 recent copies of backups.

9. Monitor and Audit

• Check error logs regularly for unusual activity.
• Monitor access logs for suspicious patterns (repeated login attempts, unusual URLs).
• Use security plugins (Wordfence, Sucuri) that provide activity auditing.
• Set up uptime monitoring to be alerted of outages.

10. Secure Email

• Configure SPF, DKIM, and DMARC records to prevent email spoofing.
• Use strong passwords for all email accounts.
• Be alert to phishing attempts targeting your hosting or CMS login.
• Never send passwords via email — use secure sharing tools.

11. Use SFTP Instead of FTP

• FTP transmits credentials in plaintext. Always use SFTP (port 22) for file transfers.
• Delete FTP accounts that are no longer in use.
• Restrict FTP access to specific directories.

12. Database Security

• Use strong, unique passwords for database users.
• Limit database user privileges to only what’s needed.
• Change the default table prefix (e.g., from wp_ to something unique).
• Disable remote MySQL access unless specifically needed.

Incident Response

If your site is compromised:

1. Change all passwords immediately (cPanel, FTP, database, CMS admin).
2. Scan for malware using security tools or cPanel’s virus scanner.
3. Restore from a clean backup if available.
4. Update all software to the latest versions.
5. Contact 10Corp support for assistance with cleanup and investigation.

For security assistance, contact 10Corp support.