Basic Security for VPS and Dedicated Servers

Keeping your account safe starts with keeping your local computer safe. We recommend two antivirus programs in particular to customers: Norton Internet Security and Kaspersky Internet Security. Both offer excellent protection that goes beyond antivirus scanning and includes features such as personal firewalls, anti-spam filters and more.

Make certain that your antivirus software is always up to date. The web applications that connect to your web hosting account have to be kept up to date as well.

cPanel, MySQL, FTP and mail accounts are all dependent upon good password security to be adequately protected. Do not use the same password on different services. Your password should always have at least one capital letter, one number and one symbol in it. You should never store the password to your web hosting server or any of your server's features anywhere on the web hosting server itself.

Keep your directory permissions below 755. In some cases, you may find that a particular application needs higher levels of permissions than this. In these cases, put the affected files outside the root of your web hosting account folder. You can also use an .htaccess file to restrict public access to these files.

Never log into your cPanel web hosting account on anything but a secure connection, ideally not in a public place.

Make sure that you are using PHP 5.2 by adding the following line to your .htaccess file:

AddHandler application/x-httpd-php52 .php .php3 .php4 .php5 .phtml

Make sure that you are not running any unnecessary services on your web hosting server. In your PHP settings, you can turn off unnecessary functions. Below are some recommendations:

allow_url_fopen=off

disable_functions = proc_open, popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru

To apply these settings, copy and paste them into the php.ini file in whichever directory you want them applied.
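To confirm that a php.ini actually carries both recommendations, the check below parses the file text and reports what is missing. It is an added example, not part of the original article; the names parse_ini and audit and the three sample files are constructed for illustration.

```python
# Added example (not from the original article): audit php.ini text.
RECOMMENDED_DISABLED = {
    "proc_open", "popen", "disk_free_space", "set_time_limit", "leak",
    "tmpfile", "exec", "system", "shell_exec", "passthru",
}
PHP_FALSE = {"", "0", "off", "false", "no", "none"}  # values PHP reads as off

WEAK_INI = """\
; constructed sample: partial hardening attempt
allow_url_fopen = On
disable_functions = exec, system   ; only two of the ten
"""
HARDENED_INI = """\
allow_url_fopen=off
disable_functions = proc_open, popen, disk_free_space, set_time_limit, leak, tmpfile, exec, system, shell_exec, passthru
"""
# Constructed failure mode: a later duplicate line empties the list again.
OVERRIDDEN_INI = HARDENED_INI + "disable_functions =\n"

def parse_ini(text):
    """Return the effective directives; the last assignment of a name wins."""
    settings = {}
    for raw in text.splitlines():
        # ';' starts a comment (quoted values containing ';' are not handled).
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of findings; an empty list means both settings are met."""
    s = parse_ini(text)
    findings = []
    # allow_url_fopen defaults to on, so a missing directive is also a finding.
    if s.get("allow_url_fopen", "1").lower() not in PHP_FALSE:
        findings.append("allow_url_fopen is enabled")
    raw = s.get("disable_functions", "")
    disabled = {f.strip().lower() for f in raw.split(",") if f.strip()}
    missing = sorted(RECOMMENDED_DISABLED - disabled)
    if missing:
        findings.append("not in disable_functions: " + ", ".join(missing))
    return findings

if __name__ == "__main__":
    for name in ("WEAK_INI", "HARDENED_INI", "OVERRIDDEN_INI"):
        print(name, "->", audit(globals()[name]) or "OK")
```

The overridden sample shows why the whole file should be checked rather than searched for the first matching line: a second disable_functions entry further down replaces the first.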

Another thing you might want to consider is blocking Perl-based and other bots from accessing your site. You can add the following rules to your .htaccess file to accomplish this:

SetEnvIfNoCase User-Agent libwww-perl bad_bots
order deny,allow
deny from env=bad_bots

If you want to completely disable perl files, input the following content to your .htaccess file:

##Deny access to all CGI, Perl, Python and text files
##The trailing $ limits the match to names that end in one of these extensions
<FilesMatch "\.(cgi|pl|py|txt)$">
Deny from all
</FilesMatch>

##If you are using a robots.txt file, please remove the
# sign from the following 3 lines to allow access only to the robots.txt file:
#<FilesMatch robots.txt>
#Allow from all
#</FilesMatch>

Our servers support Apache mod_security. This is an application firewall that is integrated into Apache.

If your account is compromised, there is a good chance that whoever hacked it will leave the back door open so that they can get into your account again. This is one of the rare occasions when it might be easier for you to simply have your entire web hosting account re-created to ensure that any backdoors that the hacker created are completely eliminated from your files.