How to secure your website – InfoSec tips for newbie website owners

And Again About Hosting Security!

Today, there are still many people who think of the Internet as a comprehensive encyclopedia of the world. However, their number is decreasing. More and more people rightfully consider the Internet a means of earning money. It can attract a large number of new customers to your business and tell everyone who you are and what valuable services you provide, for a mere penny.

The Internet can help you earn money even when you do not have any business offline. All you need is your own website (or sometimes even just a social media profile). Of course, you cannot have a website without purchasing a hosting plan. Selecting the best hosting service is a difficult and thorny path; to avoid mistakes, you need to learn a lot and read plenty of useful articles.

Suppose you have already found a suitable hosting provider and launched your website. Now the moment has come when you want to see the benefits of your work and earn money. And then, like a bolt from the blue, one day you discover that your site has been attacked. And what is worse, your entire business is irretrievably lost.

Why has this happened to you? Because when choosing a hosting service, you missed such an important and crucial parameter as hosting security. And so your hosting provider, to whom you naively entrusted everything you had, could not protect you.

First of all, you are the one who is responsible for your website security – how you store passwords, from which computers you log in, etc. Hosting providers can do nothing if you neglect basic security measures.

Mind that by purchasing a hosting plan with weak data protection, you get a luxury apartment with a large iron door that has no lock. And if you do not even close that door, then expect some guests…

Life story

This summer I helped my friend solve a security problem for one of his customers. He works for one of the top-rated Australian hosting services, and in early June he received a negative review:

Awful hosting, all my sites were infected with a virus. Your tech support always says the same thing: update all plugins, change passwords, update software versions. I have already updated everything twice and changed all passwords. I downloaded backups and checked them for viruses. Later, I even completely cleaned the server and put on a clean, freshly downloaded CMS. And then it happened again. Tech support reps say the same thing again. I do not advise anyone to use this hosting service. I use two other hosting services and no other site gets infected.

When my friend and I took a closer look, the infection manifested itself right away: if you navigated from the home page to any other page, you were redirected to a completely different site. The redirect was being blocked by this Australian hosting provider. Of course, the result for the owner of the infected resource was deplorable: traffic from search engines dropped substantially and earnings dropped to almost zero.

I asked the owner to send me the WordPress theme archive and the .htaccess file. This is a special per-directory configuration file for the Apache web server that lets you deny or allow access to a specific folder and set up redirects.

There, in the .htaccess file, I found an automatic redirect to the hacker’s site. It worked under the following condition: if the hacked site was accessed from Google, Yahoo, Bing, etc., the user was redirected to the malicious site.
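The kind of conditional redirect described above can be spotted by scanning .htaccess for rewrite rules that send visitors to another host only when a referer (or user-agent) condition matches. The following Python scanner is an added example, not code from the article or from the hosting provider; the sample .htaccess, the host name attacker.example and the function names are constructed for illustration.

```python
import re

# Constructed sample .htaccess (not the customer's real file): the standard
# WordPress block plus one rule of the kind described above, which fires
# only when the visitor arrives from a search engine.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|yahoo|bing)\\. [NC]
RewriteRule ^(.*)$ http://attacker.example/landing [R=302,L]
"""

# Server variables that a visitor-dependent redirect typically keys on.
SUSPICIOUS_VARS = ("HTTP_REFERER", "HTTP_USER_AGENT")


def find_conditional_redirects(text, own_hosts=()):
    """Return (line_no, rule) for every RewriteRule whose target is an
    absolute URL on a host not listed in own_hosts and which is guarded
    by a RewriteCond on the referer or user agent."""
    own = tuple(h.lower() for h in own_hosts)
    findings = []
    pending = []  # RewriteCond lines that apply to the next RewriteRule
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        upper = line.upper()
        if upper.startswith("REWRITECOND"):
            pending.append(upper)
            continue
        if upper.startswith("REWRITERULE"):
            target = re.search(r"https?://([^/\s]+)", line, re.I)
            external = target is not None and target.group(1).lower() not in own
            guarded = any(var in cond for cond in pending for var in SUSPICIOUS_VARS)
            if external and guarded:
                findings.append((line_no, line))
            pending = []  # conditions only apply to the rule that follows them
    return findings


if __name__ == "__main__":
    for line_no, rule in find_conditional_redirects(SAMPLE_HTACCESS):
        print(f"line {line_no}: suspicious conditional redirect: {rule}")
```

An unconditional redirect to another host is deliberately not flagged, since site owners use those legitimately; the tell-tale sign in the story is the redirect that only fires for search-engine visitors, which keeps the owner from noticing it.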

This story ended well: we cleaned everything and changed the passwords. From further correspondence with the client, we found that the hackers had penetrated through one of the sites based on Joomla; they used its eXtplorer.

Attack methods

There are many ways to attack your website. I will not go into all the details. Let’s identify the main ones.

  • Stealing passwords

An attacker infects your computer with malware, which copies passwords from your browser or FTP client, or records your keystrokes, and sends them to the hacker’s mailbox. By losing your passwords, you can lose not only your websites but also a good part of the information you store on the Internet, and become a victim of identity theft.

  • DDoS attacks

Such attacks make the server completely unavailable. The essence of the attack is that a huge number of requests are sent to your server in a short period of time. If your own computer is poorly protected, it can itself become a DDoS tool, a bot in someone else’s attack. DDoS attacks do not last long but are very effective, and if you run a big business, even several hours of server downtime can greatly affect your profits.

  • Malware and malicious links

Rogue programs and hidden links lead to disastrous consequences. Your website can be blocked by the hosting provider for breaking its rules, you can be dropped from all search engines, and you can get negative reviews on various forums and sites. And you may not even know it. After some time, you may notice lower traffic, fewer transactions on the site, or that your hosting service has been terminated altogether. Something similar happened to the hero of my article.

  • XSS

Cross-site scripting is carried out by intruders silently and goes unnoticed by the site owner. At first glance, XSS does not cause any visible problems. But in fact, with the help of a specially crafted script injected into your pages, the attacker gets a foothold on your site. It can even give him access to user accounts. By changing the page code of your site, a hacker can redirect your visitors to his own site.
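The root cause of XSS is untrusted text being written into a page without escaping. The following Python snippet is an added example, not code from the article or from any CMS: it renders a visitor comment once in the vulnerable way and once with output escaping, using a constructed payload that does exactly what the text describes (redirects the visitor). The placeholder host attacker.example and the function names are assumptions.

```python
import html

# Constructed payload of the kind the text describes: a script that sends
# every visitor to the attacker's site. attacker.example is a placeholder.
PAYLOAD = "<script>location='http://attacker.example/'</script>"


def render_comment_unsafe(author, body):
    # Vulnerable: untrusted text is pasted straight into the page markup,
    # so every visitor's browser runs whatever tags the submitter included.
    return f"<div class='comment'><b>{author}</b>: {body}</div>"


def render_comment_safe(author, body):
    # Hardened: every untrusted value is HTML-escaped on output, so '<', '>',
    # '&' and quotes become entities and can no longer open a tag or attribute.
    return (f"<div class='comment'><b>{html.escape(author, quote=True)}</b>: "
            f"{html.escape(body, quote=True)}</div>")


def contains_script_tag(markup):
    """True if the markup still contains an executable <script> element."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_comment_unsafe("visitor", PAYLOAD))
    print(render_comment_safe("visitor", PAYLOAD))
```

Escaping has to match the context the value lands in: html.escape is right for HTML text and attribute values, while values placed inside JavaScript or URLs need their own encoders. WordPress ships the equivalent helpers (esc_html, esc_attr, esc_url) for theme and plugin code.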

  • SQL injections

Using this attack method, an attacker gains the ability to read or write data, and sometimes to execute commands on the server. The attack works by embedding attacker-chosen SQL into a query that the application builds from user input. It is a very dangerous and sometimes fatal attack, during which you can lose all your data.
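The difference between a query that is open to injection and one that is not comes down to whether user input is glued into the SQL text or passed as a parameter. The following Python example with sqlite3 is an added illustration, not code from the article or from any CMS; the in-memory users table, the injected name and the function names are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed in-memory database standing in for the site's user table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "hash-of-alice", 1), ("bob", "hash-of-bob", 0)])
    return con


def find_user_vulnerable(con, name):
    # Vulnerable: the user-supplied name is concatenated into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT name, is_admin FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_user_safe(con, name):
    # Hardened: a parameterised query. The driver passes the value separately
    # from the SQL text, so it is only ever compared as data.
    return con.execute("SELECT name, is_admin FROM users WHERE name = ?",
                       (name,)).fetchall()


# Constructed input: the closing quote ends the intended string literal and
# the rest is parsed as SQL, making the WHERE clause true for every row.
INJECTED_NAME = "nobody' OR '1'='1"

if __name__ == "__main__":
    con = make_db()
    print("vulnerable:", find_user_vulnerable(con, INJECTED_NAME))
    print("safe:      ", find_user_safe(con, INJECTED_NAME))
```

The same rule applies whatever the language or database: in WordPress plugin code, for instance, $wpdb->prepare() plays the role of the parameterised query, and any place where a query string is assembled with string concatenation from request data deserves a second look.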

In fact, there are many other types of cyberattacks and you do not need to know all of them. It is more important for you to know how to avoid most of them.

Your website weak points

  • Password

So many novice webmasters do not pay much attention to this factor. Hackers have lists and statistics of frequently used passwords, and they use this data successfully. Do not consider yourself too original if you put your date of birth or similar data into a password. Rather than trying to come up with an original and complex password each time, use the blessings of civilization: a password manager. Never use the same password twice.

  • Scripts

This is one more weak point of your site. Many scripts have loopholes that hackers use. Through these holes, hackers can access your site and take possession of important information.

  • User accounts

Some accounts are created for testing or for some other temporary purpose. Often they are simply forgotten rather than deleted, and such accounts are low-hanging fruit for hackers, since you hardly bothered to create a strong password for them.

  • Plugins and themes

Outdated plugins and themes may contain numerous security vulnerabilities. Hackers use them too. Actually, vulnerable plugins are one of the top cyber threats. Do update all your plugins and CMS themes regularly. Remove unused plugins.

How to protect your websites

  1. Use a solid password storage approach.
  2. Update software on your computer and server.
  3. Use only proven and secure scripts and engines.
  4. Regularly scan the site for vulnerabilities (special scanners will help you with this).
  5. Use the services of reliable and high-quality hosting providers.
  6. Regularly back up all files and the database.
  7. Put an .htaccess file in the administrative folder of your site, in which you restrict access by IP address.
  8. Regularly scan your computer for viruses and Trojans.
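As an added example of item 7 (not a configuration from the article), this is what such an .htaccess file looks like for the WordPress admin folder on Apache 2.4. The IP addresses are documentation ranges and must be replaced with the addresses you actually administer from; the admin-ajax.php exemption is WordPress-specific.

```apache
# Added example, not from the article. Save as wp-admin/.htaccess.
# Apache 2.4 syntax; requires AllowOverride to permit AuthConfig directives.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# Many themes and plugins call admin-ajax.php from the public front end,
# so it must stay reachable for ordinary visitors.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

On Apache 2.2 the older Order/Allow/Deny directives are needed instead. Locking the folder down to fixed addresses only works if you administer the site from a stable IP; if you do not, place the restriction on wp-login.php and wp-admin/ through your provider's firewall or use an additional HTTP authentication layer instead.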

What to look for when buying a hosting

In order to secure your website on the server side, you must select a secure hosting service. If you, for your part, take all the preventive measures to protect your site from hacking, then on the server side you have to trust your hosting provider completely. Of course, all of them say it is completely safe to use their services. But we are practical people, so it is better to choose a hosting service according to the following security principles:

1. Place your website only on a server with a sufficient amount of memory, bandwidth, and storage. If your server’s bandwidth is limited, it may not withstand a DDoS attack. It is better if you have an independent channel to the server. So, basically, choose a plan that offers unlimited traffic; of course, it will be limited in practice, but it will still be sufficient.

2. Choose a hosting provider that guarantees to make regular backups. The provider should back up all your data. It can be very useful in many ways.

3. Choose a hosting service that uses only the latest hardware and software, updated to the latest version.

4. The hosting provider must be able to work with the latest versions of scripts and applications.

5. Make sure that the hosting provider works only with well-known engines and scripts and does not allow all users to upload unknown programs to the server. Otherwise, due to the incompetence of one of the server’s users, the whole server may go out of order.

6. It is important that the hosting provider allows a secure connection to your account, SFTP or SSH, which prevents your passwords from being stolen while transferring data, as can happen with a plain FTP client.

What to do if your website is hacked?

  • Do not panic.
  • Check the index.php files (index.htm, index.html, default.html and the like) and .htaccess in a text editor. If you find suspicious code there, simply replace these files with the default ones.
  • If the previous step did not help, then clean everything and deploy the backup.
  • Be sure to keep the last uninfected backup in a separate folder.
  • Update all plugins, modules, engines, etc.
  • Change all passwords.
  • Consider giving up your plain FTP client. Use programs like WinSCP that do not save passwords and can create encrypted connections.
  • Update antivirus and OS.
  • If the problem recurs after a while, contact the professionals for help.
  • If a professional says that it’s about hosting, then feel free to change the hosting service.
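The first steps above (checking index files and .htaccess, keeping a clean copy separately) are much easier when you have a record of what the clean site looked like. The following Python script is an added example, not code from the article or from WordPress: it hashes every file of a site, stores that baseline outside the web root, and later reports which files were modified, added or removed. The site tree, its contents and the function names are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map every file below root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Return (modified, added, removed) file lists relative to the clean baseline."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    return modified, added, removed


def demo():
    # Constructed site tree; paths mimic a WordPress install, contents are dummies.
    site = Path(tempfile.mkdtemp(prefix="site-"))
    (site / "wp-admin").mkdir()
    (site / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (site / "wp-admin" / "index.php").write_text("<?php // admin dashboard\n")

    # 1. Right after a clean install (or restore), record the baseline and keep
    #    it outside the web root: a compromised site can rewrite anything inside.
    store = Path(tempfile.mkdtemp(prefix="baseline-")) / "manifest.json"
    store.write_text(json.dumps(build_manifest(site), indent=1))

    # 2. Simulate the two symptoms from the story: code appended to index.php
    #    and a dropped-in .htaccess.
    with open(site / "index.php", "a") as f:
        f.write("/* injected */\n")
    (site / ".htaccess").write_text("RewriteEngine On\n")

    # 3. Later check: rehash everything and diff against the stored baseline.
    baseline = json.loads(store.read_text())
    return compare_manifests(baseline, build_manifest(site))


if __name__ == "__main__":
    modified, added, removed = demo()
    print("modified:", modified, "added:", added, "removed:", removed)
```

Run build_manifest() against the real document root right after a clean deployment and store the JSON with your off-server backups; a scheduled comparison then tells you exactly which files to inspect or restore, instead of guessing which index.php or .htaccess was touched.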

Choosing a safe hosting service is akin to choosing a pet. You look at it, check it for lice, learn its pedigree, and so on. And only after that do you make a decision. In order for your “union” with the hosting service to be durable, choose only big and trusted companies. Otherwise, everything may end very quickly.
