There tends to be two groups of people running websites today. There are those that couldn’t care less about the security of their website and their server and those who consider online security to be a primary concern. Unfortunately there is not much in between. You either care or you don’t, it’s that simple. Unfortunately, there are people out there who want to be malicious who want be of detriment to yours and other peoples businesses and because of that there will always be a need for Web Server security if you’re running any kind of website.
Part of me thinks that those who don’t really care about web server security either don’t know the risks or don’t know how to address it. So they just bury their head in the sand until an issue arises and then they hope and pray their web hosting company resolves the issue for them. Let’s be honest most of the time they do just that but there are things you can do yourself to help with online security and even if you don’t it’s good knowledge to have then you don’t get ripped off having a professional handle such tasks if and when a situation arises.
Is It My Problem? Why Would Someone Hack Into My Site?
One thing I hear a lot when I talk about web server security is that people don’t really care about whether someone “breaks into” their site. They come back with answers like “I’ve nothing to hide” or “who cares if someone changes my site” etc. And for the most part, they’re probably right. Is someone breaking into your account really the end of the world? Well, for me it comes close. You need to think about what they can do. What if they were to upload a script that takes the whole server down via your account taking 5000 or so websites offline? All because you didn’t secure your scripts thinking it was only about your little website. And what if they steal your e-mail and reset your login passwords? The scope and level of damage someone could do by simply gaining access to the hosting account which is powering your little 5 page website is immense.
Basic Web Server Security Guidelines
This is by no means a complete list but here are a few things in bullet point format to consider with regards to website security.
Passwords – Strong passwords are a necessity these days. You need to use a password that contains uppercase, lowercase, numbers and if possible, symbols. You also need to make sure there is no weak link. For example there is no point having a strong WordPress password protecting your login area but having a weak cPanel password protecting the whole account.
Out of Date Software – Software which is no longer supported or developed are where most would be attackers find their way into your web server. Even if you’re not using the software, having it on your server is enough for a way in. Make sure you delete any third party applications or scripts which you’re not using.
Server Monitoring – There are lots of server monitoring applications out there which either run remotely or via your command line. If you have a high traffic website you really need to be able to see what is going on in real time.
Firewalls / Port Blocking – This is one for the server admins but consider server side tools such as Firewalld for preventing would be attacks and blocking ports that you don’t need. I found a great tutorial here for setting up and working with firewalld.
Keeping Your Web Server Updated
Another thing people need to be aware of is the importance of keeping your software updated. By software I mean everything right through to the applications powering your web server, through to your CMS such as WordPress right through to the apps you use on your desktop computer. Any of those could provide a point of entry for any would be attacker and with the right tools and knowledge that attacker could get all the way up the chain and do damage to every website on the server.
It’s not all doom and gloom. The steps you can take as documented above are obviously very easy to implement and can make a world of difference as far as your security and hack prevention measures go. It can also save you a huge headache and a huge headache for potentially hundreds of other third parties if you take the time and effort to secure your installations. The time and cost associated are absolutely minimal so you have to ask yourself, why not?