The second important factor that influences website security as a whole is website hosting, which can be shared or dedicated.
In the case of shared hosting, the responsibility for secure server settings rests with the administrator of the hosting services provider. With a dedicated server (VDS/VPS/DDS), this responsibility falls on the server owner.
In both cases, whether we are speaking about shared hosting or a dedicated server, the configuration needs to be adjusted to limit the range of operations that could reduce the website's working efficiency. In other words, website owners should be given access only to the functional options they actually need and should not be allowed to use any others.
For instance, if a website does not make external connections, the external connection options (allow_url_fopen/allow_url_include) must be switched off. Likewise, if a website does not use system calls (system, shell_exec and others), these functions should be deactivated as well.
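The two checks described above, as an added example that is not part of the original article: a Python script that reads php.ini text and reports when allow_url_fopen/allow_url_include are enabled, or when system/shell_exec are not deactivated. The function names, the `uses_*` parameters and the sample file are assumptions made for illustration, and `disable_functions` is assumed as the PHP directive used to deactivate the functions.

```python
# PHP's built-in defaults, used when php.ini does not set the directive.
PHP_DEFAULTS = {"allow_url_fopen": "1", "allow_url_include": "0",
                "disable_functions": ""}
TRUTHY = {"1", "on", "true", "yes"}


def parse_php_ini(text):
    """Return {directive: value}; in this parser a later line overrides an earlier one."""
    settings = dict(PHP_DEFAULTS)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop ';' comments
        if not line or line.startswith("[") or "=" not in line:
            continue                               # blank line or [section] header
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(text, uses_remote_urls=False, uses_system_calls=False,
          exec_functions=("system", "shell_exec")):
    """List findings for a site that does not need the given features."""
    s = parse_php_ini(text)
    findings = []
    if not uses_remote_urls:
        for key in ("allow_url_fopen", "allow_url_include"):
            if s[key].lower() in TRUTHY:
                findings.append(f"{key} is enabled but the site makes no external connections")
    if not uses_system_calls:
        disabled = {f.strip().lower() for f in s["disable_functions"].split(",") if f.strip()}
        missing = [f for f in exec_functions if f not in disabled]
        if missing:
            findings.append("disable_functions does not list: " + ", ".join(missing))
    return findings


# Constructed sample input, not taken from a real server.
SAMPLE_INI = """\
[PHP]
; remote includes were switched off, remote fopen was forgotten
allow_url_include = Off
disable_functions = shell_exec, passthru
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI):
        print("FINDING:", finding)
```

Pass a longer `exec_functions` tuple to cover the "and others" the site does not use; the default lists only the two functions named in the text.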
Another important aspect is file permissions and access control. The server must be configured to restrict unauthorized access to the website's files and directories as much as possible, and each website must be isolated from the others. The system administrator is the person who must see to all of these aspects.
Hundreds of different websites are commonly hosted on the same shared hosting server, yet every website requires its own specific functional options. That is why companies that provide hosting services are very lenient when it comes to server configuration and, as a result, allow their customers to set up a server almost without any restrictions. In this scenario, all the websites placed in the same hosting area face high risks, so a website owner should choose a hosting provider very carefully. The best option is a hosting provider that allows the web server and PHP to be set up individually for each account, thus avoiding the use of default settings.
It goes without saying that the server needs to be set up by an experienced system administrator, who will professionally isolate the website from other elements of the system, restrict most scripts and their visibility, and arrange control mechanisms for the file system, data backup and logging systems.
Website Administrator Functions / Administrator awareness of the need for website security, and accuracy and precision in performing website administrative tasks
The main issue with website security is that website owners generally pay little attention to web protection and the prevention of malicious activity. They are confident in the flawlessness of their software and in the reliability and safety of their server settings. Yet this carelessness can be the main cause of website hacking and infection with viruses.
So, what must be done to reduce potential security risks and protect websites against security threats? Below is a checklist for a website manager to follow:
- The local machine on which a website administrator performs all website operations should be protected by commercial antivirus software. The computer must be scanned regularly. If your website is managed by several specialists, the same rule applies to all of them.
- Change your FTP/SSH account passwords and admin panel (administrator page) passwords on a regular basis, at least once a month.
- Do not store your passwords in FTP client programs, browsers and email.
- Create strong and secure passwords like «Xhsdf3@4%4».
- Work safely using SFTP or SCP.
Great attention must be paid to website security. Only then will you be able to protect your website from viruses and attacks by hackers. Do not forget to update your software regularly, configure all the hosting settings properly, and control website access points diligently. If even one of these points is weak or ignored, your website is most likely to be hacked or infected with web-based malware.