Website Security – Preventative Measures

Website security is a topic on a lot of users’ minds. If you search the web for How to hack a website, you will literally get millions of hits. Taking the necessary precautions now with your website will help prevent a big headache later on in the event anything does happen to your website.

This article includes links to sources online about website security, that pertain specifically to individual programs like WordPress and Microsoft Windows. While it is not possible for us to publish every security article for every program, a search on the web regarding security and updates for the software you run should return numerous results.

Note: If you suspect you have already been hacked, please see our article on recovering from a hack

Backing up your account

We’re starting this article on website security with an introduction to backups. Making regular backups of your website is very important, and is one of the best recommendations that we can provide. cPanel includes an easy backup utility that you can use to backup your entire website, including your databases, email, and files. For more information on backing up your website, please view our article on how to create cPanel backups.

There are numerous techniques that hackers can use to compromise a website, however the reasons these techniques are successful are usually because of:

  1. Vulnerabilities in the software you run on your hosting account
  2. Vulnerabilities in software that you run on your local computer

Vulnerabilities in the software you run on your hosting account

Most software that users run on their website is Open Source software. Open Source software is software that is freely available for anyone to download and use. For example, both Joomla and WordPress are very commonly used, and they are both Open Source. One of the drawbacks of Open Source software is that anyone can download and view the software’s code, which makes it easier for hackers to find ways to compromise a website. The authors of such Open Source Applications release updates and security patches on a regular basis. Please be sure that you are running the most current versions of any third party software on your website, as the most current version is usually the most secure version as well.

The following is a list of links, for WordPress and Joomla specifically, that point to the software’s own information about security:

WordPress

Joomla

The Joomla Security Center includes information about their latest security news, their latest security articles, and more information in general about the Joomla Security Strike Team.

Vulnerable plugins

Keeping any third party plugins / extensions on your website up to date is just as important as keeping the core software up to date as well. We’ve compiled a short list of links for more information about this topic as well.

Joomla

WordPress

Did you code and develop your website yourself?

If you coded your own website, knowing common techniques hackers use can help you take steps to make your own software more secure. The following is a list of links to articles on Wikipedia that provide more information on common hacking techniques:

Note: Although direct coding support is out of the realm of what our Support Department can assist with, a search on the web regarding the topics below will return many results that include how to update your code and take preventive measures.

Common ways websites are hacked

Vulnerabilities in software that you run on your local computer

Not only do Open Source applications like Joomla and WordPress release updates on a regular basis, but so do companies such as Microsoft and Adobe. The following is a list of links to major software titles and information about the security updates they have available:

Adobe

Microsoft

Microsoft provides Windows Update to help keep your copy of Windows and other Microsoft products up to date. Be sure that your version of Windows has installed the most up to date security patches available.

Apple

Apple is well known for the security and stability that their products come with, but even Apple has to releases security updates. Please see the link above for more information regarding Apple security updates.

The IT industry is changing every day, especially when it comes to the Internet and security. Keeping your software up to date, both on your hosting account and on your own computer is one of the best ways to secure your website. You should also regularly scan your computer for viruses and malware, maintain regular backups of your website, and be sure to contact the InMotion Hosting Support Department if you have any additional questions.

39 Comments

  • my website Account has been suspended.
    Contact your hosting provider for more information.
    whay or sol kese kare

  • My website was put on quarantine because of a hacked file

    /home/……5/public_html/wp-includes/css/americanexpress/securelogin/update/Logon.php

    What steps should i follow to put it back online..please..Thanks!

    • Hello – sorry for the problem with the hacked site. You should go through the recovery steps after being hacked and contact our live technical support team for immediate assistance. If your site has been suspended or quarantined due to the hack, then the technical support team will be the ones who can help you get it back to normal. Please use the information at the bottom of this page to contact the support team.

  • User accessing my website at https://www.byrneholics.com received this message.

    I have never received a report like this.

    What are my next steps?

    Thanks.

  • Dear InMotion: I’m building a family archive site limited to a dozen or so users who are normally reliable but not necessarily competent. I want them to upload image, pdf and text files. Does the server check uploads for malware or is that better done at the client end?

    • Hello,

      The does check for malware periodically however it will not scan a file as its uploaded. It would be best to scan that at the client end, You may also depend on the software you are using for the site be able to limit the file types and check them after they are uploaded as well.

      Best Regards,
      Kyle M

  • Hi there. I got this email referencing both of my websites:

    Hello administrator,

    A new user ‘jdebugger’, username ‘jdebugger’, has registered at https://nancysepe.com/.

    I logged in, and a new user had registered as admin! I deleted. But clearly my site was hacked somehow. Nothing seems to have gone wrong, my home page is still there etc. Maybe they just wanted to send emails from my address. Is there anything I should do?

    Thanks,

    Nancy

    • We recommend changing all your passwords. Then you may want to reach out to Support to have a shell scan ran to see if we find any known hacks. Also, run a malware scan on your local computer to ensure that wasn’t compromised as well.

  • Hellon Sir/ Madam,

     

    I experienced bad hacks on my previous accounts in Hostgator. It happened 3 times in 60 days. Once a website in my shared hosting package was hacked, all websites were suspended.

     

    Do you do the same? or It only disables the hacked one.

     

    Thank you

    • While it is not our intention to suspend a site, it depends on the specific nature of the hack. For example, we may quarantine the file or folder if there is an obvious hack or compromised software. But if your account keeps getting hacked and it is affecting the performance of a shared server, it can result in suspension. This is to ensure that other websites that are sharing resources with you can continue to function.

      To avoid getting hacked we recommend using strong passwords, and keeping your software up-to-date at all time.

      Thank you,
      John-Paul

  • Hi,

    My three websites are down!

    I received an email from your System Administration team who has discovered my website security was compromised and ‘hacks’ inserted into my account.

    What can I do?

    My backups are few months old 🙁

    Thank you.

    • Hello Cochise,

      Sorry for the hack. You can reply to the ticket and request a malware scan, but your best bet is to restore your websites using backups if you have them. Check out this tutorial for guidance after a hack.

      If you have any further questions, please let us know.

      Kindest regards,
      Arnel C.

  • I cannot access my WordPress admin page due to following error:

    Error 406 – Not Acceptable

    Generally a 406 error is caused because a request has been blocked by Mod Security. If you believe that your request has been blocked by mistake please contact the web site owner.

     

    How can I fix this please??

  • I’ve installed WordFence, including the Firewall. In you view, is WordFence a good choice – and would it be good to install other security plug-ins?

    • We cannot endorse one security plugin over another as they each have different features and functions that are relevant to different users. You may want to check the WordPress forums to see how others have reviewed based on day to day usage of the plugins.

  • When I bought my domain name here (actually the free one) I had an option to add security for more $ and denied it. can I still add it on? 

  • ERROR: This user account has been locked until April 20, 2016 2:52 pm due to too many failed login attempts. You can login again after the Lockout Time above has expired.

    I got a message, but no one opened my dashboard, only me. I know the password. How much time do I have to wait? What should I do? Thanks.

    • Hello Marija,

      The response you’re seeing is related to a brute force attempt to get into your admin. The security rules on the server have stopped the access, but in doing so they lock the account – they normally do this for about 20 minutes and then the account is unlocked.

      I hope that helps to answer your question! If you require further assistance, please let us know!

      Regards,
      Arnel C.

  • TJ, I just did my first manual backup in Cpanel

    Based on your reply above, it sounds like inmotion does an automated back up for last 36 hours for their client. Is this correct? Is this in print somewhere? I assume this 36 hours is what inmotion means by “FREE Data Backups (Others Charge!)” in the pricing table?

    Please describe some common hack problems and how you help customers keep their web site secure.

    Please confirm, thanks.  

    • Hello Mike,

      Typical hack issues include brute force attacks, file overwrites or spam scripts. We can only protect the accounts to an extent. We have mod security and firewalls that combine to help prevent brute force attacks that are used to access websites. There’s also active monitoring by our systems team to make sure that servers are kept at an optimum level. They will actively stop attacks or force password changes when issues are detected. Hacked sites that are part of a shared system may also be taken offline in order to prevent them from affecting other sites on a server. Besides the hardware and software options put into place to help provide security, the main thing we can do is to recommend/promote best practices such as strong passwords or secure code for websites that are loaded or created on our hosting service. This is done to allow for an open environment that does not impair a variety of different types of website development.

      I hope this helps to answer your question, please let us know if you require any further assistance.

      Regards,
      Arnel C.

  • Is there any way to get a back up that is even a week, month or even a year old?  My site got hacked and they say they have 24 to 36 hours of back up.  I called to get the backup but even the backup had bad files in them.  The funny thing is just less then 24 hours it was working because someone bought something from my site. 

    • Hello Mohammed,

      We do not keep backups longer than 36 hours and we only keep one backup per customer. I do apologize for the inconvenience.

      Best Regards,
      TJ Edens

  • How does InMotion help with hacking? For instance, if a site on a shared server is compromised, what will you do to protect the other sites? (Do you have a list of your security features?)

    • Hello Joe,

      We do not have a list of security features for public display for obvious reasons. If an account is hacked no things run on it can affect the other accounts as it is only run as that cPanel user. It is limited to that account.

      Kindest Regards,
      Scott M

  • Please put the website back online. We will check with the edm service provider what mistake has happened and would rectify it to avoid it to happen again.

    Websites: himarkmartintailors.com and englishbespoketailors.com

    Thank you and with best regards

     

    Richie

    • Hello Richie,

      I see that both of your websites are online at this time. If you were recently suspended please reply to the suspension email you would have received.

      Best Regards,
      TJ Edens

    • Your site was likely hacked due to an outdated WordPress installation or an outdated/insecure plugin. I recommend restoring from any backups you may have, as well as keeping all plugins up to date.

Was this article helpful? Let us know!