Our shared servers employ an extensive set of security modules to protect accounts from server-level (and, to a certain extent, known application-level) threats, including, but not limited to, CageFS via CloudLinux, ModSecurity, OSSEC, CSF (ConfigServer Security & Firewall), and several virus scanning modules.
The possibility of any account-level compromise having come from an attack that was preventable at the server-level is extremely low. While many customers who have experienced an account-level compromise question how this could have happened on our servers, the reality of the situation is that an overwhelming majority of compromises stem from outdated or otherwise insecure software in the customer's account.
We put a lot of effort into balancing the security of the servers with enough flexibility to allow customers to install a wide variety of software. Accordingly, it is the responsibility of the customer to maintain the security of the web applications within their account.
In addition to seeking out additional resources from experienced software developers, we highly recommend the following general tips:
- Use secure connections whenever possible, such as connecting to a site with SFTP rather than FTP, or using a secure "https" link (cPanel Servers / DirectAdmin Servers) for any login forms that transmit password data.
- Take regular backups (cPanel Servers / DirectAdmin Servers) and store them off-server (not in the hosting account).
- Never store old, unused content in your hosting account, including things like abandoned development installations and zipped files.
- Be familiar with the documentation for your software, and how to find information on its functionality.
- Always apply software security updates to core software and any modules, themes, plugins, etc. as soon as possible after they're released.
- Keep up to date with information regarding current security best practices for the software you're using. Subscribing to the mailing list for the software or regularly reading web security blogs are a couple of ways to stay informed about new developments.
Here are some links to additional resources regarding web security practices:
Sucuri Blog Security Articles
- Sucuri Blog - Security Education
- Sucuri Blog - Website Hosting: Security Awareness Can Reduce Costs
- Sucuri Blog - What is Cross-Site Contamination and How to Prevent it
- Sucuri Blog - How To Create a Website Backup Strategy
- Sucuri Blog - When Your Plugins Turn Against You
- Sucuri Blog - Why You Should Care about Website Security on Your Small Site
- Sucuri Blog - Website Security: How Do Websites Get Hacked?
- Sucuri Blog - The Impacts of a Hacked Website
- Sucuri Blog - Why Websites Get Hacked
- Sucuri Blog - Why Attackers Hack Small Sites
- Sucuri Blog - Content Security Policy
- Sucuri Blog - The Art of Website Malware Removal: The Basics
- Sucuri Blog - Your Website's Been Hacked But No Signs of Infection
- Sucuri Blog - Website Malware Removal: Phishing
- Sucuri Blog - Why Website Reinfections Happen
- Sucuri Guides - What is a Google Blacklist?
- Sucuri Guides - How to Remove Google Blacklist Warning
Sucuri Hacked Website Reports by Quarter
- Sucuri Hacked Reports - 2016 Q3 [PDF]
- Sucuri Hacked Reports - 2017 [PDF]
Sucuri Blog Software Specific Categories
- Sucuri Blog - WordPress Security
- Sucuri Blog - Joomla Security
- Sucuri Blog - Magento Security
- Sucuri Blog - Drupal Security
Please note that this information is provided as a courtesy for general guidance on application-level security; assistance with customer-installed software and/or web development is outside the scope of our support. If you're not comfortable with website administration, we recommend locating an experienced web developer to assist.