General Web Security Resources

Our shared servers employ an extensive set of security modules to protect accounts from server-level (and, to a certain extent, known application-level) threats, including, but not limited to, CageFS via CloudLinux, ModSecurity, OSSEC, CSF (ConfigServer Security & Firewall), and several virus scanning modules.

The possibility of any account-level compromise having come from an attack that was preventable at the server-level is extremely low. While many customers who have experienced an account-level compromise question how this could have happened on our servers, the reality of the situation is that an overwhelming majority of compromises stem from outdated or otherwise insecure software in the customer's account.

We put a lot of effort into balancing the security of the servers with enough flexibility to allow customers to install a wide variety of software. Accordingly, it is the responsibility of the customer to maintain the security of the web applications within their account.

In addition to seeking out additional resources from experienced software developers, we highly recommend the following general tips:

  • Use secure connections whenever possible, such as connecting to a site with SFTP rather than FTP, or using a secure "https" link (cPanel Servers / DirectAdmin Servers) or for any login forms that transmit password data.
  • Never store old, unused content in your hosting account, including things like abandoned development installations and zipped files.
  • Be familiar with the documentation for your software, and how to find information on its functionality.
  • Always apply software security updates to core software and any modules, themes, plugins, etc. as soon as possible after they're released.
  • Keep up to date with information regarding current security best practices for the software you're using. Subscribing to the mailing list for the software or regularly reading web security blogs are a couple of ways to stay informed about new developments.


Additionally, here are some links to additional resources regarding web security practices:

Wordpress:

Compromised WordPress Cleanup


Tech and Security News

Krebs on Security - Blog
Schneier on Security - Blog
Ars Technica - Tech News
WIRED Security Category - Tech News


Sucuri Blog Security Articles

Sucuri Blog - Security Education
Sucuri Blog - Website Hosting: Security Awareness Can Reduce Costs
Sucuri Blog - What is Cross-Site Contamination and How to Prevent it
Sucuri Blog - How To Create a Website Backup Strategy
Sucuri Blog - When Your Plugins Turn Against You
Sucuri Blog -- Why You Should Care about Website Security on Your Small Site

Sucuri Blog - Website Security: How Do Websites Get Hacked?
Sucuri Blog - The Impacts of a Hacked Website
Sucuri Blog - Why Websites Get Hacked
Sucuri Blog - Why Attackers Hack Small Sites
Sucuri Blog - Content Security Policy


Sucuri Blog - The Art of Website Malware Removal – The Basics
Sucuri Blog - Your Website’s Been Hacked But No Signs of Infection
Sucuri Blog - Website Malware Removal: Phishing
Sucuri Blog - Why Website Reinfections Happen
Sucuri Guides - What is a Google Blacklist?
Sucuri Guides - How to Remove Google Blacklist Warning

Sucuri Hacked Website Reports by Quarter
Sucuri Hacked Reports - 2016 Q3 [PDF]
Sucuri Hacked Reports - 2017 [PDF]

Sucuri Blog Software Specific Categories

Sucuri Blog - WordPress Security
Sucuri Blog - Joomla Security
Sucuri Blog - Magento Security
Sucuri Blog - Drupal Security


Please note that this information is provided as a courtesy for general guidance on application-level security; assistance with customer-installed software and/or web development, however, would be outside the scope of our support. If you’re not comfortable with website administration, we recommend locating an experienced web developer to assist.

  • 1 Users Found This Useful
Was this answer helpful?

Related Articles

How do I verify my account?

To verify any changes to the account, the following will be accepted: The 5 digit support pin...

Can I change my main domain name?

If you would like to change the domain associated with the hosting package that is possible but...

Creating Secure Passwords

While we take security seriously here at HostRocket, and do everything in our power to prevent...

How to run a Traceroute on macOS

To run a traceroute from your macOS machine, please follow the instructions below.Navigate to Go...

How to run a Traceroute on Windows

To run a traceroute from your Windows machine, please follow the instructions below. Open the...