Your website’s vital information is stored in your database. Failure to protect it could result in the loss of private information such as usernames, email addresses, and more, as well as allow an attacker to add entries to your site that could lead to spam or malware links (or worse). As a result, you should think about how you access your database(s) for routine maintenance.
Keeping your software updated
Security flaws in earlier versions of web software, such as web forums, wikis, and blogs, are frequently exploited by hackers. It is your responsibility to keep the applications on the website up to date with the most recent version.
Some applications don’t have an upgrade path from previous versions, so you’ll have to manually update them. For more information on updating, please contact the application’s developers.
Setting file permissions
When it comes to file permissions, GreggHost suggests that you use the following settings:
Set permissions on files to 644 with the command chmod 644 <filename>.
Set permissions on directories to 755 with the command chmod 755 <directory name>.
Set permissions on executables to 755 with the command chmod 755 <executable name>.
When you execute ls -la on the server, this is how your file/folder permissions should look.
$ ls -al
drwxr-xr-x 2 exampleuser pg5034488  0 Apr 22 09:14 example directory
-rwxr-xr-x 1 exampleuser pg5034488  0 Apr 22 09:14 example executable.cgi
-rw-r--r-- 1 exampleuser pg5034488 10 Apr 22 09:13 example file.php
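As an added example (not GreggHost's own tooling), the following POSIX shell script checks a site directory against the 644/755 recommendations above and can apply them. It assumes find, ls, cut and chmod are available and takes the directory path as its argument.

```shell
#!/bin/sh
# Added example, not GreggHost's own tooling: audit a web directory against the
# 644 (files) / 755 (directories and owner-executable files) recommendations,
# and optionally apply them. Assumes a POSIX shell with find, ls, cut and chmod.
# Usage: audit_web_perms /home/exampleuser/example.com   (constructed path)

# Print every entry whose mode differs from the recommendation.
# Returns 0 when everything is compliant, 1 otherwise.
audit_web_perms() {
    mismatches=$(
        find "$1" -print | while IFS= read -r path; do
            # The first 10 characters of ls -ld are the mode string, e.g. drwxr-xr-x
            mode=$(ls -ld "$path" | cut -c1-10)
            case "$mode" in
                d*)    expected="drwxr-xr-x" ;;   # directories: 755
                -??x*) expected="-rwxr-xr-x" ;;   # owner-executable files (CGI): 755
                -*)    expected="-rw-r--r--" ;;   # ordinary files: 644
                *)     continue ;;                # symlinks, sockets etc. are not covered
            esac
            [ "$mode" = "$expected" ] ||
                printf 'MISMATCH %s is %s, expected %s\n' "$path" "$mode" "$expected"
        done
    )
    [ -n "$mismatches" ] || return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Apply the recommendations: 755 for directories and owner-executable files,
# 644 for everything else. This also strips group/world write bits, which is
# the usual reason a web directory fails the audit above.
apply_web_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -perm -u+x -exec chmod 755 {} +
    find "$1" -type f ! -perm -u+x -exec chmod 644 {} +
}
```

Run the audit first and review its output before applying changes, since apply_web_perms resets every entry under the directory, including any that were intentionally set otherwise.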
For more information, see the following article:
Permissions for Unix Files
Assigning a unique user to each domain
GreggHost suggests that you assign a unique web user to each of your distinct sites. The rationale for this is that if one of your sites gets hacked, the exploit will not spread to the rest of your sites.
Managing your files on the server
GreggHost suggests using SSH or SFTP to manage your files while connecting to your server. FTP is not secure and should only be used in emergency situations.
Secure shell, also known as SSH, is the recommended method of connecting to your machine. SSH encrypts the communication between the local machine and the target machine. This means your password is not sent in plain text, as it is with Telnet.
SSH must be enabled for all users. For more information, see the article Creating a user with Shell (SSH) access.
SFTP instead of FTP
Because FTP is not secure, you should only use SFTP to connect to your server. For more information, see the SFTP article.
Serving your files securely
There may be times when you want to serve your files securely, such as if you run an eCommerce website and don’t want to transfer sensitive data over the Internet without security.
Set up secure hosting and acquire an SSL certificate to add an extra layer of security. More information on how to set up these services may be found in the following article:
Overview of SSL certificates
Allowing developer access to your site
It may become necessary to engage a developer to work on your website at some point. A developer may need access to your site in a variety of ways in order to work on it. The level of access you give a developer is determined by the tools they’ll need to finish the work you hired them for.
For more details on how to provide your developer only the access they need, see the following article.
Providing developers with access to your website