How to prevent your hosting account from being hacked

Tips on how to prevent your account from being hacked

Hacking is a serious threat on today’s World Wide Web, so it is important to pay close attention to the security of your cPanel account. It should be well protected against manual attacks as well as against automated tools that try to gain access to your hosting account.

The security of our clients is our highest priority. Our servers run an effective firewall system along with a set of other security measures.
However, some aspects of cPanel account protection depend not on Namecheap but on the owner of the account. In this article you will find several useful tips you can use to significantly improve your cPanel account’s security.

 

1. Use a safe username and password

This is quite obvious, but having a secure password is definitely among the most important aspects of web security. Some people set a password that is easy to remember so that they do not have to keep it anywhere except in memory. It is strongly recommended to avoid passwords that consist of dictionary words, names of your relatives, friends or pets, important dates, cities, etc. Such passwords are not secure, because it is really easy to find this kind of information about you, especially if you have an account on any social network. Internet security even has a special term, «social engineering», for the way a person can obtain your personal data without any special software, just by using psychological manipulation. For example, important personal data can be gathered during several online conversations with you by e-mail, on a forum, in a chat or on a social network. So if your password is your mother’s date of birth, do not be surprised if your account gets hacked.

Hackers also have special tools for password-guessing (brute-force) attacks, which are intended to recover your password. The main idea of such attacks is to try all possible words until the correct one is found. Such attacks succeed if your password is a simple word from a dictionary.

It is strongly recommended to use passwords consisting of randomly mixed lower-case and upper-case letters, special symbols and digits. Such a password should be at least eight characters long. You can use any password generation program as well as the built-in cPanel password generator, which can be found in cPanel -> Change Password.

Another important aspect is the cPanel username.

By default, in the hosting welcome guide you receive a generated username that consists of part of your main domain name combined with several random letters. The cPanel username can be changed only by our representatives at your request in chat or via a ticket. There are some restrictions imposed by cPanel: the username can consist only of alphanumeric characters (digits are permitted, but not as the first symbol of the username), and it cannot be longer than eight symbols. It is not recommended to change it to your actual name or nickname, as this information can easily be obtained by anyone else.

2. Change your password regularly

It is strongly recommended to change your password from time to time. We also advise changing the password right after receiving the hosting welcome guide e-mail. The cPanel password can be changed in cPanel > Change Password. We also recommend checking Allow MySQL password change, as this option synchronizes the password with the password for phpMyAdmin.

It also makes sense to change the passwords for your e-mail accounts. This can be done in cPanel > E-mail Accounts.

3. Keep your username and password in a safe place

For example, avoid keeping your hosting welcome guide in the inbox of an e-mail account if you are not the only person who has access to it. Also avoid storing your cPanel login details in a text file on your desktop, especially if you are not the only user of the computer. Use RoboForm, LastPass or similar password manager software instead.

Needless to say, you should not share your username and password with anyone.

4. Pay attention to the security of your computer

It is strongly recommended to run an effective firewall and antivirus software with up-to-date databases on your personal computer, and to perform a full scan from time to time. Some viruses are designed to steal your login details and transmit them to whoever wants them. There are also applications known as keyloggers: they log the keys you press, take screenshots of your desktop and send this information to a hacker. Such software can be detected by a good antivirus program, so do not forget to check your PC regularly.

5. Use a secure connection whenever possible

For example, with Namecheap you can connect by FTP in two ways: using the conventional port 21, or using the non-standard secure port 21098. If there are no network restrictions, it is recommended to use port 21098. Likewise, it is better to access cPanel over the non-standard port 2083 instead of the standard port 80. A link of the form http://cpanel.yourdomain.com uses port 80; to use port 2083, use a link of the form https://yourdomain.com:2083

6. Scan your webspace

To keep the files in your hosting account out of harm’s way, it is recommended to use several means of scanning for malicious software. First of all, you can use the built-in cPanel virus scanner.

You can also use free online scanners such as this one:
http://sitecheck.sucuri.net/scanner/

It is best to combine these two ways of checking your account for viruses. To avoid getting viruses and malware on your account in the first place, use themes and plugins only from trusted providers. If you have any suspicion about your account’s security, feel free to contact our Support Team at any time.

7. Always have a backup

Even though backups are scheduled weekly on our shared servers, it is recommended to keep a backup of your account in a safe place on your PC or on a third-party server. Do not forget to update it from time to time so as not to lose important information. You can create a full cPanel backup in cPanel > Backups. Note that if your account grows beyond 10GB or contains more than 150 000 inodes, it is automatically excluded from weekly backups.

An even more advanced and convenient backup solution is CodeGuard (CG). Its main advantage is automated backups of your site. Using CG you can partially or completely restore your site if changes you wish to get rid of have been made. As CG is fully integrated into cPanel, only a few clicks are required to start taking advantage of this feature.

8. Enable CloudFlare

We recommend enabling CloudFlare in your cPanel. It is a great solution that improves your account’s performance and security, and it can help protect your account against DDoS attacks, SQL injections and similar threats.

You can find more information in our guide How to enable CloudFlare for your domain name.

Update all third-party scripts to the latest versions (e.g. Joomla!, WordPress, Magento or any other CMS).
Don’t load your website with every script, theme, gadget, feature, function and code snippet you can find on the web. Each of them could let a hacker into your site. Before you use something new, read its vulnerability report.

9. CMS security tips

If your site is built on WordPress, we recommend reading our WordPress security guides:

CMS Security Issues. WordPress Security and Optimization
Internal Protection “.htaccess” (Manual setup)

and using the security tips listed there to prevent hack attempts in the future.

By following these simple recommendations you can greatly improve your account’s security. For our part we do our best to keep your account safe, but if you take these measures the level of security increases drastically. We recommend that our clients never ignore the safety of their data, and feel free to contact our Support Team if you have any questions or complications.

How to improve WordPress website security

1. Introduction

Nowadays we face a lot of security issues with various content management systems (CMS) and web applications. WordPress is no exception, as it is one of the most popular and powerful blogging content management systems.

There are several reasons for this:

  • WordPress keeps its passwords and settings in well-known files at the same locations in every installation (wp-config.php, the wp-admin/ directory, etc.), so they are very easy to locate and modify after gaining partial access.
  • The admin panel (wp-admin) runs under the same domain and uses the same codebase and permissions as the rest of the application.
  • Admin users can install a plugin or theme, which can then modify any file or change anything in the database (this concerns corrupted, non-official, outdated, self-modified or fraudulent themes and plugins).

This article provides a list of tips and instructions that can improve the security level of your WordPress installation.

2. Making backups regularly

Making regular backups of your WordPress site is the first and most important step. Before you apply any changes, make sure to back up your entire WordPress installation or its databases.

It is recommended to create regular backups of your entire cPanel account using the cPanel > Backups tool and creating a Full cPanel Backup.

You can also back up your WordPress site using CodeGuard.

3. Updating WordPress, themes and plugins to the latest version


The latest version of WordPress is always available on the official WordPress site. Official releases are not distributed through other websites or resources, so NEVER update WordPress from third-party resources. You can also easily update WordPress directly from the Admin Dashboard or via Softaculous.

Make sure that your blog’s version is up to date. The WordPress team constantly works on patches for security ‘holes’ and backdoors, which is why it is very important to run the latest version of WordPress.

It is strongly recommended to update your plugins and themes to the latest versions too, as a bug in any of them can affect your whole installation. You can update both plugins and themes via Admin Dashboard > Plugins or Themes menu; click ‘Update now’ next to the plugin or theme in question.

NOTE: it is recommended to create backups of your WordPress files and database before applying any changes.

4. Using trusted sources


Many custom ‘free’ WordPress themes include base64-encoded code, which is often used to hide malicious code. With such themes or plugins you can easily upload malware into your account. This is how most ‘hackers’ get access to your files and site.

We recommend using content only from official resources like http://wordpress.org/, as it is the safest place to get themes and plugins.

5. Using secure username and password

The default WordPress login is ‘admin’, and most hackers know that. It should be changed to a custom one with a strong password that includes upper- and lower-case letters, numbers and symbols.

Assuming you use Softaculous, you specify the username on the install screen.

Also, it is not recommended to reuse passwords or email addresses from your accounts on other web resources.

You can change your Admin username or password via the database; you can find the corresponding instructions here.

6. Changing database prefix, username and password


6.1 Changing database prefix

It is highly recommended to change the database prefix, as the default table prefix for WordPress is wp_. SQL injection attacks are easier with the default table prefix because it is easier to guess, so we recommend changing the database prefix to something less predictable than wp_.

NOTE: create backup of your database before applying any changes.

If you install WordPress from Softaculous, you can set a custom table prefix and database name on the installation screen.

If you have already installed WordPress, you can still change the database prefix in two ways: either manually or using a special plugin.

For a manual database prefix change, go to cPanel > phpMyAdmin > choose the necessary database on the left > click the SQL tab at the top.

Here you need to run RENAME queries on the tables in your WordPress database:

RENAME table `wp_commentmeta` TO `newprefix_commentmeta`;
RENAME table `wp_comments` TO `newprefix_comments`;
RENAME table `wp_links` TO `newprefix_links`;
RENAME table `wp_options` TO `newprefix_options`;
RENAME table `wp_postmeta` TO `newprefix_postmeta`;
RENAME table `wp_posts` TO `newprefix_posts`;
RENAME table `wp_terms` TO `newprefix_terms`;
RENAME table `wp_term_relationships` TO `newprefix_term_relationships`;
RENAME table `wp_term_taxonomy` TO `newprefix_term_taxonomy`;
RENAME table `wp_usermeta` TO `newprefix_usermeta`;
RENAME table `wp_users` TO `newprefix_users`;

where newprefix_ should be replaced with the new database prefix you wish to use instead of wp_. Then click Go.

Once done, you will see that the new database prefix has been applied to your WordPress database.

After that you need to search the options table for any other fields that use wp_ as a prefix in order to replace them. Run the following query in the same way:

SELECT * FROM `newprefix_options` WHERE `option_name` LIKE '%wp_%';

Then click Go; the matching rows will be listed.

Here you need to go through these rows one by one and replace the old database prefix with the new one. Once done, search the usermeta table for all fields that use wp_ as a prefix with the help of this SQL query:

SELECT * FROM `newprefix_usermeta` WHERE `meta_key` LIKE '%wp_%';

After that click Go, and the matching rows will appear.

The number of entries varies depending on how many plugins you use. Here you need to change everything that has wp_ to the new prefix as well.

Once done, make sure to update your wp-config.php file with the new database prefix.

You can also change the database prefix using special plugins, like Change DB Prefix or Change Table Prefix.
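The whole prefix change from this section, carried through end to end as an added example (not code from the original article): it renames every table, then rewrites the keys in options and usermeta that embed the prefix, and shows the wp-config.php line to update. It runs against an in-memory SQLite database so it is self-contained; the MySQL statements you would run in phpMyAdmin are given in the comments, and the demo prefix ncx7_ and the sample rows are constructed.

```python
import sqlite3

# Tables of a stock WordPress installation, in the order the article renames them.
WP_TABLES = [
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "terms", "term_relationships", "term_taxonomy", "usermeta", "users",
]


def build_demo_db(prefix="wp_"):
    """Constructed sample database (SQLite, in memory) with the parts of the
    WordPress schema that a prefix change touches: every table, plus the
    option_name / meta_key values that embed the prefix (wp_user_roles,
    wp_capabilities and wp_user_level are real WordPress keys)."""
    con = sqlite3.connect(":memory:")
    for t in WP_TABLES:
        if t == "options":
            con.execute(f'CREATE TABLE "{prefix}options" (option_name TEXT, option_value TEXT)')
        elif t == "usermeta":
            con.execute(f'CREATE TABLE "{prefix}usermeta" (user_id INTEGER, meta_key TEXT, meta_value TEXT)')
        else:
            con.execute(f'CREATE TABLE "{prefix}{t}" (id INTEGER PRIMARY KEY)')
    con.executemany(f'INSERT INTO "{prefix}options" VALUES (?, ?)', [
        (f"{prefix}user_roles", "a:5:{...}"),          # keyed by prefix: must be renamed
        ("siteurl", "https://example.invalid"),        # no prefix: must stay
        ("wpseo_titles", "a:0:{}"),                    # starts with 'wp' but is a plugin key: must stay
    ])
    con.executemany(f'INSERT INTO "{prefix}usermeta" VALUES (?, ?, ?)', [
        (1, f"{prefix}capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (1, f"{prefix}user_level", "10"),
        (1, "nickname", "editor"),
    ])
    con.commit()
    return con


def change_prefix(con, old, new):
    """Rename every table, then rewrite the prefixed keys in options and usermeta.
    In LIKE patterns '_' is a single-character wildcard, so the prefix is escaped:
    an unescaped '%wp_%' would also match 'wpseo_titles' and corrupt that key."""
    for t in WP_TABLES:
        # MySQL/phpMyAdmin equivalent: RENAME TABLE `wp_x` TO `newprefix_x`;
        con.execute(f'ALTER TABLE "{old}{t}" RENAME TO "{new}{t}"')
    pattern = old.replace("_", "\\_") + "%"        # e.g. wp\_%
    # MySQL equivalent: SET option_name = CONCAT('newprefix_', SUBSTRING(option_name, 4))
    con.execute(
        f'UPDATE "{new}options" SET option_name = ? || SUBSTR(option_name, ?) '
        "WHERE option_name LIKE ? ESCAPE '\\'",
        (new, len(old) + 1, pattern),
    )
    con.execute(
        f'UPDATE "{new}usermeta" SET meta_key = ? || SUBSTR(meta_key, ?) '
        "WHERE meta_key LIKE ? ESCAPE '\\'",
        (new, len(old) + 1, pattern),
    )
    con.commit()


def table_names(con):
    return sorted(r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'"))


def option_names(con, prefix):
    return sorted(r[0] for r in con.execute(f'SELECT option_name FROM "{prefix}options"'))


def meta_keys(con, prefix):
    return sorted(r[0] for r in con.execute(f'SELECT meta_key FROM "{prefix}usermeta"'))


def wp_config_line(prefix):
    """The one line of wp-config.php that must be updated after the migration."""
    return f"$table_prefix = '{prefix}';"


if __name__ == "__main__":
    db = build_demo_db("wp_")
    change_prefix(db, "wp_", "ncx7_")
    print(table_names(db))
    print(option_names(db, "ncx7_"), meta_keys(db, "ncx7_"))
    print(wp_config_line("ncx7_"))
```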

6.2 Changing database username and password

In order to change the database username or password, log into cPanel and click the MySQL Databases menu in the Databases section.

Under Current Users you will see all the database users created in your account. Here you can Set Password for or Rename the necessary database user by choosing the corresponding option.

To change the password, click Set Password. In the new window, enter your new password twice and click Change Password.

To change the database username, click Rename. In the new window, specify the new username you wish to have (this will be the part after cPanelusername_) and click Proceed to save the changes.

Once the database username or password has been changed, you need to update your wp-config.php file with the corresponding details.


7. Setting password protection for important files and folders

To help prevent your WordPress site from being hacked, we recommend setting password protection on system files and folders.

To create the password protection follow these steps:

7.1 Go to cPanel > Security > Password Protect Directories to access the list of your site’s folders.

7.2 Choose the directory you wish to protect and click on it.

7.3 Tick Password protect this directory, name your protected directory, enter the username and password and click the Add or Modify the Authorized User button to save your changes.

NOTE: it is very important to protect the wp-config.php file and the wp-admin folder, since they are the most likely targets of an attack.

8. Using secure FTP (SFTP) and Shell access (SSH)

Uploading files via FTP is a quick way to get a new site up and running or to add new files to your account. However, SFTP is more secure, as your password is encrypted in transit, which helps prevent hackers from learning it. You can find a more detailed guide on how to upload your files via FTP or SFTP.

If you do want to use FTP (or use your cPanel details for the FTP connection), it is a good idea to delete any FTP accounts you are not using, so that they cannot be accessed without your consent. This is a great way to help keep your site and information more secure.

9. Hiding WordPress version

Another good idea is to remove the generator meta tag, which shows the version of your WordPress site. You can open your website and check its source code by pressing CTRL + U on Windows or Option + Command + U on Mac. If the WordPress version is visible to hackers, it is easier for them to target the vulnerabilities of that specific version to break into your website.

To hide your WordPress version, navigate to your current theme directory at /wp-content/themes/yourtheme/ and insert the code below into the functions.php file:

/**
 * Hide WP version strings from script and style URLs
 * @param  string $src
 * @return string $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function fjarrett_remove_wp_version_strings( $src ) {
    global $wp_version;
    // parse_url() returns null when there is no query string; cast to string to avoid a notice on PHP 8
    parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
    if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'fjarrett_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'fjarrett_remove_wp_version_strings' );

/* Hide the WP version from the generator meta tag */
function wpmudev_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wpmudev_remove_version' );

10. Limiting the number of failed connections


It is recommended to limit the number of login attempts to your WordPress Dashboard with the help of the Login LockDown plugin. It records the IP address of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps prevent brute-force password discovery.
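The lockout logic described above, as an added example that is not the plugin’s own code: failed attempts are counted per source range inside a sliding window, and once the threshold is hit the whole range is refused, even with the correct password, until the lockout expires. The threshold, window, lockout length and /24 grouping are assumed values, and the login events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


class LoginLockdown:
    """Count failed logins per source range inside a sliding window and lock the
    whole range out once the threshold is reached. The threshold, window, lockout
    length and /24 range size are assumptions, not the plugin's settings."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5),
                 lockout=timedelta(hours=1), range_prefix=24):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.range_prefix = range_prefix
        self.failures = defaultdict(list)   # range -> timestamps of recent failures
        self.locked_until = {}              # range -> datetime the lockout expires

    def _range(self, ip):
        # Group neighbouring addresses (e.g. a /24) so an attacker rotating
        # through a small block does not get a fresh counter per address.
        return ip_network(f"{ip_address(ip)}/{self.range_prefix}", strict=False)

    def is_locked(self, ip, now):
        net = self._range(ip)
        until = self.locked_until.get(net)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[net]          # lockout has expired
        return False

    def record_failure(self, ip, now):
        """Register a failed attempt; returns True if it triggered a lockout."""
        net = self._range(ip)
        recent = [t for t in self.failures[net] if now - t <= self.window]
        recent.append(now)
        self.failures[net] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[net] = now + self.lockout
            self.failures[net] = []
            return True
        return False


def replay(events, policy):
    """Run (time, ip, password_correct) login events through the policy and
    return one verdict per event: allowed, failed, locked-out or blocked."""
    verdicts = []
    for when, ip, correct in events:
        if policy.is_locked(ip, when):
            verdicts.append("blocked")      # refused even if the password is right
        elif correct:
            verdicts.append("allowed")
        elif policy.record_failure(ip, when):
            verdicts.append("locked-out")
        else:
            verdicts.append("failed")
    return verdicts


# Constructed sample: a guessing run from one /24, then a legitimate user in that
# range, a user elsewhere, and the first login after the lockout expires.
T0 = datetime(2014, 4, 12, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0, "203.0.113.10", False),
    (T0 + timedelta(seconds=5), "203.0.113.11", False),
    (T0 + timedelta(seconds=9), "203.0.113.12", False),
    (T0 + timedelta(seconds=14), "203.0.113.13", False),
    (T0 + timedelta(seconds=20), "203.0.113.14", False),   # fifth failure locks the /24
    (T0 + timedelta(minutes=2), "203.0.113.50", True),     # correct password, same range
    (T0 + timedelta(minutes=3), "198.51.100.7", True),     # different range, unaffected
    (T0 + timedelta(minutes=61), "203.0.113.10", True),    # lockout expired
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, LoginLockdown())):
        print(event[0].time(), event[1], verdict)
```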

11. Plugins for WordPress security

One of the most important steps in making your WordPress site well protected is to use security plugins:


Wordfence Security:

Wordfence Security is a free WordPress security plugin that scans your website for malicious code, backdoors or shells that hackers have installed, shows website analytics and traffic in real time, sets up automatic scanning and much more. You can find a description of each option here.

Acunetix WP Security plugin:

Acunetix WP Security checks your WordPress site for security vulnerabilities and suggests corrective actions for passwords, file permissions, database security, WordPress version hiding and admin protection.

All In One WordPress Security plugin:

All In One WordPress Security is a user-friendly plugin that takes the security of your WordPress site to a new level. It provides user account and login security, database and file system security, brute-force login attack prevention, website scanning and much more.

12. Account and external security

Here are general tips and recommendations that will help you increase account and external security:

  • Keep your local environment updated and clean of viruses.
  • Protect your hosting (cPanel) account; the general tips on how to prevent it from being hacked can be found here.
  • Use secure passwords and an SFTP connection type for FTP/file uploads.
  • Change your cPanel password regularly. Use strong passwords (with upper- and lower-case letters Aa-Zz and special symbols), and we recommend changing the passwords for all your email accounts as well.
  • Do not store passwords in places where they can be obtained easily (e.g. a passwords.txt file on your desktop is not very secure).
  • Update all third-party scripts to the latest versions.
  • Enable CloudFlare in cPanel. CloudFlare is a broad security solution designed to provide protection from many forms of malicious activity online, including comment spam, email harvesting, SQL injection, cross-site scripting, credential hacking, web software vulnerabilities and DDoS (denial of service) attacks.
  • Always have a backup copy of your entire website and its databases.

The tips above do not guarantee that your WordPress website is 100% secure, but they drastically decrease the chances of getting hacked. We sincerely hope this article has helped you secure your online business and become a trouble-free and happy customer.

That’s it!

Source: NC

 

How to set up internal protection for .htaccess

This part applies only when you wish to set up all the necessary settings and rules manually. All of these settings can be applied automatically by security plugins (especially BulletProof Security). We recommend using the security plugins first, and performing manual configuration only if they fail to deliver the necessary control. If you do need to make specific changes to the .htaccess file manually, use the guide below:

.htaccess (hypertext access) is the default name of the directory-level configuration file specific to web servers running Apache.

It is the file most often modified when dealing with redirects, and it is often used to change file types to make them executable. It is also the one you will be using to harden your environment.

To protect it you apply a few simple rules:
  • Set low permissions
  • Deny access

Apply low permissions
The basic guidance for permissions is simple: the lower the number, the harder access becomes. A good rule of thumb is to keep the number as low as possible without impacting performance or functionality. For most users, setting it to 640 grants the level of access you need.
Add .htaccess directives
What is important to note here is that this only works if the attack is external. It will not protect you from internal attacks (if the entire cPanel account is hacked, for example).
This is the .htaccess directive you can use:

# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>

Note: this only protects the file from external access.

  • Disable directory browsing

If you do not want to allow your visitors to browse through your entire directory tree, simply add these two lines to the .htaccess file in the root directory of your WordPress blog:

# disable directory browsing
Options All -Indexes

  • wp-config file protection

wp-config.php is important because it contains all the sensitive data and configuration of your blog, and therefore it should be locked down through .htaccess. Add the code below to the .htaccess file in the root directory:

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

The code denies access to the wp-config.php file to everyone.

  • Access to wp-content directory

wp-content contains all the content of your WordPress installation. This is a very important folder and it should be secured. Users should only be able to view and access certain file types, like images (jpg, gif, png), JavaScript, CSS and XML.

Place the code below in the .htaccess file within the wp-content folder (not the root):

Order deny,allow
Deny from all
# the dot is escaped so only these extensions match; jpg added to cover the image type named above
<Files ~ "\.(xml|css|jpg|jpeg|png|gif|js)$">
Allow from all
</Files>

  • wp-admin files

wp-admin should be accessed only by you and your fellow bloggers (if any). You can use .htaccess to restrict access to this directory to specific IP addresses only.
If you have a static IP address and always blog from your computer, this can be a good option for you. However, if you run a multi-user blog, you can either skip this or allow access from a range of IPs.

Copy and paste the code below to the .htaccess in wp-admin folder (not root folder):

# deny access to wp admin
order deny,allow
# replace xx.xx.xx.xx with your static IP (Apache does not accept comments at the end of a directive line)
allow from xx.xx.xx.xx
deny from all

The above code will prevent browser access to any file in this directory except from "xx.xx.xx.xx", which should be your static IP address.

  • Prevent script injection

To protect your WordPress blog from script injection and unwanted modification of _REQUEST and/or GLOBALS, copy and paste the code below into the .htaccess file in the root:

# protect from script and sql injection
Options +FollowSymLinks
RewriteEngine On
# the backslashes escape <, >, [ and % so they are matched literally in the query string
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

That’s it!

How to Detect SQL Injection Attacks

SQL Injection (SQLi) attacks have been around for over a decade. You might wonder why they are still so prevalent. The main reason is that they still work on quite a few web application targets. In fact, according to Veracode’s 2014 State of Security Software Report, SQL injection vulnerabilities still plague 32% of all web applications. One of the big reasons is the attractiveness of the target: the database typically contains the interesting and valuable data of the web application.
A SQLi attack involves inserting a malformed SQL query into an application via client-side input. The attack perverts the intentions of web programmers who write queries and provide input methods that can be exploited. There is a reason they are on the OWASP Top 10. Termed “injection flaws”, they can strike not only SQL; operating systems and LDAP can fall prey to the same class of attack. They involve sending untrusted data to the interpreter as part of the query. The attack tricks the interpreter into executing commands or accessing data. Attackers use this exploit to modify entries in your database, execute commands on the database (delete databases, change permissions and so on) and read and exfiltrate data from your databases.
Examples of SQLi attacks can be found on the OWASP wiki. The underlying flaws enabling SQLi attacks are introduced when developers create dynamic database queries that include user input.
Remediating SQLi attacks involves fixing the coding defects that allow user-supplied input containing malicious SQL to modify the logic of the query. The OWASP wiki details some suggested defenses that application developers use to avoid introducing SQLi-enabling flaws.
The first step in dealing with SQLi exploits is detecting and investigating them. When under attack, the following questions are critical:
  • When was I attacked?
  • Where was I attacked?
  • How widespread was the attack?
  • Were any files or tables overwritten?
  • Who is attacking me, and are others being attacked as well?
Using AlienVault USM to Detect SQL Injection Attacks

AlienVault USM can help you detect these attacks and answer the questions above with several integrated security technologies, including host-based IDS, network IDS and real-time threat intelligence.

Network IDS spotting SQLi

The Network IDS built into AlienVault USM gives you the ability to monitor all connection requests coming to your web server, and it includes built-in correlation directives to spot activity indicative of SQLi. Since the threat landscape is always changing, the Network IDS signatures are updated weekly based on threat research conducted by the AlienVault Labs research team, so you can stay current on new attacks.
Host IDS detecting SQLi by watching file activity
USM also includes a host-based IDS (HIDS) so you can monitor activity locally on a server. In this case the HIDS agent is installed on the web server itself, parsing the logs of your Apache or IIS server. Again, the built-in correlation rules in AlienVault USM make it possible to detect activity consistent with SQLi attacks and alert you immediately. The AlienVault HIDS also monitors changes to files, so you have visibility into which files and tables in your database were affected by the attack.
Here’s an example of the USM console displaying SQLi and the associated threat details (screenshots: HIDS Dashboard; List of Recent SQLi Events; Details about the Threat).
Real-time Threat Intelligence from the AlienVault Open Threat Exchange
In addition, AlienVault USM uses real-time threat intelligence from the AlienVault Open Threat Exchange (OTX) to spot connections with known bad actors. These are known malicious hosts or attackers whose IPs have shown up in OTX because they attacked other OTX contributors, have been identified by other threat sharing services we use, or have been identified via independent research conducted by our AlienVault Labs team.
OTX data provides context to the IDS information and can increase your confidence that a threat detected is malicious, since the activity you are observing is from a known malicious host. In addition, USM combines and correlates input from HIDS, NIDS and OTX via its built-in Security Information and Event Management (SIEM) capabilities, giving you the full picture of threats in your environment.
AlienVault USM provides a single console with the information you need to do fast and effective incident response. Learn more:
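The HIDS approach described above (parsing the web server’s own logs for SQLi indicators and enriching hits with threat intelligence), as an added example that is not AlienVault code: it scans combined-format access log lines, flags query strings matching a few injection signatures, and summarises the hits to answer the when / where / how widespread / who questions listed earlier. The log lines, the indicator patterns and the known-bad IP set are constructed for the example.

```python
import re
from collections import Counter
from datetime import datetime
from urllib.parse import unquote_plus

# Apache/nginx combined log format: ip ident user [time] "METHOD url PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns of the kind a NIDS/HIDS correlation rule carries. They run
# against the URL-decoded, lower-cased query string, so %27 and + are normalised.
SQLI_PATTERNS = [
    ("quote-or", re.compile(r"'\s*or\s+\S+\s*=\s*\S+")),
    ("union-select", re.compile(r"union\s+(all\s+)?select")),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("schema-probe", re.compile(r"information_schema|sysobjects")),
]

# Constructed sample log: one benign request, three injection attempts from two
# sources, and an unrelated login POST. Addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2014:13:55:36 +0000] "GET /index.php?p=4 HTTP/1.1" 200 5124 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2014:13:55:41 +0000] "GET /index.php?p=4%27%20OR%201%3D1-- HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:13:57:02 +0000] "GET /wp-content/plugins/x/view.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2014:13:57:03 +0000] "GET /wp-content/plugins/x/view.php?id=1%20UNION%20SELECT%20table_name%20FROM%20information_schema.tables HTTP/1.1" 500 311 "-" "Mozilla/5.0"
192.0.2.77 - - [10/Oct/2014:14:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed stand-in for an OTX-style reputation feed of known malicious hosts.
KNOWN_BAD_IPS = {"198.51.100.23"}


def scan_log(text, known_bad=KNOWN_BAD_IPS):
    """Return one hit per request whose query string matches an SQLi indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        decoded = unquote_plus(query).lower()
        matched = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
        if matched:
            hits.append({
                "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
                "ip": m.group("ip"),
                "path": path,
                "status": int(m.group("status")),
                "signatures": matched,
                "known_bad": m.group("ip") in known_bad,
            })
    return hits


def summarize(hits):
    """Answer the questions from the text: when, where, how widespread, who."""
    if not hits:
        return {"events": 0}
    return {
        "events": len(hits),
        "first_seen": min(h["time"] for h in hits).isoformat(),             # when
        "last_seen": max(h["time"] for h in hits).isoformat(),
        "targets": sorted(Counter(h["path"] for h in hits)),               # where
        "sources": sorted(Counter(h["ip"] for h in hits)),                 # who / how widespread
        "known_bad_sources": sorted({h["ip"] for h in hits if h["known_bad"]}),
        "server_errors": sum(1 for h in hits if h["status"] >= 500),      # attempts that broke a query
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["time"].isoformat(), h["ip"], h["path"], h["signatures"])
    print(summarize(found))
```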

Global Attack on WordPress Sites

As I write this post, there is an ongoing, highly distributed global attack on WordPress installations to crack open admin accounts and inject various malicious scripts.

To give you a little history, we recently heard from a major provider about a massive attack on US financial institutions originating from their servers.

After a detailed analysis of the attack pattern, they found that most of the attacks were originating from CMSs (mostly WordPress). Further analysis revealed that the admin accounts had been compromised (in one form or another) and malicious scripts had been uploaded into the directories.

Today this attack is happening at a global level, and WordPress instances across hosting providers are being targeted. Since the attack is highly distributed (most of the IPs used are spoofed), it is difficult for us to block all malicious traffic.

To ensure that your websites are secure and safeguarded from this attack, we recommend the following steps:

  1. Update and upgrade your WordPress installation and all installed plugins
  2. Install the security plugin listed here
  3. Ensure that your admin password is secure and preferably randomly generated
  4. Other ways of hardening a WordPress installation are shared at http://codex.wordpress.org/Hardening_WordPress

These additional steps can be taken to further secure WordPress websites:

  • Revoke the DROP privilege from the DB_USER, as it is not normally needed for any purpose in a WordPress setup
  • Remove README and license files (important), since they expose version information
  • Move wp-config.php one directory level up, and change its permissions to 400
  • Prevent world reading of the .htaccess file
  • Restrict access to wp-admin to specific IPs only
  • A few more plugins: wp-security-scan, wordpress-firewall, ms-user-management, wp-maintenance-mode, ultimate-security-scanner, wordfence, http://wordpress.org/extend/plugins/better-wp-security/. These may help on several occasions

Also, we recommend using CloudFlare, which is available free with all our cPanel accounts, to prevent the attack from affecting the functionality of your site.

Joomla Security is Up to Date

While Joomla 2.5 has a significant number of improvements and features over Joomla 1.5, our favorites are upgrade notification and one click upgrades.

In an increasingly complex world it is not only convenient but critical to stay on top of security updates. The automatic notification system clearly shows whether your CMS installation is up to date. Additionally, third-party extensions that have been set up for one-click updating will provide notifications. This system saves an immense amount of time and money compared to Joomla 1.5, prevents obsolescence, and keeps your site future ready.

Over the next two months there will be a number of opportunities to learn more about Joomla, including: