Step 1 from the 7 Day Sequence: 7 Easy Steps to Secure Your Website
Do you remember that the security week in our SuperBlog starts today? Over the weekend we told you more about the importance of security and of protecting your website, and summarized what is about to happen this week. Monday starts with Step 1 of our sequence: Protect the Sensitive Data in Your Hosting Account
1) What type of data is considered sensitive?
Sensitive data is information that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. Unauthorized access or disclosure might lead to serious consequences.
There are four main types of sensitive data:
- Company data: documents, invoices, statements, reports, etc.;
- Personal data: biometric data, medical information, contracts, photographs, etc.;
- Website backup: backup of all files or databases;
- Applications providing administrative access to the website or the account (file upload forms, the administration panel used to manage the website).
2) Ways of Protecting Sensitive Data
2.1) Protecting a directory, containing important data
Any directory located in the website's document root (public_html) is publicly accessible. This is because the website's files must be reachable by anyone loading the website in their browser. It also means that anyone who knows the URL of a directory on the website can load it in their browser.
The first way to restrict access to a specific directory containing sensitive data is to move it into the account's root directory (/home/cpuser/), so that it is located one level above public_html and outside what the web server publishes.
If moving it is impossible, the second option is to restrict access with a username and password. This type of protection can be activated in cPanel » Password Protect Directories.
Password-protecting a directory uses HTTP Basic Authentication: the web server asks for a username and password before it serves any resource located in that directory.
Configuration is performed with a few clicks in cPanel » Password Protect Directories.
2.2) Additional Protection When Accessing the Website Administration
When the administration’s URL is a directory (e.g. mysupersite.com/admin) it can be secured by using a username and password.
URLs for accessing a website's administration depend on the CMS and on the website's configuration (if any).
Examples of URLs to access administration of the most common CMS:
- WordPress (mysupersite.com/wp-admin)
- Joomla (mysupersite.com/administrator)
- OpenCart (mysupersite.com/admin)
There are many more means for WordPress protection available under WordPress Manager » Security Checks that can be activated with just a click. You can read more useful information in our help article: Security Checks – WordPress Manager by SuperHosting.
Why activate additional protection for the website's administration when access is already restricted by the CMS's own username and password?
There are two main reasons:
- Neutralizing bot attacks – Using HTTP Basic Authentication largely neutralizes bot attacks against CMS administrative URLs. The main reason is that a large number of bots do not expect to receive an HTTP authentication prompt when requesting the WordPress administration, so they never reach the CMS login form.
- Reducing the server resources used by the website – This protection method can also considerably reduce the CPU, memory and disk usage, because the bots never reach the website itself: the web server answers with the authentication challenge before the CMS is loaded at all.
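The following .htaccess is an added example, not code from the SuperHosting article, showing the directives that password protection of a directory (section 2.1) and of a CMS administration URL (section 2.2) boils down to. The paths /home/cpuser/public_html/wp-admin/ and /home/cpuser/.htpasswds/ are assumed for illustration; cPanel » Password Protect Directories writes equivalent directives and creates the password file for you. Apache 2.4 syntax is used.

```apache
# Added example (not from the original article).
# Place this .htaccess inside the directory you want to protect, e.g.
# /home/cpuser/public_html/wp-admin/.htaccess (hypothetical path).
AuthType Basic
AuthName "Restricted area"
# The password file must live OUTSIDE public_html so it can never be
# downloaded through the website. cPanel keeps it under
# /home/cpuser/.htpasswds/ (assumed path); it can also be created with the
# Apache "htpasswd" tool. Each line of the file is "username:hashed-password".
AuthUserFile "/home/cpuser/.htpasswds/public_html/wp-admin/passwd"
# Only users listed in the password file may continue; everyone else gets
# the 401 challenge from the web server and the CMS is never executed.
Require valid-user

# WordPress-specific caveat: themes and plugins call wp-admin/admin-ajax.php
# from the public front end. Leaving it behind Basic Auth breaks those
# features for visitors, so it is usually exempted. Because Apache 2.4 lets
# a more specific <Files> section replace the enclosing Require, this
# re-opens just that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

The username and password configured here are independent of the CMS account: after passing the web server's prompt, the regular WordPress login is still required. On servers still running Apache 2.2 the same effect is achieved with `Satisfy Any` and `Allow from all` inside the `<Files>` section instead of `Require all granted`.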
Username for Accessing the Admin Panel
Besides username/password verification, we also have to mention changing the automatically generated (default) username used to access the admin panel.
It is not a secret that the most common default usernames for CMS admins are admin, webmaster, administrator, etc.
This is a big flaw in your website’s security.
Using common usernames hands them to thousands of bots, which then only have to guess your password.
That's why we recommend using random usernames (for accessing the administration) that are difficult to guess. If you have difficulty remembering them, write them down rather than falling back to usernames such as admin or administrator.
Our customers having WordPress websites can change the admin username with just a few clicks in cPanel » SuperHosting Tools » WordPress Manager » Administrative Data.
2.3) Restricting access to a certain file
If you store important data in your hosting account, good practice is to secure it with a username/password when it is in a directory; when the data is in specific files, you can restrict access to those files instead.
Sometimes we do not realize that specific data is important to us, so it may leak to third parties.
Here are a few examples of data that you need to protect from malicious activity:
- Personal/Company data (invoices, documents, etc.);
- Full or partial backups of the website which might be publicly accessed;
- Logs generated by the website's system.
Restricting access to a certain directory can be performed in cPanel » Password Protect Directories.
Restricting access to a file in the hosting account can be performed by adding a few directives to the .htaccess file; see our help article Allow/Deny Access to a File or Directory via .htaccess.
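As an added example (not the article's own code), these .htaccess directives block direct HTTP access to the kinds of files listed above while the rest of the website stays public. The file name invoices-2023.pdf and the extension list are constructed for illustration; adjust them to the files actually present in your public_html. Apache 2.4 syntax is used, with the 2.2 equivalent noted in a comment.

```apache
# Added example (not from the original article).
# Save as /home/cpuser/public_html/.htaccess (assumed path). Directives
# apply to this directory and every subdirectory below it.

# 1) Deny a single named file, e.g. a document that must not be downloadable.
<Files "invoices-2023.pdf">
    Require all denied
</Files>

# 2) Deny whole classes of files by extension: database dumps, backup
#    archives, logs and editor leftovers that often end up in public_html.
<FilesMatch "\.(sql|sql\.gz|zip|tar\.gz|log|bak|old)$">
    Require all denied
</FilesMatch>

# 3) Deny any file whose name starts with a dot (.htpasswd, .env, ...).
#    Apache's default configuration already protects .ht*, this widens it.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Apache 2.2 equivalent of "Require all denied" inside each section:
#     Order allow,deny
#     Deny from all
```

A request for a matched file receives a 403 Forbidden from the web server; the file remains readable by your scripts on the server, since only HTTP access is affected. Moving backups and logs above public_html, as section 2.1 recommends, stays the stronger option because it does not depend on a rule being in place.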
2.4) Restricting access by IP address
This is another very common approach for increasing the level of security. It can be combined with password protection of directories, as the two methods can be used simultaneously.
How to configure it?
Configuration is quite easy as it can be performed through cPanel or by manually editing the .htaccess files.
What do we need to know before restricting access by IP?
Dynamic IP Addresses
First of all, ISPs and telecoms very often provide their customers with dynamic IP addresses.
Before restricting access to a resource by IP, make sure the IP is static and will not be changed by the ISP.
Proxy services (CloudFlare)
If your website uses proxy services such as CloudFlare, limiting access by IP may cause serious problems.
When a website uses a proxy service, users access the proxy and the proxy accesses your website. So your website is reached from the IP addresses of the proxy servers, not from those of the real visitors.
If you restrict access to a resource to only your own IP address, it will be completely unavailable, even for you, since all requests arrive from the proxy's IP address.
If you still wish to restrict by IP, configure it on the proxy server, not in the hosting account.
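The .htaccess below is an added example, not code from the article, showing an IP restriction on its own and combined with the password protection from section 2.1, as the text says the two methods can be used together. The address 203.0.113.10 is a constructed documentation address standing in for your static IP, and the password file path is assumed. Apache 2.4 syntax is used.

```apache
# Added example (not from the original article).
# Place in the directory to protect, e.g. /home/cpuser/public_html/admin/
# (hypothetical path).

# Variant A: IP restriction only. 203.0.113.10 is a constructed example;
# replace it with your own STATIC address (see "Dynamic IP Addresses").
# A whole office network can be allowed with CIDR notation, e.g.
# "Require ip 203.0.113.0/24".
Require ip 203.0.113.10

# Variant B: both password AND IP must match (comment out Variant A first).
# AuthType Basic
# AuthName "Restricted area"
# AuthUserFile "/home/cpuser/.htpasswds/public_html/admin/passwd"  # assumed
# <RequireAll>
#     Require ip 203.0.113.10
#     Require valid-user
# </RequireAll>

# Variant C: either the IP OR a valid password is enough, which keeps the
# resource reachable when you occasionally work from a changing address.
# <RequireAny>
#     Require ip 203.0.113.10
#     Require valid-user
# </RequireAny>

# Apache 2.2 equivalent of Variant A:
#     Order deny,allow
#     Deny from all
#     Allow from 203.0.113.10
```

`Require ip` compares against the address the connection actually came from. Behind CloudFlare that is always a CloudFlare server, so Variant A locks everyone out, including you, exactly as the article warns; the visitor's real address only arrives in a request header that a shared-hosting .htaccess cannot safely trust. That is why the IP rule belongs on the proxy side in that setup.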
Hurry back tomorrow, because the next step is waiting for you: we will tell you more about the importance of a strong password and share some tips and tricks for selecting one.