Account / Website Security

[HelioHost]

This is a great time for all Heliohost users to think about their own account and website security since there have been a few websites hosted on Heliohost that have been hacked recently. First of all server security has been analyzed and there does not appear to be any vulnerabilities and the servers have not been compromised in any way. As always Heliohost takes the security and privacy of our users accounts at maximum priority, but we also believe in giving our user the maximum amount of access.

 

Most free webhosts restrict the capabilities of accounts so much that they are barely usable, but here at Heliohost we try to do the opposite. We try to give users as much access as possible. Since we don't restrict everything down to unusable levels it just means you have to keep your own website security into consideration. Don't worry, most of the steps that make the biggest difference as really simple common sense things, but never forget that each user is responsible for their own account and everything located on their account.

• Choose a strong password. I recommend 10+ characters with uppercase, lowercase, numbers, and symbols. You can use this website to generate strong passwords.
  
• Don't use admin username. If you use a CMS of some sort such as Wordpress, Joomla, etc don't use the default username to log into the administration area, and as always choose a strong password.
  
• Use secure connections. I know a lot of people probably love to sit around at coffee shops blogging about how inept the barista is, but public wifi can be really insecure. Also if you want to purchase and install SSL on your website it will make it even more secure.
  
• Learn unix security. Unix OS can be very daunting for new users, but getting all your permissions correct can be a huge boost to your site's security.
  
• Learn Apache security. Using .htaccess files, password protecting directories, placing index files in every directory, disabling directory indexing, etc can all increase your security too.
  
• Use latest CMS versions. Keeping your software up to date will go a long way towards preventing your site from being compromised. The longer you put it off the more vulnerabilities in the version will be discovered and the more script kiddies will start exploiting it.
  
• Disable CMS version reporting. Similar to the above point if your site is announcing its version it just makes it that much easier for hackers to know what exploits it's vulnerable to.
  
• Only download from trusted sources. A lot of free themes and plug-ins are actually infected with backdoors allowing hackers access to your site. Once you install the theme/plug-in and your site is publicly accessible it will check in with its creator and it's only a matter of time until that hacker does something malicious to your website.
  
• Take backups often. If your site does end up getting messed up somehow being able to restore a backup and only losing a couple days (or a couple hours) of content will save you a ton of grief later on.
  

Another thing to keep in mind is that every hacked website we have investigated recently has been a wordpress installation. Wordpress is a really popular CMS, and isn't necessarily insecure, but because of its popularity it's vulnerabilities are widely known. We definitely don't intend to discourage anyone from using Wordpress, but you might want to read through this article http://codex.wordpress.org/Hardening_WordPress if you use wordpress and you're concerned about your site's security.