  • Better Website / Account Security

    7 comments February 3rd, 2014 3513

    We’ve seen a rise in website accounts being compromised, hacked and attacked due to a number of issues, which we discuss here. Hopefully we can help you protect your website’s contents and the important documents, files, images and other personal information you may have stored on our servers, as well as help keep your account from being suspended.

    1. Website
      1. If your website does not write to files and does not take uploads, disable write permissions on your website completely.
      2. If your website does write to files, disable write permissions on your website and use the file manager to set write permissions on only what you need.
      3. If you are using a commercially available or open source product such as WordPress, Joomla or phpBB, make sure you are always running the latest version. Keep track of new release announcements and keep your website updated. Popular applications are updated frequently, so keep an eye out!
    2. FTP Accounts
      1. Use FTP over SSL only. Set your FTP account to “SSL Only” in the control panel to prevent connections over standard FTP.
      2. Use only trusted FTP applications, and download them from their respective developers’ websites so that the application cannot steal your credentials. Do not use “cracked” or “pirated” applications, as they could be insecure.
      3. Use strong passwords. The password “Mikeftp1” is not a secure password; “9876ui*O-I723_44” is a secure password.
      4. If you use FTP from locations that have a static IP or an IP address that rarely changes, use our “IP Restrictions” feature in the control panel to prevent access from IP addresses you do not specify.
    3. Email Accounts
      1. Use strong passwords. The password “Cindy1988” is not a secure password; “9876ui*O-I723_44” is a secure password.
      2. Disable the webmail service for your account if you do not use or do not rely on this for email access.
      3. Disable unneeded services. For example, if you only use IMAP, disable POP.
      4. Monitor your account closely. If you receive bounce reports or failure notices for emails you do not recognize, change your password immediately and alert our support department.
      5. Do not use the same password for all email accounts.
      6. If you can, use only SSL or TLS based connections to send and receive email.
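
    One way to check the "write permissions on only what you need" advice from the Website items above, as an added example that is not ASPnix's code. It assumes a POSIX-style host where the web server runs as a different user from the file owner, so the group and world write bits are what let the site write; the function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_writable(web_root, allowed_writable=()):
    """Return relative paths that are group- or world-writable and not allow-listed."""
    allowed = [os.path.normpath(p) for p in allowed_writable]
    findings = []
    for dirpath, dirnames, filenames in os.walk(web_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits grant nothing
            if not mode & (stat.S_IWGRP | stat.S_IWOTH):
                continue  # only the owner can write: nothing to report
            rel = os.path.relpath(full, web_root)
            # A path is expected to be writable if it, or a parent, is allow-listed.
            if any(rel == a or rel.startswith(a + os.sep) for a in allowed):
                continue
            findings.append(rel)
    return sorted(findings)

def build_sample_site(root):
    """Constructed sample tree; modes are set with chmod so the umask does not matter."""
    for name, mode in (("uploads", 0o775), ("cache", 0o777)):
        os.mkdir(os.path.join(root, name))
        os.chmod(os.path.join(root, name), mode)
    files = (("index.php", 0o644), ("config.php", 0o666),
             (os.path.join("uploads", "photo.jpg"), 0o664))
    for name, mode in files:
        path = os.path.join(root, name)
        open(path, "w").close()
        os.chmod(path, mode)

def run_demo():
    """Audit the sample site, expecting only uploads/ to need write access."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return audit_writable(root, allowed_writable=["uploads"])

if __name__ == "__main__":
    for path in run_demo():
        print("unexpectedly writable:", path)
```

    Anything the audit reports is a path that can be written to but was not on the list of locations the site needs to write, which is the state item 2 asks you to remove.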

    We hope this helps you have a better idea about how to secure your website and your account from attacks, spammers, etc. If you have any questions, let us know!

    Thank you for choosing ASPnix as your hosting provider!

  1. Here is a pretty good example of the FTP application point I made about only getting your FTP software straight from the developer’s website.

    Comment by Christopher York Staff Member on February 4th, 2014 at 12:46 AM

  2. Hi.

    If ‘write permission’ is disabled, will FTP and the database keep working? Is the permission only for when my application writes to disk?


    Comment by Tiago on February 4th, 2014 at 5:34 AM

  3. Thanks for this but why are you storing our passwords in the clear in your system?

    I just did a forgotten password reminder and you emailed my password in the clear.

    This password should never even be stored on your system at all.

    Store hashes of the salted password only.

    Comment by Art on February 4th, 2014 at 7:58 AM

  4. @Art The password is stored in our database, but it is not stored in plain-text. The password is stored using a hashing algorithm and salted using a large unique string of characters. The system uses this method to store multiple passwords for your account and other things.

    @Tiago “Write Permissions” is only for your website if it writes to disk. FTP has its own set of permissions and databases are also completely separate.

    Comment by Christopher York Staff Member on February 4th, 2014 at 1:22 PM

  5. I’m going with @Art on this one. Plain text passwords should never be stored let alone emailed!!!! You should have a password reset functionality. This is bananas.

    Comment by John on February 4th, 2014 at 3:46 PM

  6. @John Art made the assumption that we store passwords in plain-text. An assumption that was wrong. See my previous response. As far as emailing your credentials, your credentials were emailed to you when you signed up, they were in plain-text, not encrypted or hashed (how else would you know your password). When you perform a “forgot password”, it simply resends your account summary letter that you received when you first signed up.

    WebsitePanel is open source, you guys are free to see how it works and stores passwords. However since it is open source, we’ve done some modifications to how passwords are salted etc. So our implementation is different from theirs, however passwords are still not stored in plain-text.

    Comment by Christopher York Staff Member on February 4th, 2014 at 4:02 PM

  7. For those customers that are concerned about securing their accounts, we also have Google Authentication supported for our billing system, TeamSpeak control panel as well as our Windows control panel. The auth secret key is also not stored in plain-text, it is also stored hashed with a unique salt key.

    Comment by Christopher York Staff Member on February 4th, 2014 at 4:12 PM
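
The storage scheme asked for in the comments above (salted hashes only, and a reset function instead of mailing the password), as an added example that is not ASPnix's or WebsitePanel's code. The function and class names, the PBKDF2 work factor and the 15-minute token lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def hash_password(password):
    """Return (salt, digest); only these two values are stored, never the password."""
    salt = secrets.token_bytes(16)  # unique random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute the hash from the login attempt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

class ResetTokens:
    """Single-use, expiring reset links, so no password is ever put in an e-mail."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # sha256(token) -> (username, expiry time)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create a token for the e-mailed link; the server keeps only its hash."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = (username, now + self.ttl)
        return token

    def redeem(self, token, now=None):
        """Return the username once if the token is known and unexpired, else None."""
        now = time.time() if now is None else now
        username, expiry = self._pending.pop(self._key(token), (None, 0))
        return username if username is not None and now <= expiry else None
```

With this layout the server can check a login attempt and let a user set a new password, but it holds nothing from which the original password could be mailed back.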
