Better Website / Account Security

We’ve seen a rise in website accounts being compromised, hacked and attacked due to many issues, which we will discuss here. Hopefully we can help you protect your website’s contents, important documents, files, images and other personal information you may have stored on our servers, and help keep your account from being suspended.

  1. Website
    1. If your website does not write to files and does not take uploads, disable write permissions on your website completely.
    2. If your website does write to files, disable write permissions on your website and then use the file manager to grant write permissions only on the specific files and folders that need them.
    3. If you are using a commercial or open source product such as WordPress, Joomla, phpBB etc., make sure you are always running the latest version. Keep track of new release announcements and keep your website updated. Popular applications are updated frequently, so keep an eye out!
  2. FTP Accounts
    1. Use FTP over SSL only: set your FTP account to “SSL Only” in the control panel to prevent connections over standard (unencrypted) FTP.
    2. Use only trusted FTP applications, downloaded from their respective developer’s website, to prevent the application from stealing your credentials. Do not use “cracked” or “pirated” applications, as they could be insecure.
    3. Use strong passwords: the password “Mikeftp1” is not a secure password, while “9876ui*O-I723_44” is a secure password.
    4. If you use FTP from locations that have a static IP address or one that rarely changes, use our “IP Restrictions” feature in the control panel to block access from any IP address you do not specify.
  3. Email Accounts
    1. Use strong passwords: the password “Cindy1988” is not a secure password, while “9876ui*O-I723_44” is a secure password.
    2. Disable the webmail service for your account if you do not use it or do not rely on it for email access.
    3. Disable unneeded services. For example, if you only use IMAP, disable POP.
    4. Monitor your account closely: if you receive bounce reports or failure notices for emails you do not recognize, change your password immediately and alert our support department.
    5. Do not use the same password for all email accounts.
    6. If you can, use only SSL or TLS based connections to send and receive email.

We hope this gives you a better idea of how to secure your website and your account from attacks, spammers, etc. If you have any questions, let us know!

Thank you for choosing ASPnix as your hosting provider!

7 thoughts on “Better Website / Account Security”

  1. Hi.

    If ‘write permission’ is disabled, will FTP and the database keep working? Is the permission only for my application writing to disk?

    Thanks

  2. Thanks for this but why are you storing our passwords in the clear in your system?

    I just did forgotten password reminder on https://panel.aspnix.com/ and you emailed my password in the clear.

    This password should never even be stored on your system at all.

    Store hashes of the salted password only.

    • @Art The password is stored in our database, but it is not stored in plain-text. The password is stored using a hashing algorithm and salted using a large unique string of characters. The system uses this method to store multiple passwords for your account and other things.

      @Tiago “Write Permissions” is only for your website if it writes to disk. FTP has its own set of permissions and databases are also completely separate.

  3. I’m going with @Art on this one. Plain text passwords should never be stored let alone emailed!!!! You should have a password reset functionality. This is bananas.

    • @John Art made the assumption that we store passwords in plain-text. An assumption that was wrong. See my previous response. As far as emailing your credentials, your credentials were emailed to you when you signed up, they were in plain-text, not encrypted or hashed (how else would you know your password). When you perform a “forgot password”, it simply resends your account summary letter that you received when you first signed up.

      WebsitePanel is open source, so you are free to see how it works and stores passwords. However, since it is open source, we’ve made some modifications to how passwords are salted etc., so our implementation is different from theirs; passwords are still not stored in plain-text.

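As an added illustration of the point argued in this thread (this is not code from the post, from ASPnix or from WebsitePanel; the PBKDF2 work factor and the in-memory user table are assumptions), the following Python stores only a per-account salt and a one-way digest, verifies a login against them, and handles “forgot password” with a single-use reset token, since a stored digest cannot be turned back into the password and resent:

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example).
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only these two values are persisted;
    the password itself is never written anywhere."""
    if salt is None:
        salt = os.urandom(16)  # unique random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


# Constructed in-memory "user table": username -> (salt, digest)
USERS: Dict[str, Tuple[bytes, bytes]] = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


def login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        hash_password(password)  # same cost for unknown users: no timing oracle
        return False
    return verify_password(password, *record)


# Only a digest exists, so "forgot password" cannot email the password back.
# It issues a random single-use token; the table keeps only the token's hash.
RESET_TOKENS: Dict[str, str] = {}


def issue_reset_token(username: str) -> str:
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def reset_password(token: str, new_password: str) -> bool:
    username = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if username is None:
        return False  # unknown, expired-by-use, or tampered token
    register(username, new_password)  # new salt and digest replace the old record
    return True
```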
  4. For those customers that are concerned about securing their accounts, we also have Google Authentication supported for our billing system, TeamSpeak control panel as well as our Windows control panel. The auth secret key is also not stored in plain-text, it is also stored hashed with a unique salt key.

