at can be time consuming, and sometimes overly technical. Even though there are a lot of things to check to keep your server safe, here is a list of the most common things that you can do on your own:
I don’t know how many times I’ve seen this in our customer service department, or I’ve heard it directly from customers: “I was hacked!”, only to find out that their main server password is “123456” or their dog’s name. This is the most common of all the security issues that I have seen. It’s very simple to apply a good password to all areas of the website, including web application passwords, database passwords, email passwords, and FTP and SSH passwords. Ensure you don’t leave them at the default. Only you should know your server passwords; do not share them with others. If other staff or vendors need to access your server, create a separate account for them with another strong password. Others may complain for a few minutes that your password is “too hard to remember”, but it saves you many hours recovering deleted data or cleaning up accounts exploited by an attacker.
Unless you have a development team on your payroll, you are probably using some open source scripts. Open source applications like WordPress, Drupal, Joomla, Magento etc. are feature rich, powerful and backed by thousands of coders for updates and support. The downside is that without an attentive administrator, your web application can become a target because of weak passwords or outdated code.
A common way for attackers to gain access is to guess your password. If you leave the default “admin” as the username for many of the applications you install, you increase the likelihood that attackers will be successful. Because of this, giving your admin account a “custom” username is recommended. Don’t use “admin” or “root” as your default username; make it your name, or a nickname. That’s one more level of security added to the authentication system.
If your web server and mail server are the same server, be sure to have the email address for any admin accounts be an email that is not on that server. That way, in the event that password recovery attempts happen, they are not sent to the same server where the attacker may have access.
When you create your MySQL database, or you use a MySQL database server, be sure to set a password. Most scripts don’t require a password for the database, but they do have a field for it. An empty password throws away an additional layer of security for your site. Database passwords do not slow down the website when it queries the database, so there is no reason not to have one.
Remember, this is your server. In the event you need to give access to your server to a developer, programmer, or graphic designer, it’s always recommended to give them the least amount of access that is required to do their job. Do not give them the root password, or all of YOUR passwords. Unlike giving someone a key to your home, this is like giving them just a key to one or two rooms only. You do not need to issue the root password to someone who has no obligation to you at the end of the day, especially if you don’t know if they are smart enough to close and lock the doors behind them.
Did you get the hint? Test it… From time to time, test your server’s security. Most security testing on your server will take a lot less time than trying to fix a security issue.
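The checks above (empty or trivial database password, default “admin”/“root” usernames, an admin recovery address hosted on the same server) can be turned into a small self-audit. The script below is an added example, not code from the original post; the weak-password list, the 12-character minimum, and the wp-config.php-style excerpt it parses are all constructed for illustration.

```python
import re

# Constructed denylist of the kind of trivial passwords the post describes
# (hypothetical; a real audit would use a much larger list).
WEAK_PASSWORDS = {"", "123456", "password", "admin", "root", "letmein"}
# Default account names the post says to avoid for application and database logins.
DEFAULT_ADMIN_NAMES = {"admin", "root", "administrator"}
MIN_PASSWORD_LENGTH = 12  # assumed policy value, not from the post

# Constructed excerpt in the wp-config.php style (hypothetical values, not from a real site).
SAMPLE_WP_CONFIG = """
define( 'DB_NAME', 'shopdb' );
define( 'DB_USER', 'root' );
define( 'DB_PASSWORD', '' );
define( 'DB_HOST', 'localhost' );
"""

def parse_defines(php_source):
    """Extract define('KEY', 'value') pairs from a PHP config file into a dict."""
    pattern = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")
    return dict(pattern.findall(php_source))

def audit_credentials(db_user, db_password, admin_users, admin_email, local_mail_domains):
    """Return (severity, message) findings; an empty list means every check passed."""
    findings = []
    if db_password in WEAK_PASSWORDS:
        findings.append(("high", "database password is empty or on the weak-password list"))
    elif len(db_password) < MIN_PASSWORD_LENGTH:
        findings.append(("medium", "database password is shorter than %d characters" % MIN_PASSWORD_LENGTH))
    if db_user.lower() in DEFAULT_ADMIN_NAMES:
        findings.append(("medium", "database user '%s' is a default/privileged name; use a dedicated account" % db_user))
    for user in admin_users:
        if user.lower() in DEFAULT_ADMIN_NAMES:
            findings.append(("medium", "application admin username '%s' is a default name" % user))
    # Recovery mail must not land on the same server an attacker may already control.
    domain = admin_email.rsplit("@", 1)[-1].lower()
    if domain in {d.lower() for d in local_mail_domains}:
        findings.append(("medium", "admin recovery email is hosted on this same server"))
    return findings

def audit_wp_config(php_source, admin_users, admin_email, local_mail_domains):
    """Run the credential checks against a wp-config.php style file's contents."""
    cfg = parse_defines(php_source)
    return audit_credentials(cfg.get("DB_USER", ""), cfg.get("DB_PASSWORD", ""),
                             admin_users, admin_email, local_mail_domains)

if __name__ == "__main__":
    for severity, msg in audit_wp_config(SAMPLE_WP_CONFIG, ["admin"], "admin@example.com", ["example.com"]):
        print(severity.upper(), msg)
```

Run against the sample it reports four findings; against a dedicated database user, a long password, a non-default admin name and an off-server mail address it reports none.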