How can I make sure my site is secure?
Security Basics - Hardening your Account
While it is virtually impossible to guarantee 100% security for your entire site, a little bit of effort goes a long way in preventing common hacks and attackers. Listed in this guide are some steps that anyone can take to make their site and account much more secure than it would be otherwise.
Proper Security Starts at Home
It's critical that your home machine is also secure. Keyloggers, trojans, and other malicious software can all potentially be recording everything that you do, including administrating your website. It is very important to install a good anti-virus application and scan your home machine daily. A few well known security applications can be found here:
Any one of these, and many others, would be an excellent choice for home computer security.
Use strong passwords
It is much easier to remember passwords based on words, your favorite TV show or animal, or a special date, but this makes it very easy for attackers to guess or brute-force your password. It is not uncommon for attackers to use large dictionary scripts full of thousands of commonly used passwords, so using something like a pet's name is a security risk in itself.
We strongly recommend a randomly generated password consisting of both numbers and letters, with a minimum of 6 characters in length. There are webpages such as PCTools Password Generator that will automatically generate any number of secure passwords. If you generate a password as recommended, it will be virtually impossible for anyone to guess it.
It is also considered good practice to change your password every few months. This further reduces the chance that someone could guess your password. It would also be very wise to use different passwords for different services. On the off chance that someone gains access to your password, this would prevent them from accessing ALL of your accounts.
Use appropriate permissions for files and folders
What are permissions and what do they mean to me? All files have a permission level assigned to them. The permission level dictates who can execute, modify, or delete the specific file or folder. Unless specified otherwise, all files should be set to a permission level (or CHMOD) of 0644. This means that the owner can read and write to it, but everyone else (including all people that view your website through a browser) can only read. All folders should be set to 0755, and all configuration scripts should be set to 0444. Unless your script requires different settings for certain folders or files, this will go a long way toward preventing most exploits from working on your account. Almost any FTP client will allow you to modify permissions, and the cPanel file manager can also perform this task.
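The following script is an added example, not part of the original guide: it walks a web root and reports every file or folder whose mode differs from the values recommended above (0644 for files, 0755 for folders, 0444 for configuration scripts). It assumes a POSIX shell with find and either GNU or BSD stat; the configuration-file glob `config*.php` is an assumed default that you would adjust for your own script.

```shell
#!/bin/sh
# Added example (not from the original guide). Audits a directory tree
# against the recommended permissions: files 0644, folders 0755, and
# configuration scripts 0444. Nothing is changed; offenders are only listed,
# so you can review them before fixing them in your FTP client or cPanel.

# Print a path's mode in octal; tries GNU stat first, then BSD stat (assumption).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# audit_perms DIR [CONF_GLOB]
# Prints one line per path whose mode is not the recommended one.
# CONF_GLOB selects configuration scripts (assumed default: config*.php).
audit_perms() {
    root="$1"
    conf_glob="${2:-config*.php}"

    # Folders that are not exactly 0755
    find "$root" -type d ! -perm 0755 | while read -r p; do
        printf 'dir  %s %s (want 0755)\n' "$(mode_of "$p")" "$p"
    done

    # Configuration scripts that are not exactly 0444 (read-only for everyone)
    find "$root" -type f -name "$conf_glob" ! -perm 0444 | while read -r p; do
        printf 'conf %s %s (want 0444)\n' "$(mode_of "$p")" "$p"
    done

    # All other files that are not exactly 0644
    find "$root" -type f ! -name "$conf_glob" ! -perm 0644 | while read -r p; do
        printf 'file %s %s (want 0644)\n' "$(mode_of "$p")" "$p"
    done
}

# count_bad_perms DIR [CONF_GLOB]
# Number of offending paths; 0 means the tree matches the recommendations.
count_bad_perms() {
    audit_perms "$1" "$2" | wc -l | tr -d ' '
}
```

Run it as `audit_perms /home/youruser/public_html` and fix each reported path; a world-writable folder (0777) or a readable-and-writable config file is exactly what an attacker's upload or defacement script relies on.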
Make sure your scripts are up to date
One of the most important tasks in ensuring your scripts are secure is keeping them up to date. With almost every software revision, features are added, bugs are fixed, and security holes are closed. Keeping your script up to date means you will have all the latest security patches and fixes as soon as the developers write them.
Make it a regular habit (at least every other week) to check the developer's homepage for news, updates, and information regarding your script. If you installed the script via Fantastico, make it a regular habit to check there for possible script updates as well. As soon as a new security patch is released, download and install it. Every day that you do not install the latest security patch or update is like leaving your house unlocked for a day while you go on vacation.
Clean up those "extra" files
It is always a good idea to remove any files that you are not using from your account. The fewer files you have accessible from your website, the less chance that one of them will have an exploit in the wild for it. This also includes your script's install files. If your script leaves behind an install.php and people can access it, they might be able to install the script again, overwriting everything you have! Double-check the documentation, but most of the time it is safe to remove the install files.
Keep an eye on security bulletins
There are many free and commercial services available that keep track of all *reported* exploits in the wild. I emphasize reported because there are many exploits and hacks that never get reported. Checking such sites is not required, but it is a proactive security measure that helps quite a bit.
These are just a few of the many sites that list released exploits. If you notice that a script you use is listed on any of these security lists, contact the developers for assistance immediately. This means that there is an active exploit for your website, and anyone with the know-how can attack your services. However, please take note that nothing being listed on any of these sites for your scripts does NOT mean they are 100% guaranteed to be secure; it just means that no one has discovered any exploits for them yet.
BACKUP YOUR SITE!!!
This is perhaps the most important step to take. At a bare minimum, once every week, perform a full backup of your account using cPanel's backup feature, or by downloading the files via FTP and the MySQL databases via phpMyAdmin. On the off chance that your account gets compromised, or even if you make a mistake somewhere, you will always be able to grab your backup and replace compromised files with a known clean copy.
While following the recommendations of this guide will not ensure that your site is 100% impervious to any kinds of attacks, it will give you a great start in securing your account.