About website security

Started by Kevin56, Jul 10, 2022, 10:38 PM

Previous topic - Next topic

Kevin56Topic starter

Good day. I am a beginner.
I want to tell what I probably already know and what I once dealt with a long time ago.

Domain - as I understand it, this is the name of the site, which is entered at the top of the browser. Bought somewhere from people who are accredited to sell domain names. It seems to be more or less clear here, with the exception of mail. Many sites offer, along with the purchase of a domain, plus mail. It's a little unclear about mail here.

Hosting is where the site is stored. I don't know much about hosting, or rather, nothing at all.
I remember they gave me access to ftp, I entered my login and password and uploaded my site there and it was only necessary to have index.html in it. Now I'm starting to understand that hosting is not just ftp, that there must be something installed there, i.e. php, apache, mysql version i.e. What is the minimum package that should be installed on the hosting to make it comfortable to work with? Or when I buy hosting, I have to put it all myself?

If I understand correctly, I have to set up some things. Do I understand correctly, if I don't have any page on the site, but the user goes there, then the page "oops, you made a mistake" should be displayed and I also configure this page on the hosting, and not on the site?

MySQL databases - let's say I have several databases, one of which is entered by users themselves after registration, and the second is constant. I heard about hаcking sites and servers, I read that you need to set different access rights to databases. How is it done? hosting? I read that you need to set different passwords for each database.
But I specify the password and login in the code, because anyone can see the code and get access to the server database. Or am I misunderstanding something?

To be honest, I'm more concerned about the issue of security from hаcking the database, not even so much as they can download it to their computer and read it, but so much that they can get into it and change something to their own, or delete it altogether.
How to secure your site from this kind of hаcking? Maybe there are some videos with simple language, where everything is described?
And what are the types of hаcks? And how can you protect yourself from them?


1. There is a so-called "virtual hosting". This is just an option when everything you need is set up and ready to go right now. The first and probably the only advantage is the price.
Lack of performance as server resources can be split among many other heavy or impossible customizations.

2. Dedicated server. A server is bought or rented, which is stored by the host. Everything is great in terms of performance and configuration, all resources are completely at your disposal, but for the price this is the most expensive option.

3.VPS/VDS. Same as the previous version, but instead of a real server, a virtual machine. The prices are quite cheap, almost like shared hosting. Performance can depend on many factors.

4. Cloud services like AWS, azure, Heroku. Such a constructor, database on one service, file storage on another, php on the third.

The main types of attacks are: sql injection, xss, file upload (for example, upload a file with php code instead of a picture.


Choose a hosting provider that uses a Web Application Firewall (WAF) for active network monitoring. WAF is your gatekeeper, which will not allow hаckers and malicious bots to gain access to your site and exploit its vulnerabilities.
WAF should prevent hаckers from hijacking your site using SQL injection or cross-site XSS scripting. It is also a great DDoS attack protection tool.

Also, a secure web hosting provider should regularly scan its servers for malware and send scanning reports to its customers. And if (despite all precautions) your site's files are still affected by hаckers or software, the hosting provider should help you identify the vulnerability and eliminate it.

Use the HTTPS protocol
HTTPS is a secure communication protocol for encrypting and ensuring the integrity of data on the Internet. HTTPS ensures that hаckers will not gain access to user data, including sensitive information (such as passwords and bank card data).

We have already published a detailed guide on switching from HTTP to HTTPS: if you have not yet switched your site to HTTPS, be sure to read that topic.

To transfer a website to HTTPS, you need to get an SSL certificate. Update your certificate regularly, use the latest version of SSL and modern encryption.

Restrict administrator access
When hаckers try to gain access to your web site, they mostly seek to get accounts with administrator rights. It is these accounts that can give them full control over your business project. To reduce the risks from hаcking administrator accounts, restrict their use and give access to them only to trusted persons.

Use strong passwords with two-factor authentication
Using strong passwords is a prerequisite for anyone who wants to protect their accounts. However, sometimes even strong passwords do not withstand a "brute force" attack.
Therefore, it is important to strengthen the protection of the web  site and add two-factor authentication for your CMS and web hosting accounts.

If you store and process confidential information on your site, ask your users to pass two-factor authentication to access their accounts.

Change the standard settings of your CMS
By creating new malware, cybercriminals usually target the most popular CMS in order to hаck the maximum number of sites using the same code.
You will be able to protect yourself from cybercriminal attacks if you configure the CMS for yourself, since your web site will work somewhat differently than thousands of other sites on the same CMS.

Remember that even small adjustments can affect the situation. Therefore, do not forget to configure user management, change file access rights and comment settings.

Update your software regularly
Software updates improve security, eliminate bugs and vulnerabilities that hаckers usually use. That is why it is so important to establish the process of managing software updates for operating systems, server software, CMS, plugins and other products.

It is also recommended to get rid of old software that you no longer use, especially if it has not been updated for some time: such software leaves hаckers with a loophole to access your system.

Make backups — backup copies of your data and site
If you take measures to protect yourself in advance, you don't have to worry about attackers hаcking your web site. However, there is always a chance that something will go wrong - after all, hаckers are constantly finding new vulnerabilities and continue to improve their attack methods. To mitigate the consequences in case an attack on your web  site and its data does occur, it is worth reserving all that data.

There are many options for data backup. Many web hosting providers have backup included in the plan, and it is usually performed automatically. There is a downside to this:
the amount of data you can copy may be limited. If you use cPanel — one of the most popular panels for managing web hosting accounts - you will be able to use the built—in backup function, but you will have to do everything manually. 

WordPress users can use one of the special backup plugins to duplicate an existing site into a staging environment or copy web  site files to a cloud storage - their own (for instance, Google Drive or Dropbox) or provided by plugin developers. Depending on the feature set, WordPress backup plugins can be free or provided for an annual fee.

It is best to combine several backup methods. For instance, you can make both daily incremental backups for cloud storage and weekly server backups.

Check regularly whether everything is working correctly and whether you can restore your web site data from a backup without hindrance.


If you don't know much about site security, the easiest option is to use reliable checking programs (like Google Safe Browsing). You can easily find these on the Internet, just check the information about them first, read real reviews.