How to Secure Your Web Host Manager Server
Security is a big deal online and there are no magic solutions to make your Web Host Manager server absolutely secure, no matter what anyone else may tell you. Famously in the past, the secure networks of banks, international corporations, government departments, the CIA, the Department of Defense — even Microsoft, Google, and Apple — have been hacked.
The only truly secure way to protect your site and files is to switch the server off, unplug it, crush it into dust, and sprinkle the dust particles over a thousand square miles of the Pacific Ocean, and even then someone might find a backup of your data.
There are different levels of hackers, though, and there is plenty you can do to keep out any but the most persistent of hackers. The following steps outline a good way to get started:
Keep all your software up-to-date on your personal computer and on your server, including using the EasyApache facility under Software in WHM to update to the latest versions of PHP and MySQL.
Go to the cPanel section of the WHM menu (near the bottom of the menu options on the left of WHM) and click Manage Plugins.
Select and install the ClamAV and ConfigServer Security & Firewall (CSF) plugins, if they are not already installed.
At the bottom of the left-hand menu in WHM, confirm that Mod Security is installed.
If Mod Security is not installed, install it by running the EasyApache facility under the Software menu.
When Mod_Security is installed, you need to also install some security rules for Mod Security. These differ depending on how your website is built so it’s best to get some expert advice on which rules are right for you. Your web host would be a good place to start when looking for advice on Mod_Security rules.
Scroll up in the WHM menu to the Security Center and click on cPHulk Brute Force Protection to check that it is enabled.
This facility watches for people trying to log in to your server multiple times without success. If there are too many failed login attempts, the facility decides the person doesn’t know your password and locks him out.
In the Security Center, click Shell Fork Bomb Protection and check that it is enabled.
This prevents any one user from overloading the server if she gets in via Secure SHell, or SSH.
Click SMTP Restrictions in the Security Center and check that they are enabled.
SMTP stands for Simple Mail Transport Protocol and is the system that the server uses for sending e-mail. Enabling this blocks some of the tricks spammers use to hijack your server to send spam.
Select the Apache Mod_userdir Tweak option in the Security Center and enable it.
It is highly unlikely that you’ll ever need mod_userdir — it’s something only web hosts really need to use. If you do ever need it, it’s simple enough to go back in and disable it or just disable it for a specific domain.
Scroll down to the Account Functions section and click Manage Shell Access.
Only users who specifically require shell access should have it enabled, so select Disabled Shell for all other users.
Check with a service such as sucuri.net that your site/server has not already been compromised.
You may want to consider signing up for a yearly protection and monitoring plan. Your host may also supply a service like this.