This is a guest post by John Dayton.
Server security is one of the most fundamental responsibilities you take on if you run an online business or host your own web presence of any kind, meaning you run your own websites rather than publishing on social networks or on a blogging platform's sub-domains.
The internet is a jungle in many ways, full of predators both human and automated. Without a solid plan for server security you risk falling victim to malware of every kind (viruses, Trojan horses, spyware), malicious bots, data thieves, denial of service attacks and attackers of all sorts.
Fortunately, securing your web server is not that hard if you follow several key steps and make a habit of maintaining the security you have set up. The general procedures below will make your servers much safer and give you some peace of mind.
1. Take Advantage of Secure Hosting
If you do not yet have servers of your own, make sure the ones you get are the best protected you can afford. This means two things. First, buy hosting from a provider that offers a full menu of security options, including firewalls, server-side anti-malware software, secure login, SFTP (the SSH File Transfer Protocol, rather than plain FTP, which sends your credentials and files in the clear) and regularly updated MySQL, PHP and Apache, among other things.
Second, if you want an extra security edge from the start, buy a dedicated server for your web presence rather than a shared hosting plan. It typically costs several times what shared hosting does, but a dedicated machine is easier to secure because no other customer's compromised site shares your operating system, and you control patching and configuration yourself. It also tends to ride out resource-exhaustion and DoS attempts better than a shared box, although real resilience to DDoS depends on what your provider's network can absorb, not on the server alone.
2. Back Up Your Server Data Regularly
Without a doubt this is one of the most fundamental steps to keeping your server data and website safe. Backing up all of your data files regularly (how often depends on how quickly your content changes; weekly is a bare minimum for a site that is updated often) protects you from total loss if an attacker succeeds in destroying everything stored on your servers. Keep the backups somewhere the server itself cannot reach, such as a portable hard drive or another computer's drive, because an attacker who controls the server can also delete any backups kept on it, and test from time to time that you can actually restore from them.
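One way to carry out this step from the command line, as an added example that is not part of the original post: the script below archives a site directory with a timestamp, records a SHA-256 checksum next to it, verifies that the archive reads back cleanly, prunes copies older than a retention window, and includes a restore helper so the backup can be tested rather than trusted. The paths and the 30-day retention are assumptions for illustration; the destination should be a drive or host the web server itself cannot write to.

```shell
#!/bin/sh
# Added example, not from the original post. Requires tar, sha256sum and find.
# backup_dir SRC DEST [KEEP_DAYS]: archive SRC into DEST, checksum, verify, rotate.
# Prints the path of the new archive.
backup_dir() {
    src="$1"                 # e.g. /var/www/example (placeholder)
    dest="$2"                # e.g. /mnt/backup-drive (placeholder, not on the server)
    keep_days="${3:-30}"     # retention window; 30 days is this example's assumption

    mkdir -p "$dest"
    name=$(basename "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$name-$stamp.tar.gz"

    # -C makes the archive hold paths relative to the parent of SRC,
    # so it can be restored anywhere, not only to the original location
    tar -czf "$dest/$archive" -C "$(dirname "$src")" "$name"

    # checksum written with a relative name so the pair can be moved together
    (cd "$dest" && sha256sum "$archive" > "$archive.sha256")

    # an unverified backup is a hope, not a backup: read the listing back
    # and re-check the digest before trusting the copy
    tar -tzf "$dest/$archive" > /dev/null
    (cd "$dest" && sha256sum -c "$archive.sha256" > /dev/null)

    # rotation: remove archives and checksum files older than the window
    find "$dest" -name "$name-*.tar.gz*" -mtime +"$keep_days" -delete

    printf '%s\n' "$dest/$archive"
}

# count_files_in_archive ARCHIVE: number of file entries (directories excluded),
# handy for comparing against the live tree during a restore drill
count_files_in_archive() {
    tar -tzf "$1" | awk '!/\/$/ { n++ } END { print n + 0 }'
}

# restore_dir ARCHIVE TARGET: unpack into TARGET. During a drill, restore to a
# scratch directory and diff against the live site, never straight over it.
restore_dir() {
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}
```

A cron entry that calls `backup_dir /var/www/example /mnt/backup-drive` nightly, plus a monthly `restore_dir` into a scratch directory followed by a `diff -r`, covers both halves of the advice above: the copy exists, and it is known to work.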
3. Protect Everything with Secure Passwords
Your server access, hosting control-panel and SSH passwords should all be as strong as possible and very hard to crack. That means no dictionary words such as "password"; instead pick pass keys that are at least 10 to 20 characters long and made up of random, varied characters, ideally generated for you by a password manager rather than invented by hand. A password in the style of YcPLoJ14thbJsuabCCf46 is ideal, but never reuse one that has been published anywhere, including that one. For SSH, better still is to log in with a key pair and turn password authentication off altogether, so there is no password for an attacker to guess.
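Rather than inventing a password by hand, generate it, and check candidates against a written policy. The shell functions below, an added example that is not part of the original post, draw a password from /dev/urandom and test any given password for length, character variety and a few notorious weak substrings. The 16-character floor, the three-of-four character-class rule and the banned substrings are this example's assumptions, not rules stated in the post.

```shell
#!/bin/sh
# Added example, not from the original post.

# gen_password [LEN]: print LEN random characters (default 20) drawn from the
# kernel CSPRNG. LC_ALL=C makes tr work on raw bytes; -dc keeps only our alphabet.
gen_password() {
    len="${1:-20}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*_+=-' < /dev/urandom | head -c "$len"
    echo
}

# check_password PASSWORD: exit 0 if the password meets this example's policy,
# 1 otherwise. Policy (assumed for illustration): at least 16 characters,
# at least three of the four classes lower/upper/digit/other, and none of a
# few substrings that appear in nearly every cracking wordlist.
check_password() {
    pw="$1"
    [ "${#pw}" -ge 16 ] || return 1

    classes=0
    for pattern in '[a-z]' '[A-Z]' '[0-9]' '[^A-Za-z0-9]'; do
        if printf '%s' "$pw" | LC_ALL=C grep -q "$pattern"; then
            classes=$((classes + 1))
        fi
    done
    [ "$classes" -ge 3 ] || return 1

    # case-insensitive substring check against a tiny constructed blocklist;
    # a real deployment would compare against a breached-password list
    case "$(printf '%s' "$pw" | tr 'A-Z' 'a-z')" in
        *password*|*qwerty*|*123456*|*letmein*) return 1 ;;
    esac
    return 0
}
```

`gen_password 24` prints a fresh 24-character password; `check_password "$candidate" || echo rejected` is the shape of a pre-commit check for any credential you set by hand. Because the generator reads the kernel's random source, two calls never yield the same value, which is the property a hand-picked "clever" password cannot offer.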
4. Use the Latest Applications and Disable the Unnecessary
This is a two-part step. On the one hand, you want to run the latest versions of every runtime, extension, plugin or application your servers or website depend on, including the web server, PHP and database mentioned in step 1 and programs such as Java, Adobe Acrobat or Flash wherever they are installed. You also need to keep any website content management system (CMS) up to date at all times, along with its own plugins.
On the other hand, as a corollary, disable or remove any of these programs that you have installed but are not using. An unused plugin is easy to forget, a forgotten plugin does not get updated, and an outdated plugin is a major security weakness; running too many plugins widens your attack surface even when they are up to date, though less dangerously. Studies of website compromises repeatedly point to weaknesses in extensions, rather than in the core platform, as the most common way in.
5. Secure all Access Points to Your Server
Securing server access points has already been indirectly covered by steps such as using your hosting provider's security systems, updating all of your extensions and using strong passwords. It should also become a general habit: any new point of entry, or any newly discovered one, gets locked down consistently. One commonly overlooked entry point to your web servers, for example, is the computer you use to upload website content and files. It too should run antivirus and firewall software and be accessible only with a strong password. Uploads from it should go over SFTP, with the SFTP client protected by its own strong password or key, and neither the workstation nor the client should be left logged in or set to log in automatically: a stolen or infected laptop with saved credentials hands an attacker your server.
Security holes like this are covered by a general access-security philosophy: strong passwords, up-to-date programs, security software and heavily restricted access. That is the best mentality for keeping the digital jungle's predators away from your servers.
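The SSH and SFTP access points can be checked against a policy in a few lines. The script below, an added example that is not part of the original post, reads the effective value of each directive from an sshd_config the way sshd itself does (the first uncommented occurrence wins, taken from the settings before any Match block) and reports the ones that would leave password or root logins open. The directive names are real OpenSSH ones; the expected values, the two sample configs and the Match-block simplification are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Run against a live host with:
#   audit_sshd /etc/ssh/sshd_config

# effective_value FILE DIRECTIVE: the value sshd will use, or nothing if the
# directive is absent (in which case the OpenSSH default applies). sshd honours
# the FIRST uncommented occurrence; this example stops at the first Match block
# and does not evaluate per-group overrides.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match"        { exit }
        tolower($1) == tolower(key)   { print $2; exit }
    ' "$1"
}

# check_directive FILE DIRECTIVE WANT DEFAULT: print a WEAK line if the
# effective value (or DEFAULT when the directive is unset) differs from WANT.
check_directive() {
    val=$(effective_value "$1" "$2")
    [ -n "$val" ] || val="$4"
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" != "$3" ]; then
        printf 'WEAK %s=%s (want %s)\n' "$2" "$val" "$3"
    fi
}

# audit_sshd FILE: one WEAK line per finding. The DEFAULT column is OpenSSH's.
audit_sshd() {
    check_directive "$1" PasswordAuthentication no  yes                # keys only, nothing to guess
    check_directive "$1" PermitRootLogin        no  prohibit-password  # log in as a user, then escalate
    check_directive "$1" PermitEmptyPasswords   no  no
    check_directive "$1" PubkeyAuthentication   yes yes
    check_directive "$1" X11Forwarding          no  no
}

# weak_count FILE: number of findings, for scripting
weak_count() {
    audit_sshd "$1" | awk 'END { print NR }'
}

# Constructed sample configs (not taken from any real host) for a self-contained demo.
write_weak_sample() {
    cat > "$1" <<'EOF'
# stock-looking config: root login on, password auth left at its default (yes)
Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
}

write_hardened_sample() {
    cat > "$1" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
Subsystem sftp internal-sftp
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
EOF
}
```

Running `audit_sshd` on the weak sample prints three WEAK lines (password authentication left at its default, root login permitted, X11 forwarding on) and nothing on the hardened one, whose Match block also confines upload-only accounts to an SFTP chroot. Checking a file this way is useful before deploying it; on the host itself `sshd -T` prints the fully resolved configuration, defaults included, and is the authoritative view.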
Image credit: FreeDigitalPhotos.net
About the author
John Dayton has been a leading expert in web security for over a decade. When he is not writing, you can find him training for his upcoming marathon or covering freelance stories around structural failure analysis.