Snappy, The HostGator Mascot

Gator Crossing

The Official HostGator Company Blog!


3 Easy Steps that Protect Your Website From Hackers

Written by Taylor Hawes

Tuesday, March 19th, 2013

website security

As a webmaster, is there anything more terrifying than the thought of seeing all of your web-developed work being altered or wiped out entirely by a nefarious hacker?  You’ve worked hard on your website – so take the time to protect it by implementing basic hacking protections!

In addition to regularly backing up your files (which you should already be doing, for various reasons), taking the following three easy steps will help to keep your website safe:


Step #1 – Keep platforms and scripts up-to-date

One of the best things you can do to protect your website is to make sure any platforms or scripts you’ve installed are up-to-date.  Because many of these tools are created as open-source software programs, their code is easily available – both to good-intentioned developers and malicious hackers.  Hackers can pour over this code, looking for security loopholes that allow them to take control of your website by exploiting any platform or script weaknesses.

As an example, if you’re running a website built on WordPress, both your base WordPress installation and any third-party plugins you’ve installed may potentially be vulnerable to these types of attacks.  Making sure you always have the newest versions of your platform and scripts installed minimizes the risk that you’ll be hacked in this way – though this isn’t a “fail safe” way to protect your website.


Step #2 – Install security plugins, when possible

To enhance the security of your website once your platform and scripts are up-to-date, look into security plugins that actively prevent against hacking attempts.

Again, using WordPress as an example, you’ll want to look into free plugins like Better WP Security and Bulletproof Security (or similar tools that are available for websites built on other content management systems).  These products address the weaknesses that are inherent in each platform, foiling additional types of hacking attempts that could threaten your website.

Alternatively – whether you’re running a CMS-managed site or HTML pages – take a look at SiteLock.  SiteLock goes above and beyond simply closing site security loopholes by providing daily monitoring for everything from malware detection to vulnerability identification to active virus scanning and more.  If your business relies on its website, SiteLock is definitely an investment worth considering.

site lock hacking protection


Step #3 – Lock down your directory and file permissions

Now, for this final technique, we’re going to get a little technical – but stick with me for a moment…

All websites can be boiled down to a series of files and folders that are stored on your web hosting account.  Besides containing all of the scripts and data needed to make your website work, each of these files and folders is assigned a set of permissions that controls who can read, write, and execute any given file or folder, relative to the user they are or the group to which they belong.

On the Linux operating system, permissions are viewable as a three digit code where each digit is an integer between 0-7.  The first digit represents permissions for the owner of the file, the second digit represents permissions for anyone assigned to the group that owns the file, and the third digit represents permissions for everyone else.  The assignations work as follows:

4 equals Read
2 equals Write
1 equals Execute
0 equals no permissions for that user

As an example, take the permission code “644.”  In this case, a “6” (or “4+2″) in the first position gives the file’s owner the ability to read and write the file.  The “4” in the second and third positions means that both group users and internet users at large can read the file only – protecting the file from unexpected manipulations.

So, a file with “777” (or 4+2+1 / 4+2+1 / 4+2+1 )permissions would then readable, write-able, and executable by the user, the group and everyone else in the world.

As you might expect, a file that is assigned a permission code that gives anyone on the web the ability to write and execute it is much less secure than one which has been locked down in order to reserve all rights for the owner alone.  Of course, there are valid reasons to open up access to other groups of users (anonymous FTP upload, as one example), but these instances must be carefully considered in order to avoid creating a security risk.

For this reason, a good rule of thumb is to set your permissions as follows:

  • Folders and directories = 755
  • Individual files = 644

To set your file permissions, log in to your cPanel’s File Manager or connect to your server via FTP.  Once inside, you’ll see a list of your existing file permissions (as in the following example generated using the Filezilla FTP program):

chmod 1

The final column in this example displays the folder and file permissions currently assigned to the website’s content.  To change these permissions in Filezilla, simply right click the folder or file in question and select the “File permissions” option.  Doing so will launch a screen that allows you to assign different permissions using a series of checkboxes:

chmod 2

Although your web host’s or FTP program’s backend might look slightly different, the basic process for changing permissions remains the same.  If you have any questions about modifying your folder and file permissions, please see this helpful link.  Don’t put off taking this important step – securing your site using all of these different strategies is a big part of keeping your site healthy and safe in the long run!


Sign Up With HostGator!

Posted in

Web and Hosting Tips

20 Responses to 3 Easy Steps that Protect Your Website From Hackers

  1. HostGator says:

    Be default all files and folders should be owned by your cPanel username and a group of the same name with only you assigned to that group. Given that circumstance, 644 for files and 755 for folders is ideal.

  2. alnnasr says:

    thanks bro

  3. nexxterra says:

    UMMM…. what about the obvious, always back up your site!

  4. Tamal Anwar says:

    I use a tool called login lockdown. It prevents attempts of brutal login by people or bots.

  5. Cheap Vps UK says:

    Nice stuff,You right….website planners must ensure their scripts are very well planned and
    tested, especially those parts that deal with private information. In
    many countries there are now legal requirements to ensure the privacy of
    medical and financial records.

  6. Limit Login Attempts will temporarily lock out IP Addresses that make several failed attempts to get into your WordPress admin. Also be sure to keep your computer and browser up to date!

  7. Krzysztof says:

    Dzięki za kształcący wpis

  8. ramiszaro says:

    Thanks for the post this was awesome going to help me in further instructions .

  9. Palak Bhalala says:

    I have 0700 for .cpanel and other default directories, for public_html and public_ftp I have 0750. I think its fair enough. is it?

  10. Nashua Indigo says:

    WP Better security can destroy your website if you don’t configured in a good, way, stay away from options like file detection and Ip blocks

  11. usman says:

    i have hostgator hosting and my site is hack my site is chat room site that is my site some one did his date base to my cpanel but i cant change the seeting beacuse i don,t know how to do it plx tell me if someone knows

  12. Honey Abdikarim says:

    how can i clean SQL injection showing in google and bing,Yahoo my website has been hacked but i have scanned and cleaned all Word press Files any help to clean showing problem in this networks,how to cleab up CMS SQL Injection Vulnerability

    please help me to clear this problem

  13. KMD says:

    You know, these are some pretty good ideas that will definitely take care of your site for a little bit, but I like to have some additional security, and for that, I like to use these guys

  14. b2sstores says:

    Thanks for sharing such a wonderful information, really appreciate it, my sites was hacked , now I know hot to protect it,
    Thanks again!

  15. Çiçekçi Siparişi says:
  16. Mitesh Ganatra says:

    The best explanation I ever came across. File Permission is something that I was not aware much but now I am. Thanks a lot.

    Most common causes for a hosting account to become hacked, or otherwise compromised. If you use WordPress, Drupal, Joomla or any other PHP-script, database-driven CMS then it is vitally important that you keep these scripts up-to-date. Failure to do so is literally an open door inviting hackers to gain access to your account. Updating these scripts is as simple as logging into the back-end and clicking on any “update” notification that appears therein.

  17. Jakob Storm says:

    Good advice! Another way to find out how vulnerable your website is, is to run a vulnerability reward program. In these kind of programs, testers/good hackers are invited to find and report vulnerabilities – you then pay a reward if the vulnerability is valid and not a duplicate. You can run your own such program on