Server Protection Security Measures
HostGator takes measures to secure our servers, which helps to prevent your account from being compromised. However, security breaches of your website and your account data caused by vulnerable passwords or vulnerabilities in the software you've installed cannot be prevented with general server security.
You can help ensure the security of your account by becoming familiar with common types of security breaches. Taking proactive security measures and preparing for recovery is important in case a compromise catches you by surprise.
- What security measures does HostGator provide?
- What security measures are my responsibility?
- What can I do to be more secure?
What security measures does HostGator provide?
HostGator is protected from DDoS attacks (UDP flood).
We have extensive custom firewall rules and significant mod_security rule sets that protect our servers from various forms of attack. If we experience heavy flooding, our data center enables network-level flood protection. Our data centers are all highly secure facilities with restricted access.
We also employ additional server security methods and precautions that are confidential.
What security measures are my responsibility?
When you host your website on HostGator servers, you are responsible for the following:
- Password security
- Your account settings
- Keeping all installed website applications up-to-date
- Ensuring your site is malware-free
- How your account is used
It is also your responsibility to ensure that the scripts and programs installed on your account are secure and that directory permissions are set correctly, regardless of the installation method. We recommend setting directory permissions to be as restrictive as possible, or to 755, on Linux hosting accounts.
HostGator performs regular audits to identify weak account passwords. If your password is determined to be vulnerable, you will be notified and given time to update it. If you continue to use a weak password, your account can be suspended until you agree to use a more secure password. Strong passwords should include at minimum 8 characters, one capital letter, one lowercase letter, one number, and a special character such as an "@" symbol. Passwords should also not contain dictionary words or usernames.
Here is a helpful video that explains your responsibilities as a website owner in securing your site against malware and vulnerabilities.
Being aware of these responsibilities is important, as an account that is found to be compromised may be disabled and/or terminated per our Terms of Service. Failure to clean your account after being notified by HostGator of an ongoing issue may result in your account being disabled.
What can I do to be more secure?
HostGator recommends several actions and services that can help you maintain security on your website. The following security tips are offered to help our clients maintain site security and protect their accounts:
Update passwords
Exploited passwords are a common form of compromise. These compromises can occur in one of two ways: brute force or through a keylogger on a local computer.
Brute force compromise
In a brute force compromise, an attacker uses automated software to generate many consecutive guesses at your password through trial and error. While our servers have specific amounts of brute force protection enabled, we suggest creating a complex password made up of at least three of the four major character types:
- Uppercase letters (A-Z)
- Lowercase letters (a-z)
- Numbers (0-9)
- Special characters (-_.,!@#$%^&*)
When updating passwords, we recommend against reusing previously used passwords. Once a password has been compromised, it will remain that way indefinitely. If you revert to a compromised password, the account is likely to be compromised again.
Computer viruses and keyloggers
Another form of password compromise occurs when passwords are stolen using computer viruses and keyloggers. This kind of malware sniffs out passwords used and stored by FTP and other programs or records keystrokes on a local machine. To protect against this attack, full virus and malware scans should be run regularly on all computers that access your HostGator account to ensure that they are clean. We recommend using this Malware Removal Guide to check for and remove malware from your computer.
Depending on your operating system, there are plenty of options regarding computer virus scanning. Please see the list below for some options that are available to you.
Windows
Mac
Linux
Update scripts and CMS installations
Most account compromises are caused when cyber attackers find and exploit vulnerabilities in applications installed on an account. To avoid these types of attacks, ensure that all CMS installations and related themes, plugins, and other addons are kept up-to-date. Most CMS software allows you to update from within the administration panel. Check out these resources if you need further assistance:
- Updating WordPress
- Joomla! Docs: Planning Migration - Joomla 1.5 to 4
- Drupal: Upgrading from Previous Versions
- phpBB: Installation
Make regular backups
Be sure to make regular backups of your account in case there is a compromise. While HostGator does make weekly backups for Shared, Reseller, and VPS accounts as stated in our Backup Policy, we can also restore a backup that you provide yourself when you contact our support team via phone or chat.
Additional preventive steps
Use secure connections whenever possible to connect to your account. See more information on this through the links and steps below:
- Ensure all files on Linux hosting accounts are set to 644 and all directories are set to 755. See How to Change Permissions (chmod) of a File for more information. You should utilize read and write-only permissions on Windows accounts as often as possible.
- Remove scripts and databases which are no longer in use. This will help eliminate the possibility of unused and outdated scripts being compromised.
- Move configuration and other files containing passwords to a secure directory outside the public HTML folder to make them publicly inaccessible.
- Edit your php.ini file with the following lines:
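; Do not create global variables from request input (this directive was removed in PHP 5.4)
register_globals = Off
; Do not display PHP error messages to site visitors
display_errors = Off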
- Secure FTP, SFTP, and FTPS
- Secure cPanel Login
- Do NOT connect to your account through any proxy sites.
- Use secure email connections when sending sensitive data. See POP3 or IMAP with SSL.
- Avoid connecting to your account on public or open Wi-Fi networks.
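The 644 (files) and 755 (directories) baseline from the list above can be checked from a shell on a Linux hosting account. This is an added example, not HostGator's own tooling; the function names audit_perms and tighten_perms and the default web root $HOME/public_html are assumptions.

```shell
#!/bin/sh
# Added example (not HostGator code). Function names and the default web root
# ($HOME/public_html) are assumptions; pass your own path as the first argument.

# Print "<mode> <path>" for every regular file with an rwx bit outside 644
# and every directory with an rwx bit outside 755.
audit_perms() {
    root=${1:-"$HOME/public_html"}
    {
        # Files: owner execute, group write/execute, other write/execute.
        find "$root" -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
            -o -perm -0002 -o -perm -0001 \) -print
        # Directories: group write or other write.
        find "$root" -type d \( -perm -0020 -o -perm -0002 \) -print
    } | while IFS= read -r path; do
        # The first ten characters of "ls -ld" are the type and permission string.
        mode=$(ls -ld "$path" | cut -c1-10)
        printf '%s %s\n' "$mode" "$path"
    done
}

# Remove group and other write access from files and directories.
# Execute bits are left alone so that each flagged script can be reviewed
# by hand before it is changed.
tighten_perms() {
    root=${1:-"$HOME/public_html"}
    find "$root" \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0002 \) -exec chmod go-w {} +
}
```

Run audit_perms first and read the list; tighten_perms only clears group and world write bits, so files reported for an execute bit still appear afterwards.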
Take proactive measures to secure your site against cyberattacks with a website security plan from SiteLock.
Special offers
In addition to the steps outlined in this article, HostGator services can help you proactively secure your website against cyber threats and recover from a security breach.
SiteLock performs a website scan that will alert you when any file on your website is infected with malware. This comprehensive service scans your website files, surgically removing malicious files and suspicious content from legitimate files.
Check out our special offers page for additional information on products and services to help protect your data:
Was your site hacked? If you discover that your site has been compromised, please refer to the following articles for detailed instructions on what you should do next: