Server Protection Security Measures
HostGator takes measures to secure our servers, which helps to prevent your account from being compromised. However, security breaches of your website and your personal account data caused by vulnerable passwords or vulnerabilities in the software you’ve installed cannot be prevented with general server security.
You can ensure the security of your account by becoming familiar with common types of security breaches. It is important to take proactive security measures and to prepare for recovery in case a compromise catches you by surprise.
- What Security Measures Does HostGator Provide?
- What Security Measures are My Responsibility?
- What Can I Do to be More Secure?
What Security Measures Does HostGator Provide?
HostGator is protected from DDoS attacks (UDP flood).
We have extensive custom firewall rules and large ModSecurity rule sets protecting our servers from a variety of forms of attack. If we do experience heavy flooding, we have our datacenter enable network-level flood protection. Our datacenters are all highly secure facilities with restricted access.
We also employ additional server security methods and precautions that are confidential.
What Security Measures are My Responsibility?
When you host your website on HostGator servers, you are responsible for:
- Password security
- Your account settings
- Keeping all installed website applications up-to-date
- Ensuring your site is malware free
- How your account is used
It is also your responsibility to ensure that the scripts and programs installed on your account are secure and that the permissions of directories are set properly regardless of installation method. We recommend you set permissions of directories to be as restrictive as possible, or at 755 on Linux hosting accounts.
HostGator performs regular audits to identify weak account passwords. If your password is determined to be weak, you will be notified and given time to update it. If you continue to use a weak password, your account can be suspended until you agree to use a more secure password. Strong passwords should include at minimum 8 characters, one capital letter, one lowercase letter, one number and a special character such as an “@” symbol. Passwords should also not contain dictionary words or usernames.
Here is a helpful video that explains your responsibilities as a website owner in securing your site against malware and vulnerabilities.
Being aware of these responsibilities is important, as an account that is found to be compromised may be disabled and/or terminated per our Terms of Service. Failure to clean your account after being notified by HostGator of an ongoing issue may result in having your account disabled.
What Can I Do to be More Secure?
HostGator recommends a number of actions and services which can help you maintain security on your website. The following security tips are offered in order to help our clients maintain site security and protect their accounts:
A common form of compromise is due to exploited passwords. These compromises can occur in one of two ways: a brute force compromise or through a keylogger on a local computer.
Brute Force Compromise
In a brute force compromise, an attacker will use automated software to generate a massive number of consecutive guesses to hack your password through trial and error. While our servers have certain amounts of brute force protection enabled, we suggest creating a complex password made up of at least three of the four major character types:
- Uppercase Letters (A-Z)
- Lowercase Letters (a-z)
- Numbers (0-9)
- Special characters (-_.,!@#$%^&*)
When updating passwords, we recommend against using previously used passwords. Once a password has been compromised, it will remain that way indefinitely. If a password is reverted, the account is likely to be compromised again.
Computer Viruses and Keyloggers
Another form of password compromise occurs when account passwords are stolen using computer viruses and keyloggers. This kind of malware sniffs out passwords used and stored by FTP and other programs or records keystrokes on a local machine. To protect against this attack, full virus and malware scans should be run regularly on all computers that access your HostGator account to ensure that they are clean. We recommend using this Malware Removal Guide to check for and remove malware from your computer.
Update Scripts and CMS Installations
Most account compromises are caused when cyberattackers find and exploit vulnerabilities in applications installed on an account. To avoid these types of attacks, make sure that all CMS installations and related themes, plugins and other add-ons are kept up-to-date. Most CMS software allows you to update from within the administration panel. Check out these resources if you need further assistance:
- WordPress Codex: Updating WordPress
- Joomla! Docs: Migrating from Joomla 1.5 to Joomla 2.5
- Drupal: Upgrading from Previous Versions
- phpBB: Automatic Update Package
Make Regular Backups
Be sure to make regular backups of your account in case there is a compromise. HostGator makes weekly backups for Shared, Reseller, and VPS accounts as stated in our Backup Policy, and we will also restore a backup that you provide yourself if you contact our support team via phone or Live Chat. For more details on how to create your own backups, please read:
Note: There may be a fee associated with requesting a backup, so it is important to maintain your own offsite backups of website files.
Additional Preventive Steps
Use secure connections whenever possible to connect to your account. See more information on this through the links and steps below:
- Make sure all file permissions on Linux hosting accounts are set for 644 and all directories are set for 755. See How to Change Permissions (chmod) of a File for more information. On Windows accounts, you should utilize read and write only permissions as often as possible.
- Remove scripts and databases which are no longer in use. This will help eliminate the possibility of unused and outdated scripts being compromised.
- Move configuration and other files containing passwords to a secure directory outside of the public HTML folder to make them publicly inaccessible.
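The permission baseline in the list above (files at 644, directories at 755) can be checked from a shell on a Linux hosting account. The script below is an added example, not HostGator's own tooling; the web root path passed to it (for instance ~/public_html) is an assumption about the account layout.

```sh
#!/bin/sh
# Added example: audit a web root against the 644 (files) / 755 (directories)
# baseline, then tighten what the audit finds. Pass your own web root path;
# ~/public_html is only an assumed example.

# Files carrying any bit beyond 644: an execute bit, group/other write,
# or setuid/setgid. A file at 600 or 640 is stricter and is not reported.
audit_files() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \
        -o -perm -0020 -o -perm -0002 -o -perm -4000 -o -perm -2000 \) -print
}

# Directories writable by group or other, i.e. looser than 755.
audit_dirs() {
    find "$1" -type d \( -perm -0020 -o -perm -0002 \) -print
}

# Remove only the excess bits, so a file already at 600 or a directory at 700
# is never loosened. Files that must stay executable (e.g. CGI scripts) need
# the execute bit restored by hand afterwards.
tighten() {
    find "$1" -type d -exec chmod go-w {} +
    find "$1" -type f -exec chmod a-x,go-w,u-s,g-s {} +
}

# Report only; tighten is never run automatically. Review the output first,
# then call tighten on the same path.
if [ "$#" -gt 0 ]; then
    echo "Files looser than 644:"
    audit_files "$1"
    echo "Directories looser than 755:"
    audit_dirs "$1"
fi
```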
Edit your php.ini file with the following lines:
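; register_globals was removed in PHP 5.4; this line only has an effect on older versions
register_globals = Off
; keep error details such as file paths and queries out of pages served to visitors
display_errors = Off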
Take proactive measures to secure your site against cyberattacks with a website security plan from SiteLock.
In addition to the steps outlined in this article, HostGator offers discounts on services that can help you proactively secure your website against cyberthreats and recover from a security breach. Check out our special offers page for additional information on products and services to help protect your data: