
Website Security Guide For Shared Hosting Accounts - Webmasters - Nairaland


Website Security Guide For Shared Hosting Accounts by todhost(m): 4:34am On Aug 26, 2016
Source: https://www.todhost.com/blog/website-security-guide-for-shared-hosting-accounts.html

This post presumes your website is hosted on a shared web hosting account. A shared hosting service allows the web hosting company to set up multiple websites on one server, usually using a common IP address. We have recently had some complaints on forums about web hosts placing some restrictions on hosting accounts due mainly to complaints about websites creating load issues, spamming and malware issues.

These three have been the cardinal issues affecting all websites, irrespective of the hosting plan - shared, reseller, VPS, or dedicated servers. But some website account holders tend to blame their web hosts and will raise issues of website security when their websites are suspended either for running malware, for running high load, or for being exploited and automatically sending out spam mails.

There are ways to deal with all these. But let us first consider who should take the blame for website security.
Generally speaking, website security should be the responsibility of the website owner. It will, however, be a major responsibility for the server manager to protect against attacks like a Distributed Denial of Service (DDOS) attack and other server security issues. In any case, website owners should take responsibility to protect their sites. On a general note, most server managers also have an in-house DDOS security team and other security experts in-house, and most of the complaints we have received are related to particular websites and not a general problem affecting every server user.
What should you do to protect your website?

1. Maintain a regular and functional backup
This is advice that will continue to be repeated every day and every time. Backups are the last resort for everyone when all attempts to fix a website problem have failed. Most web hosts including Todhost provide an automated backup tool in cPanel. Such backups are stored in the home directory of the websites. We will advise that a copy of your backups be maintained on a local computer or an external saving device as a security measure. Make sure that the backup has been properly done and that the website is in a functional state before the backup commences.

2. Keep up with latest updates
The best way to avoid any breaches and exploitation on your website is to keep up with the latest website updates. It is good that most popularly used web design scripts like WordPress, Joomla, Magento and many others do notify their users about the latest updates. By updating, you can be sure that you are keeping up with the latest security advice and addressing the bug issues which could have been spotted in your current website version.

For more reading on Joomla update, check our post on A Guide on How to update a Joomla website manually

Also read: A General guide to Safe Website Updating

3. Address load related issues
Generally, a shortcut to address load issues is to enable the cache system on your website. The other thing will be to ensure that there is no exploitation of any plugin to generate rogue traffic, unnatural traffic which places heavy load on your website hosting server. Because every script used in website design is unique in some way, it is advisable to check up necessary documentation on how to enable the cache system and the best way to go about it. In Joomla for instance, we advise against the use of the progressive caching method on your website.

Also read: Which is the Most Effective Way to Secure a Website?

4. Guard against malware
Malware issues attract heavy penalties and most web hosts will terminate an account found to be running malware. It may occur without your notice, especially in cases of phishing websites and plugin vulnerabilities. This underscores the need to maintain regular updates to keep up with bug fixes by the script developers. There are third party scripts which can help detect malware infections and provide a guide to fixing them. We recommend Sucuri.
Also read: How to Fix The WordPress White Screen of Death

5. Avoid Spamming
Spamming is any form of sending unsolicited emails, usually of a business nature. We have found that some clients who are new to web hosting rely on this kind of massive mail sending to drive traffic and business. They will generate a mailing list from contact emails and use that to send mails about new services and promotional offers. These are no longer acceptable practices today. If you want to maintain a mailing list, you will have to do that from a double opt-in system like phplist. All emails will have to be verified by their owners for you to confirm their existence before they can receive your mails.
Sometimes, spamming is the result of exploitation. When this is reported, you can carefully detect a plugin or extension that could have been exploited on your website and remove it through an un-install process or by deleting it manually through the file manager in your website control panel.

6. Maintain a safe password policy
This is an issue that is taken lightly by most website owners. It is agreed that passwords are quite difficult to guess, even in their most simple form, and guessing a password correctly is mostly possible when there is a clue. However, with Brute Force Attacks, passwords like jonny@123 and 08037774560portharcourt are no longer safe or considered secure passwords. Passwords today should be at least 0 digits and combine capital and small letters as well as numbers and special characters.

This safe password policy should equally be applied to your client area access password. Your client area will be the place where you can easily manage your website including gaining direct access to your website files, emails, databases without having to remember any passwords.

It is also important to use different passwords for your emails, client area and cPanel control panel. Using a uniform password on all access points is not a good and safe practice.

Also read: Build Up Customer Confidence in Your Website with SSL

7. Protect your emails
Any website is as safe as the email attached to it. Usually, a password reset request will be sent through your email. It follows that if your email password is not safe, then a reset request can allow easy access to your website control panel. This will be a dangerous one as it will allow unhindered access to your account. So, maintain a strong password on your email just as you would maintain a strong password on your cPanel control panel.

8. Remember to change your passwords regularly
You need to review your passwords regularly and check to see that your current practice conforms with recommended length and complexity standards. As the attackers are getting better, you have to get smarter and step up the security standards as well.


9. Understand Your Website Script and settings
Every web development script is unique and requires some tweaks to operate optimally. For instance, the methods used to secure a WordPress website will not be the same methods used to secure a Ghost blogging platform or a Joomla website. The script you run will determine how you will implement your security guidelines. It is a worthwhile practice to carefully read available documentation on your website script so as to be properly guided on what to do to secure your website. Sometimes, experience teaches better and some users provide a better guide. Looking up independent posts outside official documentation will be a good idea to understand how others are approaching the security of websites.
Warning: It is not good to implement every recommendation. Always double check and be sure it is a safe and worthwhile practice before you implement on your website.

Do you have any recommendations or suggestions which could help strengthen and improve website security? Share it in the comment box.

Source: https://www.todhost.com/blog/website-security-guide-for-shared-hosting-accounts.html
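
Added example (not part of the original post or of Todhost's tooling): one way to act on point 1 by checking that a downloaded backup archive is intact and contains a file you expect, then recording a checksum so later corruption of the local copy is detectable. It assumes a gzip-compressed tar archive and GNU `sha256sum`; the file names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: verify a local copy of a site backup before relying on it.
# File names used with these functions are hypothetical.

# verify_backup ARCHIVE [REQUIRED_PATH]
# 0 = usable; 1 = missing/empty; 2 = gzip damaged; 3 = tar damaged;
# 4 = no entries; 5 = REQUIRED_PATH not in the archive.
verify_backup() {
    vb_archive=$1
    vb_required=${2:-}
    [ -s "$vb_archive" ] || { echo "missing or empty: $vb_archive" >&2; return 1; }
    # A truncated download fails here even if its size looks plausible.
    gzip -t "$vb_archive" 2>/dev/null || { echo "gzip stream damaged" >&2; return 2; }
    vb_listing=$(tar -tzf "$vb_archive" 2>/dev/null) ||
        { echo "tar structure damaged" >&2; return 3; }
    [ -n "$vb_listing" ] || { echo "archive has no entries" >&2; return 4; }
    if [ -n "$vb_required" ]; then
        # Exact, literal match on one member path of the archive.
        printf '%s\n' "$vb_listing" | grep -qxF -- "$vb_required" ||
            { echo "not in backup: $vb_required" >&2; return 5; }
    fi
    return 0
}

# record_checksum ARCHIVE: write ARCHIVE.sha256 beside the local copy.
record_checksum() {
    ( cd "$(dirname "$1")" && sha256sum "$(basename "$1")" > "$(basename "$1").sha256" )
}

# check_checksum ARCHIVE: non-zero if the copy changed since recording.
check_checksum() {
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null 2>&1 )
}

# Stand-alone use: ./verify_backup.sh backup.tar.gz public_html/index.php
if [ "$#" -gt 0 ]; then
    verify_backup "$@" && record_checksum "$1" && echo "backup OK, checksum recorded"
fi
```

A passing check only shows the archive is readable and complete; restoring it to a test location is still the way to confirm the site itself was in a working state when the backup was taken.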
