
Tips to Secure Web Hosting

Often when we talk of securing our web hosting, our minds are led to “Which host cannot be hacked?” But it goes beyond that; sometimes we need to secure ourselves beyond just the host. Things like: who signed up for the server? Which email was used? What name was used to register the domain?

Just before we look outside and start blaming web hosting service providers, we have to ensure that we personally take these tips to safeguard our service.

#TIP 1. Since this is your service, the first thing is to have all credentials pointing towards you. Credentials such as the usernames and emails that identify you to your web hosting provider should belong to you rather than to a third party. This makes it easy to recover your account.

#TIP 2. Enforce password complexity and 2-step verification. To make sure login is secure, you need to have 2FA enabled and a strong password. This protects your account from being easily breached by adversaries.

#TIP 3. Avoid using insecure/unsupported third-party apps. Web hosting service providers tend to offer you a multitude of app choices for your services, from building your website, to accessing emails, to manipulating your databases. Some of these apps tend to become obsolete or insecure as technology evolves. You therefore need to look for more secure applications.

#TIP 4. Update all apps or software used on your web host regularly. After making a good choice of what to use, make sure to update these tools regularly. Updates secure you with fixes for identified vulnerabilities, or simply keep you abreast of new technology that has been added to a tool.

#TIP 5. Use the most secure web hosting you can find. No matter the content you are hosting or the services you expect from a hosting provider, always look out for services that are ideal in the present digital age. We have put together a list of tips to consider when choosing your web hosting provider just below.

Here are a few tips to consider to make a choice of a good hosting provider.

#TIP 1. Ensure the server has a backup policy. Backups no longer apply just to information on your computer; you also need to know that there is a fallback for your online information in case anything happens. You can control many aspects of backing up your computer data, but for websites, it can often depend on your hosting provider. Fortunately, most web hosting providers do offer free backups, but there are variations on this theme. For example, some may require you to perform the backup procedure manually, while others may do it automatically and require you to contact their support team if you should need data restoration services. Ideally, look for a web hosting provider that carries out periodic automated backups and allows you to restore from them at any time on your own.

#TIP 2. Look out for servers with automated malware or antivirus scanning. On your own computer you may have an antivirus program that you are fully in control of; for websites, you depend on the hosting service provider to do this for you. It’s important to at least know they’re doing this and what level of information they can provide to you on potential problems. Some web hosts offer these services and let you see their reports and fixes or recommendations. At the very least, you need to be able to restore your site from a previous version that wasn’t infected.

#TIP 3. Consider servers with network monitoring, firewall and DDoS prevention systems. As websites are hosted in massive data centers, many of the controls here are automated. Choose hosts that have control and monitoring tools in place to keep an eye out for suspicious traffic or incidents. Firewalls are always our first line of defense against attacks from outside our systems, and you need to make sure you have one wherever you are hosting your website. Distributed Denial of Service (DDoS) attacks, meanwhile, can be a big blow, as the attacker floods your website with so much traffic that it is taken down completely from the site server. These are often mitigated by using a good Content Delivery Network (CDN) such as Cloudflare or a website firewall such as Sucuri. Fortunately, some hosting providers include this in their bundles, so look out for them!

#TIP 4. Secure File Transfer Protocol (SFTP). In circumstances where large files have to be uploaded to the website, it is more efficient to use FTP to do this. There is now SFTP, which is the secure version of FTP and helps keep your data safe during transfer. While most popular web hosts offer FTP services, only a handful of them seem to offer SFTP, so those are the ones you should look for. If you do not use FTP and don’t plan to, you could skip this tip, but we guarantee it is just as important as the rest.

#TIP 5. Spam filtering. You might be well aware of spam or junk mail. As annoying as these messages can be, they can also be a source of DDoS if you are suddenly flooded by such mail. If your host offers spam filtering, then the attack goes through its spam filters first, which would be a win for you. Keeping spam out will also help you save space in your mail folders. Most hosting providers have spam filters available, but some will require manual configuration. We’d suggest using those with automatic spam filters.

We hope these tips have been helpful to you. They are there to ensure that you have a smooth web service and don’t become a victim of the many hacks on the web. There are endless attacks on websites every day, and the best you can do is to have a secure web hosting service, as the internet is an overwhelming place for resources and everyone is trying their best to utilize it in both good and bad ways.


How SSL Works | Choose the Right Certificate Authority

How it Works?

Simply put, there are three main components in creating a connection:

  1. The Client – This is the computer that is requesting information.
  2. The Server – The computer which holds the information being requested by the Client.
  3. The Connection – The path along which data travels between the client and server.

Figure: HTTP vs HTTPS connection (Source: Sucuri)

To establish a secure connection with SSL, there are a few more terms you need to be aware of.

  • Certificate Signing Request (CSR) – This creates two keys on the server, one private and one public. The two keys work in tandem to help establish the secure connection.
  • Certificate Authority (CA) – This is an issuer of SSL certificates. Sort of like a security company that holds a database of trusted websites.

Once a connection is requested, the server will create the CSR. This action then sends data which includes the public key to the CA. The CA then creates a data structure which matches the private key.

The most critical part of the SSL Certificate is that it is digitally signed by the CA. This is vital because browsers only trust SSL Certificates signed by a very specific list of CAs such as VeriSign or DigiCert. The CAs on that list are stringently vetted and must comply with security and authentication standards set by the browsers.
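The flow described above (key pair and CSR on the server, signature by the CA, acceptance only when the issuer is trusted) can be reproduced locally with the openssl command-line tool. This is an added example, not part of the original article; the CA names, the host name www.example.test and the function names are constructed for illustration, and the throwaway CA stands in for a browser-trusted one.

```bash
# Added example: CSR -> CA signature -> trust check, using throwaway local CAs.
# All names (demo-root-ca, other-ca, www.example.test) are constructed.
set -eu
WORK=$(mktemp -d)

# Create a self-signed root CA named $1 (stands in for a CA on the trust list).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Server side: generate the key pair and the CSR. Only the CSR leaves the server.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
}

# The CSR carries the public key only, and it must match the server's private key.
csr_matches_key() {
  [ "$(openssl req -in "$WORK/server.csr" -noout -pubkey)" = \
    "$(openssl pkey -in "$WORK/server.key" -pubout)" ] &&
  ! grep -q "PRIVATE KEY" "$WORK/server.csr"
}

# CA side: sign the CSR with CA $1, producing the certificate.
sign_csr() {
  openssl x509 -req -in "$WORK/server.csr" -days 30 -CAcreateserial \
    -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -out "$WORK/server.pem" 2>/dev/null
}

# Client side: accept the certificate only if it chains to trusted CA $1.
trusted_by() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/server.pem" >/dev/null 2>&1
}

make_ca demo-root-ca
make_ca other-ca
make_csr
sign_csr demo-root-ca
csr_matches_key && echo "CSR holds the server's public key, no private key"
trusted_by demo-root-ca && echo "accepted: signed by the trusted CA"
trusted_by other-ca || echo "rejected: issuer is not on the trust list"
```

The private key never leaves `server.key`; the CA only ever sees the CSR, and a client that trusts a different CA rejects the same certificate.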

Types of SSL Certificates

Figure: Browsers identify SSL Certificates (an EV Certificate is shown) and activate the browser interface security enhancements.

Although all SSL certificates are designed for the same purpose, not all are equal. Think of it like buying a phone. All phones are basically designed to do the same thing, but there are different companies that manufacture them and produce many different models at varying price points.

To simplify matters, we break down the SSL Certificate types by level of trust.

1- Domain Validated (DV) Certificate 

Among SSL Certificates, the Domain Validated Certificate is the most basic and simply assures users that the site is safe. There is not much detail except for that simple fact and many security organizations do not recommend using Domain Validated Certificates for websites that deal in commercial transactions. The Domain Validated Certificate is the budget smartphone of the SSL world.

2- Organization Validated (OV) Certificate

Organization Validated Certificate holders are more stringently vetted by CAs than Domain Validated Certificate holders. In fact, the owners of these certificates are authenticated by dedicated staff who validate them against government-run business registries. OV Certificates contain information about the business holding them and are often used on commercial websites. They represent the midrange smartphones of the SSL world.

3- Extended Validation (EV) Certificate

Representing the highest level of trust in SSL rankings, EV Certificates are opted for by the best of the best and are extremely stringently vetted. By opting to use EV Certificates, these websites are buying deeply into consumer trust. These are the iPhone X of the SSL world.

Because SSL Certification has become so highly recommended today, many fraudulent websites have also taken to using SSL. After all, there is little visible difference between the websites, except for the green certification padlock. This is the key reason more reputable organizations are going for SSL Certificates that are more highly vetted.

Since any successful SSL connection causes the padlock icon to appear, users are not likely to be aware of whether the website owner has been validated or not. As a result, fraudsters (including phishing websites) have started to use SSL to add perceived credibility to their websites. – Wikipedia.

How to Choose the Right Certificate Authority

Certificate Authorities are like private security companies. They are the ones who issue digital certificates that facilitate the SSL establishment process. They also belong to a limited list of businesses that meet detailed criteria to maintain their place on that list. CAs who maintain their place on that list can issue SSL Certificates, so the list is exclusive.

The process is not quite as simple as it sounds, since before a certificate can be issued, the CA must check the identity of the website applying for it. The level of detail in those checks depends on what type of SSL Certificate is being applied for.

The best CA is one who has been in the business for some time and follows best practices in business, not only for itself but also for any partners associated with the business. Ideally, they should also be able to demonstrate proven expertise in the field.

Look for a CA that stays up to date with current standards, is actively involved in the security industry and has as many resources as possible to support its customers.

A good CA would also:

  • Have reasonably short validation times
  • Be easily accessible to its customers
  • Have great support