Southfield, Michigan, December 9, 2024 – MojoHost, a trusted provider…
Staying Safe Online
Every week brings more articles about the dangers that can be faced online and lots of advice about how to personally stay safe. Many of these articles overlook the importance of keeping your websites and systems safe. Sure, there are hundreds of companies that will sell you high-priced consulting on how to defend your systems against state-level attackers. However, a few simple tips and good habits will protect your sites and online presence against the vast majority of real attackers that affect webmasters and site operators.
What’s in a password
As with any kind of online service, the single most important thing you can do to protect your sites is to use good passwords with your hosting providers. It goes without saying that using a hard-to-guess password is essential. With a critical service like your hosting provider, it is also important to use a unique password: never share the same password between your hosting provider and any other service. If you have ever used the same password for multiple providers, you should check with “Have I Been Pwned”. It will show you whether your account may have been compromised in a data breach. Have I Been Pwned is a great, free service that aggregates the data contained in many data breaches, making it easy to determine whether a particular email address has appeared in one. If it has, you should change your hosting password (and all your other passwords!).
The second factor
Even with a strong and unique password, turning on two-factor authentication makes a lot of sense for your hosting accounts. Two-factor authentication requires a second piece of information, in addition to your password, before you are allowed to log in. So even if your password is somehow compromised, an attacker would also need physical access to your second factor. Fortunately, these days a cell phone provides an excellent second-factor device.
We strongly recommend that you use a second factor that is generated on your phone. It is better to use an Authenticator app than SMS messages. This is because an attacker can trick the phone company into granting them access to your phone number, allowing the attacker to receive your SMS messages. By contrast, defeating an Authenticator app would require physically stealing your phone, an impractical hurdle for an online attack.
It may seem that all of these extra layers of protection are overkill. Yet remember that your web hosting account is a very high-profile attack target. An attacker who manages to compromise your hosting account would be able to wreak a significant amount of havoc with your sites and data. At MojoHost, we also proactively reach out to our customers if we get a request that seems suspicious. We try to independently verify any major change or alteration that looks suspicious before implementing it. It is also a good idea to request a similar policy from any other providers you work with.
Time for spring cleaning
In addition to these protections on your infrastructure provider account, it is also important to be mindful of the internal tools that you and your tech team may install on your systems. For example, you may have installed a tool to collect performance data or analyze logs, to see trends or just to make managing your sites easier. There are many tools that every webmaster needs, but many of them have a much lower level of security than the software your visitors interact with. A large number of successful attacks start not with the public part of a website, but by compromising an internal control panel or tool. Such systems are rich pickings for attackers: they often have very broad access to your systems precisely so that they can perform complex and in-depth management tasks or data analysis.
At MojoHost we recommend that you keep a list of all of your management and analysis tools, and periodically ensure that they are up to date. We also recommend that you add extra security to each of these tools via a stronger, integrated login system for you and your staff. Some people say that you don’t need to secure these systems if their URLs are hard to guess: this is awful advice. Wide-scale online crawling has advanced to the point where automated bots and scanners can discover any URL, no matter how complicated. A hard-to-guess URL can certainly make your systems harder to attack, but it is no substitute for real security via a secure login.
At MojoHost, we’re happy to help set up good additional layers of security on your internal systems and tools. This ensures that your online services are defended in depth.
The wall, the Firewall
In addition to protecting your servers by securing your hosting account and preventing any backdoor access through internal systems, you should also consider using a service that scans all of your incoming requests for attacks and hides the IP addresses of your servers. Such systems, like MojoHost’s MojoShield product, are often called Web Application Firewalls (WAFs). A WAF takes the security benefits of a firewall and moves them to remote data centers all around the world, making sure that bad traffic is filtered long before it ever reaches your server.
A WAF like MojoShield can do all the sorts of things that a normal firewall can do, such as blocking IP addresses or allowing access to certain parts of your site only to trusted administrators. However, a WAF can also do a lot more.
With a distributed product like MojoShield, we are constantly learning from the attacks seen across our network. This ensures that your site is already protected from the newest attacks without your having to apply individual updates. In addition, the IP address of the WAF is the public address of your site as seen from the public internet, so only the WAF provider knows your server’s actual direct IP address and your server stays hidden. As a result, anyone who wants to launch a DDoS attack, or even just scan your server, has no idea which server to attack. Such protection significantly decreases the number of attacks that reach your server. Because all the hard work is done in the WAF, the load on your servers’ CPUs is reduced: your server only sees good traffic.
The wrap-up
Following the three simple steps of using good passwords, enabling two-factor authentication, and protecting your server via a WAF will result in a highly secure web hosting setup. Team MojoHost is always working hard to ensure that our customers’ sites are not just fast and reliable but also protected. So reach out to us; we’d be thrilled to chat about security (or anything else hosting-related). Staying safe: #ThatsGoodMojo.