What are the basic server / security hardening steps one should do on Plesk panel servers?


Here is a suggested plan for the security of your server. Security is not a one-man job; it needs your (the customer's/client's) active participation and follow-up on all of the suggested points. Above all, make sure that you have downloaded all the required offsite backups of all of your data before performing any of the steps mentioned below:

To be done on the user's side by the client (for shared hosting / VPS / dedicated server / email hosting; all users)

- Make sure to scan all of your local PCs, laptops or other computers with any 2 leading antivirus products.
- Make sure you use no pirated operating system or software, as piracy is done by cyber criminals and may result in security flaws. When using a pirated OS or software you do not know in which file a key logger, trojan or other malware may be hidden with the supplied pirated software. So say BIG NO to piracy for security reasons.
- Make sure that you do not have two or more email IDs sharing the same password; if so, reset the passwords urgently, as each email ID shall have its own unique, strong password.
- Make sure you do not have any FTP account, email ID, database user or CMS admin user with an easy-to-crack password such as 123456, yourname123 or your date of birth.
- If you have developed your website in a CMS, then the CMS and all of its modules, themes and plugins need to have the latest patches or updates installed => that is something you need to take care of with the help of your developer.
- Do not store email / FTP passwords in the browser.
- Do not access FTP or webmail from any public PC or from insecure public places / networks.
- If a client has configured Outlook or any other email client on their desktop, they should periodically run a vulnerability scan on that desktop.
- Regarding CMS sites: most CMS websites get infected through third-party plugins and themes, so keep this in mind when choosing themes and plugins from third parties. Pick reputed ones and keep them up to date with the latest updates released by the CMS / plugin / theme developer.

For Linux Servers (for VPS / dedicated server clients only, with Plesk Panel on the server)
- Update the OS and Plesk to the latest version (except kernel upgrades on Linux, which require KVM console access for the tech; until KVM access is available, a kernel upgrade should only rarely be decided on).
- Turn off IPv6 to boost Linux server security.
- Disable directory listing on the web server.
- Disable the insecure PHP functions.
- Enable Plesk's protection against multiple failed logins (BFD, brute-force detection).
- Make the server keep 6 months of extended logs.
- Disable shell access for unknown users.
- Install RootKit Hunter.
- Allow only strong passwords in Plesk.
- Keep log retention at 6 months; related KB articles:
https://support.plesk.com/hc/en-us/articles/214527745-How-to-manage-log-rotation-for-a-domain-in-Plesk
https://support.plesk.com/hc/en-us/articles/214027349-How-to-change-log-rotation-settings-for-all-domains-at-once-
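As an added example (not code from the article or from Plesk), the following POSIX shell helpers audit two of the Linux items above: whether a php.ini actually disables the risky functions, and whether an Apache config still turns directory listing on. The php.ini and Apache config paths on a real Plesk server vary per PHP handler and are assumed, so the helpers take a file path and the script ends with constructed sample files.

```shell
#!/bin/sh
# Added audit helpers for two of the Linux items above (example code, not from the
# article or from Plesk). Each takes a file path, so it can be pointed at the real
# php.ini / Apache config (paths vary per PHP handler; assumed, check your server)
# or at the constructed sample files at the bottom.

# Functions that disable_functions should contain. Illustrative list, extend as needed.
REQUIRED_DISABLED="exec passthru shell_exec system proc_open popen"

# Print the names from REQUIRED_DISABLED that $1 does NOT disable; empty output = pass.
php_missing_disables() {
    ini="$1"
    # effective setting = last uncommented disable_functions line, value only, no spaces
    current=$(grep -E '^[[:space:]]*disable_functions[[:space:]]*=' "$ini" | tail -n 1 \
              | sed 's/^[^=]*=//; s/[[:space:]]//g')
    missing=""
    for fn in $REQUIRED_DISABLED; do
        case ",$current," in
            *",$fn,"*) ;;                        # already disabled
            *) missing="$missing $fn" ;;
        esac
    done
    printf '%s\n' "${missing# }"
}

# Exit 0 if an uncommented Options line in $1 turns directory listing on
# (bare or +Indexes, or All), 1 otherwise; "Options -Indexes" does not count.
apache_indexes_enabled() {
    grep -E '^[[:space:]]*Options[[:space:]]+([^#]*[[:space:]])?[+]?(Indexes|All)([[:space:]]|$)' \
        "$1" >/dev/null 2>&1
}

# Constructed sample files so the script runs stand-alone.
tmp=$(mktemp -d)
cat > "$tmp/php.ini" <<'EOF'
; sample php.ini: three functions disabled, three still missing
disable_functions = exec,passthru,shell_exec
EOF
cat > "$tmp/httpd.conf" <<'EOF'
<Directory "/var/www/vhosts">
    Options Indexes FollowSymLinks
</Directory>
EOF
echo "not disabled: $(php_missing_disables "$tmp/php.ini")"   # system proc_open popen
apache_indexes_enabled "$tmp/httpd.conf" && echo "directory listing is ON in $tmp/httpd.conf"
rm -rf "$tmp"
```

Run it against each PHP handler's php.ini and each vhost's Apache config in turn; empty output from the first helper and a non-zero exit from the second mean the item is already in place.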

For Windows Servers (for VPS / dedicated server clients only, with Plesk Panel on the server)
- Enable Windows Firewall.
- Apply all security updates to the server OS & Plesk.
- MailEnable security (disable open relay so that only SMTP-authenticated email is sent from the server; make the MailEnable hostname match the computer name in the server's system properties; allow spoofing for authenticated users only; set "send non-delivery receipts to sender only" to Yes; etc.).
- Change the password strength to Strong in the Plesk Tools & Settings area.
- Use the VirusTotal Website Check to check existing websites (a free VirusTotal extension is available in Plesk).
- Configure the FTP passive port range on the Windows server.
- Keep log retention at 6 months; related KB articles:
https://support.plesk.com/hc/en-us/articles/214527745-How-to-manage-log-rotation-for-a-domain-in-Plesk
https://support.plesk.com/hc/en-us/articles/214027349-How-to-change-log-rotation-settings-for-all-domains-at-once-

Kindly note that shared servers are managed by our techs, so any server-side concern is handled by our techs and does not require any user interaction. The Linux & Windows server steps noted above are only for those clients who have their VPS or dedicated server with us; if Plesk Panel is not installed, a reasonable fee needs to be paid for work on unmanaged servers. For control-panel-based VPS / dedicated servers we provide on-call support only, until the fully managed add-on is purchased. So if you have free on-call tech support with your VPS or dedicated server with us and have Plesk Panel or cPanel on it, you can contact our helpdesk team to perform the above steps for you as a one-time free service.

