- Joined
- Apr 11, 2017
- Messages
- 200
- Points
- 18
When you’re using shared hosting, security is always a top concern. You’re on a server with other websites, which means the risks are higher. But don't worry, with some custom tweaks to your firewall and access controls, you can lock down your shared hosting environment. Let’s get this done right!
1. Know Your Hosting Environment
Before making any changes, it’s important to understand the limitations of shared hosting. Unlike VPS or dedicated servers, you can’t directly control the entire server, but you can manage parts of it—specifically the firewall and access control for your site.
ModSecurity is a popular, open-source web application firewall (WAF) that works to block malicious activity at the application level. Many shared hosting environments have it installed, but it may need to be activated.
3. Use .htaccess for Extra Protection
On shared hosting, you can utilize .htaccess files to add an extra layer of protection. These files can control things like directory access, blocking malicious IPs, and even redirecting traffic.
Block specific IP addresses:
apache
Copy code
<Limit GET POST>
order allow,deny
deny from 192.168.1.1
allow from all
</Limit>
Disable directory listing:
apache
Copy code
Options -Indexes
Prevent hotlinking (to stop others from using your media):
4. Set Up Strong Access Control for SSH
If your shared host lets you access SSH (or a form of it like SFTP), you can implement tighter access controls.
This ensures that only users with the correct SSH key can log in, and it disables password-based logins.
5. Implement a Custom Web Application Firewall (WAF)
If you have access to a custom WAF, like Cloudflare or Sucuri, these can provide an extra layer of protection by blocking malicious traffic before it even hits your server.
6. Limit File Permissions and Ownership
On shared hosting, your files are generally publicly accessible. Tighten file permissions to ensure no one can mess with your core files.
Security vulnerabilities are often patched with software updates. Whether it’s WordPress, Joomla, or any other CMS, always stay on top of updates.
Even on shared hosting, you can usually access server logs. Monitor these for suspicious activity like multiple failed login attempts or unfamiliar IP addresses trying to access your site.
It’s not exactly "firewall" related, but if your website is hacked, a backup can save your skin.
1. Will this tutorial work on most shared hosting servers?
Yes, this tutorial is designed to work on most shared hosting environments, but there are a couple of things to keep in mind:
Yep! This is very accurate for 2024. Shared hosting hasn't changed drastically in terms of security, but a few important things have evolved:
If you’re serious about your website's security, absolutely. Here’s why:
1. Know Your Hosting Environment
Before making any changes, it’s important to understand the limitations of shared hosting. Unlike VPS or dedicated servers, you can’t directly control the entire server, but you can manage parts of it—specifically the firewall and access control for your site.
- Log in to your hosting control panel (cPanel, Plesk, or any similar interface).
- Check for available security tools. Many hosts provide basic firewalls or security features like ModSecurity or Cloudflare integration.
ModSecurity is a popular, open-source web application firewall (WAF) that works to block malicious activity at the application level. Many shared hosting environments have it installed, but it may need to be activated.
- Find the ModSecurity option in your control panel. It may be under “Security” or “Advanced Settings.”
- Turn it on. In most cases, it’s enabled by default, but it’s worth checking.
- Configure ModSecurity settings. Look for an option to customize or switch to a higher security level. Set it to "High" if you're aiming for more protection.
3. Use .htaccess for Extra Protection
On shared hosting, you can utilize .htaccess files to add an extra layer of protection. These files can control things like directory access, blocking malicious IPs, and even redirecting traffic.
- Create or edit the .htaccess file in the root directory of your website.
Block specific IP addresses:
apache
Copy code
<Limit GET POST>
order allow,deny
deny from 192.168.1.1
allow from all
</Limit>
Disable directory listing:
apache
Copy code
Options -Indexes
Prevent hotlinking (to stop others from using your media):
Make sure to customize the code to fit your needs. .htaccess is powerful but be careful not to lock yourself out of your site!RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]
4. Set Up Strong Access Control for SSH
If your shared host lets you access SSH (or a form of it like SFTP), you can implement tighter access controls.
- Disable root access. Root access should never be used directly. Create a user with restricted privileges.
- Use SSH keys instead of passwords. This adds an extra layer of security, making brute-force attacks useless.
- Limit SSH access to trusted IPs. If your host allows, restrict SSH login to specific IP addresses.
Code:
# Edit the /etc/ssh/sshd_config file
PermitRootLogin no
PasswordAuthentication no
AllowUsers user1 user2
5. Implement a Custom Web Application Firewall (WAF)
If you have access to a custom WAF, like Cloudflare or Sucuri, these can provide an extra layer of protection by blocking malicious traffic before it even hits your server.
- Sign up for Cloudflare (it has a free tier that’s perfect for small sites).
- Activate the Firewall in the Cloudflare dashboard.
- Set security levels. Adjust the "Security Level" to high, and enable "Under Attack" mode when you notice suspicious activity.
6. Limit File Permissions and Ownership
On shared hosting, your files are generally publicly accessible. Tighten file permissions to ensure no one can mess with your core files.
- Set file permissions correctly: Files should generally be set to 644, and directories to 755.
Code:
chmod 644 file.php
chmod 755 directory/
- Ensure file ownership is correct: Ownership should be set to your user account, not “nobody” or “www-data,” which can lead to privilege escalation.
Security vulnerabilities are often patched with software updates. Whether it’s WordPress, Joomla, or any other CMS, always stay on top of updates.
- Enable automatic updates if your CMS allows it.
- Update plugins and themes regularly. Don’t use outdated versions, especially ones with known security flaws.
Even on shared hosting, you can usually access server logs. Monitor these for suspicious activity like multiple failed login attempts or unfamiliar IP addresses trying to access your site.
- Check logs in your control panel or via FTP (usually under /logs or /var/log).
- Look for unusual login attempts, errors, or access to sensitive files like /wp-admin or /wp-config.php.
It’s not exactly "firewall" related, but if your website is hacked, a backup can save your skin.
- Set up regular backups. Use cPanel or a plugin like UpdraftPlus to back up your website regularly.
- Store backups offsite (like in Google Drive, Dropbox, or other cloud services).
1. Will this tutorial work on most shared hosting servers?
Yes, this tutorial is designed to work on most shared hosting environments, but there are a couple of things to keep in mind:
- cPanel/Plesk Compatibility: These are the most common control panels for shared hosting, and the tutorial assumes you have access to one of them. If your host uses a different panel, some steps might need tweaking, but the general concepts (firewalls, file permissions, SSH access, etc.) still apply.
- Access to Custom Configurations: Some shared hosts might limit certain features (like SSH access or ModSecurity settings). If that's the case, you might not be able to implement everything, but you can still focus on the firewall, .htaccess tweaks, and file permissions.
- Cloudflare and External WAFs: Cloudflare can work regardless of your hosting provider, and it's a great option for shared hosting sites. But you’ll need to ensure your host supports it, which almost all shared hosting providers do nowadays.
Yep! This is very accurate for 2024. Shared hosting hasn't changed drastically in terms of security, but a few important things have evolved:
- Increased use of WAFs (like Cloudflare): More hosts are offering integration with external WAFs, so it’s now easier than ever to set up a security layer outside of your host. Cloudflare also regularly updates its firewall rules, so it’s a great option for modern security.
- Stronger access controls: Hosting providers are moving toward more secure access control methods, including SSH key authentication and more granular user permissions. This makes using SSH and securing access even more relevant than before.
- HTTPS everywhere: SSL certificates are now standard, and most hosts offer them for free (thanks to services like Let’s Encrypt). So, it’s assumed that your site will be using HTTPS, which is important for security, especially if you’re following the .htaccess and firewall sections.
If you’re serious about your website's security, absolutely. Here’s why:
- Shared Hosting = Shared Risk: Since you’re on a server with other people’s websites, if one gets compromised, it could potentially affect yours, too. By securing your own space with firewalls and proper access controls, you reduce that risk significantly.
- Hack Prevention: The effort you put into securing your hosting will go a long way in preventing common attacks like SQL injection, XSS, and DDoS. It’s a matter of reducing the attack surface.
- Peace of Mind: Even if you're not handling sensitive data, knowing your site is more secure will give you peace of mind, and help your visitors feel safe browsing your site.
- It’s Free (Mostly): Most of these steps don’t require additional costs (aside from optional services like Cloudflare or external backups), so you’re essentially getting better security without the hefty price tag.