Securing Shared Hosting with Custom Firewalls and Access Controls

• Log in to your hosting control panel (cPanel, Plesk, or any similar interface).
• Check for available security tools. Many hosts provide basic firewalls or security features like ModSecurity or Cloudflare integration.

• Find the ModSecurity option in your control panel. It may be under “Security” or “Advanced Settings.”
• Turn it on. In most cases, it’s enabled by default, but it’s worth checking.
• Configure ModSecurity settings. Look for an option to customize or switch to a higher security level. Set it to "High" if you're aiming for more protection.

• Create or edit the .htaccess file in the root directory of your website.

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://yourdomain.com/ [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]

Click to expand...

• Disable root access. Root access should never be used directly. Create a user with restricted privileges.
• Use SSH keys instead of passwords. This adds an extra layer of security, making brute-force attacks useless.
• Limit SSH access to trusted IPs. If your host allows, restrict SSH login to specific IP addresses.

# Edit the /etc/ssh/sshd_config file
PermitRootLogin no
PasswordAuthentication no
AllowUsers user1 user2

• Sign up for Cloudflare (it has a free tier that’s perfect for small sites).
• Activate the Firewall in the Cloudflare dashboard.
• Set security levels. Adjust the "Security Level" to high, and enable "Under Attack" mode when you notice suspicious activity.

• Set file permissions correctly: Files should generally be set to 644, and directories to 755.

chmod 644 file.php
chmod 755 directory/

• Ensure file ownership is correct: Ownership should be set to your user account, not “nobody” or “www-data,” which can lead to privilege escalation.

• Enable automatic updates if your CMS allows it.
• Update plugins and themes regularly. Don’t use outdated versions, especially ones with known security flaws.

• Check logs in your control panel or via FTP (usually under /logs or /var/log).
• Look for unusual login attempts, errors, or access to sensitive files like /wp-admin or /wp-config.php.

• Set up regular backups. Use cPanel or a plugin like UpdraftPlus to back up your website regularly.
• Store backups offsite (like in Google Drive, Dropbox, or other cloud services).

• cPanel/Plesk Compatibility: These are the most common control panels for shared hosting, and the tutorial assumes you have access to one of them. If your host uses a different panel, some steps might need tweaking, but the general concepts (firewalls, file permissions, SSH access, etc.) still apply.
• Access to Custom Configurations: Some shared hosts might limit certain features (like SSH access or ModSecurity settings). If that's the case, you might not be able to implement everything, but you can still focus on the firewall, .htaccess tweaks, and file permissions.
• Cloudflare and External WAFs: Cloudflare can work regardless of your hosting provider, and it's a great option for shared hosting sites. But you’ll need to ensure your host supports it, which almost all shared hosting providers do nowadays.

• Increased use of WAFs (like Cloudflare): More hosts are offering integration with external WAFs, so it’s now easier than ever to set up a security layer outside of your host. Cloudflare also regularly updates its firewall rules, so it’s a great option for modern security.
• Stronger access controls: Hosting providers are moving toward more secure access control methods, including SSH key authentication and more granular user permissions. This makes using SSH and securing access even more relevant than before.
• HTTPS everywhere: SSL certificates are now standard, and most hosts offer them for free (thanks to services like Let’s Encrypt). So, it’s assumed that your site will be using HTTPS, which is important for security, especially if you’re following the .htaccess and firewall sections.

• Shared Hosting = Shared Risk: Since you’re on a server with other people’s websites, if one gets compromised, it could potentially affect yours, too. By securing your own space with firewalls and proper access controls, you reduce that risk significantly.
• Hack Prevention: The effort you put into securing your hosting will go a long way in preventing common attacks like SQL injection, XSS, and DDoS. It’s a matter of reducing the attack surface.
• Peace of Mind: Even if you're not handling sensitive data, knowing your site is more secure will give you peace of mind, and help your visitors feel safe browsing your site.
• It’s Free (Mostly): Most of these steps don’t require additional costs (aside from optional services like Cloudflare or external backups), so you’re essentially getting better security without the hefty price tag.