Author Archives: Kenny

About Kenny

Kenny is the owner of webhostpark and has been working in the hosting industry since 2006. We provide unbiased hosting reviews and release the latest promo news.

Best 6 Tips for Cloud Hosting Security

Cloud server hosting provides the best scalability and availability compared to any existing solution. However, security is always the biggest concern, and the industry has no guaranteed, highly efficient set of security rules. That keeps cloud security a hot topic. We have collected the following 6 tips, which are mentioned and highly recommended by most professionals. Act now and secure your cloud server.

Use a reputable service provider

This is the most important point and the one you should pay the most attention to. A quality service provider can save half our effort in securing the cloud environment. A reputable cloud hosting provider is always a leader in this technology and has contributed a lot to the industry's development. Companies like Rackspace actually define the service standards that are followed by many other providers. Because of their leadership, they can apply necessary changes at the earliest time.

Use a reliable server system

We must install a reliable server system to ensure performance and security. Everyone should avoid outdated server operating systems. Thanks to fast technical development, we have a variety of OS choices, but we definitely need the best one for a production server. Some operating systems are best for personal computers, not for servers. If we want the best server configuration, we might need commercial products like CloudLinux or Red Hat, because we receive dedicated support and guidance in using them.

Install only the software you must have

In a cloud environment, everything can be provisioned according to our real needs, and many services are provided as SaaS that we can use directly. But we must understand that the fewer services we add to the server, the fewer vulnerabilities we are exposed to. We cannot treat it like a personal computer, which doesn't have to be online 24/7. We only need to configure the services we need and keep the system as clean as possible.

Based on the configured services, we should close all unnecessary server ports to reduce potential risks. Many attacks start by scanning server ports, so it's crucial to close unused ports.

Keep the firewall on and up to date

Configure a reliable firewall service and ensure it's always on and up to date. No matter how well we have optimized the server, an effective firewall is a must as the frontline safeguard. Many attacks and unauthorized access attempts can be blocked directly with a proper firewall configuration.

Log everything and check regularly

Logs should always be saved. All software, service and system logs should be stored in a safe place. Because we can never tell what might go wrong, log analysis will tell us directly when a problem occurs. Especially when there is a security issue, we have to check the logs and find the weakness quickly. Remember to review the logs at regular intervals whether or not there is any issue. It's simply a good habit to follow our plans strictly.
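
A regular log check can be scripted. The following added example (not from the original article) reviews sshd authentication lines, flags addresses with repeated failed logins inside a short window, and reports any successful login that follows from a flagged address. The log lines are constructed, and the ISO 8601 timestamp format, the threshold of 5 and the 5 minute window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd lines with ISO 8601 timestamps (assumed syslog format).
SAMPLE_AUTH_LOG = """\
2024-03-03T02:14:01+00:00 web1 sshd[811]: Failed password for root from 198.51.100.23 port 40112 ssh2
2024-03-03T02:14:03+00:00 web1 sshd[811]: Failed password for invalid user admin from 198.51.100.23 port 40118 ssh2
2024-03-03T02:14:06+00:00 web1 sshd[812]: Failed password for invalid user test from 198.51.100.23 port 40125 ssh2
2024-03-03T02:14:09+00:00 web1 sshd[813]: Failed password for root from 198.51.100.23 port 40131 ssh2
2024-03-03T02:14:12+00:00 web1 sshd[814]: Failed password for root from 198.51.100.23 port 40140 ssh2
2024-03-03T02:14:15+00:00 web1 sshd[815]: Accepted password for root from 198.51.100.23 port 40147 ssh2
2024-03-03T08:30:00+00:00 web1 sshd[901]: Failed password for deploy from 203.0.113.10 port 51500 ssh2
2024-03-03T08:30:20+00:00 web1 sshd[902]: Accepted password for deploy from 203.0.113.10 port 51502 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def review_auth_log(text, threshold=5, window=timedelta(minutes=5)):
    """Return (flagged_ips, logins_after_flag) for a block of sshd log lines.

    An address is flagged once it has `threshold` failures inside `window`.
    A later successful login from a flagged address is reported separately,
    because it may mean a password was guessed.
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    logins_after_flag = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        stamp = datetime.fromisoformat(match["ts"])
        ip = match["ip"]
        failures = recent_failures[ip]
        # Drop failures that have aged out of the sliding window.
        while failures and stamp - failures[0] > window:
            failures.popleft()
        if match["result"] == "Failed":
            failures.append(stamp)
            if len(failures) >= threshold:
                flagged.add(ip)
        elif ip in flagged:
            logins_after_flag.append((ip, match["user"], match["ts"]))
    return sorted(flagged), logins_after_flag


if __name__ == "__main__":
    flagged_ips, logins = review_auth_log(SAMPLE_AUTH_LOG)
    print("repeated failures from:", flagged_ips)
    for ip, user, when in logins:
        print(f"login as {user} from flagged address {ip} at {when}")
```

The single mistyped password from the second address is not reported, while the successful root login after five failures is the line that needs investigation first.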

Use private cloud instead of public

Cloud hosting provides both choices: public cloud and private cloud. Public cloud follows the same logic as a shared server, where everything is stored on the same drive. Private cloud is separated from that environment like a VPS server, but definitely more powerful. In a private cloud environment you can set up your own LAN and firewall, just like a small data center where you have full control of everything. For those who run a group business with high security requirements, private cloud is the top recommendation.

Cloud server security is always a work in progress. Besides the 6 tactics above, you should always keep an eye on the industry and make the necessary improvements accordingly.

5 Tips to Secure your Shopping Cart Site

This shopping cart protection guide focuses on the most important points in securing a cart website. Some tips are reminders about regular operations that we can easily overlook. All of the tips below come from our several years of experience supporting various store websites. The sole purpose is to help build a secure cart site that you can trust in the long term. If you're running or planning to open a shopping cart, it's highly suggested that you follow these tips.

Use the right cart software

The software platform directly determines overall store security. Different cart software provides different support levels and support resources. We must choose the right one based on our cart site's requirements. If we don't program the shopping cart scripts on our own, the following should be considered when selecting among available solutions:

  • Customer experience. See what existing users say about the software so you get a brief understanding of its performance.
  • Ease of use. This simplifies the process of using and securing your store site.
  • Update frequency. The more frequent the updates, the more we should consider the software, because it implies the official team is very active on the project, so better security and performance can be expected.
  • Support resources. If there are not many support people or online resources for the software, we should avoid it, because if there is any problem in using the script we cannot fix it by ourselves.

Also, pay attention to the software's features. Some scripts are perfect for a big site but not suitable for a small cart. We must determine the proper one based on real needs.

Use the right payment gateway

The same rules apply as in selecting cart software. Since the payment gateway is a core function of an ecommerce website, a reliable and secure service should be considered for all sites. Basically, crappy solutions should be avoided no matter how good they claim to be. Instead, leading service providers such as 2Checkout or Authorize.Net should be used. If you don't have a busy flow of online transactions, PayPal is also a good choice for its simplicity.

SSL is a MUST

No matter what kind of product or service you sell on your website, SSL is a must. Whether you purchase your own certificate or use your hosting server's shared service, you must configure it, or else everything on your website is sent in plain text and hackers can easily obtain your store's private data.

Also pay attention to the SSL security level: 128 bit products have been declared insecure in industry announcements. For business store sites, we need to install at least a 256 bit certificate for guaranteed protection. Because all kinds of SSL services are still offered on the market, we must pay attention to this.

Protect the admin area

The store admin area should be protected by every tactic you can think of, because it gives direct access to all your website's properties. Technically, the following tactics are highly suggested.

  • Set a strong user name and password. This is the first place we should look: we should replace the default user "admin" with another name and configure a complex password for it.
  • Password protection. The admin area can easily be password protected via the hosting control panel. It simply adds another security layer to the store.
  • IP restriction. You can configure an IP whitelist/blacklist for access to the admin side. Many software packages have this function built in.

Use the right hosting service

The right shopping cart hosting is the best security guard for your store site. Hosting security refers to both server and network configuration. A secure hosting server must be set up with up-to-date hardware and software and fully optimized for business requirements. Antivirus and DDoS protection equipment must be set up at both the hardware and software level. Most important, the network and IP blocks must be spam free. This is an essential point because it lets us avoid lots of potential security risks.

Besides all of the above, the hosting service must be easy to use, so that we don't have to do a lot of research on the service itself. If our software is written in PHP with MySQL, a standard cPanel hosting service is suggested. If it uses SQL Server technologies, WebsitePanel and Plesk are good solutions.

8 Tips to Secure a Joomla Website

Joomla is the most popular CMS software; it is free to get and fully customizable. You can easily create a professional and fully functional website using this platform. However, because of its powerful and complex structure, setting up perfect security protection is a big challenge. To minimize the chance of getting hacked, we collected the following 8 tips to secure your Joomla site. Follow the instructions and configure your website.

Keep core/extensions up to date

This is the basic but most important requirement for all website software. Every new release contains lots of bug fixes for the previous edition, so check your site regularly and keep it updated to the most reliable release. How do you upgrade Joomla to a new version? Just log in to the Joomla administrator panel, and the new version notification will be shown under "quick links". Click "Update now" to proceed with the upgrade.

To update extensions, navigate to the extension manager, then click the "update" link in the left panel. It will show all available extensions. Select all, then click the "update" button at the top left to complete the update process.

Back up often

A backup is always your most reliable resource in case something goes wrong. A Joomla backup includes both the website files and the MySQL database. For the Joomla files, go to the hosting control panel's file manager, zip your Joomla website directory, then download it to your local computer. For the MySQL database, go to phpMyAdmin -> select your Joomla database -> select all tables -> click "export" to save the SQL file on your local computer.

Now you have successfully generated a full backup of your Joomla site.

Set strong login credentials

A strong login ID and password are always suggested. Beyond the password, we can also change the default user name "admin". To do this, log in to the Joomla admin panel, then go to the user manager. Click the edit link and provide the new user name and password you prefer. This greatly reduces the chance of being hacked.

For further protection, we can also password protect the "administrator" folder in the control panel, so users need to authenticate before they get the login form. For some crucial sites, the website admin even sets an IP restriction so that only people from specific IPs can access it. This can be done by uploading a .htaccess file to the administrator folder and putting the following in this file:

# Evaluate Deny rules first, then let the Allow line override them
Order Deny,Allow
Deny from all
Allow from 10.2.2.2

Just replace 10.2.2.2 with the exact IP address you want to allow.

Set proper file permissions

Proper file permissions will stop lots of potential hacking. Many people set 777 during setup and forget to change it back. That is a big security issue that we should avoid. According to the official Joomla recommendation, the following file permissions are suggested:

  • Joomla folders permission set to 755
  • Joomla files permission set to 644
  • configuration.php file permission set to 666

Joomla security extensions

There are lots of official and third-party extensions to tighten Joomla security. The following are highly suggested:

  • SH404SEF: Rewrites URLs to friendly ones and prevents URL exploits by hackers.
  • Akeeba Admin Tools: Automates the process of Joomla updates, maintenance and optimization.
  • jomDefender: A Joomla security guard with lots of configurable parameters.
  • jSecure: Similar to the above, with a whitelist/blacklist IP feature.

Manual installation

Lots of people today use a control panel auto installer for Joomla installation because it's simple and quick. However, we highly recommend the manual option, not just for the learning process but also for security. During installation we have lots of parameters to configure, especially the default database table prefix "jos_". It's used by every Joomla installation by default, which is absolutely not good for a secure site. Instead, we can change it easily during manual installation. By changing that, we can prevent most SQL injection attempts.

Hide version details

It's a good tactic to hide your website's version so hackers cannot determine which hacking attempts to use. We can now easily turn the version details on or off from the Joomla global configuration.

Log into the Joomla administrator dashboard -> click Global Configuration -> click Site -> click Yes / No beside "Show Joomla! Version" at the bottom -> click Save to apply your changes.

Use a secure hosting server

This is the most important part. The hosting server directly determines your Joomla site's security, no matter how you have configured things on the client end. The web server software, PHP variables, MySQL servers and so on are all critical to Joomla security. A secure Joomla hosting server must be set up to meet the script's demanding requirements. Server hardware and network must be housed in certified data center space. Based on Joomla experts' experience and official recommendation, InMotion Hosting is at the top of the best Joomla hosting provider list, not just because of their secure and blazing fast servers, but because their people are actually Joomla enthusiasts who appear at various Joomla events.

8 Web Hosting Lies You Should Know Of

This article unveils the web hosting lies that are promoted by lots of providers. It covers both hosting features and the actual experience of using the service. We would rather not mention exact company names, but we did experience these with multiple providers. We post our experience here just to provide a reference for our readers in case you're evaluating a service plan. Honesty is a virtue in all business, but it does not always apply in this fully competitive market.

We Guarantee 99.99% uptime

The biggest lie of all. Have you ever calculated the exact downtime for this guarantee? Less than 3 hours. How much per day? Almost none! Such a guarantee requires a very powerful server and data center configuration. On the hosting company's end, there's no explanation for any possible case such as regular daily maintenance or a network outage. But once a problem occurs, they will give various excuses such as backup operations or urgent maintenance. Why can they offer such a brave guarantee? Because they know how good we are and that we won't blame them for small issues. Once there's a really serious problem, such a guarantee is nothing but words.

Any time money back guarantee

More and more hosting services support an any time money back guarantee to make people believe their money is safe with them. But it's actually worse than a full money back guarantee for a specific period. The term "any time" simply tells us we can close the account and then claim a pro-rated refund. At almost every company, people will be charged for a minimum of one month. But with a 30 or 60 day full money back service, we lose nothing if we want to leave within this period. Don't be confused by the marketing trick.

Unlimited hosting

Another lie. Not to mention that everything has a limit, it's a joke to offer unlimited service for server hosting. Firstly, nobody really needs unlimited anything. Secondly, everything is actually limited by the server admin. Some essential resources like CPU/RAM usage are strictly limited per account. Once you reach the limit, you will receive a warning notice asking you to delete something.

Another trick with unlimited services is the fuzzy explanation. We worked with a popular hosting service that provides "unlimited domains to site". They actually support up to 5 sites per account, and when we needed to add more, a billing notice popped up. After we contacted support, they explained it means "point unlimited domains to existing website". Why should I point unlimited domains to an existing site?

Free domain

A free domain is not free! It's not a joke but the truth. Normally, a hosting company will provide a free domain for one year, but when it's due for renewal, the price will be higher compared to a certified domain registrar's service. For example, the regular registration fee is around $10/yr from GoDaddy, but when we renew through the hosting provider, the price is always higher than that. Another problem is that many hosting providers do not tell you where the domain was registered, so if you want to transfer out, they might not cooperate at all and simply tell you to contact the registrar directly.

We're cheap

Is cheap hosting service really cheap? Not really. Many cheap hosting services try to sell you add-on products after account setup. Services like scheduled backup, SSL and security scans are not cheap at all. They not only want to profit by selling those products but also want to tie your business to them so you renew year after year. Because we have purchased those products in the hosting account, we may not wish to reconfigure everything again with another provider. Also, many cheap services will be renewed at the expensive "regular price".

We're working on your ticket

When your hosting support tells you somebody is working on your ticket, the technician in charge might be sleeping instead of fixing problems. Normally, when a ticket is created, it is automatically assigned to the appropriate technicians and queued in their schedules. Because technicians have lots of tickets to work on, we can't expect an instant response like in live communication. Live support can only view the ticket status and cannot be sure somebody is really working on it unless they contact that technician. However, most of the time live support just wants to end the conversation as fast as possible, so they will not contact the technician.

Multi-country service

Do you need hosting in different countries? It might be a great idea if the hosting company provides server service in multiple countries. But keep in mind that not many groups can really do that, since it's a costly setup. Lots of hosting services set up support branches overseas but don't manage servers in that country. If you really need service from a specific area, search for a local service provider directly.

We never keep customer data

There's no way to verify whether our data is copied anywhere, because we don't have access to their systems. Especially for account backups, even the hosting company itself cannot tell how they are stored. There are no government policies or laws to guide how server companies should handle that data, so everything actually runs on human virtue. Because we cannot verify this, no guarantee can be trusted.

10 Tips in Using Hosting Service by Best Practice

It's easy to get your preferred hosting service nowadays because of the number of providers. However, not everybody uses it properly, even after using the service for many years. Based on our editorial experience, almost every hosting service is different from the others. We have put together the following 10 tips to help you manage a healthy hosting account. They are extremely helpful for hosting novices who are not so familiar with the business.

Pay by PayPal
It's highly suggested that you pay for your hosting service via PayPal instead of other solutions like a credit card. Why is that? Because if you find the hosting is not what you needed, you can request your money back easily. Especially when your hosting provider does not cooperate with the dispute, you can file a chargeback request directly from the PayPal center.

Disable auto renewal
Many hosting services have the auto renewal option turned on after account setup. It's not good for clients because not everybody will use the service for more than one year. The trick is that they charge us the "regular price" rather than the promotional one from the first sign-up. We might receive a very good price at sign-up but pay much more for renewal. The only way to save money is probably to renew for several years. Hence, it's suggested that you check whether your account is set to auto renew after account setup.

Free domain or not?
Yes, almost every hosting provider offers a free domain. Should you take it? We suggest not. Using the free domain option means your business is tied to the hosting company. Most hosting companies are actually domain resellers for certified registrars like GoDaddy, Enom etc. Thus, if you need to transfer out to another company, they cannot handle it efficiently, or sometimes even ignore your request. That's why we always suggest using domain and hosting from different providers to keep your properties in safe hands.

Dedicated IP or not?
Many providers highlight dedicated IP offers to attract visitors, especially since the old days when a dedicated IP was considered a great feature for SEO. But that advantage no longer exists today. Google has clarified this multiple times in official announcements. When do we need a dedicated IP? Mostly when we operate an online cart that needs SSL protection. SSL installation requires a dedicated IP address to proceed.

Evaluate add-on products carefully
It's easy to pick a cheap and good hosting service, but that's not the end. Many hosting providers, even leading brands, put advertisements in the hosting control panel. They either provide the advertised service directly or affiliate with third-party providers. They always give good reasons to convince people to register. Once you sign up for such a service, you may receive endless marketing emails.

Check account usage regularly
Every hosting service provides analysis tools for account usage such as disk and traffic. These help us understand how much we have used and how our website is performing. The traffic report will also show us unnatural visits such as hacking attempts, so we can apply the necessary security reinforcement.

About shared SSL
Shared SSL works the same as a dedicated one. However, keep in mind that the secure URL will be on the server address, not our actual domain, for example https://serverid.servername.com. It's always provided free, but it may not be the perfect choice if you're promoting a cart site. A dedicated SSL certificate keeps everything on your own site rather than someone else's.

About secure FTP
Secure FTP is highly suggested if you care a lot about account security. You just need to do the initial configuration, then everything will be transferred via a secure tunnel. Check with your hosting support whether they support secure FTP.

Pay attention to hosting announcements
Your hosting team will send out a newsletter every so often. It's not all marketing; sometimes they send out announcements of security fixes for popular website software. If you use such software, you should follow their guidance to upgrade its security. They also sometimes send out promotional offers for your account service that could save a lot, such as on renewal. If you keep an eye on these, you save money with their service.

Don't log in from a public computer
It's not recommended to log in to your hosting account from public computers because it will leave cookies. This applies especially to FTP: once a connection is configured in software like FileZilla, the connection details are kept, which is a big security issue. Unless you can clear out everything after use, never log in to your hosting service from public computers.

How to Secure Website Under Shared Hosting?

Shared hosting is the most popular choice for lots of people because of its ease of use, low cost and rich features. Compared to all other hosting solutions, it lets us put a website online in the least time. However, because the environment is shared with hundreds or even thousands of other websites, security must be a concern. We have reviewed the top tactics for website protection on a shared server, and hopefully our readers will benefit from them.

Unlike VPS or dedicated server service, there are many uncertain factors in the security setup. What we can do is apply as many rules as we can to ensure the best security for our websites.

Use a strong password

A strong password should be used for every online service. Whether for the hosting control panel or the website admin login, it's necessary to set a strong password and keep it in a safe place. You might also consider changing passwords periodically for best security. If you operate a business website, it's necessary to apply failed-login blocking so that people who try to log in with bad credentials are blocked.

Use secure website software

The website script is the core of security. Whether you programmed it yourself or use an existing CMS, you should evaluate its security seriously. More and more people use CMS software today, so it's crucial to use the right one. This involves two points: the software's overall performance and your familiarity with it. Because many packages are open source and everybody is able to view their source code, you must find a reliable solution. Leading packages like Joomla and Drupal are supported and tested by thousands of users, with frequent security fixes. They're highly recommended if you like to use such solutions. Less popular solutions should be avoided for business sites, since there are fewer support articles and you can't learn from other users' experience.

No matter what software you use, it's quite important to keep up with the latest software release. Vendors are always active in collecting customer feedback and doing their own testing to find security holes, then applying hot fixes. Once there are enough bug fixes and new feature requirements, they release a new version. Hence it's crucial to keep your website updated for the best security protection.

Disable database remote access

MySQL database remote access is disabled by default in cPanel. Webmasters often have to enable the connection for easy remote maintenance. But once you have finished the work, you should disable this feature again so nobody can easily hack into your data.

Scan your files regularly

This covers both file permissions and virus infections. Many security issues are caused by permission settings rather than by the website itself. By default, all permissions in the control panel are good enough because they are generated by optimized server settings. However, we sometimes need to change them. For example, some app installations require full 777 permissions to proceed, but once installed, we don't have to keep everything under such permissions, so we must remember to revert them.
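
Leftover 777 permissions, mentioned here and in the Joomla file permission tip earlier on this page, can be found with a short audit. This added example (not from the original article) walks a site directory, reports every entry that grants more than a 755 folder / 644 file baseline, and can strip the extra bits. The sample tree it builds in a temporary directory is constructed, and the function names are illustrative.

```python
import os
import stat
import tempfile


def audit_permissions(root, dir_mode=0o755, file_mode=0o644):
    """Report entries under root whose mode grants more than the baseline.

    Returns a sorted list of (relative_path, octal_mode, reason) tuples.
    Symbolic links are skipped: their own mode bits are not meaningful.
    """
    findings = []
    for current, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(current, name)
            info = os.lstat(path)
            if stat.S_ISLNK(info.st_mode):
                continue
            mode = stat.S_IMODE(info.st_mode)
            baseline = dir_mode if stat.S_ISDIR(info.st_mode) else file_mode
            extra = mode & ~baseline  # bits set beyond the baseline
            if not extra:
                continue
            reason = "world-writable" if extra & stat.S_IWOTH else "looser than baseline"
            findings.append((os.path.relpath(path, root), oct(mode)[2:], reason))
    return sorted(findings)


def tighten(root, findings, dir_mode=0o755, file_mode=0o644):
    """Remove the extra bits from each reported entry, keeping the rest of its mode."""
    for rel, _, _ in findings:
        path = os.path.join(root, rel)
        info = os.lstat(path)
        baseline = dir_mode if stat.S_ISDIR(info.st_mode) else file_mode
        os.chmod(path, stat.S_IMODE(info.st_mode) & baseline)


def build_sample_site(root):
    """Constructed sample: an upload folder and an installer left at 777."""
    layout = {"index.php": 0o644, "cache": 0o755, "images": 0o777,
              "images/logo.png": 0o644, "install.php": 0o777, "notes.txt": 0o664}
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." in os.path.basename(rel):  # names with an extension are files
            with open(path, "w") as handle:
                handle.write("sample\n")
        else:
            os.mkdir(path)
        os.chmod(path, mode)


def demo():
    """Audit the sample tree, tighten it, and audit again."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        before = audit_permissions(root)
        tighten(root, before)
        after = audit_permissions(root)
    return before, after


if __name__ == "__main__":
    report, remaining = demo()
    for rel, mode, reason in report:
        print(f"{mode} {rel}: {reason}")
    print("entries still too permissive after tightening:", len(remaining))
```

Run `audit_permissions` on its own first and review the report before calling `tighten`, since some applications do need a writable cache or upload folder.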

For other website vulnerabilities, we highly suggest using a reputable service like 6scan. Once the service is set up, 6scan will check your site frequently and give good reports on potential security issues. Best of all, it provides step-by-step fixes. We personally received multiple warnings from the 6scan service and applied several crucial fixes.

Use a good hosting provider

This is the most important part. No matter how you secure your website, if it's hosted on a bad server with bad support, all your efforts are worth nothing. A good web hosting service will save half your work in configuring a secure site. What is considered good hosting with regard to security?

  • Leading server/network setup. Server hardware and software should be up to date and installed in reputable data center space. It's best if the hosting company manages its own data centers.
  • Good selling policy. Not overselling avoids lots of potential issues, for both performance and security.
  • Ease of use. An easy-to-use service simplifies the process of securing the account and fixing potential issues.

By following the rules above, we may find that such a service is not cheap. Price and quality are always on the same level. If we need high performance and quality security protection, services costing a few bucks per year should never be considered. Instead, paying a little more will actually save a lot in hosting a healthy site.
