Introduction
This article explains how to secure your shared hosting.
Sending mail
To ensure that mail for your domain can only be sent from your hosting, check that your DNS zone contains an SPF record.
If none is present, you can follow this article to create one: https://en-wiki.ikoula.com/en/What_is_SPF%3F
If a mail is sent using your domain name from a server that the SPF record does not authorize, it will be treated as spam and blocked.
For your information, you can manage your DNS zone as explained here: https://en-wiki.ikoula.com/en/How_to_administer_my_since_my_PLESK_DNS_zone
Password
Use complex passwords for your mailbox, your FTP access, your Ikoula account, your WordPress interface and your database.
You can use this website to generate your passwords: https://www.lastpass.com/fr/features/password-generator.
- To change your FTP password, use the FTP access management in the Plesk interface: https://en-wiki.ikoula.com/en/Access_to_the_management_of_my_FTP_accounts_(PLESK)
- To change your mailbox password, use the mailbox management in the Plesk interface: https://en-wiki.ikoula.com/en/Access_to_the_Mail_management_(PLESK)
- To change your Ikoula account password, proceed as described here: https://en-wiki.ikoula.com/en/How_to_change_password
- To change your database user password, do it from your Plesk interface.
Keep your CMS Updated
If you are using a CMS, we recommend that you keep it updated, since most hacks exploit known vulnerabilities.
You can check these websites, which list the known vulnerabilities:
- Wordpress : https://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/
- Joomla : https://www.cvedetails.com/vulnerability-list/vendor_id-3496/product_id-16499/Joomla-Joomla-.html
- Prestashop : https://www.cvedetails.com/vulnerability-list/vendor_id-8950/Prestashop.html
Those vulnerabilities are generally fixed in the updates.
Here are links explaining how to update some CMS:
- For WordPress : https://wordpress.org/support/article/updating-wordpress/
- For Joomla : https://docs.joomla.org/J3.x:Updating_from_an_existing_version
- For Prestashop : https://addons.prestashop.com/en/data-migration-backup/5496-1-click-upgrade.html
Plugins/Themes
Use trusted plugins/themes; we invite you to obtain them from the official websites. For example, for WordPress: https://en-gb.wordpress.org/themes/ , https://en-gb.wordpress.org/plugins/
Don't forget to update them.
Also, check the rating/reviews of a plugin to see whether other users have reported problems with it.
Malware analysis
You can launch a scan of your website to detect existing malware via online tools such as: https://sitecheck.sucuri.net/
Sending mail with an unauthorized script
If a mail is sent by a script, you can identify it in the mail headers (https://en-wiki.ikoula.com/en/Recover_my_mail_headers) with the field X-PHP-Originating-Script: nomduscript.php (the name of the script); you can then rename or delete that script so it won't execute again.
Example of a mail sent by a script:
Return-Path: <sitename@server.example.com>
Received: from [x.x.x.x] by example.com (MTA v5/:PGFiZWxsZW5AbWFuYWdlZHNoYXJlZDIuYXJyb3dxdWljay5uZXQ_) with SMTP id <20130717204350103198600015> for <example@example.com>; Wed, 17 Jul 2013 20:43:50 -0500 (CDT) (envelope-from sitename@server.example.com, notifiable emailhost server.example.com)
Received: by server.example.com (Postfix, from userid 1040) id 888C414E32F; Wed, 17 Jul 2013 20:27:09 -0500 (CDT)
To: example@example.com
Subject: Order Detail
X-PHP-Originating-Script: 1040:kka3f2.php
From: "First-Class Mail Service" <test@example.com>
Reply-To: "First-Class Mail Service" <test@example.com>
Mime-Version: 1.0
Content-Type: multipart/alternative;boundary="----------137411082951E7446D85129"
Message-Id: <20130718012709.888C44414E32F@server.example.com>
Date: Wed, 17 Jul 2013 20:27:09 -0500 (CDT)
In that case, we will delete or rename *kka3f2.php* to stop it from being executed.
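As an added example (not part of the Ikoula article), this Python snippet pulls the X-PHP-Originating-Script value out of a raw message and then lists the files under a document root that carry that script name, so you know exactly which file to rename or delete. The sample headers are constructed from the example above, and the document root path is an assumption.

```python
import email
import os
import re
from email import policy

# Constructed sample modelled on the header example above; not a real message.
SAMPLE_HEADERS = """\
Return-Path: <sitename@server.example.com>
Received: by server.example.com (Postfix, from userid 1040) id 888C414E32F;
\tWed, 17 Jul 2013 20:27:09 -0500 (CDT)
To: example@example.com
Subject: Order Detail
X-PHP-Originating-Script: 1040:kka3f2.php
From: "First-Class Mail Service" <test@example.com>
Date: Wed, 17 Jul 2013 20:27:09 -0500 (CDT)

"""

# PHP writes the header as "<uid>:<script>" when mail.add_x_header is on;
# the uid prefix is not always present, so it is optional here.
_SCRIPT_RE = re.compile(r"^(?:(?P<uid>\d+):)?(?P<script>\S+)$")


def find_originating_script(raw_message):
    """Return (uid, script_name) from X-PHP-Originating-Script, or None."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    value = msg.get("X-PHP-Originating-Script")
    if value is None:
        return None
    match = _SCRIPT_RE.match(str(value).strip())
    if match is None:
        return None
    uid = int(match.group("uid")) if match.group("uid") else None
    return uid, match.group("script")


def locate_script(docroot, script_name):
    """List every file under docroot whose basename equals script_name.

    The header only carries the basename, so the same name may exist in
    several directories; review each hit before renaming or deleting it.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        if script_name in files:
            hits.append(os.path.join(dirpath, script_name))
    return sorted(hits)


if __name__ == "__main__":
    found = find_originating_script(SAMPLE_HEADERS)
    print("originating script:", found)  # (1040, 'kka3f2.php')
    if found:
        for path in locate_script(".", found[1]):  # "." stands in for httpdocs
            print("candidate file:", path)
```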
Securing your WordPress installation
For WordPress, you can secure your installation by following this article: https://fr-wiki.ikoula.com/fr/Comment_s%C3%A9curiser_et_maintenir_son_installation_Wordpress
Encrypt exchanges between client and server
Encrypt exchanges between client and server by installing an SSL certificate; you can use 'Let's Encrypt' on hosting with Plesk: https://en-wiki.ikoula.com/en/How_to_install_a_certificate_Let%27s_encrypt_since_my_access_Plesk%3F
This stops a third party from seeing what passes between the browser (client) and the server, so they cannot capture sensitive information.
We also offer SSL certificates here: https://www.ikoula.com/en/ssl-certificates
Permissions
It is not recommended to give the files on your hosting full permissions (777); by default we advise '755' or '705' permissions, like this (755):