The cPanel security plugins you cannot live without

Shared hosting is rife with attempts to break into websites and exploit vulnerable code. In this article we look at the best cPanel security plugins that anyone running a shared cPanel web hosting server should be using to protect their hosting environment from these attacks.

The plugins we recommend below are a mixture of free and paid-for plugins, either with subscription models or once-off fees. Our team has used these plugins extensively over the years and evaluated other plugins which didn’t make this list. We believe each of them can contribute to a safer, more secure environment for your clients and your shared hosting business.

ConfigServer Security & Firewall

This is the ConfigServer team’s flagship free product and is perhaps the most essential security plugin for a shared cPanel server. It acts as a software firewall and login failure daemon for the entire cPanel server, with an exhaustive list of options to ensure that your server blocks malicious activity. It provides brute-force detection and automatic IP address banning for malicious behavior across a range of the server’s services.
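The sketch below is an added example, not ConfigServer’s code: it shows the general login-failure logic described above, counting failed SSH logins per source address inside a sliding time window and deciding when a ban would be applied. The threshold, window, allowlist, function names and log lines are all constructed assumptions, and the log is assumed to be in chronological order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Mar  3 10:00:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
Mar  3 10:00:04 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
Mar  3 10:00:09 web1 sshd[813]: Failed password for root from 203.0.113.7 port 40114 ssh2
Mar  3 10:00:10 web1 sshd[820]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Mar  3 10:00:12 web1 sshd[821]: Failed password for alice from 198.51.100.20 port 51001 ssh2
Mar  3 10:00:14 web1 sshd[822]: Failed password for alice from 198.51.100.20 port 51002 ssh2
Mar  3 10:00:15 web1 sshd[814]: Failed password for root from 203.0.113.7 port 40115 ssh2
Mar  3 10:01:00 web1 sshd[825]: Failed password for root from scanner.example.net port 40000 ssh2
Mar  3 10:05:00 web1 sshd[830]: Failed password for bob from 192.0.2.44 port 42000 ssh2
Mar  3 10:12:00 web1 sshd[831]: Failed password for bob from 192.0.2.44 port 42001 ssh2
Mar  3 10:19:00 web1 sshd[832]: Failed password for bob from 192.0.2.44 port 42002 ssh2
Mar  3 10:20:00 web1 sshd[840]: Accepted password for bob from 192.0.2.44 port 42003 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def parse_failures(lines, year):
    """Yield (timestamp, source) for every failed-password line."""
    for line in lines:
        m = FAILED.match(line)
        if m:
            stamp = " ".join(m.group(1).split())  # collapse the "Mar  3" padding
            # Syslog timestamps carry no year, so the caller supplies one.
            yield datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"), m.group(2)


def detect_bruteforce(lines, threshold=3, window=timedelta(minutes=5),
                      allowlist=("198.51.100.0/24",), year=2024):
    """Return {ip: time at which the ban would be applied}.

    threshold, window and allowlist are assumed values for illustration.
    """
    nets = [ip_network(n) for n in allowlist]
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    banned = {}
    for ts, src in parse_failures(lines, year):
        try:
            addr = ip_address(src)
        except ValueError:
            continue              # hostname instead of an IP literal: nothing to ban
        if src in banned or any(addr in n for n in nets):
            continue              # already blocked, or a trusted network
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            banned[src] = ts
    return banned


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when}")
```

The slow source 192.0.2.44 stays under the threshold because its failures fall outside the window, which is the trade-off to weigh when tuning these values on a shared server where many customers mistype passwords.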

One of the best features about this plugin is the ‘Check Server Security’ option once it is installed. This will provide a list of recommendations for settings that it believes should be changed which will minimise security risks across your base cPanel installation.

Cost: Free

ModSecurity

Having ModSecurity installed in a shared web hosting environment is great for protecting against all kinds of malicious activity in incoming HTTP / HTTPS requests. Although it can be a little advanced, the plugin allows some very advanced rules to be set up so that you can define triggers and rules at a very granular level. There is a treasure trove of rules available for this plugin around the web, especially when you are looking for a rule to block a specific activity affecting a particular brand of CMS, and these rules can also be really helpful in blocking things like XSS (Cross Site Scripting) attacks and SQL injections.

In addition to the single rules, there are whole rulesets developed for this plugin, such as the OWASP rules, and many SSL certificate security companies (such as Comodo and Trustwave) also publish rulesets for mod_security.

Cost: Free

CloudLinux with CageFS and LVE Limits

Although CloudLinux is a whole kernel replacement for a shared web hosting server rather than a plugin, its components act like plugins and provide many enhancements for shared web hosting providers. Some of the components found in CloudLinux are paramount to running a stable and secure shared cPanel web hosting environment.

CageFS

CageFS isolates each individual hosting account from the other hosting accounts on the machine. This provides a jailed environment which prevents an account (if compromised) from being able to find other accounts on the machine and compromise them. This is integral to ensuring that each of your shared hosting accounts is isolated.

LVE Limits

Enabling LVE Limits from within CloudLinux protects your servers, and the individual accounts on them, from a single account being able to consume all of the resources of the server. Up until the introduction of this technology, one site being attacked could easily crash an entire shared web hosting server. These limits allow enhanced stability and security regarding resource usage.

Cost: Starting at $14.00 USD / Month

ConfigServer eXploit Scanner

This is the second plugin from ConfigServer that makes this list. ConfigServer eXploit Scanner is the front-line defence against malicious code being uploaded to your server when a website is being exploited. Hooking into ModSecurity, it analyses files whilst they are being uploaded and can be set to auto-quarantine files that match its elaborate repository of exploit fingerprints.

If you choose to not quarantine, you can get email notifications when the service has detected a malicious file uploaded. The plugin also comes with the ability to scan entire accounts or the entire server when required and email you a detailed report of any suspicious or malicious files it detected from the result of a scan.

Cost: $60.00 USD / Once-off

Patchman

Patchman is the new kid on the block when it comes to cPanel security plugins. It works in a similar way to ConfigServer eXploit Scanner for malware scanning, but has the added ability to patch vulnerabilities in popular CMS releases, without having to update the core CMS, when it detects the version as vulnerable. This provides you with a handy GUI tool to evaluate the vulnerability of major CMS products on your server and provides a pro-active prevention method rather than a reactive way of increasing the security of the websites hosted on your shared hosting server.

Cost: €20.00 / Month

All of the above plugins combined make a great difference when it comes to securing your shared cPanel hosting machine and each serves a different purpose in ensuring that your environment is well protected.

The Top 10 ways to speed up your website

Suffering from a slow website? Getting frustrated over the tortoise pace sites? Perfect! We can guide you through speeding up your websites in no time. Moreover, most of these tweaks are free and just require a few configuration changes to undertake.

Find out the current loading speed of your website with WebPagetest or Google PageSpeed. It’s a great way to gauge the speed of your site for the average visitor and check again later once you have made some improvements.

A great first-step is to begin by looking at the infrastructure supporting your website. The technologies being used really make a big difference, especially if you are hosting in a dedicated server environment where you have the flexibility to choose how the web application stack is setup. Often we find people using under-resourced shared hosting packages that do not provide them with enough resources for the site to be fast. Hosting on a purpose-built dedicated server can be great help to your business, especially if you started with a cheap service and now have increased traffic.

Reduce server response time

Ideally, your website should have less than 200 milliseconds of ‘time to first byte’. This helps to make your web experience a better one. One of the best ways to achieve this is to use a front-end caching system. One of the most popular ones for larger websites is Varnish, which acts as a front-end cache and can be customised to only cache the objects on the front-end that are not individual-user specific.

Read more on how to improve server response time here.

Enable Gzip compression 

Gzip compression is one of the most important tools to have set up as part of your hosting, as it can save downloads of 1MB+ on each page load, dramatically increasing the speed at which your website can be received by an end-user. It is very effective, compressing the size of the HTTP assets being returned by up to 70% and reducing your response time.

There are a couple of ways to enable this and it all depends on the server environment you are using. If you are using a shared cPanel server, then you should be able to ask the host to enable it server-wide. Alternatively, there are many how-tos available on the internet which explain how to add this to a .htaccess file to enable it for your website.

Install a caching plugin

Every major CMS has a different method of caching its assets. By installing a caching plugin, the CMS will no longer get queried for data that is not unique (depending of course on how you set it up).

This means that pages without dynamically generated content do not rely on PHP and MySQL to generate them (presuming you are using these technologies). By bypassing these two services, the web server can instantly send through the required HTML to load the page and reduce the page load time drastically.

Optimise images

Images may not be the first place to look in order to gain additional speed out of your website, but they can definitely be a large factor in reducing the amount of data that needs to be transferred, which will always enhance page load speeds. By default, the majority of images are not created in a web-optimised state. There are many methods of converting all of your images using ‘loss-less’ conversion methods to get your image file sizes down at no cost to the end-user experience.

There are many tools and plugins you can use in order to perform loss-less compression on your website’s images. Some CMSs have plugins you can install that will retrospectively go through your website and perform this task for you. Alternatively, there are online image resize tools such as TinyPNG which you can use prior to uploading images to your CMS.

JPG is our recommended default as it is the smallest and fastest loading file type. Use PNG for images with text or a transparent background to optimise response time. We would also recommend cutting out the use of GIF images as they can slow down loading time.

Enable KeepAlive

KeepAlive is a setting that is set server-wide in the web server service itself. In a shared hosting environment this would be completed by the hosting provider themselves as unfortunately it cannot be enabled for an individual website. On a dedicated instance this option should be enabled on the web server. The vast majority of web server daemons support the use of KeepAlive.

KeepAlive keeps the TCP HTTP session alive when making requests rather than causing the client to have to reconnect to the server for each asset it requests. This will save minimal amounts of bandwidth and definitely speed things up by requiring fewer connections to the server and fewer TCP handshakes.

Minify resources / codes

At a basic level, minifying is the manual act of eliminating any additional spaces in your HTML, comments in your code, white spaces, indentation in your codes, etc. Each of these adds to your page size.

On a more advanced level you can use a ‘minification’ plugin developed for your CMS. This will remove all of the objects that are wasting space in your CSS, Javascript and HTML reducing the file size and creating a faster end-user experience.

Minify Cascading Style Sheets (CSS) and Javascript (JS) files

Browsers have a limit on the HTTP requests they can handle; when this limit is reached, other files wait to be loaded. By merging all CSS or JS files into a single file, the number of requests going to the server can be drastically reduced, which in turn can improve page response time. Again, the best way to achieve this is through a plugin for your CMS, as each CMS has different requirements on how to achieve this best.

Minimise redirects

A redirect adds an extra HTTP request which (especially when it is the main site) could add hundreds of milliseconds on to the initial page load. Try to only keep redirects which are really necessary. Another thing to avoid is referencing URLs that frequently redirect to other URLs.

Another key thing to do is to try and reduce the amount of domains that your content is served from.

Minimise HTTP requests

Up to 80% of a website’s load time can solely be the transfer time of downloading the assets on the webpage (like scripts, images, Flash etc). Each asset generates an additional HTTP request which, in turn, increases the time for a page to load.

A couple of additional tips to improve your web speed:

  • Reduce the number of elements on page, use only what is necessary.
  • Use CSS whenever possible
  • Combine multiple style sheets to one
  • Remember to keep your website as lean as possible.

Take care of your page size

Trying to keep a lid on the size of your pages is key to being able to have a fast and responsive website. Although many people find it attractive to fit as much content on to a page as possible, this can often have unseen consequences when it comes to your website’s ability to deliver a quick end-user experience. Keeping the overall size of each page load to a minimum is always going to assist you with this.

With the growing number of mobile users making up website visitors, page load time over slower networks is more important than ever. Loading a large website is never fun over a 3G connection and it is always good to be mindful that people on average do not like to wait more than 3 seconds for a page to load.

Conclusion

There are many factors to consider when making a webpage faster and sometimes it’s best to consult professionals who do this work for a living. Having a fast site may be the difference in being ranked higher on Google. Not just that, but people will be happy to visit your sites, conversion rates should increase and you will make more sales.

Best practices for updating WordPress websites

 

With the evolution of WordPress (WP), new features and updates are always available to account for web security and improve the WP experience. The latest versions of WP will always provide the best that it can offer in terms of security, bug fixes and new features.

The risk of losing data and information is perhaps the reason why users avoid updating their WordPress websites. However, it is also important to know that new updates/versions are always aimed at creating a better experience for users.

The first and most important thing to do before you update to a new feature or version is to back up your WordPress website. I can’t emphasise that enough, but ALWAYS remember to back up your site first. You don’t want to risk losing all your data and go through the trouble of restoring your old version if anything goes wrong.

Below are some practices to avoid some common errors with WordPress updates.

Backing up your WP Website

You can back up your WP installation by accessing your server with an FTP client and downloading the entire folder to your desktop. You could also trust your backups to premium backup plugins like BackupBuddy or WP-DBManager. Spending some money on a good backup is definitely worth more than going through the trouble of restoring your page in case of failed attempts.

There are also some web hosts who offer backup solutions for users. To make your life easier, you could check for backup solutions with your web host.

Avoid making an Upgrade on Live Install

It can be extremely taxing to recover a website after a failed update attempt, especially when you start receiving complaints that your customers can’t access the site.

To avoid failed updates, always attempt new versions/updates on a remote copy of the site first. Create a ‘play space’ where updates can afford to fail without any immediate effect on your web traffic.

Use Child Themes and Plugins

Avoid making changes directly to themes or core files as they can be overwritten when updated. Be sure to use child themes and plugins.

Check compatibility for your Plugins

Certain plugins play an important part in the functionality or design of a web page. You have to ensure that your plugins are compatible with the new versions before updating your WordPress. You can do so by checking compatibility here.

Now that you know the best practices for updating your WP website, remember to be mindful and do all your backups beforehand! These 4 guides are relatively easy to follow, and you will be surprised by how much they can boost your experience with WP. Here at Network Dynamics, backup solutions are available for clients; click here to find out more.

 

Choosing between shared hosting or a virtual dedicated server

In today’s modern society, having a website for your business can be quite simple and very affordable. A lot of the time however many businesses choose the wrong package for their online presence. It is quite cheap to obtain registration for a .com or a .com.au and find budget hosting for what is essentially the online store-front for your business. It pays however to be quite savvy when choosing the solution and understanding the technology and limitations you may face depending on the solution you choose.

There are many differences between web hosting solutions. Some of the key differences are in storage space, reliability, control, website and server speed and the technical knowledge required to drive the solution. This article will take you through the differences between Shared Hosting and Virtual Dedicated Servers.

Shared Hosting

To put it simply, Shared Hosting is like being in school and every student in the school has to share the available facilities with everyone. It’s the cheapest of website hosting solutions, but the quality between providers can differ greatly.

When purchasing shared web hosting, the hosting provider will be renting you resources on a physical or virtual server that they own and allow you to have an allocation of disk, memory, CPU, bandwidth and disk I/O to provide your web presence. The majority of web hosts these days use technologies such as Cloudlinux to ensure that the resources allocated to each account cannot be exceeded so as to impact on other users on the server. The majority of shared web hosting is provided with a control panel of some sort (usually cPanel, Plesk or a custom control panel the host has developed) with most common settings easily available so that the client is able to provide self-service within the environment.

Advantages

Price is often a factor when deciding which web hosting provider to choose. Shared Hosting is, as a general rule, cheaper than a Virtual Dedicated Server (VDS) and you don’t require a high level of technical knowledge to operate the service, as the base system administration is taken care of by the hosting provider. Shared hosting provides easy-to-use, web-based control panels for users to effortlessly configure their sites. The whole process makes it simple for users to upload their websites, create email accounts and add databases. It is nearly always the preferred method of hosting a smaller sized website.

Often the hosting provider will provide ‘one-click’ installations of popular CMS engines such as WordPress or Joomla as part of this control panel to further enhance the end-user experience of deploying a functional CMS.

Disadvantages

A lot of the time shared hosting can be a lucky dip. The vast majority of the time you will not be told the hardware specifics of the server you are being hosted on or the number of other accounts the hosting provider has on the same server. For providers who mainly compete on cost, this can lead to chronic overcrowding of accounts, leaving the server under a high load and consistently slow for end-users trying to access the sites hosted on the server.

Often shared hosting can be under-resourced for larger websites, especially those that have an E-Commerce focus. If the account is under-resourced for the website’s requirements, ‘508 – Resource Limit Reached’ errors can be generated, preventing your website from being viewable, sometimes when there are only two or three concurrent visitors. If your business ever does promotions that can drastically increase the number of concurrent visitors to your site (radio advertising, TV advertising) then again, shared webhosting is only going to cause you headaches.

Shared hosting also restricts clients from installing any non-standard applications on the server, which can prevent third-party integrations from being able to function. The server is serviced and secured in a way that suits most of the clients’ needs, but the majority of providers will not make exceptions to their build to allow for custom applications to be installed or run on their shared webhosting service.

Virtual Dedicated Server (VDS)

VDS hosting splits a physical server into virtual servers, each with its own physical resources and Operating System. This allows a web application, or multiple web applications, to be deployed on to the machine using the technologies of your choice in order to provide an optimized environment for the application to function in. Each Virtual Server will come with different physical resources allocated to it (Disk, vCPU, Memory, Bandwidth), and you will have fewer restrictions imposed on you when compared to shared webhosting.

As you can choose the Operating System on a Virtual Server, you can also choose whether you would like to host your application within a control panel environment or run it using a custom built ‘web stack’, the most common of these being LAMP (Linux, Apache, MySQL and PHP). Using a web stack can allow for a higher level of security on the server for your site but can often lead to misconfiguration for those who are new to the Linux CLI (Command Line Interface).

One of the biggest things to consider when it comes to running a Virtual Dedicated Server for your website or sites is who is going to look after the environment for you? Many virtual server providers will provide a managed solution and many providers will only provide unmanaged environments.

Advantages

The ability to configure the environment to suit your exact requirements is one of the biggest advantages to running your own Virtual Dedicated Server. With the use of the right server side daemons (technologies such as NginX, HHVM and Varnish) you can often get far greater performance and site speed than you ever could on a shared webhosting server.

An isolated environment means that there is no multi-tenancy on the machine and you can also make security enhancements over and above that of shared webhosting.

It is in the majority of cases a lot easier to scale a Virtual Server as you grow than it is to scale a shared webhosting account. If, all of a sudden, your business expands and the traffic to your website(s) experiences large growth, the majority of providers can provide additional dedicated resources to your machine making it able to handle more concurrent visitors than it could previously. This can often be very handy if your business is undergoing a marketing or advertising campaign and you need to scale up the resources for the duration of the campaign.

Disadvantages

Technical knowledge of running a web server is required to make proper use of your server and to ensure that systems administration tasks are being performed on a regular basis. This however can often be outsourced to the provider of the virtual server for a small monthly fee.

Ease of use can often be less when using a dedicated environment as shared webhosting providers often pack in a lot of software packages in to their shared hosting environments that require licensing for general use. This could be as much as a control panel or as little as a one-click installer or a security plugin.

Monitoring your own virtual server environment is a must as often the provider will not complete this for you. If your server crashes in the middle of the night who will be notified and resolve the problem for you? Again, most service providers are willing to provide this as an option for you as part of their management fee, or alternatively there are many third-party SaaS monitoring tools which can provide this for a small fee per month. We recommend clients use both.

Summary

Both Shared Webhosting and Virtual Dedicated Servers are great products and the technology surrounding them has improved drastically over the past decade. Shared hosting is a lot more stable than it was prior to the advent of Cloudlinux, and Virtualization technology has come a long way with the advent of ‘Cloud’ and a more mature competitive marketplace.

If you are choosing between the two options, one of the best things you can do is to ask a professional who deals with both environments on a regular basis for their input as to what you need and the advantages your business will get out of choosing the right solution and to research your provider thoroughly before committing to a solution.