Security recommendations
Essential security recommendations for your websites
We've compiled some essential security guidelines to help reduce the risk of malicious activity on your sites. Following these practices will help secure your data and ensure smooth site operations.
Use complex passwords to prevent brute force attacks
Ensure your passwords are at least 8 characters long, with a combination of uppercase and lowercase letters, numbers, and special characters. It’s important to:
- Use different passwords for each account (FASTPANEL users, FTP/SFTP accounts, mailboxes, site admin panels).
- Regularly change passwords to reduce the risk of them being compromised.
Host sites on separate FASTPANEL user accounts
Avoid hosting multiple sites under the same user account. If one site is compromised, it can impact all sites sharing that account. Hosting on separate accounts prevents malicious scripts from spreading across sites. This is especially important for agencies or users managing multiple clients’ websites.
Set up backups
Regular backups ensure you can quickly restore your site in case of failure or hacking. Here's why backups are essential:
- Restores your site after failed updates or security breaches.
- Prevents data loss during an emergency.
Follow this guide to set up automatic backups.
Implement captcha to prevent spam and brute force attacks
To reduce bot-driven spam and hacking attempts:
- Install captcha on all web forms (login, registration, comment sections).
- Check your CMS for built-in captcha plugins. Popular CMS platforms like WordPress and Joomla offer easy-to-use plugins like Google reCAPTCHA.
Captchas can drastically reduce spam submissions and password brute-force attacks, thus securing your site's integrity.
Keep your OS, CMS and plugins updated
Software vulnerabilities are regularly discovered by developers, who release patches to secure them. Here’s what you should do:
- Check for updates on your CMS, server OS and installed plugins regularly.
- Schedule automatic updates where possible to ensure critical security patches are always installed.
What to do if your website is hacked
In the unfortunate event of a hack, follow these steps to minimize damage and restore your site:
Restrict Access:
Immediately close access to the compromised site using HTTP authorization to prevent malicious scripts from spreading. You can manage this via FASTPANEL's site settings.
Check cron jobs:
Malicious cron jobs are often added during an attack. To review cron jobs for the compromised user, run the following command via SSH (replace USER with your actual username):
crontab -l -u USER
Reboot the server:
To stop malicious processes, reboot the server via "Settings" -> "Main" in FASTPANEL.
Investigate and clean the hack:
- Use server logs and file modification timestamps to trace the hack’s origin.
- Remove malicious code manually or restore from a clean backup created before the hack.
- Use FASTPANEL's Scan feature, but be aware that not all malware may be detected.
Update software:
After identifying the vulnerability, update your CMS, plugins, and server components to the latest versions.
Back up after cleanup:
Once the site is clean, create a fresh backup.
Monitor site behavior:
Allow public access to your site and carefully monitor its behavior to ensure no further malicious activity occurs.
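The cron and file-timestamp checks from the steps above, as an added shell example (not FASTPANEL's own code). The function names, the match patterns and the file types are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: triage helpers for the cron and timestamp checks.
# The patterns and file types below are assumptions, not FASTPANEL defaults.

# Read crontab text on stdin, e.g.  crontab -l -u USER | cron_review
# Prints every active entry; entries matching the heuristics get "REVIEW".
cron_review() {
    # Assumed heuristics, not exhaustive: jobs that fetch remote content,
    # decode data inline, or run from world-writable directories.
    pattern='curl|wget|base64|/tmp/|/var/tmp/|/dev/shm/'
    grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r line; do
        if printf '%s\n' "$line" | grep -Eq "$pattern"; then
            printf 'REVIEW  %s\n' "$line"
        else
            printf 'ok      %s\n' "$line"
        fi
    done
}

# List web-executable files under DIR touched in the last DAYS days,
# oldest first. FIELD is mtime (content change) or ctime (inode change).
recent_changes() {
    dir=$1; days=${2:-7}; field=${3:-mtime}
    find "$dir" -type f \
        \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) \
        "-$field" "-$days" -exec ls -ltr {} +
}

# Files whose ctime is recent but whose mtime is not: the modification time
# may have been set back to hide a change (chmod/chown/rename also match).
backdated() {
    dir=$1; days=${2:-7}
    find "$dir" -type f -ctime "-$days" ! -mtime "-$days" -print
}
```

Modification times can be reset by whoever wrote the file, so compare the `mtime` listing with the `ctime` one and with the server logs before settling on a clean backup date.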
Ongoing maintenance
Even after recovering from a hack, it's important to continue proactive security measures:
- Regularly check server logs for unusual activity.
- Perform routine vulnerability scans.
- Ensure all site components are always up to date.
- Implement multi-factor authentication (MFA) for critical accounts.