What Security Measures Are Used to Protect My Server?

HostGator provides a number of security measures to protect our servers and prevent your account from being compromised via the server itself. While our servers are secure, security breaches of your website and your personal account due to vulnerable passwords or known exploits in the software that users choose to have installed on their server cannot be prevented with general server security.

By being knoweldgeable and familiar with common forms of attacks, you can ensure both that your account is secure against preventable compromises that you are in control over, and be better prepared to recover from the compromises that catch you by surprise.

What Security Measures Does HostGator Provide?

HostGator is protected from DDoS attack (UDP flood).

We have an extensive custom firewall rule and large mod_security rulesets protecting our servers from a variety of forms of attack. If we do experience heavy flooding, we have our datacenter enable network level flood protection. Our datacenters are all highly secure facilities with restricted access.

Our other server security methods and precautions are confidential.

What Security Measures are My Responsibility?

You are responsible for the security of any passwords, settings, or software that you have the access to change or install on your account. By hosting on HostGator servers, you have agreed to be fully responsible for all use of your account and for any actions that take place through your account. It is your responsibility to maintain the confidentiality of your password and other information related to the security of your account.

It is your responsibility to ensure that scripts/programs installed under your account are secure and permissions of directories are set properly, regardless of the installation method. When at all possible, set permissions on most directories to 755 or as restrictive as possible. Users are ultimately responsible for all actions taken under their account. This includes the compromise of credentials such as user name and password. You are required to use a secure password. If a weak password is used, your account may be suspended until you agree to use a more secure password. Audits may be done to prevent weak passwords from being used. If an audit is performed, and your password is found to be weak, we will notify you and allow time for you to change or update your password before suspending your account.

Being aware of these responsibilities is important, as an account that is found to be compromised may be disabled and/or terminated per our Terms of Service. Failure to clean your account after being notified by HostGator of an ongoing issue may result in having your account disabled.

What Can I Do to be More Secure?

HostGator recommends a number of actions and services which can help you maintain security on your website. The following security tips are offered in order to help our clients maintain site security and protect their accounts:

Update Scripts and CMS Installations

The vast majority of account compromises are caused by malicious users who have found exploits in scripts installed on an account. Therefore, the best advice we can offer is to make sure that all CMS installations, as well as any related themes, plugins and other add-ons, are kept up-to-date. Most CMS software has an option to update from within the administration panel; however, the following resources may be of further assistance:

If your software was installed with QuickInstall, please see the following article for details on how to enable automatic updates:

Update Passwords

Another common form of compromise is due to exploited passwords. These compromises can occur in one of two ways: a brute force compromise or through virus/malware on a local computer.

Brute Force Compromise

In a brute force compromise, the attacker will repeatedly guess the password until the correct combination is guessed. While our servers do have certain amounts of brute force protection enabled, we suggest creating a complex password made up of at least three of the four major character types.

  • Uppercase Letters (A-Z)
  • Lowercase Letters (a-z)
  • Numbers  (0-9)
  • Special characters (-_.,!@#$%^&*)

When updating passwords, we also suggest that you do not use previously used passwords. This is due to the fact that once a password has been compromised, it will remain that way indefinitely. So, if a password is reverted back, the account will most likely be compromised again.

Viruses and Malware

Another form of password compromise occurs when account passwords are stolen using viruses/malware located on local computers from which accounts are accessed. This malware sniffs out passwords used and stored by FTP and other programs. In order to protect against this form of attack, full virus and malware scans should be run on all computers which access the account to ensure that they are clean. We recommend following the instructions found here:

Depending on your operating system, there are plenty of options to choose from regarding PC virus scanning. Please see the list below for some options available to you.

WindowsWindows

MacMac

LinuxLinux

Make Regular Backups

Be sure to make regular backups of your account in case there is a compromise. While HostGator does make weekly backups for Shared, Reseller, and VPS accounts as stated in our Backup Policy, we will restore a backup as well when you provide your own by contacting our support team via phone or Live Chat. For more details on how to create your own backups, please read:

Additional Preventive Steps

Other preventive steps you may take to imprpove site security include but are not limited to the following:

  • Make sure all file permissions are set for 644 and all directories are set for 755. See How to Change Permissions (chmod) of a File for more information.
  • Remove scripts and databases which are no longer in use. This will help eliminate the possibility of unused and outdated scripts being compromised.
  • Move configuration and other files containing passwords to a secure directory outside of the public_html folder to make them publicly inaccessible.
  • Edit your php.ini file with the following lines:
    • register_globals = Off
    • display_error = Off
  • Use secure connections whenever possible to connect to your account. See more information on this through the links and steps below:

Special Offers

Following the steps in this article will help both prevent account and site compromises as well as recover from them when they do happen. In addition to this, HostGator has special offers for addtional services which can help you be ahead of the game when it comes to both prevention and recovery. Please check our special offers page for addtional information on products and services to help protect your data:

Site Hacked?

If you find that your site has been compromised, please refer to the following articles for detailed instructions on how to properly remove the hack: