How to Secure Your Server

General Recommendations

Standard shared hosting usually leaves few security settings under your control, so we recommend hosting the exchange service on a Virtual Private Server (VPS/VDS) and configuring it to reduce the risk of compromise. Hosting providers typically offer virtual-server setup as a paid service. You can also hire outside specialists for the configuration, but only ones you trust: whoever configures the server has full control of it.

  • In the hosting provider's client area (the billing panel used to manage the service) where your site is hosted, enable SMS confirmation for logins to your account, and enable any other access restrictions the provider offers. For Reg.ru hosting, at a minimum enable SMS authorization and email notifications for account logins.

  • Update the ionCube Loader PHP extension to the latest version.

  • Install and configure fail2ban on the server: it watches the authentication logs and temporarily bans addresses that repeatedly fail to log in.

  • Install a malware scanner and a port scanner on the server, and schedule regular scans of the site files and of the open ports. An open port you did not configure is a sign of compromise.

  • Configure the firewall. Close the ports used by FTP and by shell and administration services (SSH and similar clients) to the public, allowing them only from your own trusted IP addresses. Do not close SSH completely, or you will lock yourself out of the server.

  • Block the standard URLs of the control panel login form. For Ispmanager, these are: https://ip_address/manager, https://ip_address/manager/ispmngr, https://ip_address/ispmngr.

  • Change the default port of the control panel. For Ispmanager, the default port is usually 1500. Move it to any free port number, and allow the new port in the firewall for your trusted addresses only. This does not stop a determined attacker, but it removes the panel from casual port scans.

  • Block access to phpMyAdmin when you are not using it. One way is to set the permissions of the phpMyAdmin directory to 444 on the server: without the execute (traverse) bit, the web server can no longer read the files inside it. Restore the usual directory permissions (755) only while you need it.

  • Block access to webmail clients in the same way. For example, https://ip_address/webmail/, https://ip_address/roundcube/, etc.: set the permissions of the mail client directory to 444 on the server.

  • For all server accounts, including root, set a unique password of at least 15-25 characters. A password manager makes long random passwords practical.

  • Do not keep backups of files and databases on the server, and never in the web root of the site: a backup in a web-accessible directory can be downloaded by anyone who guesses its name.
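The firewall and fail2ban recommendations above, as an added example that is not part of the original page and is not Ispmanager's or any hosting provider's own tooling: a POSIX shell script that generates an nftables ruleset and a fail2ban jail.local from one trusted operator address range. The range 203.0.113.0/24, the panel port 1500 and the SSH port 22 are assumptions (the documentation ranges and the Ispmanager default); replace them with your own addresses and ports. It assumes a Linux VPS with nftables and fail2ban 0.10 or later installed, and it applies nothing by itself.

```shell
#!/bin/sh
# harden_access.sh: generate firewall and fail2ban configuration for a VPS.
# Nothing is applied automatically; review the output, then load it.

# Dotted-quad IPv4 address with an optional /prefix, e.g. 203.0.113.0/24.
is_ipv4_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$'
}

# nftables ruleset: inbound default-drop, SSH and the panel port reachable
# only from the trusted range, HTTP/HTTPS public, FTP (21) never opened.
#   $1 trusted CIDR (assumed example: 203.0.113.0/24)
#   $2 panel port (Ispmanager default 1500, or the port you moved it to)
#   $3 SSH port (default 22)
nft_ruleset() {
    is_ipv4_cidr "$1" || { echo "nft_ruleset: bad CIDR '$1'" >&2; return 1; }
    cat <<EOF
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    set admin_ips {
        type ipv4_addr
        flags interval
        elements = { $1 }
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        # administrative ports: trusted operator addresses only
        tcp dport { ${3:-22}, $2 } ip saddr @admin_ips accept
        # the public site
        tcp dport { 80, 443 } accept
        # no rule for 21 (FTP): transfer files over SFTP (SSH) instead
    }
}
EOF
}

# fail2ban jail.local (overrides jail.conf): bans addresses that repeatedly
# fail SSH login and never bans the trusted range. Time values use
# fail2ban's own suffixes (m, h, d, w).
#   $1 trusted CIDR
fail2ban_jail() {
    is_ipv4_cidr "$1" || { echo "fail2ban_jail: bad CIDR '$1'" >&2; return 1; }
    cat <<EOF
[DEFAULT]
# the operator's own addresses are never banned
ignoreip = 127.0.0.1/8 ::1 $1
bantime  = 1h
findtime = 10m
maxretry = 5
# matches the nftables firewall above (fail2ban 0.10+ ships this action)
banaction = nftables-multiport

[sshd]
enabled = true

[recidive]
# addresses banned repeatedly (seen in fail2ban's own log) get a week
enabled = true
bantime = 1w
EOF
}
```

Source the file (`. ./harden_access.sh`), then generate and validate before loading, and do it from the provider's console rather than only over SSH so that a mistake cannot lock you out: `nft_ruleset 203.0.113.0/24 1500 > /etc/nftables.conf`, `nft -c -f /etc/nftables.conf` to check the syntax, `nft -f /etc/nftables.conf` to apply; then `fail2ban_jail 203.0.113.0/24 > /etc/fail2ban/jail.local` and restart fail2ban. If you have moved Ispmanager off port 1500 as recommended, pass the new port instead.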

Configuring Services and Options

  • Limit what a web shell can do by disabling the PHP functions that execute operating-system commands, through the php.ini file (edit the existing directive or add a new one):

    disable_functions = exec,system,passthru,shell_exec,proc_open,show_source
If you are using Ispmanager, follow these steps:
  1. Log in to Ispmanager as root.

  2. Go to the "Websites" section, select your website, and click the "PHP Settings for the Site" button.

  3. Search for the disable_functions directive, check it, and click the pencil button ("Edit Variable").

  4. Append the functions listed above to the existing value (do not remove the values that are already there): exec,system,passthru,shell_exec,proc_open,show_source, then save the changes.

  • Disable remote file inclusion (allow_url_include) and the opening of remote URLs by PHP's file functions (allow_url_fopen). This closes a common path to remote code execution, where an include or require is pointed at an attacker-controlled URL. Note that allow_url_fopen = Off also stops file_get_contents() and fopen() from fetching http:// URLs, so confirm that the site does not rely on them (the cURL extension is not affected):

    allow_url_fopen = Off
    allow_url_include = Off
If you are using Ispmanager, follow these steps:
  1. Log in to Ispmanager as root.

  2. Go to the "Websites" section, select your website, and click the "PHP Settings for the Site" button.

  3. Search for the directives whose names contain allow_url, check them, and click the pencil button ("Edit Variable").

  4. Set both variables to Off and save the changes.

  • Disable extensions the site does not need. For example, to stop loading phar when it is not used, comment out the line that loads it (in php.ini a comment starts with ";", not "//"; a line that still reads extension = phar.so keeps the extension enabled). Most distributions load extensions from separate files in a conf.d directory rather than from php.ini itself: php --ini lists the files that are read, and php -m shows what is actually loaded.

    ;extension = phar.so   ; commented out: phar is not used on this server
If you are using Ispmanager, follow these steps:
  1. Log in to Ispmanager as root.

  2. Go to the "PHP" section, select the PHP version your website uses, and click the "Extensions" button.

  3. Find the extension (phar in this example), check it, and click the pencil button ("Disable Extension").

  4. Confirm disabling the extension in the pop-up window.

  • Restrict access to php.ini and wp-config.php through the .htaccess file. The directives below are Apache syntax: on Apache 2.4 without mod_access_compat, replace the Order and Deny lines with Require all denied, and note that nginx ignores .htaccess entirely, so the equivalent location block must go into the nginx configuration instead:

    <FilesMatch "^(php\.ini|wp-config\.php)$">
        Order deny,allow
        Deny from all
    </FilesMatch>
If you are using Ispmanager, follow these steps:
  1. Log in to Ispmanager as any user that has access to the website.

  2. Go to the "Websites" section, select your website, and click the "Website Files" button.

  3. Find the .htaccess file and open it for editing by double-clicking it.

  4. Add the text specified above to the file and save the changes.
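To check that the php.ini changes above actually took effect, here is an added example, not code from the original page or from Ispmanager: a POSIX shell script that audits a php.ini for the disable_functions list, the two allow_url_* directives and the phar extension line, and returns non-zero when any of them is not as recommended. The path /etc/php/8.2/fpm/php.ini in the usage comment is an assumption (php --ini prints the files your PHP actually loads), and the two sample php.ini files the script can write are constructed for the demonstration, not taken from any real server.

```shell
#!/bin/sh
# audit_php_ini.sh: check a php.ini for the hardening directives above.
# Usage: sh audit_php_ini.sh /etc/php/8.2/fpm/php.ini   (path is an assumption)

REQUIRED_DISABLED="exec,system,passthru,shell_exec,proc_open,show_source"

# Effective value of directive $2 in file $1: the last uncommented assignment
# wins, as it does in PHP; a trailing ";" comment and whitespace are stripped.
ini_value() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | sed -E 's/[[:space:]]*;.*$//; s/[[:space:]]+$//'
}

# 0 when every function in the comma-separated list $2 is in disable_functions of $1.
check_disable_functions() {
    have=$(ini_value "$1" disable_functions | tr -d ' "')
    missing=""
    IFS=,
    for fn in $2; do
        case ",$have," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    unset IFS
    [ -z "$missing" ] && return 0
    echo "disable_functions is missing:$missing" >&2
    return 1
}

# 0 when boolean directive $2 is explicitly off in $1. An absent or empty
# directive fails on purpose: PHP's built-in default for allow_url_fopen is On.
check_off() {
    v=$(ini_value "$1" "$2" | tr -d '"' | tr '[:upper:]' '[:lower:]')
    case "$v" in
        off|0|false|no|none) return 0 ;;
        "") echo "$2 is not set; PHP's built-in default applies" >&2; return 1 ;;
        *)  echo "$2 is enabled (value: $v)" >&2; return 1 ;;
    esac
}

# 0 when no uncommented "extension=" line in $1 loads phar. Distributions often
# load extensions from a conf.d directory instead, so confirm with `php -m`.
check_phar_disabled() {
    if grep -E -q '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?(phar|phar\.so)"?[[:space:]]*(;.*)?$' "$1"; then
        echo "phar extension is still loaded by $1" >&2
        return 1
    fi
    return 0
}

# Run every check on php.ini $1; status 0 only when all of them pass.
audit_php_ini() {
    rc=0
    check_disable_functions "$1" "$REQUIRED_DISABLED" || rc=1
    check_off "$1" allow_url_fopen   || rc=1
    check_off "$1" allow_url_include || rc=1
    check_phar_disabled "$1"         || rc=1
    [ "$rc" -eq 0 ] && echo "$1: all checks passed"
    return "$rc"
}

# Write a constructed sample php.ini (not from any real server) to $2.
# $1 = "weak" (insecure settings) or "hardened" (as this page recommends).
write_sample_ini() {
    case $1 in
        weak) cat > "$2" <<'EOF'
; constructed sample: insecure settings
disable_functions = pcntl_fork
allow_url_fopen = On
extension=phar.so
EOF
        ;;
        hardened) cat > "$2" <<'EOF'
; constructed sample: hardened as recommended above
disable_functions = pcntl_fork,exec,system,passthru,shell_exec,proc_open,show_source
allow_url_fopen = Off
allow_url_include = Off
;extension=phar.so
EOF
        ;;
    esac
}

if [ "$#" -gt 0 ]; then
    audit_php_ini "$1"
fi
```

Run it against the site's php.ini after saving the changes in Ispmanager. Because the script reads only the one file you pass, also confirm the running values with `php -i | grep -E 'disable_functions|allow_url'` and `php -m`: an extension loaded from a conf.d directory, or a per-site override, will not appear in a single php.ini.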

File Permissions Configuration

If a warning about file permission errors appears in the admin panel as an animated red circle, open the section with errors.

If the section reports incorrect file permissions, change the permissions of the listed files to the recommended, more restrictive values (the struck-through value is the current permission set; the value after ➔ is the recommended one).

Warnings are also displayed in the "Console" section, under the "Security Check" block.

When using Ispmanager, go to the "Websites" section, select your website, and click the "Website Files" button.

Select the file with incorrect permissions and click the "Attributes" button.

Set the recommended permissions in the "Access Rights" field and save the changes.

After changing the permissions, the warning will disappear from the admin panel.
