Site Security

BYU Domains has many protections in place to prevent your site from being hacked and to help recover your site in the event that it has been hacked.

The following are preventive security measures you should take:

  1. Check your site often: Review your domain at least monthly (weekly is better) to ensure that your applications are always upgraded to the latest version. By default, the settings are set to auto-upgrade to the latest versions as they are released.
    • Sometimes an application update breaks a theme or plug-in you are using, or vice versa. This should never deter you from upgrading to the latest version; there are always workarounds for incompatible themes or plug-ins, and running a known-vulnerable version is the greater risk.
  2. Password strength: Passwords should be strong or very strong. Go to besafe.byu.edu for more information on how to set strong passwords. Use a password vault to generate, store, organize, and retrieve your passwords on any device; these tools create passwords that are very hard for an attacker to guess but easy for you to retrieve when you need to log in.
  3. FTP account password change: When you first signed up for your domain, you were sent a “New Account Information” email that contains, among other things, your FTP username and password. Email is not a secure transport for credentials, so change this password to a strong or very strong one. To change the FTP password, go to the “Manage Your Account” menu and choose “FTP Information”.
  4. SSL: Use SSL/TLS certificates to secure your website. With a certificate in place, information such as login credentials and credit card numbers is sent encrypted instead of as plain text. It is important to secure your site’s login areas, shopping areas, and any other pages where sensitive information could be submitted, and SSL should be set up on public sites as well. Let’s Encrypt is an easy way to set up SSL certificates and auto-renew them.
  5. PHP version: Use MultiPHP Manager (found in cPanel) to upgrade the version of PHP running on each of your domains. Run the latest supported version. Some applications, themes, and plug-ins require older versions, so prefer applications, themes, and plug-ins that are tested on the latest versions of PHP.
  6. Virus scan: Run a complete virus scan (Advanced | Virus Scanner) at least monthly.
  7. Error logs: Make sure error logging is working. The “Errors” feature in cPanel works with a default installation. WordPress keeps additional error logs of its own, and some themes and plug-ins have their own logging as well.
  8. Remove unneeded or foreign files: Become familiar with the file structure in File Manager so that you notice foreign files and directories when they appear, and clean them out as needed.
  9. Remove unneeded themes: If you are not using a theme, remove it. An unused theme still has to be kept up to date, and if it is not, it is out-of-date code an attacker can reach.
  10. Remove unneeded plug-ins: If you are not using a plug-in, remove it. Disabling it is not enough: a deactivated plug-in’s files are still on the server and can still be attacked if they contain a vulnerability. Removing it avoids out-of-date code and the work of maintaining it.

The following are security issues that you should be aware of:

  1. Custom themes or plug-ins: It is not recommended that you use custom themes or plug-ins developed by consultants just for you. Every time the main application updates, you may have to pay someone to upgrade and test your theme or plug-in as well, which can become very costly, and an update skipped for cost reasons leaves you running old code.
  2. NetID & password: Do not share your NetID and/or password. To give someone admin access to your domain, either create an FTP/SSH account for them or add them as an admin user in WordPress. Sharing your NetID and password would also give them access to other important university information.
  3. Email: If you are using the email features on BYU Domains, manage your email accounts and control spam on each account with spam filters and BoxTrapper. Connect mail clients over SSL/TLS, and use GnuPG (Email | Encryption) for message content that must stay confidential.
  4. Database security: All databases are maintained using phpMyAdmin. All user and system access to databases is granted with the “MySQL Databases” tool. Use very strong passwords for all database accounts, give each application its own database user, and grant that user only the privileges it needs.

Security Features

The following is a list of features in BYU Domains to help you ensure your site is better protected and secured.

  1. Files | Backup (or Backup Wizard)
    • This tool creates a manual, on-demand backup of your domain.
    • If your site does not change often, you may want to create an occasional backup to your local computer or another storage medium. Normally, relying on JetBackup is adequate (see #5).
  2. Files | Directory Privacy
    • Set a password to protect certain directories of your account. When you enable this feature, anyone who tries to open a protected folder is prompted for a username and password before the content is served.
    • Default=none
  3. Files | FTP Accounts
    • Add and configure FTP accounts so you can get your website onto the internet quickly and manage its files with an FTP client. This tool includes a password strength meter to help you choose strong passwords.
    • Default=one system-assigned account
    • An unlimited number of accounts are allowed
    • Prefer SFTP (file transfer over SSH) in your client: plain FTP sends the username and password unencrypted.
  4. Files | FTP Connections
    • Monitor users who are currently logged into your site through FTP, and terminate connections to stop file access by unauthorized users.
  5. Files | JetBackup
    • This is the automatic domain backup tool. It backs up all files, email, databases, SSL certificates, and cron jobs. As a precaution, these backups are stored on a different server and data center from your domain account.
    • JetBackup runs on all domains by default
  6. Applications | My Apps
    • These are your applications installed using Installatron. Choose “View/Edit Details” (the wrench icon) to see each one’s settings.
    • “Automatic Update” is set to “Update to any new version” by default.
  7. Applications | My Apps | WordPress installs
    • It is highly recommended to install Wordfence on every WordPress site. Wordfence has a free option that is adequate for most needs.
    • wp-admin username and password
      • Default=same as domain account. Consider changing this so that a compromised WordPress login does not also hand over your domain account.
    • Limit login attempts
      • Default=No; Yes is recommended
    • WP auto updates
      • Default=on
    • Plug-in auto updates
      • Default=on
    • Theme auto updates
      • Default=on
    • Update backups
      • Default=create a backup
    • Auto backups
      • Default=do not create an auto backup (Installatron backups are not necessary, since BYU Domains uses JetBackup to back up the entire domain regularly)
    • Database password
      • Default=system assigned (very strong password)
  8. Email | Email Accounts
    • This feature lets you create and manage email accounts.
    • Default=one admin account
    • An unlimited number of accounts are allowed
  9. Email | Encryption
    • GnuPG is a publicly available encryption scheme that uses the “public key” approach. With GnuPG, a message is encrypted with the recipient’s public key and can only be decrypted with the matching private key, which the intended recipient keeps to themselves.
    • Default=none
  10. Databases | MySQL Databases
    • Create database accounts to give users or applications access to databases. The user account must be created first, then assigned to a database with only the privileges it needs.
    • Default=one admin account
  11. Databases | Remote MySQL
    • Add a specific hostname or IP address to allow that remote host to connect to your MySQL databases. Applications such as bulletin boards, online shopping carts, and content management systems rely on databases to operate, but applications installed on your own domain connect locally and do not need this.
    • Default=none
    • Use this feature only in very specific circumstances: each entry exposes your database to another host, so list a single host rather than a wildcard, and remove the entry as soon as it is no longer needed.
  12. Security | Hotlink Protection
    • Prevents other websites from directly linking to files (or file types) on your website. Other sites can still link to any file type that you do not list (e.g. html files).
    • Default=blocks jpg, jpeg, gif, png, bmp
    • An example of hotlinking is a foreign site using an <img> tag to display an image hosted on your site. The other site is then consuming your bandwidth.
  13. Security | IP Blocker
    • This feature lets you block an IP address or range of addresses from accessing your site in any way. You can also enter a fully qualified domain name, and the IP Deny Manager will attempt to resolve it to an IP address for you.
    • Default=none blocked
    • Be aware that attackers change IP addresses constantly, so blocking one address rarely stops them for long. Blocking ranges is more effective (or, in some cases, entire countries), but treat the blocker as a nuisance filter, not as a substitute for strong passwords and updates.
  14. Security | Leech Protection
    • Prevents your users from giving out or publicly posting their passwords to a restricted area of your site. If one account logs in more than the configured number of times within a short window, this feature redirects it to a URL of your choice (and suspends it, if you choose).
    • Default=none
  15. Security | SSH Access
    • SSH (Secure Shell) lets you log into another computer or server over a network securely. It provides strong authentication and encrypted communication over insecure channels. This tool manages SSH keys for the account; prefer key-based logins over passwords, and keep the private key only on the machines you log in from.
    • Default=one system-assigned account
    • An unlimited number of accounts are allowed
  16. Security | SSL/Let's Encrypt
    • Generates SSL certificates, certificate signing requests, and private keys, the pieces needed to serve your site over HTTPS. With a certificate in place, logins, credit card numbers, and other sensitive data are sent encrypted instead of as plain text. It is important to secure your site’s login areas, shopping areas, and any other pages where sensitive information could be submitted.
    • SSL should be set up on public sites as well.
    • Let’s Encrypt is an easy way to set up SSL certificates and auto-renew them.
    • Default=none
  17. Metrics | Errors
    • Displays the most recent entries in your website’s error logs in reverse chronological order. Use this to find broken links, missing files, and the specific file a failing theme or plug-in is throwing errors from.
    • WordPress also keeps error logs within its own directories.
  18. Software | MultiPHP Manager
    • Upgrade the version of PHP running on each of your domains.
    • Default=the version in effect when you signed up
    • PHP 5.5, 5.6, and 7.0 are end-of-life and no longer receive security fixes (as are later versions that have since reached end of life). Update all your domains to a supported version.
    • Some applications, themes, or plug-ins require older versions of PHP and may break if you upgrade. Prefer newer, actively maintained apps, themes, and plug-ins that are tested on current PHP.
  19. Software | Perl Modules
    • Perl modules include many security-related modules that can be added to your site for additional layers of authentication, error logging, notifications, and the like.
    • Default=none installed
  20. Advanced | Virus Scanner
    • Scan your domain, or portions of it, for viruses and malware.
    • This is a manually run tool
  21. Preferences (or left side bar) | User Manager
    • Manage user accounts for Email, FTP, or Web Disk access.
    • Default=one admin account, one log account
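Directory Privacy, Hotlink Protection and IP Blocker all work by writing rules into an .htaccess file in your account. The script below is an added example, not BYU Domains' or cPanel's own code: it generates equivalent stanzas by hand so you can see and audit what each feature actually does, and writes them into a scratch directory. The host name example.byu.edu, the blocked IP ranges and the htpasswd path are assumptions; the extension list matches the Hotlink Protection default above.

```sh
#!/bin/sh
# Added example, not BYU Domains' or cPanel's own code: hand-written .htaccess
# stanzas equivalent to what the Directory Privacy, Hotlink Protection and
# IP Blocker tools generate, so you can see and audit what each feature does.
# The host example.byu.edu, the IP ranges and the htpasswd path are assumptions.

# Hotlink Protection: refuse requests for the listed file types unless the
# Referer is empty (a direct visit) or points at this site itself.
hotlink_rules() {                 # $1 = site host, $2 = extensions as a|b|c
    host="$1"; exts="$2"
    escaped=$(printf '%s' "$host" | sed 's/\./\\./g')   # example.byu.edu -> example\.byu\.edu
    cat <<EOF
RewriteEngine on
# no Referer at all (typed URL, bookmark, most feed readers): allow
RewriteCond %{HTTP_REFERER} !^$
# Referer is this site, with or without www: allow
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?${escaped}/ [NC]
# anything else asking for these file types: 403 Forbidden
RewriteRule \.(${exts})$ - [F,NC]
EOF
}

# IP Blocker: deny the listed addresses or CIDR ranges site-wide. This is the
# Apache 2.4 "Require" form; cPanel's own tool writes the older "deny from"
# lines, which Apache still honours. Blocking is a nuisance filter only:
# attackers change addresses, so block ranges and keep passwords strong.
ip_block_rules() {                # $@ = addresses or ranges to deny
    echo "<RequireAll>"
    echo "    Require all granted"
    for range in "$@"; do
        echo "    Require not ip $range"
    done
    echo "</RequireAll>"
}

# Directory Privacy: HTTP Basic auth on one directory. Create the password
# file with  htpasswd -c FILE USER  (or openssl passwd -apr1) and keep it
# outside public_html so only the hash is stored and it is never served.
auth_rules() {                    # $1 = realm shown in the login prompt, $2 = htpasswd path
    cat <<EOF
AuthType Basic
AuthName "$1"
AuthUserFile $2
Require valid-user
EOF
}

write_site_htaccess() {           # $1 = document root, $2 = host, rest = IPs to block
    root="$1"; host="$2"; shift 2
    {
        hotlink_rules "$host" 'jpg|jpeg|gif|png|bmp'   # cPanel's default type list
        ip_block_rules "$@"
    } > "$root/.htaccess"
}

write_protected_dir() {           # $1 = directory, $2 = realm, $3 = htpasswd path
    mkdir -p "$1"
    auth_rules "$2" "$3" > "$1/.htaccess"
}

# Demo on a scratch directory (constructed; nothing here touches a real site).
ROOT=$(mktemp -d)
write_site_htaccess "$ROOT" example.byu.edu 203.0.113.0/24 198.51.100.7
write_protected_dir "$ROOT/reports" "Staff only" /home/user/.htpasswds/reports
echo "== $ROOT/.htaccess";          cat "$ROOT/.htaccess"
echo "== $ROOT/reports/.htaccess";  cat "$ROOT/reports/.htaccess"
```

Two things to check after cPanel (or this script) writes such rules: the hotlink condition must allow an empty Referer, or visitors who type a URL or use a privacy-minded browser get 403s on every image; and the AuthUserFile must live outside public_html, since a password file inside the web root is one misconfigured directory index away from being downloadable.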

Security features that are automated or set to a default:

(As described above)

  1. My Apps Installatron auto updates (including WordPress)
  2. FTP Accounts management (Admin accounts are automatically created)
  3. Email Accounts (Admin accounts are automatically created)
  4. MySQL Databases Accounts (Admin accounts are automatically created)
  5. JetBackup
  6. Error logging

Security features or tasks that require your intervention:

(As described above)

  1. Checking your site often
  2. Password Strength
  3. Default FTP account password change
  4. Backup Wizard or Backup
  5. FTP Accounts management
  6. SSL/Let's Encrypt
  7. SSH Access
  8. Email Accounts
  9. Email Encryption
  10. MySQL Databases Accounts
  11. PHP Version (MultiPHP Manager)
  12. Virus Scanner
  13. Remove unneeded or foreign files
  14. Remove unneeded themes
  15. Remove unneeded plug-ins
  16. User Manager

Other useful security prevention tools

(As described above)

  1. Directory Privacy
  2. Remote MySQL
  3. Hotlink protection
  4. IP Blocker
  5. Leech Protection
  6. Perl Modules

Recovering your Site

It may be that your site is not currently functional. This usually happens for one of two reasons: a recent upgrade of an application (e.g. WordPress), theme, or plug-in has broken the site, or someone has hacked your site or domain. This is one reason to check your domains regularly, so problems can be corrected before they grow.

  1. Domain errors and error logging can provide clues to the source of the problem. Checking the error logs will show you which files are causing the error and often when the problems started. If a theme or plug-in is at fault, you can usually rename its directory (under wp-content/plugins or wp-content/themes for WordPress) to disable it; that regains the admin access you need to upgrade the application, theme, or plug-in, or to switch to a better-maintained one.
  2. Another clue that your site might have been hacked is the presence of foreign files or directories. You can browse files and directories in File Manager and see when foreign files were first introduced. PHP files inside an uploads directory, or files changed on dates when you did not touch the site, deserve particular attention.
  3. The Metrics tools (for example Visitors and the raw access logs) can show when suspicious IP addresses tried to access your domain and some of the methods they used, such as repeated login attempts.
  4. You can also restore your site to a date when you know it was fully functional (from JetBackup or a backup you made) and then upgrade the application, theme, or plug-ins. Restoring alone is not enough after a hack: change the passwords the attacker may have obtained and upgrade whatever let them in, or the site will be compromised again.
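The first three recovery steps above, and the “Error logs” and “Remove unneeded or foreign files” items in the preventive list, can be run as quick checks over SSH instead of clicking through File Manager and Metrics. The script below is an added example, not BYU Domains' own tooling: it pulls the failing file out of PHP fatal errors, counts login POSTs per IP in an Apache-format access log, and lists PHP files under wp-content/uploads and recently changed files. The log lines, file names, paths and threshold are all constructed for the demonstration; on a real account you would point the functions at ~/public_html and the logs cPanel keeps for the domain.

```sh
#!/bin/sh
# Added example, not BYU Domains' own tooling: triage checks you can run over
# SSH on a cPanel account when a site breaks or looks compromised. Every path,
# log line, file and threshold below is constructed for the demonstration.

# 1. Which files are throwing PHP fatal errors? Apache/PHP error_log entries
#    end with "... in /path/to/file.php:LINE"; pull the path out and count.
#    A plug-in or theme that dominates this list is the directory to rename.
failing_files() {                 # $1 = error_log path
    sed -n 's/.*PHP Fatal error:.* in \(\/[^:]*\):[0-9][0-9]*.*/\1/p' "$1" \
        | sort | uniq -c | sort -nr | awk '{ print $1, $2 }'
}

# 2. Which IPs are hammering the WordPress login endpoints? In Apache's
#    combined log format field 1 is the client IP, field 6 the quoted method
#    and field 7 the request path. Print IPs with at least $2 login POSTs.
brute_force_ips() {               # $1 = access log path, $2 = threshold (default 10)
    awk -v t="${2:-10}" '
        $6 == "\"POST" && (index($7, "/wp-login.php") == 1 || index($7, "/xmlrpc.php") == 1) { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }
    ' "$1" | sort -k2 -nr
}

# 3. Foreign files. WordPress stores only media under wp-content/uploads, so
#    any PHP file there is suspect, and anything modified in the last N days
#    on a site you have not touched deserves a look (File Manager shows the
#    same dates; this just makes the list greppable).
php_in_uploads() {                # $1 = site root
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null | sort
}
recently_changed() {              # $1 = site root, $2 = days
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# --- constructed fixtures so the script runs offline ------------------------
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
make_fixtures() {
    site="$DEMO/site"
    mkdir -p "$site/wp-content/uploads/2024/03" "$site/wp-content/plugins/old-plugin"
    echo '<?php /* legitimate plug-in code (constructed) */ ?>' > "$site/wp-content/plugins/old-plugin/old.php"
    echo 'image bytes (constructed)' > "$site/wp-content/uploads/2024/03/photo.jpg"
    echo '<?php /* PHP dropped into uploads: constructed stand-in for a foreign file */ ?>' \
        > "$site/wp-content/uploads/2024/03/cache.php"

    # error_log: the same plug-in file fails twice
    i=0
    while [ "$i" -lt 2 ]; do
        echo "[Tue Mar 12 02:20:0$i.000000 2024] [php:error] [pid 4242] [client 198.51.100.7:51234] PHP Fatal error:  Uncaught Error: Call to undefined function old_api() in $site/wp-content/plugins/old-plugin/old.php:42" >> "$DEMO/error_log"
        i=$((i + 1))
    done

    # access_log: 12 scripted login POSTs from one IP, one real login from another
    i=0
    while [ "$i" -lt 12 ]; do
        printf '198.51.100.7 - - [12/Mar/2024:02:14:%02d -0600] "POST /wp-login.php HTTP/1.1" 200 4213 "-" "python-requests/2.31"\n' "$i" >> "$DEMO/access_log"
        i=$((i + 1))
    done
    echo '203.0.113.5 - - [12/Mar/2024:09:00:00 -0600] "GET /about/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"' >> "$DEMO/access_log"
    echo '203.0.113.5 - - [12/Mar/2024:09:01:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.byu.edu/wp-login.php" "Mozilla/5.0"' >> "$DEMO/access_log"
}
make_fixtures

echo "== files named in PHP fatal errors (count path)"; failing_files "$DEMO/error_log"
echo "== IPs with 10 or more login POSTs";            brute_force_ips "$DEMO/access_log" 10
echo "== PHP under wp-content/uploads";               php_in_uploads "$DEMO/site"
echo "== files changed in the last day";              recently_changed "$DEMO/site" 1
```

The output of the first check names the plug-in directory to rename; the second gives you the addresses for IP Blocker (and a reason to turn on “Limit login attempts”); the third lists files to inspect in File Manager before deciding whether to delete them or restore from JetBackup.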