Modsecurity in cPanel

Another great feature in WHM/cPanel that is easily neglected is ModSecurity. It is useful if you do not have any other web protection such as Sucuri Firewall Pro. Many users never enable this feature to protect their open-source websites such as WordPress or Joomla. The module is enabled by default, but with no rule set installed there is nothing for it to process, so it is as good as disabled.

Go to ModSecurity Vendors in WHM to install a rule set; I commonly use the OWASP Core Rule Set. Remember to enable rule processing in the ModSecurity configuration (SecRuleEngine On; in DetectionOnly mode the rules are logged but not enforced). The rules stop common attacks against the vulnerabilities of your website. This is an important feature for anyone who does not have any other web protection. After enabling it, check the Hits List under ModSecurity Tools: a rule that keeps firing on legitimate admin actions can be disabled individually instead of turning the whole engine off.
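As an added example, not cPanel's own code and not part of the original post: a small POSIX shell script that checks whether ModSecurity on an EasyApache 4 host is actually enforcing rules rather than merely loaded. The config and vendor directory paths are assumptions based on the usual EA4 layout (override them with the environment variables), and the probe request carries a harmless textbook XSS string that the OWASP Core Rule Set should answer with 403 when enforcing.

```shell
#!/bin/sh
# modsec-check.sh (added example, not part of cPanel or the original post).
# Answers two questions the post raises: is SecRuleEngine actually "On",
# and is there a vendor rule set with rules to process?
set -eu

# Assumed EasyApache 4 locations; override with env vars if your layout differs.
MODSEC_CONF_DIR="${MODSEC_CONF_DIR:-/etc/apache2/conf.d/modsec}"
VENDOR_DIR="${VENDOR_DIR:-/etc/apache2/conf.d/modsec_vendor_configs}"

# modsec_engine_mode DIR: effective SecRuleEngine value across DIR/*.conf,
# comments stripped, later files overriding earlier ones (Apache includes
# them alphabetically, so this is an approximation). Prints "unset" if none.
modsec_engine_mode() {
    dir="$1"; mode="unset"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        v=$(sed -e 's/#.*//' "$f" \
            | awk '/^[[:space:]]*SecRuleEngine[[:space:]]/ { m = $2 } END { print m }')
        if [ -n "$v" ]; then mode="$v"; fi
    done
    printf '%s\n' "$mode"
}

# modsec_rule_count DIR: number of active SecRule directives under DIR
# (recursively). Zero means "loaded but nothing to do": as good as disabled.
modsec_rule_count() {
    dir="$1"
    [ -d "$dir" ] || { printf '0\n'; return 0; }
    find "$dir" -type f -name '*.conf' -exec cat {} + 2>/dev/null \
        | grep -c '^[[:space:]]*SecRule[[:space:]]' || true
}

# modsec_audit CONF_DIR VENDOR_DIR: 0 only if the engine is On and at least
# one rule is installed; prints what it found either way.
modsec_audit() {
    mode=$(modsec_engine_mode "$1")
    rules=$(modsec_rule_count "$2")
    printf 'SecRuleEngine=%s active_rules=%s\n' "$mode" "$rules"
    if [ "$mode" = "On" ] && [ "$rules" -gt 0 ]; then return 0; fi
    return 1
}

# modsec_probe URL: one request with a textbook XSS-looking parameter; with
# OWASP CRS enforcing, the answer should be "403". Use only on your own host.
modsec_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 10 \
        --get --data-urlencode 'q=<script>alert(1)</script>' "$1"
}

# Usage: sh modsec-check.sh audit [https://your-site.example/]
if [ "${1:-}" = "audit" ]; then
    modsec_audit "$MODSEC_CONF_DIR" "$VENDOR_DIR"
    if [ $# -ge 2 ]; then modsec_probe "$2"; fi
fi
```

If the audit passes but the probe still gets 200, the rules are installed but not reaching that site (a domain disabled under ModSecurity Tools, or a later-included file setting DetectionOnly); the Hits List is the place to look before switching anything to enforcing mode.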

Transfer Tools in WHM/ cPanel

This is a very useful tool in WHM/cPanel, but many server administrators and users have neglected it, either because it is not used often or because the control panel has so many features that it feels cluttered. Nevertheless, today I'm showing you these tools found in WHM/cPanel.

There are two transfer tools that might be handy if you are moving to another host: Restore a Full Backup/cpmove File and the Transfer Tool. Both do the same job, but the processes are different, and you should know both in case one of them fails. Restore a Full Backup/cpmove File is a kind of semi-migration tool. You log in to cPanel on the source server and run a Full Backup. cPanel gives the archive a specific name pattern that the restore tool recognises once the backup has completed, and the file is placed in your home directory. Copy it to the destination server with rsync if you have root access, or with FTP otherwise. Place the backup file in the home directory on the destination server, then use Restore a Full Backup/cpmove File in WHM to restore it.

For a full backup you can also use FTP or SCP to push the backup file to the destination server directly, but I have found rsync more reliable. It is a personal preference; either way it is about transferring a file from the source to the destination server.
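As an added example (not cPanel's code and not from the original post): the rsync route scripted, using cPanel's /scripts/pkgacct on the source and /scripts/restorepkg on the destination, with the archive's SHA-256 compared on both ends before anything is restored. The archive name cpmove-USER.tar.gz, its location in /home and root-over-SSH access to the destination are assumptions about a typical setup.

```shell
#!/bin/sh
# migrate-account.sh (added example; not cPanel code or part of the post).
# Package one account on the source server, copy it with rsync, verify the
# checksum on the destination, and only then restore it there.
set -eu

# sha256_of FILE: hex SHA-256 of FILE with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# cpmove_name USER: archive name that /scripts/pkgacct writes (assumed layout).
cpmove_name() { printf 'cpmove-%s.tar.gz\n' "$1"; }

# verify_copy EXPECTED_SUM FILE: 0 only if FILE is non-empty and hashes to
# EXPECTED_SUM. A truncated copy is smaller, a corrupted one hashes differently;
# both must be caught before /scripts/restorepkg is allowed to run.
verify_copy() {
    [ -s "$2" ] || return 1
    if [ "$(sha256_of "$2")" = "$1" ]; then return 0; fi
    return 1
}

# migrate USER DEST_HOST: run as root on the source server.
migrate() {
    user="$1"; dest="$2"
    archive="/home/$(cpmove_name "$user")"
    /scripts/pkgacct "$user"                     # produces $archive (assumed)
    sum=$(sha256_of "$archive")
    # --partial keeps a half-copied file so a retry resumes instead of restarting.
    rsync -aP --partial -e ssh "$archive" "root@$dest:/home/"
    # Re-check on the far side before restoring; restorepkg looks in /home (assumed).
    remote_sum=$(ssh "root@$dest" "sha256sum '$archive' | cut -d' ' -f1")
    if [ "$remote_sum" != "$sum" ]; then
        echo "checksum mismatch on $dest, not restoring $user" >&2
        return 1
    fi
    ssh "root@$dest" "/scripts/restorepkg '$user'"
}

# Usage: sh migrate-account.sh run USER new-server.example
if [ "${1:-}" = "run" ]; then migrate "$2" "$3"; fi
```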

The other is the Transfer Tool. It migrates the selected accounts or websites from the source server to the destination server, so it is more suited to an intermediate user. You need root or a sudo user on the source server to migrate accounts. After you have initiated a transfer you do not need to sit and watch it: you can safely close your browser and the session stays active, and you can come back later to review the entire transfer. The rest is mostly self-explanatory, so I will not elaborate further.

These two migration tools have a high success rate, even when you are migrating a website from another control panel, which only the Transfer Tool supports. They have saved us plenty of time and effort.

Why WordPress? Do and Don’t

WordPress again? Someone wrote to our tech support department asking if we could install WordPress for him. If you are using Plesk Onyx or cPanel, they have a one-click installer for WordPress in the control panel, and Plesk Onyx has the WordPress Toolkit to manage your WordPress sites under one roof. But that is not the topic today. There are a great many WordPress websites. If you are an amateur, I recommend you read on to understand WordPress better. This is extremely important, and you will see why.

Many websites are hacked every day, and around 70% of them are WordPress websites. That is partly because WordPress is by far the most installed CMS, and partly because most owners install it and then leave it on auto-pilot. Things start to turn ugly if you do that.

a. If you have decided on a WordPress website, you need skills such as adjusting php.ini and restarting your web server to apply the changes if you have a VPS. For shared hosting users, you might need to do this through .htaccess or a custom php.ini, for example to fix a time-out error when uploading a file through WordPress. Contact your web host if necessary.

b. Load only the plugins you need; more is not better. Every plugin uses resources such as memory and processing power and can slow down your website, which is bad for your visitors, and every plugin is extra code that can carry its own vulnerabilities.

c. Compress your images. Do not use large images with very high DPI: they greatly slow down the loading time of the page and the website. Keep the resolution low enough to load quickly while still looking sharp on a computer screen.

d. Always protect your wp-admin login. You can use Sucuri Firewall Pro or Wordfence to block unauthorized login attempts to your wp-admin page. Remember that you are using an open-source CMS that anyone can download, so the admin login URL (/wp-login.php) is known to all. Brute-force login with an automated script is therefore trivial, and it is happening to practically every WordPress website.

e. Update WordPress and its plugins as soon as new releases are available. Vulnerabilities in old versions are disclosed publicly and exploited quickly, especially when you have no other protection. If you cannot spare the time to monitor and apply updates, I suggest you look for an alternative CMS. Frankly speaking, all open-source CMSs share this nature: their flaws are public knowledge, and hacking is always possible. Thus protection like Sucuri Firewall Pro is a must.

f. Back up your WordPress website as often as you make changes. A backup lets you restore the website if it is hacked or a plugin update breaks it. You never know when you will need one, but it can save you a lot of work.
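For item d above, an added example of a server-side layer that does not depend on a plugin (it is not Sucuri's or Wordfence's code and not from the original post): a POSIX shell script that writes an .htaccess fragment putting HTTP basic authentication in front of wp-login.php and xmlrpc.php, optionally limited to listed source addresses, and creates the htpasswd file with openssl. The Apache 2.4 syntax, the file locations and the sample addresses (from the 203.0.113.0/24 documentation range) are assumptions.

```shell
#!/bin/sh
# wp-login-guard.sh (added example; not from the post or any plugin).
# A brute-forcer now has to beat an HTTP auth prompt, enforced by Apache,
# before PHP even starts for wp-login.php.
set -eu

# make_htpasswd FILE USER PASSWORD: write one Apache MD5 ("apr1") entry.
# openssl does the hashing, so the httpd-tools package is not required.
make_htpasswd() {
    file="$1"; user="$2"; pass="$3"
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)
    umask 027
    printf '%s:%s\n' "$user" "$hash" > "$file"
}

# htpasswd_verify FILE USER PASSWORD: 0 if PASSWORD matches the stored hash.
# Re-hashes with the salt embedded in the stored value ($apr1$SALT$HASH).
htpasswd_verify() {
    file="$1"; user="$2"; pass="$3"
    stored=$(grep "^$user:" "$file" | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    if [ "$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)" = "$stored" ]; then
        return 0
    fi
    return 1
}

# make_login_htaccess FILE HTPASSWD [IP_OR_CIDR ...]: Apache 2.4 rules that
# require a valid user for the two brute-force targets; with addresses given,
# a request must come from one of them AND present valid credentials.
make_login_htaccess() {
    file="$1"; htpasswd="$2"; shift 2
    {
        printf '<FilesMatch "^(wp-login\\.php|xmlrpc\\.php)$">\n'
        printf '    AuthType Basic\n'
        printf '    AuthName "Admin area"\n'
        printf '    AuthUserFile %s\n' "$htpasswd"
        if [ $# -gt 0 ]; then
            printf '    <RequireAll>\n'
            printf '        Require valid-user\n'
            printf '        <RequireAny>\n'
            for ip in "$@"; do printf '            Require ip %s\n' "$ip"; done
            printf '        </RequireAny>\n'
            printf '    </RequireAll>\n'
        else
            printf '    Require valid-user\n'
        fi
        printf '</FilesMatch>\n'
    } > "$file"
}

# Usage (adjust paths; keep the htpasswd file outside the web root):
#   make_htpasswd /home/user/.wp-login.htpasswd admin 'long random passphrase'
#   make_login_htaccess /home/user/public_html/.htaccess \
#       /home/user/.wp-login.htpasswd 203.0.113.5 203.0.113.0/24
```

The second credential is deliberately separate from the WordPress password: a leaked WordPress password alone no longer gets an attacker to the login form, and the failed attempts are rejected by Apache without loading PHP or the database.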

Control panel providers have made it easy to install WordPress on your website. Yes, it is not difficult to install; the problems start when you have to maintain it. In my opinion it is easy to start but not at all straightforward to maintain, and choosing the right platform isn't easy either. I have seen that most WordPress sites are slow. A few plugins may help by implementing caching. Again, if you are working with limited resources, avoid heavy plugins like WooCommerce.

How to protect your email account

We use our email accounts to communicate with people: coworkers, friends and business associates. The emails you send represent you, and I'm sure you do not want to see them abused or your identity impersonated. The truth is that this happens every day. Somebody's email account sends spam, unwanted mail, or messages impersonating a financial institution and asking for banking details. These emails normally come from compromised accounts or from look-alike domain names meant to trick you.

It is not surprising that you have received such emails. So have I; it is common to see this type of email slip past even the best anti-spam gateways. There are a few rules you can follow to protect your email account.

  1. Brute-force attacks are common today. If you have the choice, use a unique username. Common usernames like sales, support, customercare and similar are targeted first. For example, if your name is John Tan, avoid using john as the username and use john.tan instead. This reduces the chance of an attacker guessing a valid account, though it is no substitute for a strong password.
  2. Always use strong passwords. A strong password has capital letters, small letters, numbers and symbols; I recommend at least 10 characters, and longer is better. Changing them every 3 months or sooner is still common policy, but length and uniqueness matter more, and a password should be changed immediately if you suspect it has been exposed. Enable two-factor authentication where your mail provider supports it.
  3. Keep your anti-virus definitions up to date and scan your computers and smart devices for malware periodically.
  4. Be careful with emails containing links and attachments, and never respond to unknown or suspicious emails. Clicking a link can lead to your computer being infected, and attackers send attachments carrying malware. Scan attachments, and do not open ones you were not expecting.
  5. Avoid logging in from public or shared devices to check email. This increases the risk of your credentials being stolen.
  6. Similarly to point 5, do not connect to an unknown or public network to check your email.

These rules apply equally to many other areas. If you adhere to them, the risk of your email account being compromised is greatly reduced.

Do you really need a NAS?

For the last few days I have been debating whether I really need a NAS. I have asked myself many questions, and so far I have not come to a conclusion. Basically, I have a few SATA hard drives lying around, and as a gadget guy I'm wondering what I can do with those drives. The idea of a NAS strikes. But the question is: do I really need one?

Here's my analysis. A NAS can be something off the shelf or you can build one. Its primary purpose is to upload, download and share files with many devices on your LAN. A NAS is fitted with at least two drives for redundancy, so if one drive fails your data is safe. With two 2 TB drives mirrored you end up with about 2 TB, or slightly less, of usable space. Here comes the question: what do you store on a NAS with 2 TB of space? Isn't it cheaper to buy an external USB hard drive?

Actually, a USB 3.0 external hard drive reads and writes faster than a NAS. An external hard drive is attached to your computer; to share, you need to physically transport the drive to someone, and if the drive is damaged in transit you can lose everything stored on it. With a NAS you do not need to transport anything to share data; it can be shared on the LAN or over the WAN. This answer may not apply to everyone: if your network router has a USB port for file sharing, you can still share data from an external hard drive.

The shortcoming of an external hard drive is capacity: 5 TB for a 2.5-inch drive or a maximum of 8 TB for 3.5-inch. If you need more than that you still need a NAS, and USB drives have no redundancy. So the current cut-off point is 8 TB.

Today a NAS is more than a NAS; it is like a mini server. Manufacturers package a lot of applications into their NAS software. If you have enough RAM, you can use the NAS as a web server, a database server, a mail server and so on. Manufacturers are smart: consumers can find many reasons to buy themselves a NAS. Again, for whatever you are doing there is probably another option, such as Google Drive to store and share files. A NAS, on the other hand, keeps working on the LAN when there is no internet.

I personally think it boils down to what exactly you need. If you do not need the large disk space, a NAS is not your choice, because the upfront cost works out to more per GB.

How to backup your WordPress website

There are a few ways to back up a WordPress website: easy, complicated, paid and free. But do not store the backup in the same place as the site unless you are using it only for a temporary rollback. Storing backups on the same server does not serve the purpose.

Who does that? It is a common mistake. The backups are stored on the same server. Ask yourself a straightforward question: if the server has stopped working, how do you retrieve the backups for restoration? Now you can see that what was done in the past isn't correct. With our VPS you can take daily snapshots on a rotating basis; they are stored in remote storage and can be used to restore the entire machine, even onto a newly built server. If you do not use our VPS, there are other methods to back up your WordPress website.

First, identify where you want to store your backups. If you have another server elsewhere and traffic is not a major issue for you, that server can be your backup repository. If you do not have one, there are other options. If you are a Sucuri Firewall Pro user, you can subscribe to their backup service: up to 100 GB from USD 5 a month, and it backs up the entire website, not solely WordPress. You can consider VaultPress in Jetpack if you are a premium user; it backs up your WordPress website regularly and informs you if a backup fails. You will also find many plugins offering similar backup solutions; use the plugin search in your WordPress dashboard.

If you have a control panel like Plesk or cPanel, there are a few ways to use your own repository. You can set up a backup repository on another server reachable over FTP and upload the compressed backup files there. If you have access to WHM, you can even set up an additional destination such as Amazon S3 or another S3-compatible object storage. Some hosting providers offer NAS storage: you subscribe to it, mount it as a drive, and back up to it.

Backup agents offered by your hosting provider are common practice, but they are optional, whether they do CDP (continuous data protection), block-level or file-level backups. Remember that WordPress is a database-driven CMS, so backing up the files in the web root is not enough; the most important part is the database, which is MySQL most of the time. Make sure you make a database dump regularly so the backup agent picks up the dump file. Restoring a database from copies of its raw data files is unreliable, especially for the InnoDB storage engine, because files copied while the server is running are not consistent with each other. Alternatively, some backup agents back up the database instance itself; give them an administrative account or a credential with sufficient rights to dump the databases.
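An added example (not the hosting provider's agent and not from the original post) of the routine described above: a POSIX shell script that reads the database credentials from wp-config.php, takes a consistent logical dump with mysqldump, packs it with the web root into one archive, keeps a fixed number of local copies and pushes the archive to another server with rsync. The paths, the remote destination and the retention count are assumptions; the dump command comes from an environment variable so the rest of the flow can be exercised without a database.

```shell
#!/bin/sh
# wp-backup.sh (added example; not from the post or any hosting agent).
# Logical DB dump + web root in one archive, rotated locally, copied off-box.
set -eu
umask 077                              # backups hold credentials and user data
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"    # overridable for testing without a DB

# wp_config_value WP_CONFIG KEY: value of define('KEY', '...') in wp-config.php.
# Assumes the value contains no quote characters (the WordPress default).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" \
        | head -n 1
}

# dump_database WP_CONFIG OUT: consistent dump of the site's database.
# Credentials travel in a temporary defaults file, never on the command line
# where `ps` would show them.
dump_database() {
    cfg="$1"; out="$2"
    tmpcnf=$(mktemp)
    printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
        "$(wp_config_value "$cfg" DB_USER)" \
        "$(wp_config_value "$cfg" DB_PASSWORD)" \
        "$(wp_config_value "$cfg" DB_HOST)" > "$tmpcnf"
    # --single-transaction: consistent InnoDB snapshot without locking tables.
    "$MYSQLDUMP" --defaults-extra-file="$tmpcnf" --single-transaction --routines --triggers \
        "$(wp_config_value "$cfg" DB_NAME)" > "$out"
    rm -f "$tmpcnf"
}

# backup_site WEBROOT DEST_DIR: write DEST_DIR/<site>-<UTC stamp>.tar.gz holding
# db.sql plus the whole web root; prints the archive path.
backup_site() {
    webroot="$1"; dest="$2"
    site=$(basename "$webroot")
    work=$(mktemp -d)
    mkdir -p "$dest"
    dump_database "$webroot/wp-config.php" "$work/db.sql"
    archive="$dest/$site-$(date -u +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$work" db.sql -C "$(dirname "$webroot")" "$site"
    rm -rf "$work"
    printf '%s\n' "$archive"
}

# prune_backups DEST_DIR KEEP: delete all but the KEEP newest archives.
prune_backups() {
    ls -1t "$1"/*.tar.gz 2>/dev/null | tail -n +$(($2 + 1)) | while IFS= read -r old; do
        rm -f -- "$old"
    done
}

# push_offsite ARCHIVE USER@HOST:/path/: copy to the backup repository. Use an
# SSH key on this host that can only write to that directory on the far side.
push_offsite() {
    rsync -a --partial -e ssh "$1" "$2"
}

# Usage: sh wp-backup.sh run /home/user/public_html /home/user/backups 7 backup@repo.example:/srv/wp/
if [ "${1:-}" = "run" ]; then
    a=$(backup_site "$2" "$3")
    prune_backups "$3" "$4"
    push_offsite "$a" "$5"
fi
```

Schedule it from cron nightly and, just as important, test a restore now and then: extract db.sql from the newest archive and load it into a scratch database to prove the dump is usable.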

Whichever backup method you use, it is always a good idea to have a copy of your website somewhere else. Things can go wrong, and if you have a recent backup your website's downtime is minimised.


If you are given root or administrator access

If you are given root or administrator access, you likely have dedicated hosting such as our VPS or dedicated server. This is an important credential: anyone who has it can access the server to update, delete or append without restriction.

It is important to restrict access to these accounts. But how? There are a few ways to protect these accounts from unauthorized use.

  • If you have a Linux server you can use TCP wrappers, which restrict access to a service by IP address; for SSH the service name is sshd. For this to work the IP address must belong to you permanently, and most home and office internet connections do not have a static IP. An alternative is to use a VPN with a dedicated IP. Note that newer distributions (RHEL 8 and later, for example) no longer ship TCP wrappers support, so check that your sshd still honours hosts.allow before relying on it; sshd_config's own AllowUsers user@address restriction works everywhere.
  • On a Linux server you can also use iptables. This is less friendly to an end user; I recommend the option above. The firewall method also works on Windows Server: add the permitted remote IP addresses to the scope of the Remote Desktop inbound rule in Windows Firewall.
  • For Windows or Linux servers you can also use third-party 2FA (two-factor authentication). An app on your smartphone generates a one-time code that is required, in addition to the password, to log in to your server.
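An added example (not from the original post; the addresses are from the 203.0.113.0/24 documentation range and the paths are assumptions) that scripts the first two bullets: it writes hosts.allow/hosts.deny for sshd, emits an iptables-restore fragment for the firewall route, and adds the check most people skip, refusing to proceed if the source address of the session you are working from is not on the list. Keep a second root session open while applying either.

```shell
#!/bin/sh
# ssh-allowlist.sh (added example; not part of the original post).
set -eu

# client_ip: source address of the SSH session we are in; empty on the console.
client_ip() {
    c="${SSH_CONNECTION:-}"
    printf '%s\n' "${c%% *}"
}

# would_lock_out IP...: 0 (true) if our own session's source address is not in
# the list we are about to allow. Call before touching hosts.allow or the firewall.
would_lock_out() {
    me=$(client_ip)
    [ -n "$me" ] || return 1          # not over SSH, nothing to lose
    for ip in "$@"; do
        if [ "$ip" = "$me" ]; then return 1; fi
    done
    return 0
}

# write_tcp_wrappers DIR IP...: hosts.allow/hosts.deny for sshd (DIR=/etc for real).
# tcpd checks hosts.allow first, then hosts.deny, and permits if neither matches,
# so "sshd: ALL" in hosts.deny is what turns the allowlist into a real restriction.
write_tcp_wrappers() {
    dir="$1"; shift
    list=$(printf '%s, ' "$@"); list=${list%, }
    printf 'sshd: %s\n' "$list" > "$dir/hosts.allow"
    printf 'sshd: ALL\n' > "$dir/hosts.deny"
}

# wrappers_permit DIR DAEMON IP: reproduce tcpd's decision for an exact address
# (no wildcards or netmasks): first match in hosts.allow wins, then hosts.deny.
wrappers_permit() {
    dir="$1"; daemon="$2"; ip="$3"
    for f in hosts.allow hosts.deny; do
        [ -f "$dir/$f" ] || continue
        if sed -e 's/#.*//' -e 's/:/ /' -e 's/,/ /g' "$dir/$f" \
            | awk -v d="$daemon" -v ip="$ip" '
                $1 == d { for (i = 2; i <= NF; i++) if ($i == ip || $i == "ALL") found = 1 }
                END { exit found ? 0 : 1 }'; then
            if [ "$f" = hosts.allow ]; then return 0; else return 1; fi
        fi
    done
    return 0
}

# ssh_firewall_rules IP...: iptables-restore fragment; SSH is accepted only from
# the listed addresses, everything else to port 22 is dropped. Apply with:
#   ssh_firewall_rules 203.0.113.5 | iptables-restore --noflush
ssh_firewall_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':SSH-ALLOW - [0:0]'
    printf '%s\n' '-A INPUT -p tcp --dport 22 -j SSH-ALLOW'
    printf '%s\n' '-A SSH-ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do printf '%s\n' "-A SSH-ALLOW -s $ip -j ACCEPT"; done
    printf '%s\n' '-A SSH-ALLOW -j DROP'
    printf '%s\n' 'COMMIT'
}

# Usage: sh ssh-allowlist.sh apply 203.0.113.5 203.0.113.6
if [ "${1:-}" = "apply" ]; then
    shift
    if would_lock_out "$@"; then
        echo "refusing: $(client_ip) is not in the allowlist" >&2
        exit 1
    fi
    write_tcp_wrappers /etc "$@"
    ssh_firewall_rules "$@" | iptables-restore --noflush
fi
```

The firewall rules drop unlisted sources before sshd ever sees the connection, which also stops the log noise from scanners; the wrappers files are the belt to that pair of braces on systems that still support them.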

If you use a control panel like Plesk Onyx or WHM/cPanel, we recommend protecting it too. In Plesk, under Tools & Settings, you can restrict administrative access by IP address. For WHM/cPanel, use Host Access Control to restrict access; Host Access Control in WHM is a GUI for TCP wrappers.

I want to say that the extra layer of protection will bring you some inconvenience. Think of it this way: the added security makes intrusion difficult, which is especially valuable against today's cybercrime.