StarDomain

Security Best Practices for DirectAdmin Hosting

Keeping your hosting account secure protects your website, data, and visitors. This guide covers essential security measures you should implement on your DirectAdmin hosting account.

1. Use Strong Passwords

  • Use at least 12 characters; a long passphrase of several unrelated words is easier to remember than a short jumble of symbols and just as hard to guess
  • Never reuse passwords across different accounts: your DirectAdmin login, FTP, email, and database users should all have different passwords
  • Use a password manager to generate and store passwords
  • Change a DirectAdmin, email, or database password immediately if you suspect it has been exposed (a compromised device, a leaked backup, a former contractor who knew it); scheduled rotation adds little if the password is already strong and unique

2. Enable Two-Factor Authentication (2FA)

  1. Log in to your {{COMPANY_NAME}} Client Portal
  2. Go to Account Settings > Security
  3. Enable Two-Factor Authentication
  4. Scan the QR code with an authenticator app (Google Authenticator, Authy)
  5. Enter the verification code to confirm

DirectAdmin itself also supports two-step authentication for the panel login; if your panel login is separate from the portal, enable it there as well.

3. Keep Software Updated

WordPress and CMS

  • Update WordPress core, themes, and plugins regularly
  • Remove unused themes and plugins
  • Enable auto-updates for minor releases

Custom Applications

  • Keep your PHP version current (pick a supported version in DirectAdmin rather than staying on one that no longer receives security fixes) and update your Node.js or Python frameworks
  • Monitor security advisories for your dependencies
  • Run npm audit, composer audit, pip-audit, or the equivalent for your stack to catch packages with known vulnerabilities

4. Secure File Permissions

Set correct permissions on your files. Run the find commands from your site's document root (for example public_html); the semicolon must be escaped so the shell passes it to find instead of treating it as a command separator:

  Type            Permission   Command
  Directories     755          find . -type d -exec chmod 755 {} \;
  Files           644          find . -type f -exec chmod 644 {} \;
  wp-config.php   600          chmod 600 wp-config.php
  .htaccess       644          chmod 644 .htaccess

600 on wp-config.php works because PHP on DirectAdmin normally runs as your own account user. If your site's PHP runs as the web-server user instead, use 640 and make sure that user is in your group, otherwise the site cannot read its own configuration.

Warning: Never set permissions to 777. That lets every other user on the server, and any compromised web process, read, modify, and execute your files.
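The following script is an added example, not code from the original article or from DirectAdmin. It audits a web root for world-writable entries and resets permissions to the values in the table above. It assumes PHP runs as your own account user (the usual DirectAdmin php-fpm / suPHP setup), so 600 on credential files is enough; the sample site it builds is constructed for trying the functions without touching a real account.

```shell
#!/bin/sh
# Added example, not part of the original article: audit and repair the
# permissions under a web root. Assumes PHP runs as your own account user
# (DirectAdmin's php-fpm / suPHP default), so 600 on secrets is enough;
# if PHP ran as the web-server user you would need 640 plus a shared group.

# List every file or directory under $1 that is writable by "other".
find_world_writable() {
    find "$1" -perm -002 -print
}

# Count those entries (a number is easier to check from a script).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Reset permissions under $1: 755 directories, 644 files, then 600 for
# files that hold credentials (extend the list with your own names).
fix_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    for secret in wp-config.php .env; do
        if [ -f "$root/$secret" ]; then
            chmod 600 "$root/$secret"
        fi
    done
}

# Build a small constructed tree with deliberately bad permissions so the
# functions can be tried offline, away from a real site.
make_sample_site() {
    mkdir -p "$1/wp-content/uploads"
    printf '<?php define("DB_PASSWORD", "x");\n' > "$1/wp-config.php"
    printf '<?php echo "hi";\n' > "$1/index.php"
    chmod 777 "$1/wp-content" "$1/wp-content/uploads" \
              "$1/index.php" "$1/wp-config.php"
}

# Usage: try it on the scratch copy first, then on your real public_html.
#   site=$(mktemp -d) && make_sample_site "$site"
#   count_world_writable "$site"   # 4
#   fix_permissions "$site"
#   count_world_writable "$site"   # 0
```

Run count_world_writable against your document root before and after; anything still listed afterwards was created after the fix (an upload handler or plugin that sets 777 on its own) and is worth investigating.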

5. SSL Certificate

Always use HTTPS for your website:

  1. Install an SSL certificate (a free Let's Encrypt certificate can be issued from DirectAdmin's SSL Certificates page)
  2. Force an HTTPS redirect via .htaccess:

```apache
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

Browsers cache a 301 permanently, so test with R=302 first and switch to 301 once every page loads correctly over HTTPS. If the site sits behind a CDN or reverse proxy that terminates TLS, %{HTTPS} may stay "off" at the origin and the rule will loop; in that case the condition has to check the X-Forwarded-Proto header the proxy sends instead.

6. Protect Sensitive Files

Block web access to sensitive files via .htaccess. The directives below use Apache 2.4 syntax; the older "Order Allow,Deny" / "Deny from all" pair is Apache 2.2 syntax and only works on 2.4 when mod_access_compat is loaded:

```apache
# Block web access to configuration files and dependency manifests.
# The ^ and $ anchors match the whole file name, not just a suffix,
# and .env(\..*)? also covers variants such as .env.local
<FilesMatch "^(wp-config\.php|\.htaccess|\.env(\..*)?|composer\.json|package\.json)$">
  Require all denied
</FilesMatch>
```

These rules only take effect where .htaccess is honoured (Apache or LiteSpeed). If your account is served by nginx alone they are silently ignored, so ask support for the equivalent server-side block. Verify the result by requesting one of the files in a browser: you should get a 403, not the file's contents.

7. Prevent Directory Listing

Add this to your .htaccess:

```apache
Options -Indexes
```

8. Regular Backups

  • Use JetBackup to create regular backups
  • Store backup copies off-server (download to your local machine or push them to separate storage); a backup that exists only on the server is lost along with it
  • Test your backups periodically by restoring to a test environment; an untested backup is a hope, not a plan

9. Monitor Access Logs

Regularly review your access and error logs:

  1. Go to Site Summary / Statistics in DirectAdmin
  2. Check for suspicious patterns:
     - Repeated failed login attempts (bursts of POST requests to a login page or to xmlrpc.php from one IP)
     - Unusual file access patterns, such as requests for files that should never be served (.env, backup archives, .git)
     - Requests to non-existent admin pages (phpmyadmin, wp-admin on a site that is not WordPress), which almost always come from an automated scanner
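The script below is an added example, not part of the original article, and not a DirectAdmin tool. It pulls the three indicators just listed out of an Apache "combined" format access log using only awk, so it can run over a downloaded log on your own machine. The log path is whatever you pass in, and the sample lines it writes are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not part of the original article: find brute-force and
# probing indicators in an Apache "combined" format access log.
# In that format field 1 is the client IP, field 6 the quoted method,
# field 7 the request path and field 9 the status code.

# IPs that POSTed to wp-login.php or xmlrpc.php more than $2 times,
# printed as "<count> <ip>", busiest first.
login_post_offenders() {
    awk -v limit="$2" '
        $6 == "\"POST" && ($7 ~ /wp-login\.php/ || $7 ~ /xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# 404s for paths that only a scanner asks for (admin panels, dotfiles),
# printed as "<ip> <path>" in log order.
admin_probe_404s() {
    awk '$9 == 404 && $7 ~ /(admin|phpmyadmin|\.env|\.git)/ { print $1, $7 }' "$1"
}

# Write a few constructed log lines to $1 so the functions can be tried
# offline. The IPs are documentation ranges, not real clients.
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2024:13:55:38 +0000] "POST /xmlrpc.php HTTP/1.1" 200 210 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2024:14:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2024:14:01:03 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-requests/2.31"
192.0.2.9 - - [10/Oct/2024:14:05:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2024:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Usage:
#   log=$(mktemp) && write_sample_log "$log"
#   login_post_offenders "$log" 2   # 3 203.0.113.5
#   admin_probe_404s "$log"         # two lines from 198.51.100.7
```

A single successful-looking login (the 302 from 192.0.2.9) is normal traffic; what matters is volume from one address in a short window, which is why the first function takes a threshold. Feed the offending IPs to whatever blocking your security plugin or support team provides.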

10. Protect Against Common Attacks

Brute Force Protection

  • Limit login attempts with a security plugin
  • Change default admin URLs if possible
  • Use strong, unique usernames (never "admin")

SQL Injection

  • Use parameterized (prepared) queries in your application code; never build SQL by concatenating user input into the query string
  • Never trust user input
  • Keep your CMS and plugins updated

Cross-Site Scripting (XSS)

  • Escape output for the context it lands in (HTML body, attribute, JavaScript, URL) rather than relying on input filtering alone; input validation helps, but encoding at output time is what actually stops XSS
  • Use Content Security Policy headers
  • Keep software updated

Security Checklist

  • Strong passwords on all accounts
  • 2FA enabled on client portal
  • SSL certificate installed and HTTPS enforced
  • Software and plugins up to date
  • Correct file permissions set
  • Directory listing disabled
  • Sensitive files protected
  • Regular backups configured
  • Unused themes and plugins removed
  • Access logs monitored

Need help? Contact our support team at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.