Securing and maintaining cPanel accounts
cPanel is a public-facing, shared web hosting service. Like any site on the public internet, cPanel sites are therefore routinely subject to attacks from malicious hackers.
As a cPanel account owner, you are responsible for ensuring that your site is well-maintained and secure. The nature of this responsibility will vary depending on the nature of your site. Guidance for some common scenarios is given below. If you are unsure, please contact us for advice.
- My site contains only static web pages and files
- My site uses software that I wrote myself
- My site uses software written by someone else, which I installed
- Someone else (e.g. an agency) set up my site
- I've been given responsibility for a site, but I don't understand any of this!
My site contains only static web pages and files
A site with only 'static' web pages (files with .html or .htm extensions) and file resources - such as images, PDFs or Office documents - is unlikely to present any security risk and does not need any specific maintenance.
My site uses software that I wrote myself
When writing your own software, you need to be aware that any bugs in your code could potentially lead to the exploitation and compromise of not only your site and its data, but also other accounts and their data - and possibly other University systems.
If you are processing or storing personal data, consider whether cPanel is a suitable platform. If you are not confident in your ability to write secure PHP code, there are many resources available online. A few examples are:
- PHP Manual - security section
- Seven habits for writing secure PHP applications (IBM)
- PHP The Right Way (particularly the sections on coding practices and security)
- The Open Web Application Security Project
My site uses software written by someone else, which I installed
Many popular web applications can be installed on cPanel, such as WordPress or MediaWiki. Web application software - just like software on your desktop PC - needs to be regularly updated.
When installing a web application, you must:
- follow the software's documentation to ensure a secure installation. For example, be careful about things such as default passwords or settings controlling who can post content or comments.
- commit to updating the software promptly as new versions are released, especially security patches
You should not install software on cPanel for someone else who does not have the skills to maintain it - unless you intend to also do the maintenance yourself.
Someone else (e.g. an agency) set up my site
If you're responsible for a site that someone else created for you (e.g. a site commissioned from an external agency), then you are still responsible for ensuring that it is well-maintained. For example, you may:
- have a maintenance contract with your supplier to cover regular software updates
- have received training from the supplier so that you or someone in your Department is able to update the software
Do not assume that procuring a web site can be a one-off cost: anything other than a very basic static site will need some level of maintenance during its lifetime.
I've been given responsibility for a site, but I don't understand any of this!
Unfortunately, it's common for people to be given responsibility for a web site even though they do not have the necessary technical skills to look after it.
If you're in this position, please contact us for advice and we can help you evaluate what kind of site you have.
If your site does have software that needs maintaining, and you or someone else in your Department is not able to do this, we are likely to recommend alternative options for your content. For example, services such as the Content Management System and the Google Apps suite (Sites, Docs, Blogger, Groups) don't require such technical skills and there is more training and support available.