The hosting environment is very easy to fill up with plugins, themes, test scripts and unused files. This can not only slow down the performance of the site, but also make it vulnerable to infection. In this article, we'll show you how to clean up your server environment to create order, optimize performance, and secure your website.
1. Back up
A backup copy of the site serves as a safety net in case of an unforeseen situation. It is a critical site security measure and makes it easy to revert your environment to the last good configuration in the event of a problem.
The backup must meet several requirements:
Stored securely off site and in multiple locations;
Created automatically;
Thoroughly tested to ensure you're safe.
You must ensure that you have a reliable backup of all files, folders, and database before making any major changes.
2. Remove unused files
When you add a lot of files, components, and other data to the environment, it can increase the size of your site, and therefore increase load and response times. Moreover, it can complicate site management.
Therefore, periodic cleaning is necessary. This will not require much effort and will significantly increase the performance of the site.
The more files, test scripts, or plugins you have, the larger the attack surface for attackers. You need to get rid of everything that is not used and takes up unnecessary space on your server.
Remove unused files, themes and plugins
To figure out exactly what to delete, you first need to understand what files are required for your site.
If you're using WordPress, changes to the Core Files can be found by running a core file integrity check - these core files make up the core functionality of the platform and consist of PHP and related source files.
If you haven't made changes to the core files, the contents of the "/wp-admin/" and "/wp-includes/" pages should be identical to the original software from WordPress.org or from the official "https://core" repository . svn.wordpress.org/".
To find out how important a particular file is, add "test. ' to the filename to see the level of influence it has on your website (eg ' test.wp-config.php'). This step can be easily done through the cPanel file manager or via FTP (File Transfer Protocol).
As a result, you should remove everything that you do not use from your server environment, including:
Files and folders marked "dev", "backup", "old" and "temp";
Deactivated themes or plugins;
Incorrectly or accidentally named folders;
Unfamiliar files of size 0 bytes *;
Old error logs;
Old cached files.
*Some 0-byte files may be placed in certain directories for security purposes. For example, empty "index.html" files are protected from directory listing. Since the "index.html" file is the first file called by the server, this will prevent the files for those folders from being listed.
3. Update software
Any software needs to be kept up to date with the latest patches and security updates. This will keep the site running smoothly and fix vulnerabilities that are one of the main causes of website hacks. Make sure all themes, plugins and components on your site are up to date, starting with the CMS itself.
If you are using an outdated version of PHP, this gives more opportunities for cybercriminals. Since PHP is the backbone of most hosts, it should also be updated.
4. Clean up your website database
Database cleanup is important because tables become less efficient as data is added. For example, when you save a new page in WordPress, a revision is created that grows the database tables, adding a significant amount of rarely used data.
In most cases, database cleanup can be done using the CMS. Here is a list of what to remove first:
unused media files;
old draft messages and revisions;
unapproved comments;
outdated data.
Remove spam comments
Spam not only poses a security risk (for example, when a bot uses spam messages to add malicious links to your site), but it can also clutter your site and slow down its performance. Some of the more common types of spam comments advertise:
Microloan;
Services for writing student papers;
Dating websites;
Online casino;
Pirated software;
Materials for adults.
If your site is infected with spam comments, you can run a SQL command to remove posts from your database that contain keywords that are not related to your website. First you need to create a backup copy of the database.
For example, if your site is filled with dating spam, you can use the following SQL command to remove all messages that contain the keyword "dating" in their title :
DELETE FR OM `wp_posts` WH ERE `post_title` LIKE '%dating%';
Be sure to exercise caution when executing SQL commands and always take a backup before making any changes. You need to make sure legitimate comments don't have spam words in their titles so you don't delete them by mistake.
Remove old users
Audit users of your site and block access for those who no longer need it. This includes accounts of former developers, editors, or accounts of untrusted users.
Always follow the principle of least privilege . It is based on the fact that each user should have access only to the resources necessary to perform the required duties. For example, a sales manager should not have access to financial reports, and a labeling employee account should not have administrative privileges. It also reduces the attack surface by making it harder for attackers to perform unauthorized actions.
With this concept in mind, follow the best practices for managing access:
Create new user accounts with the lowest level of permissions;
Grant temporary permissions and revoke access when they are no longer needed;
Delete accounts that are no longer in use;
Make sure the default user account is configured with minimal permissions.
5. Scan your site for malware and backdoors
Remote website scanners can help you detect malware, vulnerabilities, injections, and other malicious code. However, they cannot scan at the server level, so results are not always guaranteed.
It is best to use a site scanner and a monitoring system together, which will help you scan and check all files on the server for signs of malware. These services will help detect backdoors, SEO spam, phishing pages, DDoS scripts, and hack kits.
6. Use a firewall with CDN (Content Delivery Network)
If you want to prevent malicious traffic from reaching your site, use a firewall. It filters malicious traffic in real time to protect your site from malicious code and cyberattacks.
7. Prevent cross-contamination
Even if the site owner takes all the necessary security measures, the site can still be infected. Most often, this occurs because an attacker uses site vulnerabilities to move sideways in a compromised environment. This is observed in cross-site infection (cross-site infection, Cross-Site Contamination), when a hacked site infects others using the same server environment.
Poor isolation and weak account settings are the main causes of cross-infection. Therefore, it is important to exercise caution when hosting multiple sites on a single server. To avoid cross-site infection, isolate each site on a separate virtual machine or hosting environment or firewall for each individual website.