Security Settings
Security Best Practices
Password Protection
- Use strong passwords (12+ characters)
- Include uppercase, lowercase, numbers, and symbols
- Enable two-factor authentication (2FA) when available
- Update passwords regularly (every 90 days)
- Use different passwords for different services
- Use a password manager for secure storage
Directory Protection
Protect sensitive directories with a password:
- Navigate to Websites & Domains
- Click "Password-Protected Directories"
- Select directory to protect
- Set protection title
- Add authorized users with passwords
Web Application Firewall (WAF)
ModSecurity rules protect against:
- SQL Injection attacks
- Cross-Site Scripting (XSS)
- Remote File Inclusion
- Session hijacking
- Buffer overflow attacks
- Malicious bot traffic
Hotlink Protection
Prevent bandwidth theft by blocking direct linking to your files:
<system.webServer>
  <rewrite>
    <rules>
      <rule name="Prevent hotlinking">
        <!-- Apply only to image requests -->
        <match url=".*\.(jpg|jpeg|png|gif|bmp)$" />
        <conditions>
          <!-- Referer is present and is not this site (replace yourdomain.com with your domain) -->
          <add input="{HTTP_REFERER}" pattern="^$" negate="true" />
          <add input="{HTTP_REFERER}" pattern="^https?://(www\.)?yourdomain\.com/.*$" negate="true" />
        </conditions>
        <!-- Serve a placeholder image instead of the requested file -->
        <action type="Rewrite" url="/images/hotlink-protected.png" />
      </rule>
    </rules>
  </rewrite>
</system.webServer>
File Upload Security
- Restrict file types allowed for upload
- Scan uploaded files for malware
- Store uploads outside web root when possible
- Validate file extensions and MIME types
- Limit upload file size
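The checks in the list above, as an added Python example (not part of the original page and not tied to any particular control panel or framework). The function names, the allowlist and the 2 MiB cap are assumptions chosen for illustration, and malware scanning is left to an external scanner.

```python
import os
import secrets

MAX_UPLOAD_BYTES = 2 * 1024 * 1024  # assumed 2 MiB cap; tune per application

# Allowed extension -> (expected MIME type, leading magic bytes of that format)
ALLOWED_TYPES = {
    ".png": ("image/png", b"\x89PNG\r\n\x1a\n"),
    ".jpg": ("image/jpeg", b"\xff\xd8\xff"),
    ".jpeg": ("image/jpeg", b"\xff\xd8\xff"),
    ".gif": ("image/gif", b"GIF8"),
    ".pdf": ("application/pdf", b"%PDF-"),
}


class UploadRejected(ValueError):
    """Raised when an upload fails one of the checks."""


def validate_upload(filename, declared_mime, data):
    """Return the allowed extension if every check passes, else raise."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Only the final extension counts, so "image.png.php" is judged as .php
    # and rejected; trailing dots or spaces also fail the allowlist lookup.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension not allowed")
    expected_mime, magic = ALLOWED_TYPES[ext]
    # The client-supplied Content-Type is untrusted: it must agree with the
    # extension, and the content must start with that format's signature.
    if declared_mime != expected_mime:
        raise UploadRejected("declared MIME type does not match extension")
    if not data.startswith(magic):
        raise UploadRejected("content does not match extension")
    return ext


def store_upload(upload_dir, filename, declared_mime, data):
    """Validate, then write to upload_dir (ideally outside the web root)."""
    ext = validate_upload(filename, declared_mime, data)
    # A random name means the client-supplied name never reaches the filesystem.
    path = os.path.join(upload_dir, secrets.token_hex(16) + ext)
    with open(path, "xb") as fh:  # "x": fail rather than overwrite
        fh.write(data)
    return path
```

A signature check only confirms how the file starts, so it complements the malware scan rather than replacing it.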
IP Access Restrictions
- Go to Websites & Domains
- Click "IP Access Restriction"
- Add rules to allow or deny specific IPs
- Configure for entire site or specific directories
Security Headers
Add security headers to web.config:
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
      <add name="X-Content-Type-Options" value="nosniff" />
      <add name="X-XSS-Protection" value="1; mode=block" />
      <add name="Strict-Transport-Security" value="max-age=31536000" />
    </customHeaders>
  </httpProtocol>
</system.webServer>