Prevent website hacks

If you read tech news articles, you’ll note that website hacking has become commonplace, such that only large hacks and data breaches are newsworthy.

The latest hack occurred last week.  As reported on, a provider of free web hosting was hacked, resulting in 13 million plain-text passwords being posted online. Lithuanian-based 000WebHost acknowledged a hacker obtained access to their customer database because it was hosted using an outdated version of PHP, a popular website scripting language.

If you’ve ever gotten updates from Canvas Host about security updates throughout our network, this is why we do it. Keeping hosting infrastructures patched against these types of threats is a constant challenge but necessary to maintain security of all our systems. Our primary goal is to keep you, your information, and your website online and safe.

While our primary mission is to provide consistent, stable service for your website, on occasion, our security patches and updates to software and services can “break” websites running old code. This is expected, and can be a good thing, as it can highlight websites that may contain unsafe code or plugins vulnerable to attack.

What can you do to prevent website hacks?

1. Keep your website and code updated. If you use a popular content management system (CMS) such as WordPress, updates are as simple as a few clicks. Most contemporary CMS systems will notify you if updates are available, not only for the CMS itself, but any extensions or plugins.

WordPress is a perfect example: With continuous updates, and more than 100,000 plugins available for use, the platform has been designed to pro-actively notify you if an update is called for. Whenever you log in, you will see updates highlighted in red in the lefthand navigation bar, with announcements along the top of your browser window:


If you happen to use Canvas Host’s managed WordPress service (WP Hosting), our systems will automatically update your core installation of WordPress for you.

2. Avoid using stock usernames. Usernames, such as “admin”, “administrator”, or your personal name (“Bob”, “james”, etc.) are all commonly exploited by random “dictionary” hacks. These are automated attacks that try sets of random, common words as usernames. Sadly, dictionary attacks are frequently successful.

Additionally, you may notice that on standard WordPress installations, the website’s main administrator username may be publicly displayed on articles or comments! One very helpful WordPress plugin is “Show/Hide Author”, which will prevent the username from being publicly displayed.

3. Avoid simple or single-word passwords. As with 2), passwords such as “hamburger” or “oregon” are commonly used with dictionary hacks. Using letters, numers, and characters, while a challenge to remember, can make passwords difficult to hack.

4. Of the passwords you create, remember to change them often. Many third-party services, such as online banking, merchant services, or other accounts will automatically prompt you to choose a new password after a set amount of time. For your own hosted content management system, you may need to set a reminder to update your passwords.

5. Avoid when working on your website using public wi-fi. This is by far one of the simplest ways hackers can obtain your information. Many public wi-fi hotspots are wide open, no login required, no security, nothing. Hackers can simply sit in the corner of the coffee shop and eavesdrop in on the information being sent from your browser to your online accounts. If you absolutely must work in a public wi-fi area, ensure that any systems you connect through are encrypted with SSL (look for “https://” at the start of the website address you are accessing). If this is not available, wait until you are connected via a secure, known wi-fi network that you trust.

What Canvas Host Does To Protect You

Beyond these tips, I want to offer assurance that Canvas Host uses a range of security protocols, firewall rules, and other methods — which I won’t go into further detail about as that could expose our own security protocols — to secure our network and services from attacks. If you are ever contacted by our Support team because your website is showing strange behavior, sending out spam without your knowledge, or something suspicious has turned up from a security scan, it’s to let you know there is a problem and it needs addressing.

If you ever have questions or concerns, contact our Support team at 800.574.4299 x2, or by logging into Support at


13 million plaintext passwords stolen from free webhost go public

David Anderson

This blog is published by David Anderson, Principal and owner of Canvas Host.