Securing Your Website Hosting: The Logins You Need to Know
At some point in your company’s website management, you’ll probably find that you need to edit your website’s hosting access passwords. Whether this is for security when you change developers, you got hacked, or for other reasons, there are quite a few access points into your website that you should know about.
The Basic Logins
The first two passwords that will spring to most people’s minds are your hosting password and your domain name registrar password.
Domain Registrar Login
The domain registrar is the company that actually registers your domain. This is like your car registration, but instead of having to go through one company (DMV), there are lots of options. If you’re unsure who your domain registrar is, you can look up the information, if it’s public, on Whois.
You pay your domain registrar a yearly fee, usually between $10 – $15. Some common registrars include Network Solutions, Godaddy, Namecheap, HostGator, and Bluehost. In return, you get a unique domain name or URL (ie. WhiteFoxCreative.com), and a login so you can tell them where your domain goes or, in technology vernacular, where your domain “points”.
Hosting Login
The company that hosts your website is where your domain “points”. The hosting company literally “hosts” your website. In other words, the files that contain the coding of your website live on their computers or servers.
Your website is your house, and hosting is the plot of land your house is built on.
This login might be the same as your domain registrar. Many people buy domains and hosting through companies like Godaddy, HostGator, or Bluehost. You can pay anywhere from $3 a month to thousands of dollars a month for hosting, but an average cost for most small to medium sized businesses falls between $10 and $200 a month.
The Hidden Logins
We’ve dealt with the two most obvious logins, but there are quite a few additional logins associated with your website.
Email Logins
While you might think this is separate from your website, emails can, at times, be used to reset other passwords. At the very least, they can often be used to reset a website login.
Website Login
If you are using a website that has a backend interface, like WordPress or Drupal or similar CMS, these are the first passwords you’ll want to change. WordPress also has additional “hashes” that allow it to store passwords as encrypted strings. If you’ve been hacked, these should also be reset.
The Cpanel Login
If your hosting includes a cpanel (many do), these have an additional login. The cpanel is a software installed on your hosting account that allows you to edit things like emails or FTP logins (see below). It’s like a master user interface for your website. You were most likely sent an email with your login when you signed up, but if you don’t have that email anymore, you can get to your cpanel by logging into your hosting account.
The FTP/SFTP Login
FTP or SFTP are ways for a separate computer to connect to the computer your website’s files are on and make edits to the files including uploading, downloading, deleting, editing, and adding. Any web developer will most likely have a FTP/SFTP password.
Your cpanel username and password usually doubles as the first FTP login on your account. By changing your cpanel login information, you change at least the main FTP user’s information. You can view any other FTP/SFTP users under the cpanel.
SSH Access
While not common on smaller sites, SSH access allows someone with these credentials to log into your site and adjust almost anything. This is more advanced access than FTP/SFTP, and may not be allowed or turned on within your hosting account. If this can be used with your hosting account, it will say so in the Hosting or Cpanel.
Is keeping track of your logins getting difficult? Try 1Password, an Apple password manager app.
Database Password
Your website most likely has a database associated with it. Within WordPress, the database login information is stored in wp-config.php in the root of the website. For other CMSs or websites, they’ll be stored in other places.
You can edit the database passwords or users by going to your cpanel. After changing the database users and passwords within your cpanel, make sure you also change them in the file on your website so your website can still connect to your database.
The Outside Passwords
Cloudflare/CDN Login
Do you have a CDN for your website? If you have something like Cloudflare, this directly controls where your domain name “points”. In other words, someone with this login could take your domain name and point it to a different website.
The Google Logins
You might have multiple logins sections for Google including Analytics, Business, or Gsuite. If you have these, the users with access are listed underneath each service. You also have a master password to log into these.
Additional Access Grants
This can include logins like delegate access (if your hosting is through Godaddy) – access granted to another Godaddy customer and controlled within your Godaddy account. Ideally, you’ll want to keep track of these as you go, but if you didn’t, calling your hosting company can help you sort out any additional access that you want to revoke.
Summary
Any website will have multiple ways of accessing the content, some of which you might not even know exist! Making sure you know what logins can provide what access is vital for the security of your website.
Start keeping track before you need them to save yourself time and energy in the future!
Login Checklist
- Domain
- Hosting
- Website CMS (ie. WordPress)
- Cpanel
- FTP/SFTP
- SSH
- Database
- Cloudflare/CDN
- Hosting Delegate Access
