Best practices for server and app security

When considering security for your servers and apps, it is useful to remember the three core aspects of information security known as the “CIA triad”, named after the first letter of each word.

  • Confidentiality: Sensitive information is not disclosed.
  • Integrity: Code and data do not get corrupted or improperly changed.
  • Availability: Servers and apps are online and working.

Security is not just about preventing compromises. It is also important to have backups for disaster recovery (Integrity and Availability) and to avoid downtime (Availability).

Backups and disaster recovery

Ensure you have backups of all code and data so you will be able to recover your data and get your apps online again if a major problem does happen.

Enable scheduled snapshots

Enable scheduled backups at your server provider. If your cloud provider does not offer scheduled snapshots, you may want to choose a different cloud provider.

Create a snapshot before running commands as root

Before performing server customizations, upgrading Ubuntu, or modifying files while logged into a server as root, create a snapshot of your server at your cloud provider.

Test out restoring from a snapshot

If you have never restored a server from a snapshot at your cloud provider, try it out with a test server so you are familiar with how it works in case you ever need it.

Use version control

For any source code you write for your app, use git for version control and push your changes to a repository on GitHub or a similar service.

Server security

Use a current Ubuntu release

Understand the Ubuntu release cycle and upgrade Ubuntu before a server’s Ubuntu release reaches its end of life.

Limit use of third-party package repositories

Avoid customizing your server to add third-party APT repositories except when necessary. Installing packages that are inappropriate for your server can break it. If a third-party repository is broken or offline, your server cannot install automated security updates.
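Listing which configured APT repositories are not Ubuntu's own is a quick way to check this on an existing server. The following script is an added example, not code from the original page; it assumes that hosts under ubuntu.com count as first-party and reports everything else (PPAs and cloud-provider mirrors included) for review, and it runs here on constructed sample source files in a temporary directory rather than on a live server.

```shell
#!/bin/sh
# Audit APT source definitions for repositories that are not Ubuntu's own.
# Assumption: hosts under ubuntu.com are first-party; everything else, including
# cloud-provider mirrors and PPAs, is reported for review.

list_third_party_repos() {
    apt_dir="${1:-/etc/apt}"
    {
        # One-line format: "deb [options] URL suite components".
        # The options block may contain spaces, so take the first URL-shaped field.
        cat "$apt_dir/sources.list" "$apt_dir"/sources.list.d/*.list 2>/dev/null |
            sed 's/#.*//' |
            awk '$1 == "deb" || $1 == "deb-src" {
                     for (i = 2; i <= NF; i++) if ($i ~ /^[a-z+]+:\/\//) { print $i; break }
                 }'
        # deb822 format (the default on Ubuntu 24.04): "URIs: URL [URL ...]".
        cat "$apt_dir"/sources.list.d/*.sources 2>/dev/null |
            sed 's/#.*//' |
            awk 'tolower($1) == "uris:" { for (i = 2; i <= NF; i++) print $i }'
    } | grep -Ev '^[a-z+]+://([a-z0-9.-]+\.)?ubuntu\.com(/|$)' | sort -u
}

# Demo on constructed sample files in a temporary directory, not a real server.
demo_third_party_repos() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/sources.list.d"
    cat > "$tmp/sources.list" <<'EOF'
deb http://archive.ubuntu.com/ubuntu jammy main restricted
deb http://security.ubuntu.com/ubuntu jammy-security main restricted
# deb http://old.example.org/ubuntu jammy main
deb [arch=amd64 signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main
EOF
    cat > "$tmp/sources.list.d/ondrej-php.list" <<'EOF'
deb https://ppa.launchpadcontent.net/ondrej/php/ubuntu jammy main
EOF
    cat > "$tmp/sources.list.d/ubuntu.sources" <<'EOF'
Types: deb
URIs: http://us.archive.ubuntu.com/ubuntu/ https://mirrors.example-cloud.net/ubuntu
Suites: noble noble-updates
Components: main universe
EOF
    list_third_party_repos "$tmp"
    rm -rf "$tmp"
}

demo_third_party_repos
```

Run `list_third_party_repos /etc/apt` on a real server to see its configured third-party sources; commented-out entries are ignored.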

Avoid scripts and commands from untrusted sources

Only run commands on your server that you understand or that come from trusted sources. Avoid AI-generated commands, as they can be incorrect or dangerous.

App security

Run apps under separate system users

Avoid creating multiple apps under the same system user. Apps that share a system user have no isolation from each other, so a compromise of one app exposes the others.

Use current PHP versions

Avoid using old versions of PHP that no longer receive security updates. See the currently maintained PHP versions to determine if a PHP version has reached its end of life.

Keep app code updated

For WordPress apps, update plugins regularly. For apps that use a library package manager such as Composer or npm to manage dependencies, regularly update dependency versions. For apps using frameworks, subscribe to the framework’s security mailing list.

Use trusted plugins and libraries

When developing apps, choose plugins, themes, libraries, and frameworks that have a large number of users, are increasing in popularity, and are actively maintained.

Passwords and credentials

Use secure communication

Only transmit credentials and sensitive data over encrypted protocols. Encrypted protocols include HTTPS, SSH, and SFTP.

Use a modern password manager

Modern password managers such as 1Password will help you do the following:

  • Use strong passwords. Password managers will generate strong passwords for you.
  • Do not reuse passwords. Password managers will warn you if you use the same password on multiple sites.
  • Use Two-Factor Authentication (2FA). Modern password managers have built-in support for managing 2FA and auto-filling 2FA codes just like they do for passwords.
  • Store credentials securely. Ensure you will not lose your passwords and 2FA credentials even if you lose your device.
  • Share credentials securely. Do not share credentials over email or through messaging apps. Modern password managers allow you to securely share access to credentials with your team members or clients.