Most people would agree — living in a house full of accumulated debris and unnecessary objects can create a chaotic environment, and even cause health problems. This scenario is easily applicable to your website, too. You can think of your hosting environment as the home where your website lives.
It’s extremely easy for hosting accounts to get cluttered with plugins, themes, test scripts, and unused files. Unfortunately, this can not only slow down your website’s performance but also leave it open to infection.
In this article I am going to give tips on how to clean your server environment so that you can reduce clutter, optimize performance, and protect your website.
Website backups serve as a safety net in the event of a disaster. They are a critical facet of website security and make it easy to revert your environment back to its last known good configuration in the event of a problem.
The best kind of backups are the ones that are:
- Securely stored off-site
- Automated so you don’t forget to make them
- Redundant and accessible from multiple locations
- Rigorously tested so you can be sure that they will work if you end up needing them
And on that note! Before we go any further with our list, you’ll want to make sure you have a good backup of all your files, folders, and database prior to making any major changes. This can be done manually or by using an automated system like Sucuri Website Backups.
When you first build a website, it will be pretty lightweight. Over time, however, you will likely add many files, extensible components, and other data to the environment, and your site will grow in size. The result can be a bloated website with slow load times and a worse user experience, and it can even make managing your website more challenging.
You’ll want to periodically audit your website and perform basic clean-up tasks. It shouldn’t be much effort — and can significantly improve your site’s performance.
And from a website security perspective, less is always more. The more files, test scripts, plugins, or themes you have, the larger the attack surface will be for bad actors who are always looking for opportunities to exploit vulnerable software and components. It’s always worth getting rid of anything that’s just hanging out and taking up unnecessary space on your server.
Delete unused files, themes, and plugins
To figure out which files to delete, you first need a basic understanding of which files are essential to your website.
If you are using a CMS like WordPress, you can detect changes to essential files by running a core integrity check. These core files make up the platform’s key functionality and are composed of PHP and related source files; you’ll find them included with every WordPress installation.
Unless you’ve intentionally modified core files, the contents of /wp-admin/ and /wp-includes/ should be identical to the original software found on WordPress.org or in the official repository at https://core.svn.wordpress.org/.
If you come across files that you’re not sure you need in your environment, you can prepend “test.” to the file name and check what effect that has on your website (e.g. test.wp-config.php or test.dancing-cat.gif); the file is still there to rename back if something breaks. This step can easily be performed through your cPanel file manager or via FTP (File Transfer Protocol).
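A minimal version of the core integrity check described above, added here as an example (it is not code from the article or from WordPress): it hashes every file under /wp-admin/ and /wp-includes/ and compares the result with the MD5 manifest that the public WordPress.org checksums API publishes for a release, reporting modified, missing and unexpected files. The `demo()` function builds a constructed tree and manifest so the check runs offline; the API URL is the real one but is only needed for a live site.

```python
import hashlib
import json
import os
import tempfile
import urllib.request

CORE_DIRS = ("wp-admin", "wp-includes")  # should match the release byte for byte

def fetch_core_checksums(version, locale="en_US"):
    """Pull the official MD5 manifest from the WordPress.org checksums API."""
    url = f"https://api.wordpress.org/core/checksums/1.0/?version={version}&locale={locale}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["checksums"]  # {relative_path: md5}

def verify_core(wp_root, checksums):
    """Return (modified, missing, unexpected) relative paths under the core directories."""
    # Only the two core trees are compared; other entries such as wp-config-sample.php may differ.
    expected = {p: h for p, h in checksums.items() if p.split("/", 1)[0] in CORE_DIRS}
    on_disk = {}
    for core_dir in CORE_DIRS:
        for dirpath, _, files in os.walk(os.path.join(wp_root, core_dir)):
            for name in files:
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, wp_root).replace(os.sep, "/")
                with open(full, "rb") as f:
                    on_disk[rel] = hashlib.md5(f.read()).hexdigest()
    modified = sorted(p for p in expected if p in on_disk and on_disk[p] != expected[p])
    missing = sorted(p for p in expected if p not in on_disk)
    # In a core tree but not in the release: the usual spot for dropped-in backdoors, review by hand.
    unexpected = sorted(p for p in on_disk if p not in expected)
    return modified, missing, unexpected

def demo():
    """Constructed sample tree and manifest (not a real site) covering all three cases."""
    root = tempfile.mkdtemp()
    pristine = b"<?php // pristine\n"
    for rel in ("wp-admin/index.php", "wp-includes/version.php",
                "wp-includes/class-wp.php", "wp-includes/cache.php"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(pristine)
    good = hashlib.md5(pristine).hexdigest()
    manifest = {"wp-admin/index.php": good,
                "wp-includes/version.php": "0" * 32,  # hash differs -> modified
                "wp-includes/class-wp.php": good,
                "wp-includes/functions.php": good,    # not on disk -> missing
                "wp-config-sample.php": good}         # outside core dirs -> ignored
    return verify_core(root, manifest)                # cache.php -> unexpected
```

On a live site, call `verify_core("/path/to/site", fetch_core_checksums("<your version>"))` and review anything in the third list before deleting it.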
Ideally, you should remove anything from your server environment that you’re not actively using, including:
- Files and folders labeled dev, backup, old, and temp
- Deactivated themes or plugins
- Incorrectly or randomly named folders
- Unfamiliar 0 byte files*
- Old error logs
- Old cached files
*Some 0 byte files are placed in certain directories on purpose, for security reasons. For example, an empty index.html file protects against directory listings: because index.html is usually the first file the server serves for a directory request, an empty one stops the server from listing that folder’s contents.
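An added audit script (not from the article) that walks a hosting account and reports the categories listed above without deleting anything; it also skips the deliberately empty index files from the footnote. The folder names, the 30-day log threshold, the `error_log` file name and the sample tree in `demo()` are assumptions chosen for illustration.

```python
import os
import tempfile
import time
from pathlib import Path

LEFTOVER_NAMES = {"dev", "backup", "old", "temp"}  # folder/file stems from the list above
INTENTIONAL_EMPTY = {"index.html", "index.php"}    # empty on purpose: they block directory listings
LOG_SUFFIXES = (".log", ".log.gz", "error_log")    # PHP/cPanel also write a bare 'error_log' file

def audit_clutter(root, max_log_age_days=30, now=None):
    """Walk a hosting account and return suspect paths grouped by reason."""
    # Nothing is deleted: review the report, back up, then remove (or 'test.'-rename) by hand.
    now = time.time() if now is None else now
    cutoff = now - max_log_age_days * 86400
    report = {"leftover_dirs": [], "leftover_files": [], "empty_files": [], "old_logs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() in LEFTOVER_NAMES or d.lower().endswith(("-old", "_old", ".bak")):
                report["leftover_dirs"].append(Path(dirpath, d).relative_to(root).as_posix())
        for name in filenames:
            full = os.path.join(dirpath, name)
            path = Path(full).relative_to(root).as_posix()
            lname = name.lower()
            st = os.stat(full)
            if lname.split(".", 1)[0] in LEFTOVER_NAMES or lname.endswith((".bak", ".old", "~")):
                report["leftover_files"].append(path)
            elif st.st_size == 0 and lname not in INTENTIONAL_EMPTY:
                report["empty_files"].append(path)  # unfamiliar 0-byte files
            elif lname.endswith(LOG_SUFFIXES) and st.st_mtime < cutoff:
                report["old_logs"].append(path)
    return {k: sorted(v) for k, v in report.items()}

def demo():
    """Constructed sample account (not a real site) with a fixed clock; returns the report."""
    root, now = tempfile.mkdtemp(), 1_700_000_000
    samples = {  # relative path: (content, age in days)
        "wp-content/uploads/index.html": (b"", 0),  # empty on purpose, not flagged
        "wp-content/uploads/x.php": (b"", 0),       # unfamiliar 0-byte file
        "wp-content/backup/site.zip": (b"x", 0),    # parent folder named 'backup'
        "wp-config.php.bak": (b"x", 0),             # stray copy of a sensitive file
        "logs/error_log": (b"x", 90),               # stale log
        "logs/access.log": (b"x", 2),               # recent log, kept
    }
    for rel_path, (content, age_days) in samples.items():
        p = Path(root, rel_path)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (now - age_days * 86400,) * 2)
    return audit_clutter(root, now=now)
```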
Any remaining software should be updated with the latest patches and security updates. This is key to ensuring that your website runs smoothly and is patched against known software vulnerabilities, which happen to be one of the leading causes of website hacks.
Make sure everything on your site is up to date, starting with your CMS itself.
Next, check and make sure that any existing themes, plugins, or other extensible components are also up to date.
If you’re using WordPress, follow our instructions below to update any out-of-date plugins and themes to the latest version.
How to check for WordPress plugin updates:
- Navigate to the WordPress dashboard.
- Go to Plugins > Installed Plugins.
- Click Update Now on any plugins that are not at their latest version.
How to check for WordPress theme updates:
- Navigate to the WordPress dashboard.
- Go to Appearance > Themes.
- Click Update Now on any themes that are not at their latest version.
WPScan can also help you track and identify known vulnerabilities in the WordPress themes and plugins installed on your website.
You should also consider whether you’re using an outdated version of PHP, which could provide more opportunities for bad actors. Since PHP is the backbone of most web hosting environments, it should be maintained and updated just like all other website software.
Tip: WordPress users can check their current PHP version by navigating to the WordPress Dashboard > Tools > Site Health > Info and clicking on the Server tab to expand the details.
A substantial portion of the clutter found on a site stays behind the scenes, stored away in your website’s database. While this type of bloat might not be noticeable to you at first, it can have a significant impact on your website’s performance.
Cleaning up your database matters because, over time, its tables become increasingly inefficient as data accumulates. For example, in WordPress a revision is created every time you save a page or post, which can bloat the database tables with a significant amount of rarely used data.
In most cases, cleaning up your database can be done through your CMS. Delete any media files that aren’t in use, remove old draft posts and revisions, and clear out any unnecessary data like trashed or unapproved comments, or stale data.
Delete spam comments
Regardless of whether you’re using WordPress or not, spam is a real problem for webmasters. It not only poses security risks (for example, when a bot uses spam posts to add malicious links to your website) but can also clutter up your site and bog down performance.
Deleting spam comments is a crucial step to cleaning out your website database. Some of the most common types of spam comments include:
- Payday Loans
- Essay Writing Services
- Dating Sites
- Mail Order Brides
- Casino & Gambling Posts
- Bootleg Software
- Adult Material
If your site is infected with spam comments, they’ll most likely fall into one or more of the categories listed above. Once you have backed up your database, you can run a SQL command that removes rows containing keywords unrelated to your website.
For example, if your site is infected with dating spam, you can use the following SQL command to remove any posts that contain the keyword dating in their title:
DELETE FROM `wp_posts` WHERE `post_title` LIKE '%dating%';
Only run this if you want to remove the entire comment.
Make sure to exercise caution when running SQL commands, and always back up before you make any changes. Verify that legitimate comments do not have spam words injected into their titles, as they may otherwise be removed by mistake.
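A safer form of the keyword cleanup above, added here as an example rather than the article’s own query. WordPress stores comments in the wp_comments table (the query above targets wp_posts), so this version scopes the keyword match to that table and to rows that are pending or already marked spam, previews the matches with the same predicate before deleting, and escapes LIKE wildcards; it runs against an in-memory SQLite stand-in for the MySQL table with constructed sample rows.

```python
import sqlite3

# Constructed wp_comments rows (not real data). Column names follow WordPress;
# comment_approved is '1' (approved), '0' (pending moderation) or 'spam'.
SAMPLE_COMMENTS = [
    (1, "1",    "alice", "Great post, thanks!"),
    (2, "0",    "bot77", "Best dating site, click here http://spam.invalid"),
    (3, "spam", "bot78", "dating dating dating"),
    (4, "1",    "bob",   "I met my wife on a dating site, long story"),  # legitimate
    (5, "0",    "carol", "Could you update the screenshots?"),
]

def open_sample_db():
    """In-memory SQLite stand-in for the MySQL wp_comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_comments (comment_ID INTEGER PRIMARY KEY, "
               "comment_approved TEXT, comment_author TEXT, comment_content TEXT)")
    db.executemany("INSERT INTO wp_comments VALUES (?, ?, ?, ?)", SAMPLE_COMMENTS)
    return db

def escape_like(keyword):
    """Escape LIKE wildcards so a keyword such as '100%_free' matches literally."""
    return keyword.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

# One predicate shared by preview and delete, so what you previewed is what gets removed:
# keyword in the body AND the comment is pending ('0') or already flagged 'spam'.
# Approved ('1') comments are never touched, which protects legitimate ones that
# happen to mention the word.
SPAM_WHERE = "comment_approved IN ('0', 'spam') AND comment_content LIKE ? ESCAPE '\\'"

def preview_spam(db, keyword):
    """Dry run: return (id, author, content) for every row the delete would hit."""
    sql = (f"SELECT comment_ID, comment_author, comment_content FROM wp_comments "
           f"WHERE {SPAM_WHERE} ORDER BY comment_ID")
    return db.execute(sql, (f"%{escape_like(keyword)}%",)).fetchall()

def delete_spam(db, keyword):
    """Remove the previewed rows inside a transaction; returns the row count."""
    with db:  # committed on success, rolled back if anything raises
        return db.execute(f"DELETE FROM wp_comments WHERE {SPAM_WHERE}",
                          (f"%{escape_like(keyword)}%",)).rowcount

def demo():
    """Preview, delete, then list what survived; returns (matched ids, removed, remaining ids)."""
    db = open_sample_db()
    matched = [row[0] for row in preview_spam(db, "dating")]
    removed = delete_spam(db, "dating")
    remaining = [r[0] for r in db.execute("SELECT comment_ID FROM wp_comments ORDER BY 1")]
    return matched, removed, remaining
```

Against a real MySQL database the same two statements apply with the table prefix and escape clause adjusted to that dialect; always run the preview first.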
Delete old users
Audit your website for CMS users and remove access for those that no longer require it. That includes admin accounts for former developers, authors, or any unrecognized accounts.
And remember – always practice the principle of least privilege!
The principle of least privilege is composed of two very simple steps:
- Use the minimal set of privileges on a system in order to perform an action.
- Grant privileges only for the exact duration that an action is necessary.
It’s important because it reduces the attack surface, making it more difficult for attackers to perform unauthorized actions.
With this concept in mind, follow access control recommendations:
- Create new user accounts at the lowest level of permission.
- Grant temporary permissions and revoke access when they are no longer needed.
- Delete accounts that are no longer being used.
- Ensure that the default user role is set with minimal permissions.
Regularly scan your website for indicators of compromise to ensure that your website is clean, fast, and protected from hackers.
Remote website scanners can help you detect malware, website errors, injections and other malicious code – but since they aren’t able to scan at the server level, results aren’t always guaranteed. Your best bet is to leverage a comprehensive website scanner and monitoring system that can help you scan and check all files on the server for signs of malware. These services will help you identify backdoors, SEO spam, phishing pages, DDoS scripts, and hack kits.
If you want to ensure that malicious traffic doesn’t land on your website in the first place, a website firewall is always the way to go. The firewall is able to filter out malicious traffic in real-time to protect your site against malicious code and attacks, making it easy to protect your website from hack attempts.
Check out our Website Security and WordPress Security guides for more comprehensive security tips and step-by-step instructions.
One of the most frustrating things for website owners is when they employ all recommended security controls but still get infected. This most commonly occurs because of internal attacks, where an attacker exploits internal weaknesses to move laterally within a compromised environment. This is seen with cross-site contamination, when a hacked site infects others that share the same server environment.
Poor isolation and weak account configurations are the leading causes of cross-site contamination. So, it’s important to exercise caution when hosting many sites on the same server.