Havenoro CP

Following these best practices will help keep your server secure, your data safe, and your websites running smoothly. Think of this as your maintenance checklist — review it regularly.

Use Strong Passwords

A strong password is your first line of defense against unauthorized access. A weak password (like password123 or admin) can be guessed in seconds by automated tools.

What makes a password strong?

  • At least 12 characters long (longer is better)
  • Uppercase and lowercase letters, numbers, and symbols
  • No dictionary words, names, or common patterns (qwerty, 123456)
  • Not reused across different accounts

Use a password manager (like Bitwarden, 1Password, or KeePass) to generate and store strong, unique passwords for every account. A password manager remembers them for you so you only need to remember one master password.

Why this matters: If someone gains access to your control panel, they can delete your websites, steal your data, or use your server to send spam. A strong password is a simple but critical protection.

Enable Two-Factor Authentication

Two-factor authentication (2FA) adds a second layer of security to your login. Even if someone steals your password, they cannot log in without the second factor — typically a temporary code from an authenticator app on your phone.

How it works:

  1. You enter your username and password (something you know).
  2. You open your authenticator app (like Google Authenticator, Authy, or a built-in password manager) and enter the 6-digit code (something you have).
  3. Only then are you logged in.

Enable 2FA in the Account section of the control panel. Keep a backup of your recovery codes in a safe place — if you lose your phone, those codes are the only way to get back in.

Regular Backups

Backups are like an insurance policy for your data. You hope you never need them, but when something goes wrong — a broken update, accidental deletion, or a security issue — you will be glad you have them.

What to back up:

  • Website files (all the files in your web directories)
  • Databases (MySQL/MariaDB)
  • Email accounts and mail data
  • DNS zone files
  • System configuration files

Havenoro CP includes a built-in backup system. You can:

  • Create manual backups — on-demand snapshots of your data
  • Schedule automatic backups — daily, weekly, or monthly
  • Restore from a backup — with a few clicks

Tip: Store backups off-server if possible (remote FTP, S3, or download them to your computer). If the server itself fails, on-server backups go with it.

Keep Software Updated

Outdated software is one of the most common ways servers get compromised. Hackers actively scan for known vulnerabilities in old versions of web servers, PHP, databases, and content management systems (like WordPress).

What to update:

  • The control panel itself — updates are announced through the Notifications section
  • Operating system packages — security patches for the underlying Linux system
  • PHP versions — older PHP versions no longer receive security fixes
  • Your applications — WordPress, Laravel, and other installed software should be kept current

Check the Notifications section regularly and apply updates as soon as they are available. When possible, test updates on a staging copy of your site before applying them to production.

Monitor Resource Usage

Keep an eye on your server's resource consumption to catch problems before they become emergencies. The control panel's Statistics section shows you:

  • Disk space — how much storage your files and databases are using. Running out of disk space can cause websites to crash and email to stop working.
  • Bandwidth — how much data your server has transferred to visitors. Exceeding your limit may result in overage charges or throttling.
  • Inodes — the number of files and directories on your account. Even if your disk space is fine, you can hit an inode limit if you have millions of tiny files (common with cached content or email attachments).
  • Memory and CPU usage — helps you identify if a website or script is using too many resources.

What is an inode? An inode is a data structure that stores metadata about a file (owner, permissions, size, location). Each file you upload uses one inode. The limit is on the total number of files, not their size. If you run out of inodes, you cannot create new files even if you have free disk space.
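
To see which directory is consuming inodes, the following added example (not part of Havenoro CP) counts inodes and bytes per top-level directory. It runs on a constructed temporary tree; the directory and file names are made up for the demonstration.

```python
import os
import stat
import tempfile


def inode_usage(root):
    """Map each immediate child of root to [inodes used, bytes in regular files]."""
    usage, seen = {}, set()
    for child in os.scandir(root):
        totals = usage.setdefault(child.name, [0, 0])
        stack = [child.path]
        while stack:
            path = stack.pop()
            st = os.lstat(path)  # lstat: a symlink is counted as its own inode
            if (st.st_dev, st.st_ino) in seen:
                continue  # hard link to a file that was already counted
            seen.add((st.st_dev, st.st_ino))
            totals[0] += 1
            if stat.S_ISREG(st.st_mode):
                totals[1] += st.st_size
            elif stat.S_ISDIR(st.st_mode):
                stack.extend(entry.path for entry in os.scandir(path))
    return usage


def demo():
    """Constructed tree: 200 empty cache files beside one large, hard-linked page."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "cache"))
        os.makedirs(os.path.join(root, "site"))
        for i in range(200):
            open(os.path.join(root, "cache", f"{i}.tmp"), "w").close()
        page = os.path.join(root, "site", "index.html")
        with open(page, "w") as fh:
            fh.write("x" * 100_000)
        os.link(page, os.path.join(root, "site", "index.bak"))  # same inode, second name
        usage = inode_usage(root)
        return sorted(usage.items(), key=lambda item: -item[1][0])


if __name__ == "__main__":
    for name, (inodes, size) in demo():
        print(f"{name:8} inodes={inodes:4} bytes={size}")
```

The cache directory holds zero bytes yet uses 201 inodes, while the 100,000-byte site directory uses only 2.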

Use SSL Certificates for All Sites

SSL (Secure Sockets Layer; modern servers and browsers actually use its successor, TLS) encrypts the connection between your visitors' browsers and your server. Without SSL, data sent over the internet — including passwords, credit card numbers, and personal information — can be intercepted by anyone on the same network.

Sites with SSL show a padlock icon in the browser's address bar and use https:// instead of http://. Modern browsers also mark sites without SSL as "Not Secure," which scares away visitors.

Havenoro CP supports Let's Encrypt, a free and automated certificate authority. You can enable SSL for any domain with a single click. The certificate renews automatically, so you never have to worry about expired certificates.

Set Up Email Authentication

Email authentication records (SPF, DKIM, and DMARC) prove to receiving mail servers that emails from your domain are legitimate. Without them, your emails are more likely to land in spam folders — or be rejected entirely.

  • SPF (Sender Policy Framework) — publishes a list of servers authorized to send email for your domain. This prevents spammers from forging your domain in the "From" address.
  • DKIM (DomainKeys Identified Mail) — adds a digital signature to every outgoing email. The receiving server checks the signature against a public key published in your DNS. If the signature is valid, the email has not been tampered with.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) — tells receiving servers what to do when an email fails SPF or DKIM checks (e.g., quarantine or reject). It also sends you reports about who is sending email using your domain.

Havenoro CP can automatically configure SPF and DKIM records for your mail domains. See the Setting Up Mail Domains tutorial for detailed steps.

Principle of Least Privilege

The principle of least privilege means giving each user account only the permissions it needs — nothing more. If you create additional user accounts for developers, clients, or employees, limit their access to only the features they require.

For example:

  • A content editor may only need access to the File Manager and Database sections.
  • A developer may need access to Web, DNS, Mail, and Databases — but not Users or Packages.
  • Only the primary administrator should have full access to all sections.

Using packages (defined in the Packages section) makes this easy — create a package with the appropriate limits and assign it to the user. If a user's role changes, you can switch them to a different package.

Next Steps

Put these best practices into action today:

  • Change any weak passwords and enable 2FA.
  • Configure automatic backups.
  • Check for pending updates in the Notifications section.
  • Enable SSL on all your domains.
  • Review your user accounts and their permissions.