
Software security

Another system security issue is the actual software that makes up the system. This software may have bugs and security holes that permit access even without a password. System software should be kept current with security patches and updates.

Software flaws

Web servers are complicated programs and frequently contain bugs which may, under certain conditions, allow hackers access to your system even if they cannot get a password.

If you use a Web hosting provider, then it is their responsibility to ensure that software is kept updated (but you should check they actually do this). If you run your own server then you must be very careful to secure it.

Keeping software current

Security problems are often discovered in Web servers. Sometimes these problems are relatively minor, only allowing an attacker to disable your server until you can fix the problem (a 'denial of service attack'). Frequently, though, security holes will allow hackers significant or full access to the machine and its files.

Server manufacturers issue patches (updates) to their software when a problem is found. You must ensure that your server, and other key software such as the operating system, is kept current. This also applies to any other critical machines. For example, if you get a virus on your home machine, which you use to log into the server, then your password might be stolen; so it is important that you keep your email software updated.

Do not fall into the trap of thinking that a particular server is 'secure' because it says so or because it is developed by a large company. For example, Microsoft's Internet Information Server is frequently hacked.

Using minimal software

Configure software (especially servers) so that all unnecessary features are disabled. Some software ships with many unnecessary features active, which means that if a hole is found in any of those features, your system could be vulnerable even if you do not use the features.

Using firewalls

'Firewall' software prevents access to your server except via specific 'ports'. Though firewall software can be helpful in reducing security risks, it is not a complete solution: you are still vulnerable to attacks that arrive through the ports you really have to leave open, such as the one your Web server uses.
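
One way to check both of the last two points (unneeded services left running, and ports that should not be reachable), as an added example that is not part of the original page: list every network-facing listening TCP port that is not on a list you have approved. It assumes Linux `ss -tln` output; the function names, the allowed ports 22, 80 and 443, and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listening TCP sockets whose port is not on an allowlist.
# Assumed input: the output of `ss -tln` on Linux, with the columns
#   State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port

# Constructed sample input, so the check can be tried offline.
sample_ss_output() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*
LISTEN 0      511    [::]:443           [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      244    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      32     *:21               *:*
LISTEN 0      80     0.0.0.0:3306       0.0.0.0:*
EOF
}

# unexpected_listeners "22 80 443" < ss_output
# Prints "port address" for each network-facing listener not on the allowlist.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "LISTEN" {
            local_addr = $4
            # The port follows the last colon (IPv6 addresses contain colons too).
            pos = match(local_addr, /:[0-9]+$/)
            if (pos == 0) next
            port = substr(local_addr, pos + 1)
            addr = substr(local_addr, 1, pos - 1)
            # Loopback-only listeners cannot be reached from the network.
            if (addr ~ /^127\./ || addr == "[::1]") next
            if (!(port in ok)) print port, addr
        }
    ' | sort -k1,1n -k2,2 -u
}

# On a live server:  ss -tln | unexpected_listeners "22 80 443"
sample_ss_output | unexpected_listeners "22 80 443"
```

Each line it prints is either a service to disable or a port the firewall should block; an empty result means only the approved ports are listening.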