How your web hosting impacts security

(Image credit: Image Credit: Geralt / Pixabay)

Web hosting has a much bigger impact on your website than you might expect, so much so, in fact, that the type of hosting you choose could leave your site open to exploit and downtime. Here’s what you need to know about web hosting and security, and how shared hosting could be putting your site at risk.

Shared hosting becomes a shared responsibility

Shared hosting is a popular choice for many businesses because it can keep costs low, but it comes with several drawbacks in relation to security. Shared hosting works by having multiple sites share the same infrastructure, and that’s where problems can begin. One of the biggest drawbacks of shared hosting, from a security perspective, is the fact that your site may become exploited by something from the other sites with which it shares a server if file and directory permissions are weak.

On a practical level, shared hosting means you can be affected by someone else’s mess. If other sites on your server choose to use weak security measures or fail to regularly update their plugins, your site will suffer the consequences of slowdowns, downtime and even injected code and added attack files. This lack of isolation can undo your best efforts to keep your site online and it’s security strong.

Exploited sites could mean offline suspension

If your site gets exploited, the shared host may decide to simply suspend your site until it’s cleaned of the malicious content. A responsible host can’t risk it affecting other customer that share the same server.

This can happen very quickly at a responsible host. There’s a big incentive for the hosting provider to shut down your site before it adversely affects others or spreads malware to site viewers. No hosting provider wants to harm their own reputation or contribute to an even bigger mess, so it’s better for them to cut off your site and quarantine it. That means that your site is offline as if you no longer exist on the web. For businesses with a big e-commerce component or reliant on an online presence, that will be lost revenue.

Don't get suspended

At that point, your website could be stuck in limbo until you use your own time and resources to cleanse your files and mitigate further exploit. That’s your responsibility with unmanaged hosting. There’s no one else to manage security for you, so a breach or infection becomes a much bigger hassle. It can mean extended downtime for your site and added costs for you.

With managed private server hosting, the hosting provider generally manages all of the server’s security and would be responsible for getting an exploited server to work properly again. It’s very hands-off for the organization that owns the site.

Dealing with exploited servers can mean much more work on your part. Which leads to my next point …

Your hosting provider dictates how time consuming security is for you

The time and effort website security takes largely depends on who your hosting provider is and what type of hosting plan you have.

The worst shared hosting providers can make your security a nightmare, while great private hosting providers can make security a dream. Most website hosting is somewhere in between these two extremes.

How to find the right hosting provider

Finding the right host and the best type of hosting for your website is often the difference between having to task some portion of your in-house IT staff to focus almost solely on security and being able to assign your in-house team to other projects.

This is why it’s important for website owners to put some real thought into how they want to manage their website security. Even if you do ultimately decide that shared hosting makes the most sense for your business, you may be able to find a plan and a vendor that works best for your needs.

The key here is asking the right questions and giving hosting providers the opportunity to share their knowledge with you. Try to find a host and hosting plan that prioritizes your security and also frees up as much of your team’s time as possible.

Here are a few questions to ask a potential hosting provider: 

  • How will you help me secure my website? 
  • If my site’s exploited or defaced, how do you respond? 
  • Do you offer DOS (Denial of Service) protection? Do you offer an uptime guarantee? 
  • Do you handle backups? What’s your policy? How easy are they to restore?

With answers to those simple questions, you can get a better idea of how a potential host manages security and how they respond to incidents. At the end of the day, that’s how you find the best provider and keep your site as secure as possible. 

Security best practices

It’s good to find a host that takes your security seriously. However security is one aspect of hosting a website that you have to take an active interest in. Web hosts can ensure they provide with the building blocks for constructing a secure website. But using the tools at your disposal effectively is your prerogative. 

These are some of the things you should consider to ensure you are running a tight ship:

1. Create multiple users with different levels of access.

2. Use strong passwords and implement a password rotation policy.

3. Encrypt traffic with a SSL certificate.

4. Vet all plugins and extensions to ensure they are from trustworthy sources and have an active community. 

5. Ensure your host applies security updates as soon as they are available.

6. Activate malware detection and removal if you regularly correspond through your website.

7. Use secure means like SFTP to upload files to your host, instead of plain FTP.

8. Use the available monitoring tools to look for suspicious activity and network traffic.

9. Keep offsite backups.

  • Glen Jackson, Head of Security Engineering and Trust at DreamHost.
Glen Jackson
Glen Jackson is head of security engineering and trust at DreamHost, a company offering web hosting and managed WordPress services.