11 Aug 2011

SiteGround Security Ins and Outs

I’ve always wanted to express how I feel about security in the shared web space, where dozens of users divide the same resources and at the same time require dramatically different technologies to be enabled on a single host server (such as different PHP engines with different options enabled, Perl, Python, an FTP service, an email service, a database service, etc.). If you’re an admin, you’ll know how difficult it is to provide all of that on a shared hosting server while allowing access to practically everybody on the Internet and at the same time maintaining a very good level of security. Believe me, it’s a tough job. I know it as I’ve been dealing with that for more than 8 years in a row now, on a daily basis.

There are two main types of security precautions a website owner should be concerned about that I would like to discuss.

1)   The first and most important is not so much related to the server, but to the website itself and to be precise – whether the website is secure enough. It all starts with the design and development of the site and what security practices are followed. Good security practices include well-written, tested and non-exploitable site code; using SSL on sensitive pages, especially those on which you transmit data from and to the user; not using lame passwords; protecting your forms with captcha and other applicable security mechanisms; etc. If you run third-party software, such as Joomla or WordPress – always make sure you run the latest stable version of your software and all your modules. If you don’t know how to do that – ask your favorite SiteGround Support team :)

2)   Even in the case you run a very well written and secure web software, there is still a high chance you get hacked and stumble upon all the negative consequences of that. Whether you get hacked also highly depends on your hosting environment – on the server security and on the rest of the users hosted on the same server spot as you.

Looking at most hosting companies’ websites, they either don’t say anything about security or just say they run “secured servers”. However, from my 8 years of experience in the hosting business I know for a fact that running the so-called “secured servers” does not help in the event a website gets compromised. Furthermore, it won’t make you happier that your website lies on a secured server if it gets compromised because another client hosted on the same server got hacked through an outdated application (this happens all the time) and from their account the rest of the server got hacked too. So you might wonder what exactly “a secured server” means then. It usually means the following:

  • Frequently updated server kernel
  • Frequently updated control panel
  • Frequently updated services (apache + PHP, MySQL, Exim, etc)
  • A firewall
  • A Spam filtering service

where ”frequently run stock CentOS kernels (primarily because they are old) like most of the other hosting providers. We patch Vanilla kernels with popular security patches (like GRsec) and with some in-house written security and performance patches too.

  • We isolate accounts on the server – with the in-house started and developed product Hive, which later grew into its own brand called 1H.com, we brought down the chances of a single account compromising the whole server close to zero! In reality every account on the SiteGround shared hosting environment (including Hosting Plus and Business hosting accounts) lives in something similar to an isolated VPS environment within an OS called BaseOS. Each account has read-and-write access only within its home directory, which means that even if hacked through, let’s say, a Joomla module vulnerability, the attacker cannot go outside the account. Also, a lot of commands and tools from the Linux system are either changed or disabled in order to further minimize the risk of intrusion through the server. Sounds pretty much like a heavily configured VPS, right? Only much much cheaper :)
  • Even having the Hive account isolation technology in place and not having to worry about one account affecting another, we’ve also developed scripts to check for hacked content and very often notify website owners with hacked scripts or applications. Who else does that? The answer is Google – once your site gets hacked, Google will tell everybody about it and you will lose visitors, clients, trust! We advise our clients how to solve the problems and even help them if they don’t have the knowledge to do so themselves, before Google finds out. We have also recently launched a very cool extra service called HackAlert that monitors your website on a daily basis and emails you about malicious code or website security issues.
  • We run a powerful Intrusion Prevention System called 1H Hawk, which will identify if someone is trying to bruteforce any of your passwords – like FTP, Email or other, and will disable access to the attacker’s IP address IN REAL TIME.
  • We monitor! Most of the time while there’s an attack on the server, there are many signs on the server about it. Most hosting companies monitor their servers (and by servers I mean server load only) every five minutes, while we do the same in real time and catch threats instantly! And SG does not only monitor load, but also monitors for attacks – both network and hack attempts, spam activity, abnormal resource usage by users and irregularities on a server level. And that’s on every server 24/7/365!
  • We have very strict server login policies in place. Server login is not allowed to anybody outside our admin team, even to our DC Supervisors. We remind and advise clients to change passwords every 6 months as a good security practice, while we ourselves update every single login key every 3 months, or upon the occurrence of an event that triggers such a need, like an employee leaving the company. All server logs are preserved and all actions on all servers are recorded at all times.
  • Last, I should mention the top security maintained in our new advanced data center, which guarantees the most basic and very essential protection of the data hosted on all our machines. For more info see my other post about it here.
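
One common way to implement the kind of brute-force detection described in the 1H Hawk bullet above is a sliding-window count of failed logins per source IP. The Python sketch below is an added example, not SiteGround's or 1H's code; the log format, threshold and window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a made-up "timestamp service result ip" format.
SAMPLE_LOG = """\
2011-08-11T10:00:01 ftp FAIL 203.0.113.7
2011-08-11T10:00:03 imap FAIL 203.0.113.7
2011-08-11T10:00:04 ftp FAIL 198.51.100.20
2011-08-11T10:00:05 ftp FAIL 203.0.113.7
2011-08-11T10:00:06 smtp FAIL 203.0.113.7
2011-08-11T10:00:08 ftp OK 198.51.100.20
2011-08-11T10:00:09 pop3 FAIL 203.0.113.7
2011-08-11T10:09:00 ftp FAIL 198.51.100.20
2011-08-11T10:20:00 ftp FAIL 198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|FAIL) (\d{1,3}(?:\.\d{1,3}){3})$")

def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {ip: time_of_block} for IPs reaching max_failures within window.

    Failures are counted per source IP across all services, so a client
    rotating between FTP, IMAP and SMTP logins is still caught.
    """
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip malformed lines rather than crash
        ts = datetime.fromisoformat(m.group(1))
        result, ip = m.group(3), m.group(4)
        if result != "FAIL" or ip in blocked:
            continue              # successes and already-blocked IPs add nothing
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_failures:
            blocked[ip] = ts      # a real IPS would add a firewall rule here
    return blocked

if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"block {ip} at {when.isoformat()}")
```

The address with five failures across four services inside nine seconds is flagged, while the customer who mistypes a password a few times over twenty minutes is not.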

My list goes on, but this post is long enough already. Let me know if you’d like to hear more on how your server at SG runs and those small things we do for you :)

Tenko
The SiteGround Mastermind

Author: Tenko Nikolov

For the last few years Tenko Nikolov has been one of the masterminds behind the success of SiteGround. He has come up with multiple successful strategies for overcoming technical problems and has achieved real business results for SiteGround. His vision and skills have made SiteGround a leading host in terms of technology and platform reliability.

Comments (10):

  1. Shannon Wagner says:

    Thanks for the info – I think posts like this are very important for building customer confidence. Plus, the security information would be interesting to me even if I were not a SiteGround customer.

    I’d love to see more of this type…

  2. Nick Gervin says:

    Great info, thanks for sharing.

  3. Kris Rooney says:

    I had an old Word Press blog that was outdated and inactive for over a year. I got hacked. The hacker used my SG e-mail accounts to send thousands of spam e-mails. SG was on top of the problem. Long before I was aware of it, they took immediate steps to protect the other users. Very impressive work, guys. I chose to delete the outdated Word Press. Again, sorry, Thank you very much!

  4. Samuel says:

    This is awesome Tenko. Thanks for sharing this info. Now I feel a bit more secure :)

  5. Eiahb says:

    Hi Tenko,

    I think this entry is very valuable and raises many important aspects in regards to security. I have hosted several accounts with you and I must say I am very impressed with all you do. I am now looking to host a proper plan for my business which is E-Commerce; the Platform of Choice would be Magento.
    However I do have concerns, and the point you raised “Good security practices include a well-written, tested and non-exploitable code of the site” part of the hosting you offer packages such as Magento, Joomla! and others, some of these somewhat easy to hack by hackers due to the nature of them being open source. It is known before that with URL injections Magento can be hacked. Now my question to you is that do you utilise the actual installation of products such as Magento to cover known security weak spots.

    I am looking to for Magento Go mainly due to my security concerns. If you can elaborate more about security measures you do with Magento installation for instance that would be great. And I rather do host with you because I use your service a lot.
    Thanks,

    • Tenko says:

      Hi Eiahb,

      First, sorry for the late reply, I’ve been out of the office for a week attending a conference. As I know that many people will have questions similar to the one you have, I decided to share our latest experience with dealing with a WordPress related exploit. You can see how SiteGround reacted to a situation with a vulnerability in a popular plugin for WordPress in detail here.

      In short, our philosophy for dealing with such security problems is to react quickly when they become known and apply a fix that is from our field of competence. And our primary field of competence is the server administration, and not the application code improvement. We believe that the secret for a successful global fight against security vulnerabilities is that everyone contributes quickly and wisely with what they can do best: the creators of the code should come with a security update, and the web hosts should minimize the chance of the vulnerability being exploited on their servers by coming up with and applying fast changes to the server setup that correspond to the situation.

      Security is a process and not a one-time action. So instead of having a false belief that we can do something at the point an application is installed and live happily ever after, we rather apply an ongoing monitoring and thus we are ready to react fast to any major issues appearing.

  6. Avrohom Gershon says:

    Wow! I was not aware of the constant battle you are fighting on our behalf. I’m glad I’m with Siteground!

  7. Mike Pritchard says:

    You guys rock for sure. I always recommend my clients go with siteground (in fact I have decided to start charging more if they don’t) because of the great service, easy to use features, but especially because of the security. (well, okay, the price you charge is really nice too).

    Of all the sites I have managed I have never once had a siteground account hacked. I have had several accounts hacked that were hosted elsewhere and it consumes a lot of my time when that happens.

    I have convinced some of my clients to move to siteground due to hacks at their old webhosts.

    Thank you guys for the great work.

    Mike Pritchard

  8. Stanley Draper says:

    Fascinating. As a prospective computer programmer, it’s always amazing to read about technology, and this is very interesting stuff. I’ve never realized how truly vulnerable a website can be. Thanks for allaying my hacker paranoia.

  9. Brian Hinkley says:

    I love what SiteGround is doing along the lines of security. I haven’t experienced any down time since I moved my sites. The real bonus is the hundreds of spam emails I received on a weekly basis at my old host have stopped completely.

    Keep up the great work and thanks for everything.
