I’ve always wanted to express how I feel about security in the shared web space, where dozens of users divide the same resources and at the same time require dramatically different technologies to be enabled on a single host server (such as different PHP engines with different options enabled, Perl, Python, an FTP service, an email service, a database service, etc.). If you’re an admin, you’ll know how difficult it is to provide all of that on a shared hosting server while allowing access to practically everybody on the Internet and at the same time maintaining a very good level of security. Believe me, it’s a tough job. I know it, as I’ve been dealing with that for more than 8 years in a row now, on a daily basis.
There are two main types of security precautions a website owner should be concerned about that I would like to discuss.
1) The first and most important is not so much related to the server, but to the website itself and, to be precise, whether the website is secure enough. It all starts with the design and development of the site and what security practices are followed. Good security practices include well-written, tested and non-exploitable site code; using SSL on sensitive pages, especially those on which you transmit data from and to the user; not using lame passwords; protecting your forms with captcha and other applicable secure mechanisms; etc. In case you run third party software, such as Joomla or WordPress, always make sure you run the latest stable version of your software and all your modules. If you don’t know how to do that, ask your favorite SiteGround Support team.
2) Even in the case you run a very well written and secure web software, there is still a high chance you get hacked and stumble upon all the negative consequences of that. Whether you get hacked also highly depends on your hosting environment – on the server security and on the rest of the users hosted on the same server spot as you.
Looking at most hosting companies’ websites, they either don’t say anything about security or just say they run “secured servers”. However, from my 8 years of experience in the hosting business I know for a fact that running the so-called “secured servers” does not help in the event a website gets compromised. Furthermore, it won’t make you happier that your website lies on a secured server if it gets compromised because another client hosted on the same server got hacked through an outdated application (this happens all the time) and from their account the rest of the server got hacked too. So you might wonder what exactly “a secured server” means then. It usually means the following:
- Frequently updated server kernel
- Frequently updated control panel
- Frequently updated services (Apache + PHP, MySQL, Exim, etc.)
- A firewall
- A Spam filtering service
where “frequently”
- We don’t run stock CentOS kernels (primarily because they are old) like most of the other hosting providers do. We patch vanilla kernels with popular security patches (like GRsec) and with some in-house written security and performance patches too.
- We isolate accounts on the server – with the in-house started and developed product Hive, which later grew into its own brand called 1H.com, we brought the chances of a single account compromising the whole server down close to zero! In reality every account on the SiteGround shared hosting environment (including Hosting Plus and Business hosting accounts) lives in something similar to an isolated VPS environment within an OS called BaseOS. All the accounts have read-and-write access only within their own home directory, which means that even if hacked through, let’s say, a Joomla module vulnerability, the attacker cannot go outside the account. Also a lot of commands and tools from the Linux system are either changed or disabled in order to further minimize the risk of intrusion through the server. Sounds pretty much like a heavily configured VPS, right? Only much, much cheaper.
- Even having the Hive account isolation technology in place and not having to worry about one account affecting another, we’ve also developed scripts to check for hacked content, and we very often notify website owners about hacked scripts or applications. Who else does that? The answer is Google – once your site gets hacked, Google will tell everybody about it and you will lose visitors, clients, trust! We advise our clients how to solve the problems and even help them if they don’t have the knowledge to do so themselves, before Google finds out. We have also recently launched a very cool extra service called HackAllert that monitors your website on a daily basis and emails you about malicious code or website security issues.
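To show what a “check for hacked content” script can look like, here is an added example (not SiteGround’s or 1H’s own code): it takes a hash baseline of a site directory, reports files that later change or appear, and flags changed files that carry a common PHP obfuscation marker. The directory layout, file contents and the marker regex are all constructed for the demo.

```python
import hashlib
import os
import re
import tempfile

# Marker often seen in injected PHP (a detection signature, not a complete scanner).
OBFUSCATION_RE = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(")


def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    hashes = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def compare(root, baseline):
    """Return (changed, suspicious): files that differ from the baseline or are new,
    and the subset of those whose content matches the obfuscation marker."""
    current = snapshot(root)
    changed = sorted(p for p, h in current.items() if baseline.get(p) != h)
    suspicious = []
    for rel in changed:
        with open(os.path.join(root, rel), "rb") as fh:
            if OBFUSCATION_RE.search(fh.read()):
                suspicious.append(rel)
    return changed, suspicious


def demo():
    """Constructed site directory: take a baseline, then simulate a tampered module."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "modules"))
    with open(os.path.join(root, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(root, "modules", "mod.php"), "w") as fh:
        fh.write("<?php function mod() { return 1; } ?>\n")
    base = snapshot(root)
    # Simulated compromise: the module is overwritten with an obfuscated loader
    # (the encoded payload here is just "echo 1;"), and a new harmless file appears.
    with open(os.path.join(root, "modules", "mod.php"), "w") as fh:
        fh.write("<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n")
    with open(os.path.join(root, "uploads.php"), "w") as fh:
        fh.write("<?php // new but harmless file ?>\n")
    return compare(root, base)
```

In practice the baseline would be stored outside the account (an attacker with write access to the home directory could otherwise rewrite it) and the scan scheduled daily, as the post describes.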
- We run a powerful Intrusion Prevention System called 1H Hawk, which will identify if someone is trying to bruteforce any of your passwords – FTP, Email or other – and will disable access for the attacker’s IP address IN REAL TIME.
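The core of such brute-force blocking is a per-IP sliding window over failed logins. The following is an added example (not 1H Hawk’s code) that reads FTP-style auth log lines in a constructed format and returns the IPs that crossed the failure threshold, together with the time at which they would have been blocked.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; the format is assumed, not any real daemon's.
SAMPLE_LOG = """\
2011-04-02 10:15:01 ftpd: FAILED LOGIN from 203.0.113.7 user=alice
2011-04-02 10:15:02 ftpd: FAILED LOGIN from 203.0.113.7 user=admin
2011-04-02 10:15:03 ftpd: FAILED LOGIN from 203.0.113.7 user=root
2011-04-02 10:15:04 ftpd: FAILED LOGIN from 203.0.113.7 user=test
2011-04-02 10:15:05 ftpd: FAILED LOGIN from 203.0.113.7 user=ftp
2011-04-02 10:15:30 ftpd: FAILED LOGIN from 198.51.100.9 user=bob
2011-04-02 10:20:30 ftpd: FAILED LOGIN from 198.51.100.9 user=bob
2011-04-02 10:21:00 ftpd: OK LOGIN from 198.51.100.9 user=bob
"""

LINE_RE = re.compile(r"^(\S+ \S+) ftpd: FAILED LOGIN from (\d+\.\d+\.\d+\.\d+) ")


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: block_time} for every IP with >= threshold failures inside
    any `window`-long span. Lines are processed in order, so the same function
    works on a live stream (e.g. fed from `tail -f`) as on a file."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                # successful logins and other lines are ignored
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(2)
        if ip in blocked:
            continue                # already blocked; nothing more to decide
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()             # drop failures that fell out of the window
        if len(q) >= threshold:
            blocked[ip] = ts        # here a real IPS would add a firewall rule
    return blocked
```

A user who mistypes a password twice five minutes apart (198.51.100.9 above) stays under the threshold, which is the trade-off the window size and threshold encode.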
- We monitor! Most of the time while there’s an attack on the server, there are many signs of it on the server. Most hosting companies monitor their servers (and by servers I mean server load only) every five minutes, while we do the same in real time and catch threats instantly! And SG does not only monitor load, but also monitors for attacks – both network and hack attempts, spam activity, abnormal resource usage by users and irregularities on a server level. And that’s on every server 24/7/365!
- We have very strict server login policies in place. Server login is not allowed to anybody outside our admin team, not even to our DC Supervisors. We remind and advise clients to change passwords every 6 months as a good security practice, while we ourselves update every single login key every 3 months, or upon the occurrence of an event that triggers such a need, like an employee leaving the company. All server logs are preserved and all actions on all servers are recorded at all times.
- Last, I should mention the top security maintained in our new advanced data center, which guarantees the most basic and very essential protection of the data hosted on all our machines. For more info see my other post about it here.
My list goes on, but this post is long enough already. Let me know if you’d like to hear more on how your server at SG runs and those small things we do for you.