How To Find a Secure Web Host
Being a webmaster isn’t all about web design and content creation. While both design and content creation are very important and easily make up the majority of a webmaster’s duties, there is one other responsibility that is usually neglected yet important enough that neglecting it could ruin everything: web hosting security.
Hackers today have more tools, more unpatched exploits and more yet-to-be-discovered vulnerabilities at their disposal, and now that the Internet has become an important part of doing business, the profit motive has solidified as well, which means your website getting hacked is no longer a matter of IF, but WHEN.
Granted, web hosting companies are already doing their best to ensure the security of their servers, and that security is technically their responsibility, but it’s still important to remember that webmasters themselves need to take precautions on their end. After all, it is their personal information and precious data that’s at risk.
The Risks Involved
Both VPS accounts and shared hosting servers are extremely vulnerable to hackers whose M.O. is to upload malicious code to their own or other people’s sites. This is made worse by the fact that an infected server acts as a carrier of the malware as well, further infecting visitors who are unprotected or didn’t know any better.
Purposes of Malware
Such malware can serve a multitude of purposes, none of them good:
- Distributed Denial of Service Attacks
- Stealing credit card data
- Serving as backdoor programs that let hackers hijack the host’s servers
- Other abuse of the system, such as sending spam
Is Spamming Harmless?
Some of these unauthorized uses are carried out clandestinely, without the host knowing until it’s too late. Sometimes the server is just used to send spam, but even that is destructive to the hosting company and its clients, as it can bog down the servers and slow everything down for everyone. Additionally, spam sent from the host’s servers could result in every single IP address and e-mail account of the host being blacklisted by major service providers.
How Can Web Hosting Companies Protect Themselves?
Hosts Should “Know” Their Clients
One of the first principles a hosting company must follow, if it wants to avoid being compromised by hackers, is to know who its customers really are. Hosts should not base everything on stereotypes: for instance, an account registered from a location known as a hotbed of hackers and scammers might belong to a legitimate business or person who simply wants a reliable hosting solution outside their own location in order to avoid security or credibility issues.
On the other hand, just about anybody registering from a seemingly innocuous location might be planning to use the account as a front for illegal activities. It is therefore imperative that hosts carefully screen customers before activating their accounts. Hackers are very careful about the information they give out and will stay away from hosts that take these precautions, so all the extra work will be worth it.
Caution: Free Ad-Supported Hosting Alongside Paid Hosting
Hosting companies should also be careful about running free ad-supported hosting services on the same server network as their paid hosting packages. Hackers are drawn to free servers like bees to honey, and having them within the same cluster of networks as paying users is a recipe for a very volatile situation. Hosts that wish to offer free hosting should only offer it to trusted and verified clients, or at least keep it separate from the network that hosts paid users.
Strong Firewall
A reliable firewall is also a given. No hosting company should go into business without placing importance on the use of a firewall. A properly configured firewall will block most threats to the server and the sites hosted on it, particularly threats from novice hackers who rely on automated tools and scripts to do their work, and who make up a large share of the cyber criminals at large these days.
Software
While there’s no foolproof, 100% effective way to stop DDoS attacks instantly, there are software solutions that still work well to prevent the majority of attacks. Such software should be a standard feature on any server, particularly co-located dedicated hosting servers.
Limit the Use of Executable Commands
One thing that a lot of shared hosting providers forget to do is limit the use of executable commands on sensitive platforms like PHP. These can be useful to account holders, since they let them access files throughout the server, but it’s usually not worth the risk, as the damage can be irreparable. The minor inconvenience of the alternatives is far better than the inconvenience caused by a compromised server.
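As an added example (not code from the original article), here is a small POSIX shell audit that checks a php.ini for the process-spawning PHP functions a shared host would normally list in disable_functions, and for an open_basedir restriction that confines a script to its own account’s directory. The function list is an assumed baseline rather than one the article gives, and the two sample php.ini files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original article: audit a php.ini for the
# process-spawning functions a shared host should disable, and for an
# open_basedir restriction. The function list below is an assumed baseline.

# PHP functions that give a script a shell or a child process (assumed baseline).
DANGEROUS_FUNCTIONS="exec passthru shell_exec system proc_open popen pcntl_exec"

# Print the effective value of a php.ini directive: the last uncommented
# assignment wins, matching how PHP reads the file. Prints nothing if unset.
ini_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=//'
}

# Return 0 if every function in DANGEROUS_FUNCTIONS appears in
# disable_functions; otherwise print the ones still enabled and return 1.
audit_disable_functions() {
    disabled=$(ini_value "$1" disable_functions | tr ',' ' ')
    missing=""
    for fn in $DANGEROUS_FUNCTIONS; do
        found=0
        for d in $disabled; do
            [ "$d" = "$fn" ] && found=1
        done
        [ "$found" -eq 1 ] || missing="$missing $fn"
    done
    if [ -n "$missing" ]; then
        echo "disable_functions still allows:$missing"
        return 1
    fi
    echo "disable_functions covers the baseline"
    return 0
}

# Return 0 if open_basedir is set to a non-empty path, otherwise return 1.
audit_open_basedir() {
    base=$(ini_value "$1" open_basedir | tr -d '[:space:]"')
    if [ -z "$base" ]; then
        echo "open_basedir is not set: scripts can read files outside their account"
        return 1
    fi
    echo "open_basedir restricts scripts to $base"
    return 0
}

# Constructed sample configurations for the demonstration.
WORKDIR=$(mktemp -d)
WEAK_INI="$WORKDIR/weak.ini"
HARDENED_INI="$WORKDIR/hardened.ini"

cat > "$WEAK_INI" <<'EOF'
; weak setting: only two functions disabled, no directory restriction
disable_functions = exec, system
EOF

cat > "$HARDENED_INI" <<'EOF'
; hardened setting: process-spawning functions disabled, scripts confined to the account
; disable_functions = exec   <- commented out, so the audit must ignore it
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,pcntl_exec
open_basedir = "/var/www/example-account:/tmp"
EOF

for ini in "$WEAK_INI" "$HARDENED_INI"; do
    echo "== $ini"
    audit_disable_functions "$ini" || true
    audit_open_basedir "$ini" || true
done
```

Run against a host’s real php.ini by calling audit_disable_functions and audit_open_basedir with its path; a non-zero exit from either is a finding to fix before the server goes into the shared pool.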
Monitoring
Hosts also need to be extremely vigilant in monitoring activity on their servers. This is not the kind of task to assign to a single person who only checks from time to time and is only available during office hours. Monitoring should be the responsibility of an entire team of professionals who can work in shifts and are authorized to work remotely, so that they are always on top of things and can respond to attacks before they spiral out of control. Lack of monitoring is unconscionable these days, as various tools and technologies have been developed over the years, all designed to lighten the burden of monitoring and to give administrators the ability to respond immediately from wherever they are.
Backups
Backups are also a must, and not just a simple backup but both on-site and off-site backups, because on-site backups are still in danger from accidents and from disasters considered “acts of nature.” Backups should also be taken frequently, because outdated backups are far less useful: they will cause site owners to lose precious data now that self-publishing has increased the amount of content websites pump out on a daily basis.
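As an added example (not code from the original article), the following POSIX shell functions take a timestamped archive of a site directory, verify that it can be read back, keep it on-site, push a second copy with a SHA-256 checksum to an off-site location, and prune old local copies so frequent backups don’t fill the disk. The site path, the off-site target and the retention count are assumptions; the off-site target is a plain directory so the script runs offline, where a real host would point it at a remote rsync or object-storage destination.

```shell
#!/bin/sh
# Added example, not code from the original article: frequent on-site plus
# off-site backups with integrity checks and local pruning. Paths, the
# off-site target and the retention count are assumptions for illustration.

# Create a compressed, UTC-timestamped archive of site_dir inside local_dir
# and print its path. A sequence suffix avoids clobbering an archive taken
# in the same second.
make_backup() {
    site_dir=$1
    local_dir=$2
    mkdir -p "$local_dir"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$local_dir/site-$stamp.tar.gz"
    n=0
    while [ -e "$archive" ]; do
        n=$((n + 1))
        archive="$local_dir/site-$stamp-$n.tar.gz"
    done
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"
    echo "$archive"
}

# An archive is only a backup if it can be read back: non-empty and listable.
verify_backup() {
    [ -s "$1" ] && tar -tzf "$1" >/dev/null 2>&1
}

# Copy the archive off-site and store a SHA-256 beside it so a restore can
# detect a corrupted or tampered copy. target is a directory here; a real
# host would use rsync or an object store reachable from another site.
copy_offsite() {
    archive=$1
    target=$2
    name=$(basename "$archive")
    mkdir -p "$target"
    cp "$archive" "$target/$name"
    (cd "$target" && sha256sum "$name" > "$name.sha256")
}

# Check an off-site copy against its recorded checksum.
verify_offsite() {
    (cd "$1" && sha256sum -c "$(basename "$2").sha256" >/dev/null 2>&1)
}

# Keep only the newest `keep` archives on-site; the off-site copies stay.
prune_local() {
    dir=$1
    keep=$2
    ls -1t "$dir"/site-*.tar.gz 2>/dev/null | tail -n +$((keep + 1)) | while read -r old; do
        rm -f "$old"
    done
}

# Number of archives currently held in a directory.
count_backups() {
    ls -1 "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# One full backup cycle; prints the archive path and returns 1 on any failure.
backup_cycle() {
    site_dir=$1; local_dir=$2; offsite_dir=$3; keep=$4
    archive=$(make_backup "$site_dir" "$local_dir")
    verify_backup "$archive" || { echo "archive failed verification: $archive"; return 1; }
    copy_offsite "$archive" "$offsite_dir"
    verify_offsite "$offsite_dir" "$archive" || { echo "off-site copy failed verification"; return 1; }
    prune_local "$local_dir" "$keep"
    echo "$archive"
}

# Constructed demonstration: a tiny site tree, a local backup directory and
# an "off-site" directory, all under a temporary directory.
DEMO=$(mktemp -d)
SITE="$DEMO/www/example-site"
mkdir -p "$SITE/uploads"
echo "<?php echo 'hello'; ?>" > "$SITE/index.php"
echo "constructed upload" > "$SITE/uploads/a.txt"

archive=$(backup_cycle "$SITE" "$DEMO/backups" "$DEMO/offsite" 3)
echo "backup written: $archive"
echo "on-site copies: $(count_backups "$DEMO/backups"), off-site copies: $(count_backups "$DEMO/offsite")"
```

Scheduling backup_cycle from cron at whatever interval matches how fast the site changes gives the frequent backups the article asks for; the checksum step is what turns an off-site copy into one you can trust at restore time.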
Default Security Protection
Web hosting providers should also avoid offering security protection as a premium feature reserved for people willing to shell out extra cash. For one thing, it won’t do their reputation any good and they’ll come off as greedy, but more importantly, refusing to give all subscribers equal protection may end up as a case of shooting themselves in the foot: every single site that is hacked on their servers can serve as a backdoor into their network, and it will also damage their credibility as a hosting company.
Password Security
As scary as hackers who use powerful software tools and exploit vulnerabilities in code and hardware are, the truth is that the majority of successful hijacking and hacking attempts succeed because of something that has nothing to do with technology: poor password security.
Both the host and the users should follow best practices when it comes to passwords, starting with the use of strong passwords instead of short, common dictionary words (which hackers can easily obtain through brute-force dictionary attacks or through social engineering).
Change Passwords Regularly
Aside from using strong passwords, users and administrators should also make it a point to change their passwords regularly. This is much more secure, as it makes them moving targets, which hackers usually consider not worth the time when there are far easier victims all over the net. Hosts in particular should be vigilant and should make it a point to remind their users of the importance of changing passwords regularly.
Don’t be Dumb
Hosts also need to avoid making dumb mistakes in their password security features, such as the use of security questions that are easily solved, like “mother’s maiden name” or “city of birth,” as the answers to these types of questions are easily acquired these days, thanks to social networking and people’s naïveté in handling their personal information.
User Precautions
Although security is largely the responsibility of web hosts, there are also some security issues that are out of their hands and can only be prevented or avoided on the user’s end. One of these is password security, as outlined above, but users also need common sense and awareness when it comes to their behavior online.
For instance, users should avoid controversy for controversy’s sake, such as picking fights and offending people through their website, as there’s no telling whether one of the people they antagonize is actually a hacker or a friend of one. They also need to know how to spot and avoid phishing attempts, and not to click on suspicious links or download illegal files from shady locations. All of these may seem to be outside the responsibility of the host, but the repercussions can reach the host through the user’s website, and a controversy-addicted customer can make the host a huge target for cyber criminals and hackers looking to settle a score.
A Securely Managed Server
At the end of the day, a web host should make it a point to ensure that its business relies on a securely managed server. This includes not just hardware and software contingencies but also streamlined operations and proper dissemination of information about what to do and what not to do. All of this culminates in a hosting ecosystem with users who are not prone to attacks on their end, robust servers with no easy exploits, and a team of administrators who keep close watch and are able to react immediately when problems do occur.
Tags: data security, web hosting tips