Web Hosting Security Guide

Section 1

Web Hosting Security Overview

Why You Need a Secure Website

web hosting security guide

As most contemporary web hosting companies operate under a managed cloud approach, online businesses & web publishers are increasingly reliant on the technical expertise of strangers in a remote environment to keep their data safe, maintain website code integrity, and provide continual network uptime without loss of critical services. Hackers may target an individual website to steal financial data, user passwords, or simply to vandalize and take a website offline. Many hackers employ script bots to run code remotely in an automated fashion, where entire data centers or networks are at risk, particularly when "zero day" or previously unknown exploits are launched.

Due to the complexity of web hosting and the common use of shared web servers, there are an incredibly large number of attack vectors for hackers to target all across a data center's hardware, software, & network facilities. A hacked website can lead to extended downtime, loss of ecommerce business, brand reputation tarnishing, theft of the personal/financial information of customers (including passwords), and the use of web hosting resources to launch email spam, mine bitcoin, or hack other websites in DDoS attacks. Some hackers are also able to penetrate web servers on hosting accounts to use the disk space to host files, images, warez, viruses, & malware, or to run malicious scripts with available CPU resources.

"Due to the complexity of web hosting and the common use of shared web servers, there are an incredibly large number of attack vectors for hackers to target all across a data center's hardware, software, & network facilities."

Inexperienced web developers, programmers, and systems administrators can inadvertently create security holes in a website by uploading untested code, failing to regularly maintain existing websites with required platform updates, or neglecting to apply security patches to web server software. Even highly tested and monitored cloud hosting environments with experienced security professionals running a data center can be put at risk in these ways. The lack of isolation for client accounts on shared hardware resources in a data center also means that "bad neighbors" can target other websites on the same server with different attack vectors that network firewalls cannot always detect. Shared hosting plans, VPS accounts, cloud data centers, and dedicated hardware all have unique security risks that must be carefully addressed in a systematic manner by web professionals with a focus on data integrity, network monitoring, and packet encryption.

Find the Best Web Hosting Companies

What Are the Risks?

Data Theft

Data theft is one of the most serious of the security risks inherent to web hosting, where even an entire database can be stolen and downloaded in seconds through a CMS script using a MySQL injection attack. The injection of malware, viruses, and worms into a web server through script bots is another major problem, where millions of known exploits have been cataloged online by security researchers. Anti-virus utilities need to be continually updated to guard against the ever changing and constantly increasing methods that hackers use to penetrate networks, web servers, & hosted websites. Data centers even need to guard against physical intrusions with security techniques that prevent unauthorized access to a facility.

"Cross-site scripting & MySQL injection attacks are some of the most common attack vectors for websites hosted online. "

Cross-site scripting & MySQL injection attacks are some of the most common attack vectors for websites hosted online. Brute force attacks can be used to break the password of FTP, SSH, cPanel, or email connections, potentially giving hackers full access to user data and web server configuration settings. Path transversal hacks permit access to folders on a server that are not normally made public in web hosting. Packet sniffing can be used to read data in transit that has not been properly encrypted. Distributed Denial of Service or DDoS attacks can take a website, server, or entire data center offline by overloading the network with requests for hosted web pages. IP spoofing can be used to mask the identity of a malicious user through proxy tools, while spammers can make a website unreadable by filling forums, blogs, & comment forms with unwanted content or advertisements.

Section 2

Web Hosting Security Essentials

One of the most important ways to maintain website security is to keep regular backups of site files and the database that can be stored in case of a critical emergency that corrupts the codebase or takes a website offline. RAID storage is used by web hosting companies in various configurations in order to keep two or more copies of website files and information stored on separate devices in case of single-unit hardware failure. SSL/TLS certificates permit data to be encrypted when sent in transmission to other computer devices across publicly accessible or shared data lines. Firewalls are used to prevent unauthorized users to gain access to the hardware in a data center or to secure an internal network. Anti-virus and anti-malware utilities scan uploaded files for known exploits with the ability to quarantine or remove unwanted scripts entirely. A cloud data center must build a multi-level program which includes all of these features at a minimum in order to provide a basic level of security for the websites that clients host on the network hardware facilities.

Hosting Security Essentials 1 - Backups

backup lifeguard buoy

Website and database backup services are becoming increasingly common even on shared hosting plans, either through cPanel integration or third-party utility software. Many web hosting companies still charge extra for these services or offer them as bonus features on higher tier accounts. Website and database backup utilities allow users to schedule regular snapshots of data that can be stored, usually in zip archives, in folders or servers separate from the main files and then used to restore services in case of any system failure, codebase corruption, or data loss. For example, if a website becomes hacked, the owner can simply choose the most recent version of the database and website files that were working before the attack, then restore the website to the previous state through the utilities. In these instances, a website can be back up and running in a few minutes, with limited downtime or loss of critical files and information.

In addition to the backup facilities provided by WHM and cPanel, some of the more popular third-party utilities are: Site Backup Pro, Carbonite, Backup Machine, XCloner, & CodeGuard. Numerous plugins for WordPress, Drupal, Joomla, and other CMS scripts are available to provide this functionality through the website, such as Backup Buddy or the Backup & Migrate module suite. Website owners can schedule database backups on an hourly, daily, or weekly basis, as well as deciding how many total backup copies of data to keep in the archives before deletion. Some web hosting companies offer off-site file backup services for greater security, while other third-party utilities will automatically send copies of website data to AWS, Dropbox, or NodeSquirrel. The ability to use website file and database backup archives to migrate a website to a new server or web hosting company is also common among developers.

"For example, if a website becomes hacked, the owner can simply choose the most recent version of the database and website files that were working before the attack, then restore the website to the previous state through the utilities. In these instances, a website can be back up and running in a few minutes, with limited downtime or loss of critical files and information."

Hosting Security Essentials 2 - RAID

The use of RAID storage arrays in web hosting, an abbreviation for "Redundant Array of Independent Disks," is ubiquitous although there is significant difference in the quality of the hardware or overall backup format each webhost uses in practice. RAID levels, usually 0-10, evolved out of computer science research and peer review to establish a set of agreed upon criteria for establishing the "reliability, availability, performance, and capacity" of network storage devices. In simplest terms, RAID storage arrays backup or mirror website data in multiple copies so that if one hard drive or SSD storage unit fails, a copy of the same data is available in another source so that no actual data loss occurs. The different levels used with RAID standards reflect whether multiple mirrors of the data is available on 2, 3, or more different storage drives, where some even recommend the use of multiple data centers for maximum reliability.

"In simplest terms, RAID storage arrays backup or mirror website data in multiple copies so that if one hard drive or SSD storage unit fails, a copy of the same data is available in another source so that no actual data loss occurs."

For retail web hosting accounts, all aspects of RAID storage are already installed and configured in the cloud by experienced technicians. This is a major requirement for data center management as it insures that customers will not experience any data loss when an inevitable storage drive failure or malfunction occurs in production. A variety of third-party networking software is available for data centers to choose for the function of synchronizing all client data in multiple copies at scale. Advancements in this field have led to the use of similar constructs in cloud hosting, particularly in load balancing, where multiple copies of the website data are hosted simultaneously on different machines and web traffic routed to the hardware which has the most system resources available in real-time. Users of dedicated servers must be cautious, however, because the "single box" web server model is not always configured to independently support data mirroring through RAID storage arrays on these hosting plans at all.

Hosting Security Essentials 3 - SSL and Firewall

SSL/TLS certificates are available in a variety of different types & validation levels from multiple third-party service providers, used primarily to install encryption keys on a web server for secure data transmissions. Some SSL/TLS certificates also verify the identity of a domain owner or business to browsers of a website. Although SSL/TLS certificates previously required a unique IP address to install and operate, even on shared hosting, many web hosting companies are now offering free versions for every domain name registered on a server without the need for a dedicated IP address. Wildcard and multi-domain certificates are also available both with and without extended validation. SSL/TLS certificates with extended validation include a green address bar in the browser with the business or domain name owner prominently displayed, intended to induce a higher level of trust in the website users.

"A Web Application Firewall (WAF) is recommended particularly to protect production websites from cross-site scripting (XSS) and MySQL injection attacks, where a CDN service can also be installed on a website to reroute traffic from DDoS attacks."

Firewalls can be installed to protect an entire data center network from unauthorized usage or malware infection, as well as being installed on a single web server or at the application level. Network firewalls can be used to protect against DDoS attacks, to blacklist IP addresses from known spammers or hackers, as well as to implement packet filters on  web server I/O transfers. Stateful inspection firewalls can also sniff for known malware, viruses, and worms in transit or guard against script bot attacks. A Web Application Firewall (WAF) operates on the domain level and will add an extra layer of protection to the codebase of an installed website. A Web Application Firewall (WAF) is recommended particularly to protect production websites from cross-site scripting (XSS) and MySQL injection attacks, where a CDN service can also be installed on a website to reroute traffic from DDoS attacks. Apache ModSecurity is one of the best known open source WAFs and is commonly run as an extension on Apache, Windows, & Nginx web servers.

Hosting Security Essentials 4 - Anti-Virus and Anti-Malware

Anti-virus and anti-malware utilities are available from third-party vendors specifically to run on web servers, although many web hosts have the services integrated at a meta level in the software management systems of a data center. The main principle of these utilities is the same as desktop computing anti-virus applications where the software automatically scans files on a storage drive to search for matches to known exploits, malware, or worms. Many hackers are able to tunnel into a web server and create a "backdoor" which can be used to execute scripts remotely. After the backdoor is installed, a web server can be used to host files like spam, pr0n, or warez that can be both illegal and damaging to the reputation of the domain. Other backdoor scripts can lead to a pwned server being used as part of a botnet, where hundreds of thousands of hacked servers can be linked together to build DDoS attacks or mine bitcoin. On shared hosting, the data center company will be responsible for installing anti-virus and anti-malware utilities as part of their platform security regime, although VPS and dedicated server users may need to install their own solutions. Anti-virus software can sometimes lead to decreased performance on a web server due to the processing power required by the system scans.

"The main principle of these utilities is the same as desktop computing anti-virus applications where the software automatically scans files on a storage drive to search for matches to known exploits, malware, or worms."

Hosting Security Essentials 5 - Software Updates

Regular software updates are one of the most important and frequently neglected aspects of data security, leading to the most problems with compromised hardware. A web server has an installed operating system, normally Linux or Windows, as well as a software stack comprised of the server platform, programming languages, database, & extensions. Many web servers also run additional software for the control panel administration, FTP connections, email accounts, etc. Each of the installed software programs can be used as an attack vector by hackers and the developing company or open source community behind the programming must regularly issue security patches that close the holes or bugs discovered by security researchers. Many of these programs can be set to automatically download and apply the required security patches, but if these processes are neglected or misconfigured, the attack vector will put the hardware at risk. The same is true for the blog, CMS, CRM, or ecommerce scripts that run websites, where these platforms also include modules, plugins, & themes with attack vectors that hackers can exploit. Because of this, web masters must pay close attention to updating installed web scripts on a regular basis. Script bots often have the ability to identify web servers or website codebases with outdated software and to target them specifically for attack.

"Each of the installed software programs can be used as an attack vector by hackers and the developing company or open source community behind the programming must regularly issue security patches that close the holes or bugs discovered by security researchers."

Hosting Security Essentials 6 - Secure Data Center

The first level of security at a data center is the physical protection of a facility, which may included guarded entry, biometrics, security passes, and other forms of anti-intrusion protection on the ground. The next level of security involves the firewalls that prevent unauthorized users from gaining access to the network hardware and that can blacklist known spammers, hackers, or DDoS servers by IP address. Because it is relatively easy for these groups to use proxy tools to mask IP addresses, there are also third-party tools and utilities that can be installed for real-time network traffic monitoring as well as brute-force attack protection. Repeated attempts to login to a user account, cPanel, email, or FTP account can be limited if the monitoring software detects the usage as an attempt to break the password. Another aspect of data center security not directly related to hacking attacks is the preservation of data from system failure, i.e. in the case of server crashes or hardware malfunction. As this is common in rackmount computing facilities, most web hosting companies implement a system of data mirroring based on RAID 10 or RAID 5 standards with multiple redundancy. All of these factors are combined in the Uptime Institute's tier standards (I-IV) which serve to regulate the industry by providing a standard guide for consumers and businesses in evaluating web hosting companies.

"The first level of security at a data center is the physical protection of a facility, which may included guarded entry, biometrics, security passes, and other forms of anti-intrusion protection on the ground."
Section 3

Web Hosting OS and Hosting Security

Linux and Windows OS hosting security

Traditionally, Windows servers have been viewed as less secure than Linux servers primarily because more hackers were developing exploits to target the platform and the greater level of peer review available through open source software development. One of the main advances in the use of micro-operating systems with containers is the acknowledgement that the smaller and more scaled down an OS installation is on a web server, the less available attack vectors there are for hackers to target. Similarly, micro OS installations have the need for far fewer system patches and security upgrades over time. The other problem with Windows server usage has been that many outdated versions of the OS were installed without licensing internationally that could not be updated by contacting the Microsoft computers for patches. Hackers can easily identify which version of Windows is running on a web server and then use a wide array of known exploits to pwn the machines. Because of this, Linux usage grew to occupy over 90% of the consumer web server market previously, although this has changed in recent years by the advent of Nginx servers and advances in the Microsoft Azure cloud offerings. Platform-as-a-Service (PaaS) products guarantee that the remote cloud company technicians will keep the operating system patched and updated regularly, although users with unmanaged VPS and dedicated server plans need to be much more careful about systems administration.

"Hackers can easily identify which version of Windows is running on a web server and then use a wide array of known exploits to pwn the machines."
Section 4

Web Hosting Security Best Practices

Web masters have to be responsible primarily for the security of the codebase and database of a website, where the network security details are left to the cloud service provider. CMS websites need to be updated continually and this includes the installed modules and themes. Developers with original code have to test their work in a sandbox environment, although in practice it is difficult to imagine every possibility or exploit vector. PHP websites can be particularly vulnerable if users gain permission to run code on a web server without proper supervision. Backdoors are common on websites that remain online without security upgrades, leading to the remote execution of code or the hosting of unwanted files on storage space. It can be beneficial to search for a webhost which will regularly scan site files for viruses and malware, especially if a company offers these services as part of the monthly plan and not at an additional cost. Most of the popular CDN companies have anti-DDoS protection enabled as part of the service which enables the platform to immediately reroute bad traffic requests through isolation and quarantines.

Similarly, it is not always recommended for web masters to trust a web hosting company for backup & restore services but rather to configure these functions directly in the CMS platform on which a website is running. Popular sites may need an hourly database and file backup, while less frequently updated websites can schedule backups on a 24 hour basis. For the highest level of website security, it is recommended to save backup copies of the website and database on different servers than the actual code is running on. This can avoid the complete loss of data if hackers gain total access to a machine or the system fails unexpectedly. For the highest degree of guaranteed uptime, it is required to keep multiple copies of a website and database in different data center locations entirely. Normally this is only a requirement for the most highly trafficked enterprise and financial websites. Small business owners need to take particular care of customer financial data and passwords by using SSL/TLS encryption on logins, data transfers, and check-out procedures. Most of the credit card payment gateways have built-in security measures that will prohibit financial data from being stored directly on a shared web server.

Website owners put the majority of their trust in the web hosting service provider when signing up for a retail plan. As full data center management is out of the question for most web publishers, small businesses, and bloggers, it is important to review the web security measures offered by a company in detail before committing to a platform. Look for web hosting plans with an additional Web Application Firewall (WAF), CDN with anti-DDoS protection, and integrated data backup services for best value. It is absolutely essential to encrypt all user data in transit by installing a SSL/TLS certificate, although free options will work as well as expensive ones requiring a dedicated IP address for most websites. Real-time scanning for malware, anti-virus software, brute-force password hacking attempt protection, and anti-spam features on email accounts have become fairly standard on most web hosting plans. Make sure to keep the codebase and installed modules on CMS websites running WordPress, Drupal, Joomla, Magento, etc. continually updated, including third-party plugins, modules, & themes, for the best overall website security that can be managed independently.

Find the Best Web Hosting Companies