Much Ado about Hosting Security

Published: May 15, 2018 / Article by: Siarhei Kulich

There is always a lot of talk about website security, and while this particular topic may not be the first one to come into your mind while you are in search of a suitable hosting provider, you must have heard all sorts of stories about server failures, data loss and those scary DDoS attacks to take hosting security into consideration.

There is plenty of information on the Internet that describes the perils of security breaches and many resources that teach how to keep your website safe. However, if you are a small business owner with a website on a shared hosting plan, should you really be expecting (or be that scared of) a DDoS attack? Is your hosting provider really in charge of all the malware scans? Where is your responsibility for your website ends and the one of a hosting starts?

The tricky part is that while we can define security as the set of measures meant to keep your website safe from all sorts of danger, the nature of the danger does not allow making one party solely responsible. While a provider company bankruptcy, equipment failure and even downtime (in some cases) can be definitely counted as dangers, they are more related to a hosting stability in general terms rather than its safety.

For the sake of simplicity we will cover the problems that can be classified as immediate threats such as:

DDoS attacks,
malware and viruses,
data loss due to security breach.

We will also try to understand whether the issue of security really deserves such attention — especially in the context of a sharing hosting, and how much the latter is to do with it.

DDoS Attacks

Everyone has heard of DDoS attacks. Thus, there is no sense rewriting hundreds, or even thousands of explanations, here is a really good one from Deloitte:

What you should know is that the small size or relative insignificance of your website and your business does not automatically exclude you from the list of potential targets. In fact, it’s not just big and really famous websites that can be attacked — any can be.

Good news is that it’s not something new or unheard-of. DDoS attacks have become very popular (for lack of a better word) in the recent couple of years, their intensity increasing:

Bad news is that most industry experts expect the attacks to grow and become more sophisticated. All due to the Internet of Things we now have to deal not just with Mirai Botnet attack but also Leet Botnet attack, which is in itself an absolutely new level of threat.

There is no doubt that

DDoS attacks are bad, really bad (even if they don’t steal your data, they bring all sorts of harm);
there is no chance to put them to an end in the nearest future.

And for an average user it seems only natural that the task of DDoS attack mitigation lies on a hosting provider. After all, they should know better, shouldn’t they? However, there is a catch for you, if you are on a shared hosting plan. Here is why.

It costs money and effort to block an attack.

If it is your website that is targeted, it is YOUR WEBSITE under attack and NOT A HOSTING itself. Being one of many on a shared server you both make life harder for yourself as well as for your neighbors – this is how it looks like to your provider. If your website is attacked often and causes regular inconvenience, you are bound to lose your account. Or the situation can be reverse: you can suffer because one of your neighbors got on someone’s way and got attacked. Bad case scenario either way.

What you should remember is that if you are on a shared hosting plan you cannot rely on your provider’s diligence in the matter. Keep in mind that DDoS attack mitigation is costly and very few providers do it for free as a part of a package you choose to buy. That is why you should read your perspective provider’s SLA (Service Level Agreement) page carefully to understand what kind of support you can (will be entitled to) expect in case of signing up. And whether you’ll need to pay extra money.

Besides, luckily, a DDoS attack is not that hard to identify, if you pay attention to your website. It is characterized by the spikes in traffic if compared to your usual inbound traffic numbers. If you can notice it early and contact your provider for support, the entire problem can be handled fast and to everybody’s satisfaction.

Malware and Viruses

Here is what you have to remember about hacking threats and keeping malware from infecting your sites — they are YOUR SITES — and your responsibility in the first place. Here is why.

A hosting is responsible to provide you with the latest OS possible, the one that is next to invincible to any malware. But if you are negligent on your part and mess up with your PHP code and scripts, if you don’t check your WordPress or any other CMS for security holes, don’t make updates and forget about regular scans, then, you are the only one to blame. One day you may find that your website is ruined or inaccessible and you have to pay ransom to get it back. If you think “That’s unlikely, I’m good”, look at the following report on malware:

And there is no need to be enraged about your hosting provider negligence. Especially if your plan is a shared one. With hundreds of websites on each server a hosting is unable to babysit them all. It is impossible to make daily checks of all sites as it takes enormous amount of time, effort and money on behalf of a provider. They do make regular scans of their servers for viruses and malware, however, they are not responsible for every particular website. Especially if the owner of the latter allows it to be compromised by badly coded script and never updated plugins and software.

Surely, there are hosting providers with a knack for security. Yet again, this is not a regular case for a shared hosting plan. Even with VPS and managed hosting it will cost you extra cash to have someone else keeping an eye on this stuff – firewall, security monitoring, even backups – a sharing hosting it’s on you.

Besides, there is always risk of being infected by your neighbor. Yes, this is just the same as catching the flu on a bus. Just because someone else’s website is malware-friendly (due to their code’s vulnerability to JS or SQL injections or random file uploads) you can suffer, too.

So, here is what you have to understand. A hosting company is not ultimately responsible for your website protection from malware. It is responsible for providing you with a place on its server (or with a server) and an environment for your website. However, the type of software you choose to install there and its level of protection – it’s up to you. You keep it up-to-date and debug and take all sorts of care. You can use:

anti-malware scanning,
WAFs (web application firewalls),
blacklist monitoring.

But all these things are usually a part of premium packages; so, don’t expect them in an average shared hosting plan. You can check your options and you can also find it out whether your provider allows 3d party security apps installation.

It’s pretty much the same story we had about DDOS attacks – a hosting provider is not really much responsible for any sort of a cyberattack. That’s why you should check their SLA to make sure you problem will be attended in a due form (if not for free).

Data Loss due to Security Breach

Cyberattacks can be different in terms of their type and origin as well as the end result. We have already covered DDoS attacks and malware as the most common and expected security threats that may (or may not, depending on the objective) end up with data loss. Then, why single the latter out in a separate topic? Because it’s another point of perfect misconception about hosting security. Here is why.

Any case of data loss can be helped by… having a backup. And here is a conundrum. Who should take care of these things – a website owner or a hosting?

You might have or haven’t heard of RAID. It is a special data protection system employed by some (but not all!) hosting providers. If a hosting SLA reads that they have RAID pre-installed on their servers, it’s definitely a very good thing. But it’s also very expensive, and in case of your shared hosting plan – not very cost-effective for a provider. In case of data loss (due to any reason) you are again on your own.

Thus, keep your backups; and make sure you have at least some of them off-site and not in the cloud, do it on a regular basis. Because yet again, most hostings will provide you with a special backup option but not necessarily free of charge (on a shared plan).
One more thing is SSL (Secure Sockets Layer) – which always costs extra money, by the way; it will protect your website from sensitive data loss and is invaluable if you run an e-commerce site. Yet again, if for some reason or other you choose not to pay for it, and private data leaks from your site – it is your responsibility, not your hosting provider’s.

The idea of a hosting not to be exactly in charge of everything might not seem particularly pleasing to some website owners. However, if you choose a shared hosting plan, your provider's share of responsibility for your website security shrinks to a minimum. That's the truth you have to face, unfortunately. As well as the fact that if you go on being one among many website owners with excessive expectations for a hosting in regard to security, you will only have yourself to blame in case of a problem.

About Siarhei Kulich

Co-founder and CTO of HRank.com - a hosting uptime monitoring website. Siarhei has more than 20 years experience in web developing and web hosting.
Connect: Website, LinkedIn

No Comments

How Hosting Providers Make You Pay More

Why AI Is a Great Idea for Any Web Hosting