The Hostway Blog

Hosting and Hackers

When choosing Web hosting, it's easy to focus on the disk space and bandwidth, uptime guarantees and the extras on offer, and overlook one vital aspect: the security your hosting company offers from hackers.

Choose the wrong company, and that could turn out to be an expensive mistake. Hackers can exploit vulnerabilities in the server setup, or take advantage of programming flaws to hijack your Web site's content, or gain access to sensitive data. Recovering your site can cost valuable time. Worse, falling victim to hackers can cost your business both credibility and trust with your customers, and you could be held liable for losses they incur as a result of their information falling into the wrong hands.

Physical Security

Your server should be housed in a secure environment, to ensure that only authorized personnel have access to it. Although attacks are more likely to be made remotely, a host that fails to physically secure its servers is unlikely to keep software up to date.

Software Security

  • Just as you wouldn't connect your home or business PC to the Internet without installing antivirus software, your host will have protection against viruses installed. Check what software it is running. Also check what kind of spam filtering it provides on your email service.
  • Your host will also have a firewall installed. It may be a hardware firewall, with all Internet traffic passing through and hacker attacks being filtered out, or a software firewall, or both.
  • Many standard server configurations leave ports open and "listening" for Internet traffic when they do not need to be. Every open port is a potential entry point for hackers. Some hosts proactively close down all ports that are not in use; others will turn them off if you ask them to. For example, if your Web site is running a script that can be installed from the control panel, you may not need to have File Transfer Protocol (FTP) enabled. A good host will be able to turn this off for you.
  • Most hosts offer a suite of scripts that can be installed from the control panel with just a few clicks. Besides obviating the need for FTP access, this also lessens the chances of your inadvertently setting options that leave your server vulnerable. Some hosts will notify you when security patches or updates are available for the scripts you have installed, or even automatically install them for you.
  • Scripting languages that allow you or your users to enter, store and retrieve information may make your Web site more attractive. Some hosts will allow remote SQL and CGI access. This can make integration of site modules hosted on different computers possible. For example, you might run a blog or forum on one machine and map it as a subdomain to your main site, then run a script that allows users to use a single user name and password to log in to all three. It's convenient, but it opens up a major security risk. Unless you really need it, this option should be disabled, and if you do need it, you should be able to specify the IP addresses that are able to connect to your server.
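
The open-port check described in the list above, as an added example that is not part of the original article: it parses the output of `ss -H -tln` and reports listeners reachable from the network whose port is not on an allowlist. The allowlist (22, 80, 443) and the sample output, which includes FTP on port 21 and MySQL on port 3306, are constructed for illustration.

```python
import ipaddress
import subprocess

# Ports this site is expected to expose publicly (assumption: web + SSH only).
ALLOWED_PUBLIC = {22, 80, 443}

# Constructed sample in the format printed by `ss -H -tln`.
SAMPLE = """\
LISTEN 0 128    0.0.0.0:22     0.0.0.0:*
LISTEN 0 511       [::]:443       [::]:*
LISTEN 0 32           *:21           *:*
LISTEN 0 80     0.0.0.0:3306   0.0.0.0:*
LISTEN 0 100  127.0.0.1:25     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def is_loopback(addr):
    """True if the bind address is only reachable from the machine itself."""
    addr = addr.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if addr == "*":                          # wildcard: all interfaces
        return False
    return ipaddress.ip_address(addr).is_loopback

def unexpected_listeners(ss_output, allowed=ALLOWED_PUBLIC):
    """Return sorted (port, bind_address) pairs reachable from the network
    whose port is not on the allowlist."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not is_loopback(addr) and int(port) not in allowed:
            findings.add((int(port), addr))
    return sorted(findings)

if __name__ == "__main__":
    try:   # audit the local machine when ss is available, else the sample
        out = subprocess.run(["ss", "-H", "-tln"], capture_output=True,
                             text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        out = SAMPLE
    for port, addr in unexpected_listeners(out):
        print(f"port {port} is listening on {addr} but is not on the allowlist")
```

Listeners bound only to loopback addresses, such as the mail and DNS entries in the sample, are skipped because they cannot be reached from the Internet.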

A good host will also routinely monitor server logs for intrusion attempts and close possible security holes.