Shared Hosting Security Guide for 2021
Shared hosting is beneficial for small hobby sites and personal blogs, but businesses might find that shared hosting limits growth. To start out, however, many site owners begin with shared hosting until their business grows and makes enough to justify paying for virtual private servers or dedicated hosting. For web hosting providers, it’s critical that servers run at optimal speeds and don’t harbor any malware. Security can be complex when hundreds of site owners with little knowledge of performance tuning and cybersecurity install applications on the shared server. With the right tools, site owners and administrators can keep their servers running at peak performance and keep them secure from common exploits. Keep on reading to find the answers to the following questions:
- What is Shared Hosting?
- Can Shared Hosting Be Hacked?
- What are Potential Problems with Shared Hosting?
- How to Stay on Top of Shared Hosting Security
- Recommended Articles
What is Shared Hosting?
After site owners buy their domain, they need a place to host the site. The most affordable option is shared hosting. It costs a few dollars every month, and the site owner gets resources on the provider’s server. For small sites with little traffic, it’s the obvious choice. For businesses, it can be limiting, but before choosing the right hosting plan, it’s important to know the choice that you’re making.
Shared Hosting vs. Dedicated Hosting
For enterprise sites, dedicated hosting is usually preferred. A dedicated server is a physical machine that customers lease from the provider. The customer has full control over the machine and often uses it along with other servers on the site owner's small co-located network. It can be integrated with the internal corporate network or accessible over the internet. For example, an enterprise might use dedicated hosting to run public-facing eCommerce applications.
Small site owners may find dedicated hosting too expensive, especially at the start when the business isn’t making any revenue. It’s the most optimal for businesses that need full control of their server without sharing resources with other provider customers.
Shared Hosting vs. VPS
A virtual private server (VPS) is the next best thing to dedicated hosting. The business has access to a virtual machine (VM) with dedicated resources without the expense of leasing the entire server. VPS looks and feels like a dedicated server, but customers still share resources from a physical machine.
VPS costs are between shared hosting and dedicated hosting, so it’s usually the next step after shared hosting may not offer the resources necessary to grow a business website. It’s also an issue of compliance for some businesses that store financial or healthcare information. The host can define the VM, or the customer can configure their sites in any way that they want. Discover how to make VPS hosting secure in our new guide.
Shared Hosting vs. Cloud Hosting
Hybrid cloud hosting has become more popular because it allows businesses to control costs while leveraging the latest technology. Cloud infrastructure can also integrate with the local network using a virtual VPN.
Cloud hosting is beneficial for lowering costs and building a hybrid environment. Still, some users are unfamiliar with the technology and prefer simple shared hosting over the complexity of configurations and security necessary for a hybrid cloud. Enterprise corporations often take advantage of cloud hosting for virtually endless computing resources, but small businesses might struggle with the ways newer technology works.
WordPress Hosting vs. Shared Hosting
WordPress powers a large portion of the internet, so it’s no surprise that many small businesses and new site owners choose to install it. A content management system (CMS) like WordPress makes it easier to work with content and traffic analysis. Permitting a web interface to create users and publish content. WordPress core also allows users to install plugins that perform custom actions or themes.
Some hosts offer managed WordPress hosting, which means that administrators take care of the updates, performance tuning, as well as monitoring of customer sites. This hosting option takes away much of the overhead necessary to run a WordPress site. The site must be regularly updated to avoid being exploited, and the wrong configurations may slow the site. Managed WordPress hosting lets customers focus on website content, and host administrators worry about the technical concerns.
Can Shared Hosting Be Hacked?
Yes, a general rule is that anything hosted on the internet can (and will) be hacked. Internal resources can also be attacked or exposed. Publicly hosted applications are exposed to anyone with an internet connection, and they have a higher risk of being exploited. All applications have at least one bug, and even just one bug could be exploited and used to steal data or install malware on the server. Shared hosting has additional risks since hundreds of sites hosted on the server increase risk of a compromise.
WordPress is commonly installed on shared hosting websites, making the server a target for vulnerability scans and exploits. The primary difference between VPS, dedicated servers, and shared hosting is the way sites are hosted. Should an attacker compromise a VPS or dedicated server, it’s unlikely any other customers would be affected by the exploit. For example, if an attacker uploads malware to a VPS or a dedicated server, only sites hosted on the VPS or dedicated server would be affected. In a shared hosting environment, sites share server resources. The same malware could affect the server, affecting hundreds of customer sites hosted on the server.
What are Potential Problems with Shared Hosting?
Shared hosting is affordable, but it may come at the price of security and separation from other site owners. Since you cannot control what happens on other sites, including security and content, using shared hosting can affect your site. You should consider these issues when you look for shared hosting, but every hosting provider has its way of managing the websites on its servers.
Shared Directory with Other Site Owners
When a host provider sets up storage space for customer sites, a directory is created to store site files and data. While this might not seem like a serious issue, it leaves all sites potentially vulnerable if an attacker can compromise the directory where all sites are stored. But permissions must remain open enough to run the website applications. If the main directory on the server is compromised, then the attacker has access to any files uploaded to your own site, including your configuration files.
Issues with Load Time
Performance is an essential factor in website success. Search engines use site performance as a ranking factor, and users expect sites to load instantly. Site owners can tune sites for performance, but they cannot control server resources. Other site owners use the same server resources, so any poorly coded and poorly secured sites can affect the speed on other sites hosted on the server.
DDoS Attacks
Distributed denial-of-service (DDoS) attacks affect site performance and uptime by flooding traffic to a specific server. The site might be targeted for one particular reason, or an attacker might target a site indiscriminately. When one site is targeted, the DDoS exhausts resources on the server and all sites hosted on it could potentially crash or stop delivering website content. Because site owners do not have access to any statistics for other sites or the server itself, they will be unable to detect it and will not know why their sites are slow and crashing.
Shared IP Addresses
Most websites hosted on the server share an IP address, which means that any negative content that affects search engine ranking, blocklists, and other penalties will also affect your site. If the shared server hosts sites that could be considered “bad neighborhoods,” it could affect your site even if it contains safe and legitimate content.
Security Issues
Security is one of the most significant disadvantages related to shared hosting. Compromised sites could affect the security of your site. For example, an attacker that exploits another website and uploads malware could use that malware to steal data from all sites stored on the server. A compromised server affects all hosted sites, so shared hosting adds risk to your own data security and customer privacy.
Possibility of Data Loss
Every site owner should have backups stored off the server, but small site owners might use a backup system where they are stored on the local server. If the server suffers from a compromise or crashes, all sites hosted on the server could lose data. Backups stored on the server would also be lost, so it’s important for site owners to keep at least one backup copy offsite.
Lack of Security Protection
Because site owners are limited in what they can do on the server, they don’t have the same security protections as a VPS/dedicated admin who can configure server settings and install applications. Limitations on how a site owner can configure a server leave the trust in the provider to secure the server properly.
How to Stay on Top of Shared Hosting Security
Shared hosting has its benefits, and even with its limitations, site owners can still take advantage of the service provided as long as they understand what is needed to secure their sites. Site owners who choose shared hosting can take a few steps to ensure that their sites are secure and protected from compromise.
Choose a Reputable Hosting Provider
Several providers offer shared hosting, but site owners must take the time to find a host that takes security seriously. You could search the internet for providers that offer advanced security, but the Imunify360 directory has a list of reputable hosters that provide secure services using effective monitoring and threat detection.
Configure Directory Permissions Properly
When a shared host provider gives you a directory on the server, it’s up to the site owner to configure permissions properly. If a portion of the site should only be visible to authenticated users, the site owner must set that directory permissions correctly. Any mistakes in user permissions could lead to exposure, data theft, or even a target for malware to be uploaded to the site.
Control PHP Execution
Allowing anyone to upload and execute scripts could compromise the site and allow an attacker to elevate privileges. Scripts (e.g., Perl, shell scripts, PHP, etc.) should also be limited permissions set, and any custom user scripts should be heavily monitored and seldom given permissions to execute. It’s unlikely that uploaded content should ever be executable such as PHP, so features that allow users to upload files should have filters blocking known malicious scripts.
Choose Your Operating System Wisely
The operating system used on a shared host has an impact on performance and security. Outdated operating systems no longer supported by developers are at high risk of compromise since they no longer receive critical security patches. CloudLinux OS Shared is optimized for shared hosting servers and keeps control of CPU consumption across all sites. CageFS and LVE by CloudLinux isolate each customer site into a different environment and allocates limited resources, including CPU, network connections, and memory. A new option is CloudLinux OS Solo, which can be used as a single-user operating system setup that includes monitoring, performance detection, and optimization tools.
Install a Security Solution
A security solution protects from the many threats targeting shared host servers and their sites. For administrators responsible for shared hosted websites, Imunify360 tools can make an administrator’s life much easier and proactively defends and removes malware with its server malware scanner and Proactive Defense technologies. Imunify360 can be used as an advanced threat monitoring tool. Imunify360 reduces administrative overhead and protects customer data automatically.
Recommended Articles
- 17 ways to improve your cPanel security
- WordPress Security Fundamentals: Ultimate Guide 2021
- What are Antivirus False Positives and What to Do About Them?
- Proactive vs. Reactive Security: 5 Tips for Proactive Cyber Security
- 15 security tips for Linux VPS Hosting
- ModSecurity Rules: How to Guide
- Top 15 Plesk Server Security Best Practices to Protect Your Website
- Top 10 Web Hosting Security Best Practices
- What Are Your First Three Steps When Securing a Linux Server?
- What are steps to secure a Linux server?
- How to keep your website secure in 2021
- Ultimate Guide for DirectAdmin Security from Security Experts
- Security made easy with Imunify360