As those of you who know me are aware, I take website security very seriously so that my clients don’t have to. For those of you who aren’t hosting with me, however, I want to call attention to this post by Wordfence (a popular WordPress security plugin) outlining the security concerns every website owner should be asking their hosting company about.
For those of you who don’t quite understand the lingo used in the article, however … I’m going to do a 5-part series tackling each of these questions in detail so that you can know enough about these things to make the right decisions for your business. Here’s part 2:
Are you completely isolating hosting accounts from each other? Or is it possible for one hosting account to read files in another account on the same server?
I’ve described this to past clients as "thin walls" — like living in a crowded apartment where you can hear every sound and feel every movement from the apartments around you. This concept becomes important with a WordPress website, because most site-based security is focused on protecting your site from a front-end attack from the outside world. These attacks can come in the form of exploiting security holes in plugins, brute-forcing your admin login, or flooding your hosting account with so many requests that it gets shut down.
But what happens when the attack comes from within?
What happens if your server has a mole — a double agent lurking deep within that attacks all the sites on a server from the inside?
What most people don’t realize is that shared hosting can have thousands or even millions of sites on a single server. Servers can also be connected in a group, forming an interconnected server cloud. This means that any malware running between accounts can access all sites on a server at once, compromising all sites at the same time without detection.
When people come to me with a site that has these "thin walls", no matter what I do to clean and secure the site, I cannot guarantee that the site will stay clean. Without the host’s cooperation and proper security configuration, there is no way to keep a site safe from the others on the same server. Sure, you can do everything you’re supposed to be doing to keep your site safe (scanning, using a firewall, keeping your site updated and so on), but if every single site on that server isn’t doing the same, you are at risk.
On some hosting companies, the attack doesn’t even come through the site files or the account walls. The database that runs your site gets attacked through the database server itself, as hackers gain access to every site through one single method. (Database hacks, by the way, are the worst type as they often involve having to manually clean and/or recreate large amounts of data.)
The problem with hosting companies that have these types of security holes is that they are not going to admit to it. A good hosting company will tell you that you are protected from such things. A bad hosting company will stay silent on that subject. If you are ever in doubt, try asking someone who knows or searching for information about that company on Google. I’m always happy to help when it comes to questions of WordPress web hosting. For my own premium hosting services, I’ve developed a custom hosting system that balances security with flexibility and efficiency for my hosting clients. As I both maintain the sites on the server and know the configuration it runs on, I can ensure a greater amount of security than that which is offered on typical shared hosting.
Ready for more?
In the next part of this series, I’ll be talking about server logs and why you need them. If you don’t want to miss it, you should sign up for Super Alerts!