Of all the types of web hosting available, shared hosting is the most common and the most vulnerable to security issues.
Learn how to safeguard yours.
Let’s face it: when it comes to the topic of web security, most of us prefer to live in denial. “I’m too small to be hacked,” “I know I’m not that unlucky,” “We’ll see about it when I have more time” — there’s no end to the excuses we can cook up to evade the drudged, tedious toil of hardening your website security.
Yes, even the thought of creating backups is enough to send us to sleep.
So, what can motivate us to take security more seriously?
Maybe paste details of the world’s most devasting hacks on our walls? But then, the I’m-too-small-to-be-hacked thoughts will take over. One idea I think can work as a counter running somewhere — a counter that shows the total number of hours you’ve put into this business or website of yours. If it’s been five years (let’s assume you put an average of 15 hours a day into the business), it will be 15 x 30 x 12 x 5 = 27,000 hours of effort that will go down the drain in an instant if your website was hacked and all the data destroyed!
Although this post is not about habits and motivation, I thought a quick discussion was in order. If that doesn’t scare you and motivate you, I don’t know what will. 🙂
Anyway, for those who were sufficiently scared, or are concerned about their security in general, let’s move on to what you can do to make your shared hosting account more secure.
Please note: it’s a shared hosting account, we’re talking about here, not a virtual or physical server (or even a collection of them). Independent servers are a whole different ball game, whereas in this post I’m targeting the majority, not-so-technical folks whose income relies on digital properties.
Create (ensure) regular backups
It’s hard to believe that backups can be connected to security, but they are.
Often, the hacks are so bad that they wipe out your data; sometimes, the malicious code buries itself deep within the foundations and keeps reappearing (I can’t even begin to explain how many times it’s happened to me on clients’ WordPress site!) despite the best professional cleanup.
On such occasions, there’s nothing better to do than hit the restore button: go to a backup that used to work for you, wipe the slate clean, set up everything again, and import the data back. What do you lose? The data collected since the backup. What do you gain? The whole business!
That said, there are a few things to keep in mind about backups.
Backups mean nothing if there’s no provision for quick and predictable restoration. It’s likely that your shared hosting provider has a restore option, but are you sure it works?
And if there’s no restore button, do you know how to set everything back up?
There are bound to be surprised, as over time you collect enormous amounts of data, which can be a pain in restoration. And then there are other things to consider: database version, software version, PHP version (if you’re running a PHP website, that is), compatibility of these versions, and so on. More than likely, you don’t have the skillset or the energy to get into all of this.
If you don’t, I highly recommend you go for a management service that will take care of everything for you, even if it seems pricey. On the other hand, if you feel confident that you can pull it off, I must ask you to do regular rehearsals (say, every six months) — believe me, no matter how much of an expert one is, there’s always something to trip up on.
If you are looking for a reliable shared hosting to build WordPress, Joomla, Magento site, who offer daily backup then give a try to SiteGround.
How often should you back up? There are two things to consider here: the size of your collected data, and the criticality of your business.
Let’s say you have a total of 40 GB of data needed to run the business. If you schedule daily backups, you’ll use 40 x 30 = 1200 GB or 1.2 TB of data within the first month.
By the end of the first quarter, it would have grown to 3.6 TB — no matter where you choose to store this amount of data, a hole in your pocket is guaranteed.
Discard data older than a specific duration. Now what this duration is, depends on your business entirely, though in most cases twice-a-week backups held for the last month or two is more than enough.
Even then, the bills for backups will be non-trivial, and you’ll need to make sure that it’s the useful data getting backed up, and that too in a reusable form. Otherwise, well, you know the risks . . . 🙂
Embrace Two-factor Authentication
For those not aware of the idea, two-factor authentication means using a two-step process for verifying users before logging them in and handing over the reins (more details here).
Only because if someone happens to guess or otherwise steal your password and tries to log in from their computer, they will be challenged to prove their identity.
The system might ask them to answer a secret question, type in an OTP sent over SMS or email, ask them to select a favorite image or use some other method to enforce identity. Honestly, given how poorly some people choose passwords (no,
s1mpled00d is not a strong password), and how easy it is for browser-based hacks to retrieve your passwords, it’s best to put a two-factor authentication in place.
For WordPress websites, there are several plugins that you can choose, making the task very easy and fast.
Avoid Untrusted Sources
This is another point that should be as obvious as the color of the sky (it is obvious, isn’t it? ?), but as happens in the human world, emotions take over rather quickly.
You want to roll out a feature fast, and you come across a source that is offering exactly what you need — maybe even for free. The demos are amazing, the UX mind-blowing — what else do you need?!
Not so fast, little one! Third-party sources can be a source for several nasty problems (and more often than not, they are) — they can contain malicious code that steals your saved passwords or credit card info (on a mobile app, the malicious damage code can do is scary!), or they might be poorly coded, thus becoming a weak link in your website’s security once embedded.
And please don’t listen to your developer if they say that they’ve gone through the code and approve it — the world of security is extremely twisted, with incredibly crafty attacks being revealed every day (here’s an example of how the humble
unserialize() functions in PHP can be manipulated to allow remote code execution).
Always, always take plugins, themes, libraries, etc., from trusted sources. For WordPress users, this means sticking to the officially available plugins (because they are brutal, strictly checked for code quality and safety), and the same goes for other platforms out there.
Once again, before you feel the uncontrollable urge to grab that plugin and race away, think of the total number of hours you’re putting at risk.
The problem with the “strong” passwords we come up with is that they are anything but secure.
With a little knowledge of your personal life and the aid of a Dictionary Attack, the chances of cracking the shell open are very high.
I recommend using a free and reliable service like LastPass’s password generator that allows you to choose how complicated and lengthy the password should be. Please don’t go easy on the tool — make it stretch its muscles to the maximum.
Forget about having a password that you can remember — no, those days are long gone. Passwords that can be remembered are easy to crack. Instead, give the password generator a spin a few times and settle on something that makes your stomach turn.
Here are some suggestions that I received (with the password length set to 20 characters):
Ugly? Very. Secure? Very!
Finally, if you have a website where others are allowed to create an account, please make sure you enforce password validation and refuse to accept anything that is not horrible to look at. Yes, the new contributor means well, but as they say, the road to hell is paved with good intentions. ??
Update Software Regularly
If your shared hosting account gives you an administration panel that allows you to upgrade the installed software, I highly recommend doing so.
Why? Not because it feels elite to do so, but because new software is released to largely patch security loopholes discovered in the previous releases (Aha! Now you know why your Windows so desperately wants you to keep updating).
Please don’t take this lightly (or actually, any suggestion in this article :D). There’s no telling how many installations, apps, servers, and devices are sitting timebombs because they’re running old software.
If you’re rolling your eyes at this, I’m with you — there’s nothing more painful than having to constantly check, test, update and discard stuff that doesn’t work. But this is the “tax” we pay on digital infrastructure — our digital properties are much more sensitive and much more powerful than the other stuff we’re used to, and so they demand special attention.
Once again, if you can afford it, go for a managed offering.
Choose a Safer Hosting Provider
Not all hosting providers are created equal, and in this world of aggressive advertising and affiliate marketing, it can be hard to tell the good ones from the bad ones.
So, how do you decide which hosting provider is “better”?
Well, I wish I had a magical yardstick, but I don’t.
Hosting infrastructures are complex beasts, and there’s no way ratings, reviews, website design, or customer friendliness can provide a good indicator. But I will say this: if you’re having problems, don’t be shy from trying out something new. If anything, I’d advise you to stay away from very old, very large companies selling domains and hosting (you know who I’m pointing at, don’t you?! ;-)) and instead give a chance to some younger, hungrier companies.
I can’t oversell it enough.
Switching to a more secure, a better-performing service provider can save hours of a headache and sleepless nights every month.
I have several friends who run content-driven WordPress sites, whose website woes vanished as soon as they took the bold (and painful) step to switch, and there hasn’t been a single issue in years. They say petty things like slow website and downtimes are not worth their time, and I think they’re right. 🙂
Use DDoS Protection
The thing with the Web is that it’s the “World Wide” Web. Anyone from anywhere can access your website, or try to break in.
Now, if out of the several thousand visits your website gets every hour, 99% are bots trying to find a way in, you have a problem at your hands — not only will these useless requests eat up system resources, they’ll also consume bandwidth from your quota.
I know shared hosting websites claim “unlimited” bandwidth, but believe me, nothing is unlimited.
Even if we assume for a second that they offer unlimited data transfer every month, let’s not forget that the physical networks that connect everything have a limited capacity. In other words, the number of users your website can serve at the same time is limited, so even though you might have infinite monthly usage, your site will always be very slow or down for users.
And who wants to visit a website like that, right?
More often than not, such an attack is orchestrated by an attacker by controlling several computers and making them visit the target website (for all you know, your computer is already an unwilling participant in an attack like this).
The scenario I just described is what’s known technically as the Distributed Denial of Service (DDoS) attack (more details here), and it remains one of the most frustrating forms of attacks as it’s virtually indistinguishable from a large number of users making requests to your website.
That said, certain companies like Cloudflare, SUCURI have built excellent defense systems around it, which can analyze intelligently and block DDoS attacks based on past patterns of traffic.
Again, this will come across as expensive for many, but then, you have to decide for yourself if risking losing all your business is worth it.
For those not aware, a firewall is just a piece of software running on your computer and network that blocks or allows traffic based on specific rules. It should now be obvious what a “cloud” firewall is, but here’s a picture that’s definitely worth a thousand words. 🙂
If you ask me, a properly configured firewall does more to protect your digital properties than all the other measures combined. If the networks of tech giants are impenetrable, the credit goes to their fearsome firewalls aggressively filtering all incoming and outgoing traffic. If an attacker even tries to probe for openings, the result is instantly blacklisting, making it very, very hard to break in or take the network down.
Here’s our recommendation of the best firewalls out there. Again, if you think it’s expensive, remember the counter!
There are many other things you can do to make things “more secure,” but I think that if you take this article seriously, you’ll be saved from 99.9% of potentially embarrassing attacks and hacks.
This goes especially for WordPress users, as it’s not a very secure platform by design. Even if you have a plain HTML website, remember that DDoS attacks can spoil the flavor for your users, your hosting provider, and you at the same time.
In other words, only the paranoid survive (there’s also a lovely book by that name, in case it interests you)! 🙂