While the internet has many advantages, one drawback is that the more business we do online, the more exposed our information is to bad actors who try to access our data through malicious attacks and scams. Billions of individuals have had information compromised through attacks on high-profile companies such as Microsoft, LinkedIn, and Facebook.
Small business owners may think that, because their businesses are lower profile, their websites are not attractive targets for cybercriminals and hackers. Still, according to StrongDM, small businesses account for 46% of data breach victims. Website security must be taken seriously, as data breaches can have severe and long-lasting consequences.
Choosing the Right Web Host
Malicious attacks can cause your website to be temporarily or permanently disabled. They can also cost your business hundreds of thousands of dollars and erode customers’ trust if their personal information is exposed through your site.
Choosing a web host that takes your website’s security seriously is key to protecting your business, website, and customers. Below, we outline the best web hosting security practices to look for when choosing a host and some steps you can take to protect your website.
What Is Secure Hosting?
Security is important for any web hosting plan. No single feature makes one hosting platform more secure than another; rather, a combination of individual factors contributes to overall web hosting security.
Most web hosting companies engage in at least a few standard security practices, but that doesn’t tell you how secure they are compared to competitors. It’s important to consider the many security measures you and your hosting company might take to keep your site secure.
What Security Features Should a Web Host Offer?
Hardware security
When you purchase web hosting services, the main thing you get is server space to host the files that make up your website. Ensuring the physical servers are protected against threats is the first step in feeling confident the data saved on those servers is secure.
The data centers where the servers are physically located should be secure, with access granted only to the web hosting company personnel responsible for installing and maintaining the hardware. Best practices include controlled access points, security cameras, motion detectors, and secure cabinet racks that prevent bad actors from physically compromising the servers.
Natural disaster protection
Server rooms are also vulnerable to natural and man-made disasters, such as power outages, fires, floods, and more. To mitigate these problems, server rooms should be water- and fire-proofed and equipped with backup generators, and hardware racks should be bolted to the floor, ceilings, or walls.
Companies with data backed up at off-site locations add an extra layer of protection. Also, consider where a company’s data centers are located, and avoid areas prone to natural disasters like earthquakes, hurricanes, and tornadoes.
Ask your web hosting provider:
- Where are the servers located?
- What security measures are in place to protect physical servers?
- How are servers protected during power outages or natural disasters?
Network monitoring
Consistent threat monitoring is crucial to identifying and resolving issues quickly, before they become more serious attacks and breaches. If you are contracting with a web hosting company to manage your server, you are trusting that someone is monitoring the physical hardware and website traffic to prevent attacks.
Ask your web hosting provider:
- How are networks monitored for security threats and attacks?
- How are customers notified about security threats and attacks?
Secure access
Just as web hosts should restrict who has physical access to servers, they should also limit who gets virtual access. Carelessness about who can log into a server and what information they can see can easily lead to compromised data.
Web hosts should use the Secure Shell (SSH) network protocol, or an equivalent, for login access. Many web hosts clearly state whether they allow SSH access. SSH provides:
- Strong password authentication
- Public key authentication
- Encrypted data communications, so that systems and applications can be managed remotely and securely
Secure Sockets Layer (SSL) encryption (today provided by its successor, Transport Layer Security, or TLS, although the certificates are still sold as "SSL certificates") ensures that if anyone tries to intercept data as it is transmitted across the web, they see only garbled, incomprehensible characters. This encryption is such an integral part of website security, especially for e-commerce sites, that many web hosts now include a complimentary SSL certificate in their hosting packages.
If not, it is important to obtain an SSL certificate separately. Not only does this help protect your business and your customers, but search engines are increasingly labeling websites without SSL certificates as insecure, which could drive away visitors.
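Having a certificate is only half the job; it also has to cover the exact hostname visitors type and it must be renewed before it expires. The following is an added example, not code from the original article: a Python check that takes a certificate in the shape that the standard library's ssl.SSLSocket.getpeercert() returns and reports expiry and hostname-coverage problems. The sample certificate and the fixed "current time" are constructed so the example runs offline; fetch_peer_cert() is included for live use and needs network access.

```python
"""Check a server certificate for expiry and hostname coverage."""
import socket
import ssl

DAY = 86400


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live certificate with verification on (the default context).
    Needs network access, so the offline sample below does not call it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def san_matches(pattern, hostname):
    """RFC 6125-style name match: '*.' covers exactly one DNS label, so
    '*.example.com' covers shop.example.com but not api.shop.example.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        head, sep, rest = hostname.partition(".")
        return bool(sep) and head != "" and rest == pattern[2:]
    return pattern == hostname


def cert_findings(cert, hostname, now, warn_days=14):
    """Return a list of problems with `cert` (a dict in the shape returned by
    ssl.SSLSocket.getpeercert()) as seen at Unix time `now`."""
    findings = []
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        findings.append("certificate is not yet valid")
    if now >= not_after:
        findings.append("certificate has expired")
    elif not_after - now < warn_days * DAY:
        findings.append(f"certificate expires in {int((not_after - now) // DAY)} day(s)")
    # Browsers match the hostname against subjectAltName only; the subject CN is ignored.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(san_matches(san, hostname) for san in sans):
        findings.append(f"no subjectAltName entry covers {hostname}")
    return findings


# Constructed sample (not a real certificate): covers example.com and one level
# of subdomain, valid for ten days in 2030.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("organizationName", "Example CA (constructed)"),),),
    "notBefore": "Jan  1 00:00:00 2030 GMT",
    "notAfter": "Jan 10 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan  3 00:00:00 2030 GMT")

if __name__ == "__main__":
    for host in ("shop.example.com", "api.shop.example.com"):
        print(host, cert_findings(SAMPLE_CERT, host, SAMPLE_NOW) or ["ok"])
```

For a live check, pass `fetch_peer_cert("www.example.com")` together with `time.time()` to cert_findings(). The expiry warning is the part worth automating: a certificate that lapses turns every visitor's browser into a full-page security warning.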
A web application firewall (WAF) provides additional protection by filtering and monitoring the HTTP traffic that reaches your web application and blocking common attack patterns before they arrive at your code. Look for web hosting service providers that offer host-level or cloud-level WAFs.
Ask your web hosting provider:
- Does the company use the SSH network protocol or an equivalent?
- Is an SSL certificate included?
- Does it offer host-level or cloud-level WAFs?
Backups
Backups are important because if your website crashes or is compromised, losing all your data and rebuilding your website from scratch would be extremely difficult.
There are two types of backups web hosts should provide. First, a physical backup should be kept on a server in another location, in case one server location is compromised. You also need a digital backup of your files, so that if something goes wrong, you can restore a previous version of your website.
Ask your web hosting provider:
- Are automatic backups included in your hosting plan?
- If so, how often do backups occur?
- How long are backups kept, or how many versions of your website can you store?
Distributed denial-of-service prevention and content delivery network support
Distributed denial-of-service (DDoS) attacks are, unfortunately, a common tool in the hackers’ arsenal — they flood a website with so much traffic that it becomes overwhelmed and inaccessible to legitimate users, thus denying them service.
Since DDoS attacks can be hard to resolve, preventing them from happening is key. Most web hosts use a tool like a content delivery network (CDN), a geographically distributed group of servers where cached content is stored, so it can be delivered quickly to visitors to your website. Utilizing this type of caching helps reduce hosting bandwidth and makes it harder for attackers to disrupt service with DDoS attacks.
Many CDNs are available, and most web hosting service providers include their services in hosting packages to help protect their customers from DDoS attacks. However, if your chosen web host does not include CDN support, it is possible (and advisable) to add it to your website separately.
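A CDN absorbs volume before it reaches your server, but you should still be able to tell from your own access logs when a single client is hammering the site. The following is an added example, not code from the original article: a Python sliding-window rate check over Combined Log Format lines, the format Apache and nginx write by default. The log lines are constructed for the example (documentation address ranges), and the ten-second window and twenty-request cap are this example's own thresholds.

```python
"""Spot clients that hammer the site, from ordinary access-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format, e.g.
# 203.0.113.10 - - [01/May/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields we need, or None for lines that are not access-log entries."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TIME_FMT),
        "request": m.group("req"),
        "status": int(m.group("status")),
    }


def flagged_clients(lines, window_seconds=10, max_requests=20):
    """Sliding-window rate check.

    Returns {ip: peak requests seen inside one window} for every client that
    exceeded max_requests. Lines must be in time order per client, which is
    how web servers write them.
    """
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop entries that fell out of the window
        if len(q) > max_requests:
            peaks[rec["ip"]] = max(peaks.get(rec["ip"], 0), len(q))
    return peaks


def make_sample_log():
    """Constructed log: one visitor browsing normally, one client firing five
    requests a second for twelve seconds."""
    base = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset_ms, path):
        ts = (base + timedelta(milliseconds=offset_ms)).strftime(TIME_FMT)
        return offset_ms, f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    entries = [entry("203.0.113.10", i * 3000, "/") for i in range(5)]
    entries += [entry("198.51.100.7", i * 200, f"/?page={i}") for i in range(60)]
    entries.sort(key=lambda e: e[0])
    return [line for _, line in entries]


if __name__ == "__main__":
    for ip, peak in flagged_clients(make_sample_log()).items():
        print(f"{ip}: {peak} requests within one window")
```

One caveat that explains why the article recommends CDN-level protection: a per-client threshold only catches a flood that comes from a small number of addresses. A distributed attack spreads its requests across thousands of sources so that no single address trips the cap, and that is where upstream filtering with a view of global traffic is needed.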
Ask your web hosting provider:
- Does it include CDN support?
- What DDoS prevention measures are in place?
- What mitigation and recovery actions does the company take during and after a DDoS attack?
Malware detection and removal
Perhaps the best-known threat to website security, malware is any harmful software, program, or code that attackers use to get into your systems and then steal, damage, or encrypt your data, or spy on your online activity.
Protection against malware is critical. Not only can malware cause irreparable damage to your business by stealing information, including customers' data, but you can unintentionally pass a virus or malware on to your customers, destroying valuable trust and loyalty.
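The backups described earlier and the malware scanning described here rest on the same building block: a manifest of file hashes taken from a known-good copy of the site. The following is an added example, not code from the original article or from any hosting provider, covering both: it creates a backup archive, proves the archive restores cleanly by extracting it to a scratch directory and comparing hashes (the step most people skip), and then reuses the manifest to report files that appeared or changed in the live site, which is the kind of drift an automated scanner looks for. The sample site, its files and the simulated changes are all constructed inside a temporary directory.

```python
"""Verify that a backup really restores, and use its manifest to spot
unexpected changes in the live site."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(root):
    """{relative POSIX path: sha256} for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(site_root, archive_path):
    """Write a gzip tarball of site_root and return its manifest. Keep the
    manifest with the off-site copy, not only next to the live site."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(site_root), arcname=".")
    return manifest_of(site_root)


def diff_manifests(baseline, current):
    """Sorted list of 'added|modified|removed: path' entries."""
    out = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            out.append(f"removed: {rel}")
        elif rel not in baseline:
            out.append(f"added: {rel}")
        elif baseline[rel] != current[rel]:
            out.append(f"modified: {rel}")
    return out


def verify_backup(archive_path, manifest):
    """Restore into a scratch directory and compare against the manifest.
    Returns (ok, problems); a backup nobody has restored is only a hope."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive_path, "r:gz") as tar:
            # Python 3.12+ (and patched 3.8-3.11) provide the 'data' filter,
            # which refuses absolute paths and '..' members in archives.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        problems = diff_manifests(manifest, manifest_of(scratch))
    return (not problems, problems)


def scan_for_changes(site_root, baseline_manifest):
    """Compare the live site with the last known-good manifest. A modified
    core file or a new PHP file under uploads is exactly the kind of change
    that deserves a look."""
    return diff_manifests(baseline_manifest, manifest_of(site_root))


def demo():
    """Constructed site in a temp dir: back up, verify, then simulate drift."""
    with tempfile.TemporaryDirectory() as work:
        site = Path(work) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "wp-content" / "theme.css").write_text("body { color: black; }\n")
        archive = Path(work) / "site-backup.tar.gz"
        manifest = create_backup(site, archive)
        ok, problems = verify_backup(archive, manifest)
        # Simulate what a compromise looks like on disk (constructed fixture,
        # deliberately inert): an edited core file plus a new PHP file where
        # only images should live.
        (site / "index.php").write_text("<?php echo 'hello'; /* unexpected edit */ ?>\n")
        (site / "wp-content" / "uploads" / "photo.php").write_text("<?php /* constructed fixture */ ?>\n")
        drift = scan_for_changes(site, manifest)
        return ok, problems, drift


if __name__ == "__main__":
    ok, problems, drift = demo()
    print("backup restores cleanly:", ok, problems)
    print("changes since baseline:", drift)
```

Two practical notes. The manifest must be stored with the off-site copy (as the article recommends for backups) so that an attacker who can edit the site cannot also edit the baseline. And the scan finds drift, not intent: a "modified" entry after you applied an update is expected, so refresh the baseline after every deliberate change and investigate everything else.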
Ask your web hosting provider:
- Does it offer automated malware and antivirus scanning?
- What procedures are used for removing malware and viruses?
Are Certain Types of Hosting More Secure Than Others?
When looking for the perfect secure hosting environment, you’ve undoubtedly come across a variety of options: dedicated, managed hosting, virtual private server (VPS), shared hosting, WordPress hosting, and e-commerce hosting. The hosting environment you choose will have a direct impact on your overall security.
Shared versus dedicated hosting
Shared hosting is probably the least secure since you share a server with dozens or hundreds of other sites. But this depends on the security protocols of your shared host.
For example, some shared hosts employ 24/7 server monitoring, encryption, and spam protection, and even offer integrated CDNs. All of this will help improve your site’s security without much additional effort on your end.
Virtual private servers or dedicated servers
Using shared hosting opens up your site to a possible security risk because an attack on any other sites on the same server could have repercussions for your site. Hosting companies go to a lot of trouble to make sure this does not happen, but it is still inherently safer to use a VPS or a dedicated server than sharing a server with dozens or hundreds of other websites.
As a bonus, going with a VPS or dedicated server will often offer much more disk space and other server resources, so you can grow your site as you see fit.
Managed hosting
Managed hosting environments tend to have a higher level of security as there are fewer sites using server resources, and site-specific security measures can be put in place. For example, if you’re using a WordPress-managed host, your server environment will be uniquely configured to protect the WordPress content management system (CMS).
Also, the support team behind you will have in-depth technical knowledge related to the platform you’re using. With managed hosting, some hosts also take responsibility for keeping your site up to date, which can plug common security risks.
Security for e-commerce sites
Generally, an e-commerce host environment should have higher security standards as you’ll need additional levels of protection for collecting and storing sensitive customer data, like credit card information.
Some security features of e-commerce hosts include:
- Bundled SSL certificate
- Payment card industry (PCI)-compliant payment processor
- DDoS protection
- Regular backups
- Server and site-wide firewalls
Best security practices for website hosts
While your web hosting service provider is responsible for a lot of the security of your website, there are a few key steps you, as the website owner, must take as well.
Install safe themes, plug-ins, and applications
If you are using a CMS to build your website, you will use themes, plug-ins, and other software applications to customize it. Install only software that does not contain malicious code or exploitable vulnerabilities.
This means ensuring your themes, plug-ins, and applications always come from trustworthy sources, such as WordPress' directory and vetted third-party providers. If you are unsure whether a plug-in or application is safe, err on the side of caution and investigate before installing it. Also, make sure any software you install is actively maintained and regularly updated, as this reduces the chance that it carries unpatched security vulnerabilities.
Once you install any software, immediately change any default settings, including passwords, to protect against hacking attempts.
Perform updates regularly
Although installing software updates can be a hassle, this is an important part of website security. Software updates often include protections against new threats, and not installing updates can leave your software vulnerable to those who want to exploit its weaknesses.
Only give access to trusted admins
Only allow people you trust access to the back end of your website. From your admin panel, you may be able to create different user categories with varying privileges and levels of access. Carefully consider who needs access to what and assign credentials accordingly.
Everyone should have strong passwords, but it’s especially critical for site admins to have hard-to-hack passwords. If their access is compromised, it can mean severe impacts for your website.
Practice good password hygiene
Anyone who has access to your website should have a strong, hard-to-guess password. Be sure admins change their passwords regularly, especially after suspected (or confirmed) hacking attempts.
Install an SSL certificate
Make sure your website has an SSL certificate. The easiest way is to select a web host that includes an SSL certificate with your hosting package, which is increasingly common.
If you choose a web host that doesn’t include an SSL certificate, you can purchase and install it separately. The cost of a basic SSL certificate, which is sufficient for most small businesses, ranges greatly from about $10 to nearly $1,000.
Frequently Asked Questions About Web Hosting Security
Is Linux or Windows more secure?
Both operating systems (OS) have their advantages and disadvantages, and users have their own preferences. In general, Linux-based web servers face fewer threats because Linux is not as widely used an OS as Windows. Additionally, because it is open-source software, anyone in the Linux community can quickly resolve security issues as soon as they are detected.
One of the security advantages of Windows is that, as a license-based OS, access is limited by default, creating some inherent protection against hackers.