You might not realise the extent, but web hosting is a minefield.
Though great web hosts will go to great lengths to protect your website and data from hackers, using a web host with a casual attitude towards security is like leaving the door to your house open: thieves will see it as an opportunity to steal your stuff, and plenty of other people will just wander in out of curiosity.
So, to help you spot the kind of host you can do without, let’s go through what the best do in terms of security. Keep in mind, though, that choosing a web host is only the first step in protecting your website. You need to follow that up with recommended best cybersecurity practices in order to make sure you’re doing your part to keep hackers out.
Here are nine reasons you might need to re-evaluate your web host.
A quality web host – one that takes security seriously – should clearly explain the restrictions they have in place for access to your site. Ideally, they should limit connections to those using the SSL protocol.
They should also allow you a high level of control. You should be able to blacklist and whitelist individual IPs from the control panel of your content management system, so that access to your site is limited to the smallest possible number of users.
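How such a rule set is usually evaluated, as an added example rather than any host's or control panel's own code: the block list is checked first, anything not explicitly allowed is rejected, and IPv4-mapped IPv6 addresses are unwrapped so they hit the same rules. The function names and the address ranges (reserved documentation ranges) are assumptions.

```python
import ipaddress

# Constructed rule sets using reserved documentation ranges.
ALLOW = ["203.0.113.0/24", "2001:db8::/48"]
BLOCK = ["203.0.113.66"]

def normalise(addr):
    """Parse an address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d), so a
    client on a dual-stack socket is matched against the IPv4 rules too."""
    ip = ipaddress.ip_address(addr.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped or ip

def is_allowed(addr, allowlist=ALLOW, blocklist=BLOCK):
    """Default-deny decision: the block list wins, then the allow list."""
    try:
        ip = normalise(addr)
    except ValueError:
        return False  # unparseable input is never trusted
    block = [ipaddress.ip_network(n, strict=False) for n in blocklist]
    allow = [ipaddress.ip_network(n, strict=False) for n in allowlist]
    if any(ip in net for net in block):
        return False
    # An address that matches no allow rule is rejected.
    return any(ip in net for net in allow)

if __name__ == "__main__":
    for candidate in ("203.0.113.10", "::ffff:203.0.113.66", "198.51.100.1"):
        print(candidate, "allowed" if is_allowed(candidate) else "rejected")
```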
You should also, as a matter of course, prevent root logins. If your site gets hacked, this will significantly limit the amount of damage that a hacker can do.
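One way to check that setting, as an added example that is not part of the original article: it assumes the server runs OpenSSH and that root would log in over SSH, and audits a constructed sample `sshd_config` for any `PermitRootLogin` value other than `no`. The function names are assumptions, and `Include` directives are not followed.

```python
import re

# OpenSSH's built-in value when PermitRootLogin is never set.
DEFAULT = "prohibit-password"

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 22
#PermitRootLogin no
permitrootlogin without-password
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes
"""

def effective_root_login(config_text):
    """Return (global value, [(match condition, value), ...]).

    sshd keeps the first value it reads for a keyword, and a Match
    block overrides the global value for the connections it matches.
    """
    global_value, overrides, in_match = None, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        rest = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            in_match = rest
        elif keyword == "permitrootlogin" and rest:
            value = rest.split()[0].strip('"').lower()
            if in_match is not None:
                overrides.append((in_match, value))
            elif global_value is None:
                global_value = value
    return global_value or DEFAULT, overrides

def audit(config_text):
    """List every place where root login is not fully disabled."""
    value, overrides = effective_root_login(config_text)
    findings = []
    if value != "no":
        findings.append(f"global PermitRootLogin is '{value}', expected 'no'")
    for condition, v in overrides:
        if v != "no":
            findings.append(f"Match {condition}: PermitRootLogin '{v}'")
    return findings
```

In the sample, the later `PermitRootLogin no` line has no effect because an earlier line already set the keyword, and the `Match` block re-enables root for one address range.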
A good web host will also include network monitoring tools as part of your package. You can use these tools to spot suspicious activity on your site and get prior warning that an attack is imminent.
Web hosts that take security seriously will also perform their own monitoring on the sites they host, and will alert you if they see anything that looks fishy.
SSL and firewall
SSL and a firewall are two of the most important features to look for when choosing a web host. SSL is an encryption system that will hide all of the data passing between your site’s server and a visitor’s browser. Thanks to a recent push from Google, visitors have come to look for that green padlock in the URL that indicates SSL is enabled.
Firewalls are also a necessity. A Web Application Firewall (WAF) will allow you to monitor all of the HTTPS traffic flowing through your site and applications. When configured properly, it will block data that doesn’t come from a trusted source, and it is effective against SQL injection, which leads many security vulnerability threat lists.
Distributed Denial of Service (DDoS) attacks, made famous by the Mirai incident in 2016, are another common form of cyberattack, and can paralyse your website. They work by flooding your server with millions of phony requests for data, slowing it to the point that it cannot respond to actual user queries.
Smart web host companies have systems designed to stop DDoS attacks before they can get started, and this should be one of the first things you look for when choosing a provider.
It’s a no-brainer. Your hosting plan should include malware scanning. Also, your web host should perform regular scans of all of your files and content, and report back on the results of these scans. A malware infection can be extremely difficult to get rid of once it is in place, but it’s even worse if you never figure out it’s there at all.
In addition to the malware scanning provided by your web host, you should give yourself extra protection by also using a tool like ClamAV or rkhunter.
One of the most important decisions you make when you sign up for a hosting provider will be the operating system (OS) of the servers that host your content. Your choices will be either a Windows-based or a Linux-based server.
Which you choose will depend on your level of expertise. If you are not a pro, it makes sense to go with a Linux server, simply because there are fewer threats to them than to their Windows counterparts. If you are not going to be doing much work on the server side, this should be your choice.
If, though, you want to get into server maintenance, go for the Windows server. The interface is more intuitive for beginners, and Windows servers also provide a good level of threat protection.
Most web hosts will provide a password management system (PMS) as standard. This will allow you to configure and change passwords for different users (using best practices, of course), and let you grant different users different levels of access.
Once you are up and running, you should frequently check back on your PMS. Make sure that users have only the minimum access they need to interact with your site, and delete any accounts that are not being used.
Plugins and apps
Most website builders offer a suite of plugins and apps that can extend the functionality of your site. You should exercise caution, though, when you choose them. Only install apps that are currently being maintained, because out-of-date apps are typically riddled with security holes.
A good web host offers guidance on how to use their hosting service in conjunction with the most popular website builders, and provides specific information on using plugins and apps on your site.
It almost goes without saying that any decent host will come with a backup service included, and that this backup will be encrypted. This is a critical part of cybersecurity that is too often overlooked or not given priority. This guide can level up your understanding of how it should work. If a web host doesn’t offer backup services, steer clear.
How big of a deal is website security? So big that information security analyst jobs are projected to grow by 18% over the decade from 2014-2019. That is a sure sign of increased demand that means a lot of website owners like you will be paying cybersecurity experts a lot of money to solve the kind of security problems we discuss in this article. Why not keep some of that money for yourself and get proactive with a smart web host choice? Choosing a security-minded host is the first step but is only the beginning. If you want to build security into every aspect of your site, you should also understand the serious and indefatigable threat hackers pose to every single site that goes live.
In other words, no matter how small or new your site is, a hacker somewhere in the world will likely be testing your defenses within moments of launch. Will your first full day as a website owner be occupied with mitigating the fallout from a successful malware insertion? Let’s hope not.