For every type of online project, security is essential. But in addition to the financial costs, security issues can lead to downtime that disrupts your project and compromises customer data. It can also impact sales/business plus your brand image and website credibility.
When getting started, there are various security threats for online businesses to remember. Here we look at the security challenges that shared hosting users may face, as well as how to prevent and resolve them.
Shared hosting security
Due to the nature of shared hosting and how it’s built, there are some areas that can be targeted. And while most security settings are managed by the hosting provider, users can proactively manage and mitigate some security risks. The areas of shared hosting that are most at risk come under the following categories:
- Hosting provider level
- Server-level (relating to the product and shared server)
- User control (relating to software installed, settings, and daily use)
Hosting provider-level security
It’s always best to select a hosting provider with the right security measures in place to mitigate potential issues with your account, hosting service, and data.
Some things to look out for:
- High account security and data privacy (multi-factor authentication & secure platform).
- Mitigation of DDoS attacks on the server level.
- Regular backups for software (with notifications).
Another thing to remember is that with shared hosting, you’re not isolated. So if one website uses weak security practices, like not encrypting sensitive data, it could pose a risk to other users. An attack that gains access to one site’s database might find connections or scripts that interact with other accounts on the server.
There is also the risk of malware propagation, when one site is infected and it spreads to other sites on the server through shared files, scripts, or database connections. After the malware infects multiple sites, it can lead to data breaches or further exploitation.
Be aware that shared hosting providers may not update server software and configurations as soon as updates are available by default. This can create vulnerabilities which can then be exploited. For example, cybercriminals often target outdated versions of PHP or MySQL.
This means you need to make sure that all updates on the server are made promptly. It’s also best to check if hosting providers support or offer the following:
- SSL certificates
- Firewalls
- Customer support
Under user control
Shared hosting software infrastructure
Hosting providers are responsible for the security of software infrastructure, but hosting users need to manage security for any additional software and custom codes.
Insecure plugins and themes
One security consideration is the choice of plugins, tools, and services. If these are not legitimate or safe, all shared hosting users on the server could be at risk from various attacks or malware infections.
It’s also possible that legitimate and official software is used but not updated, so it could become a security vulnerability. This may be the case with WordPress updates, which you need to look out for in emails and notifications because they are not always applied automatically.
When you need to apply updates actively, it’s easier to overlook them. This is something to remember when choosing your provider.
You can find out about hosting updates in these ways:
- Emails
- Alerts in the dashboard
- Release notes from content management system (CMS) providers
- Forums
Password management
When password management is not handled securely, it may enable unauthorized access in the hosting environment. Security breaches can be caused by weak or easy-to-guess passwords, or when security credentials are shared between different users.
Brute-force attacks
These involve malware that attempts a high number of password combinations until access is gained. When passwords are not sufficiently strong, access can be more easily achieved.
File permissions
Errors in file permissions can cause the leaking of sensitive information, such as database credentials. This kind of breach can also be a risk for other users on the server, not just the website targeted in the attack.
Server-level security
As already mentioned, users share server resources with other Shared Hosting users. When not managed correctly, shared environments can potentially present various security risks that should be taken into account.
DDoS attacks
Shared hosting accounts are vulnerable to distributed denial-of-service (DDoS) attacks, in which online systems, servers, or networks are inundated with connection requests (Internet traffic). These attacks are often carried out by a network of bots (botnet), and they prevent ordinary Internet users from accessing the website for a certain period of time.
Resource limitation and its impact
When a neighboring hosting account receives an attack, this account will take up more resources so they won’t be available to other users. The ultimate result is that websites will be slow or unavailable.
Hosting providers can apply monitoring measures, such as firewalls and automated traffic monitoring, and act on DDoS cases to stop other users from being affected when a neighbor is attacked.
Measures to prevent or reduce the effects of attacks on the same server include:
- High-capacity routers
- Anti-DDoS systems
- Isolation of accounts
- Firewalls
- Intrusion detection and prevention systems (IDPS)
- Traffic throttling
Even with security measures in place, web hosting in shared environments is slightly more vulnerable due to the structure of shared hosting accounts.
Shared IP address security
In some cases, shared hosting accounts that may include multiple plans and websites, all share the same IP address. This means that if this one IP address on the server is hit by a cyberattack, a whole range of hosting plans and websites can be affected — even those that were not the intended target.
Shared hosting data breaches
With shared hosting environments, if one website is compromised then attackers can potentially find ways to access the files or databases of other sites on the same server. This means that a server that isn’t well configured is more vulnerable to data breaches, enabling unauthorized access to other user accounts.
A particular website on the server may be under attack, such as a DDoS attack, SQL injection, or cross-site scripting. The resulting disruption of resources may make it easier for attackers to exploit other vulnerabilities on the server, which can mean compromised data for multiple sites.
Shared hosting security customization
With shared hosting products, you don’t need to manage your server security but you’re not able to configure as flexibly as with hosting options that provide root access.
Hosting providers usually offer a standard security configuration that controls the most important security features, which may not meet the specific needs of some users. If you need your security settings to be more configurable, it would probably be better to go for a dedicated server or Virtual Machine (VPS) hosting service.
Shared hosting security vs. other hosting types
Shared hosting vs. VPS and dedicated hosting
With shared hosting, you can follow best practices and ensure that you are at minimal risk. But if you have higher security requirements, maybe you should choose VPS or dedicated server hosting. With these options, you will likely have root access and the ability to manage and configure your security settings to meet your preferences.
Dedicated hosting security advantages
An additional security benefit offered by dedicated hosting is total isolation. While shared hosting users may be vulnerable to risks caused by other users on the same server, hosting users have an entire server to themselves and complete control over their own security. The same is true for owners of a virtual private server, but as the isolation is virtual, VPS users are not quite as independent as dedicated hosting users.
It should be remembered that the extra security customization and control of dedicated and VPS hosting brings with it extra responsibilities. If users don’t have the tech skills to customize and manage security settings themselves, they may need to hire an IT professional.
10 strategies for securing shared hosting
For shared hosting users, there are security risks to be mindful of, but there are also best practices to keep in mind that can minimize these risks.
1. Make regular backups
Regularly backing up website files and databases prevents data loss in the event of a data breach or issue with installed software. It also allows users to revert to normal operations more quickly by restoring a previous, uninfected website state.
It’s usually a good idea to use an autobackup service, as applying backups manually can be easily overlooked or not done regularly enough.
2. Avoid untrusted sources
Always be extra vigilant when using any plugins or software, so you can avoid untrusted sources and minimize security risks.
3. Use secure passwords and 2FA/MFA
It’s important to only use strong, unique passwords for your hosting account, CMS admin panels, and FTP/SFTP accounts. For an extra layer of security, enable two-factor authentication (2FA) or multi-factor authentication (MFA) whenever possible.
4. Regulate permissions, user roles, and access
To avoid anyone gaining unauthorized access, set appropriate user roles and permissions, and ensure you securely store and share the credentials with partners.
It’s good practice to limit the number of people with access to your hosting account and website. Regularly monitor your access logs and account activity for unusual or unauthorized behavior.
Remember to set the correct file and folder permissions to prevent unauthorized access. This includes 644 for files and 755 for directories. Avoid 777, which allows full read/write/execute permissions for all users — unless you’re sure it’s needed.
5. Use a web application firewall (WAF)
A WAF analyzes incoming website traffic, identifying and filtering out malicious requests before they reach web applications. This helps to prevent various types of attacks, such as SQL injection, cross-site scripting (XSS), and remote file inclusion.
WAFs can block known malicious IP addresses and sources of spam or DDoS attacks, preventing those requests from affecting the website's performance.
Use a WAF to filter and block malicious traffic to your site. Some hosting providers offer WAFs as part of their service, or you can use third-party solutions like Cloudflare or Sucuri.
6. Use SSL certificates for website security
For website security and protecting user data, SSL certificates are an essential measure. The HTTPS protocol secures communication between your website and visitors. Many hosting providers, like Let’s Encrypt, offer free SSL certificates for all websites.
7. Regularly update patches, CMSs, and plugins
Always keep your content management system (CMS) platforms, plugins, and themes regularly updated to minimize security vulnerabilities.
Ensure that your hosting provider keeps all server software, such as Apache, PHP, and MySQL, completely up to date.
8. Scan and monitor for suspicious activity
Regularly monitor for signs of suspicious activity to check for security threats. cPanel Virus Scanner is included with Spaceship Shared Hosting plans. There are also free monitoring services like ImunifyAV, and free online scanners, such as Sucuri.
Malware scanning tools detect and remove malware from websites, and many hosting providers offer built-in malware scanning. You can also easily install security plugins for popular CMS platforms like WordPress.
9. Use secure file transfer protocol (SFTP)
Implement SFTP for your file transfer protocol (FTP), to make transferring website files more secure. While FTP transmits data (including passwords) in clear text, SFTP encrypts data transmission. Another secure FTP alternative is file transfer protocol secure (FTPS).
10. Strong account isolation
It’s best to choose a hosting provider with strong user account isolation, such as CageFS from CloudLinux, to isolate each user's environment and prevent user accounts from affecting others.
Extra security considerations
Always check that your hosting provider follows sensible security policies and standards, and has technologies like CloudLinux and cageFS. Remember that the basic principles of security start with the user, so make sure you implement strong security measures, like automatic backups, SSL encryption, and automatically patching and updating server software.
Security products that you can consider purchasing include:
- Autoscan and cleaning tools for malware detection
- Secure shell (SSH) encrypted terminal access
- Attack protection against high-volume attacks
- WAF
- DDoS protection
- CDN (to reduce the impact of DDoS attacks)
Stay safe and secure
For both individuals and businesses of all sizes, cybersecurity should always be a high priority. As a shared hosting customer there are a few security issues to be mindful of, but by making the right decisions and following best practices, you can keep the risks under control.
Share your thoughts