Website Security - Web Hosting Security

Website security

Web developers often develop websites on a shared Linux hosting environment. Although shared web hosting can be less expensive, there are there are a number of security issues that should be considered.

Components of a shared Linux web hosting server.

 Linux shared web hosting provides some of the least expensive web hosting available. This is primarily due to the fact that many websites are hosted on a single server. Each website owner on a particular server has a user account which gives them access to the server. They have the ability to log in to a control panel and upload their website files via FTP. A single web hosting account will have it's own directory structure and files, but actual server space, hardware resources and core operating files are shared, this type of hosting can provide reliable service with quality features at a very low cost.

Some potential security problems with shared Linux web hosting.

 The shared Linux web hosting environment will typically have at least one instance of the Apache web server running on it and will usually enable the running of PHP and / or executable CGI scripts. The running instance of the Apache web server must maintain all incoming HTTP requests for each site on the server. Website applications, including WordPress and content management systems usually require write access to the directories of your website.

The Apache web server runs as the same user regardless of what website is being served. Each user account and the Apache server are essentially members of the same group. The user that Apache is running as, has read access to all the websites on a shared server. It will also more than likely have write access to all of these sites as well. Because of the Apache web server architecture on a shared web hosting environment, a malicious user only has to compromise one website on a shared server in order to have access to every website hosted on the same machine. This makes it trivial for a script kiddie or anybody to easily access your website's files and data.


It's not even something you can prevent by securing your own scripts, on shared hosting they can get in through the vulnerabilities in other peoples scripts or through their own fictitious web hosting account.


So, what is the solution?

 At the very least, you could set up an application or use a free remote website testing service that would test your website at a pre-defined interval and notify you by email if any of your files have been changed.

 Although Windows web servers do have their own vulnerabilities, Internet Information Services(IIS), the web server application that handles website requests on Windows servers, doesn't have the same issues as an Apache based system. Security is more thoroughly built-in to the system. As of IIS 6 a feature called "Web Service Extensions" was added that prevents IIS from launching any program without explicit permission from an administrator. In the current release, IIS 7, components are provided as modules, so that only the required components need to be installed, thereby further reducing the attack surface area. Additional security features include Request Filtering, which rejects suspicious URLs based on a user-defined set of rules.
You can also compile the source code of your Windows website into a DLL locally and cause it to error out rather than running any malicious files which could compromise your website or your customer's data, if your files were modified without your knowledge. In theory, someone could get your compiled DLL, de-compile it, even if it was obfuscated, rewrite your source code, recompile it and upload it to your server. However,  I have not seen one instance of this happening. In order to do this, they would need to be a Windows programmer, and Windows programmers typically have better things to do with their time. Hacking websites is usually the work of script kiddies or other troubled individuals, for fun or some reason only known to their psychiatrist.

 Another option would be a virtual dedicated or dedicated web server. Dedicated web servers are more expensive, but they do provide your website with it's own resources and insulation from any other sites that may be hosted on the same server. The number of other websites hosted on a virtual dedicated server are usually much more limited, which provides more available resources and better performance for your website. You also have the ability to run just about anything you would like and have a much greater degree of control over the configuration of your web server.

 If you are running any type of ecommerce site or care at all of about the security of your website and user's data, a Windows web server or dedicated server is something you should consider.

Sharing is caring:

web development web services website security

Dialogue & Discussion