Unsecurity

Question to hosting providers: how do you handle the latest security threats? In environments such as shared hosting, it's hard to maintain a decent level of security.

If the provider doesn't interfere, most sites run on insecure versions of popular site engines. Using FTP without any secure layer is also a warning to me - normally, the provider should enable all bells and whistles to warn about this.

Or using HTTPS (either using a shared certificate, or a dedicated, owned one). Do all of you follow recent recommendations, such as from SSL Labs tests, to ensure sites are protected from well-known vulnerabilities?

So far, checks with several providers whose services I use demonstrated poor results. There are possibly insecure components, used for ages, but still available without any warnings. I do not mention names here, since I prefer, at the moment, to contact every one of them privately and express my concerns.

Do your customers massively use old-style FTP? Do you offer Java applet-based controls in the control panel? Does your HTTPS part protect from POODLE and other recently reported problems?

Comments

  • The majority of clients don't know the difference between FTP and sFTP. As far as ssl vulnerabilities, as long as you keep cPanel updated, it generally handles itself IMO. There's not that much we can do about insecure versions of popular CMS other than constantly run maldet in order to make sure there's nothing fishy in all the directories.

    Finally, let's face it. I know I might get shot down here, but in a shared hosting environment, security is not the first thing you should be looking for. Shared hosting is ONLY good for small, useless sites and shouldn't be considered for anything critical anyways. If you have security concerns or requirements, it's better off to just pick up a leb/dedi.

  • @Jonchun said:
    Finally, let's face it. I know I might get shot down here, but in a shared hosting environment, security is not the first thing you should be looking for. Shared hosting is ONLY good for small, useless sites and shouldn't be considered for anything critical anyways. If you have security concerns or requirements, it's better off to just pick up a leb/dedi.

    Will you put that on the front page of your site?

    "You're buying shared hosting from us since your sites are just useless. We don't offer you any security, for the price you wish to pay".

    And allow me to disagree. VPS/dedicated requires much more effort to keep it secure; actually, you need an expert sysadmin to do and maintain everything. It costs 1.5-2 orders of magnitude more than average shared hosting.

    Also, sites aren't useless only because their owners can't afford the above managed hosting.

  • MikePT Moderator, Patron Provider, Veteran

    WebHosting, when done right, can be pretty secure as well. Even on a shared environment.

  • jar Patron Provider, Top Host, Veteran
    edited April 2015

    Speaking somewhat generically as... not currently being associated with any shared hosting company.

    It is a very difficult balance. You have to weigh the impact of what you want to do against the impact of doing it. For example, an SSL vulnerability that requires a client machine to be infected, and fixing it breaks hundreds of clients' software. Now, it's not your fault if their machine is infected and it's not your fault that the software they use is outdated... but you're about to generate a ton of support tickets, so you need to prepare for the event and you don't just execute it on the fly like it's nothing to think about. Clients, all of them, are something to think about. They are, after all, the reason you are doing what you're doing.

    For application vulnerabilities like Wordpress, etc, you do your best to keep mod_security rules up to date and addressing the latest vulnerabilities. However, you can't rush on that either. You need to run it through extensive testing first because every positive rule is going to break someone's strange, yet legitimate usage of their application. This is, again, going to generate tickets and no matter how you spin it that requires time and man power. Some vulnerabilities you simply cannot protect them against without breaking things for a ton of clients, so you just have to let their website get compromised because it's ultimately their fault for not updating their scripts.

    As for FTP, I think all of us would prefer that it simply disappear. That said, strong brute force security and strong password enforcement (which also generates pissed off tickets) on it is usually about the best you can do if you actually want clients.

    No matter what you do as a shared hosting provider you're going to get slammed by clients for it. Either you do nothing and they blame you for their applications being compromised, or you work your butt off and take every precaution you can, followed by constantly being chewed out for breaking some weird usage scenario that someone had, and then you still get blamed for every time their application gets compromised.

    Some of the above seems like it isn't true for small shared hosting providers, because most companies run things differently until they grow large enough that they simply cannot sustain that style of management for their prices (hint: new hires are not unlimited, eventually you stop finding capable people that want to do the job). This is mostly stated from the theoretical perspective of a larger web host.

  • All I can say is 50% of the industry don't give a flying fuck about security, if they did they wouldn't use WHMCS for starters or cPanel... the two products which are known to lack security. WHMCS is doing a cPanel and hiding them via bugcrowd but they show you the numbers unlike cPanel where you can't view the page and cPanel even bundle security fixes in monthly patches, so you have to wait a whole month to get it fixed.

    Now if the providers who use them are taking security seriously I need to know what isn't.

    Thanked by 1: Scottsman
  • raindog308 Administrator, Veteran

    Jonchun said: Shared hosting is ONLY good for small, useless sites and shouldn't be considered for anything critical anyways.

    Tons and tons of small business sites run just fine on shared hosting. Your local pizzeria, photography studio, dance instructor, etc. don't need a VPS and just turn to a local web designer to put up a brochure-type site. The sites may be small, but they aren't useless and are critical to those who own them.

  • @raindog308 said:

    Let's be real here. Any website that runs on shared hosting is not going to receive enough traffic to be critical to a local mom n pop shop. Most of their business is LOCAL. Again, I realize this is an unpopular opinion, but just pointing out some facts.

  • jar Patron Provider, Top Host, Veteran
    edited April 2015

    @Jonchun said:
    critical

    I've personally witnessed websites on shared hosting that worked in the environment and were critical to their owners, financially included. I think you're forgetting that critical is relative. It doesn't have to be owned by a Fortune 500 company to be of high value to its owner.

    Besides, it's not like you can say a VPS can't suffer from downtime. It's subject to the same things that cause most outages on shared hosting. Paying for more than you need, or adding unnecessary extra work, simply because you can, is not a good reason to have a VPS. Everything has a purpose and is designed to fit a set of needs.

    Thanked by 2: 4n0nx, Traffic
  • ZweiTiger Member
    edited April 2015

    @Licensecart said:

    +1

    Well, at a shared host, for example, the CSF plugin helps a lot with security for DirectAdmin. Also CloudLinux is a good way too, and R1Soft hourly backup is a bonus.

    We got hundreds of WordPress sites. Do you think all of them are up to date? Not really. When the user asks "what is FTP?", then you should know his WordPress site is magic if he could update it. Maybe with Softaculous.

  • Traffic Member
    edited April 2015

    Jonchun said: receive enough traffic to be critical to a local mom n pop shop

    Think outside the box. For example, for some high ticket items' sellers, losing their email/website for a few hours can be devastating. And high ticket items !== high web traffic. That's why the 10 or 20 visitors that could have entered their site in that hour are extremely valuable - yet they don't need a VPS for that kind of traffic.

    Also, selling high ticket items !== earning lots of money, so they aren't necessarily capable of literally wasting hundreds or thousands of dollars on hosting.

    Jar said: Everything has a purpose and is designed to fit a set of needs.

    Exactly. And the kind of sites hosted on shared hosting is just based on its traffic - not on its importance.

    Thanked by 1: Master_Bo
  • Master_Bo Member
    edited April 2015

    @Jonchun said:
    Let's be real here. Any website that runs on shared hosting is not going to receive enough traffic to be critical to a local mom n pop shop. Most of their business is LOCAL. Again, I realize this is an unpopular opinion, but just pointing out some facts.

    Wrong again. Samples from my experience:

    * linguaeterna.com - site dedicated to the Latin language (run by relatives and friends of a famous deceased Latin expert)
    * oldie.ru - literature site of well-known fiction writers

    Run from shared hosting. Receive much traffic. And they do care about their security.

    Thanked by 1: jar
  • coolice Member
    edited April 2015

    @Jonchun said:

    Finally, let's face it. I know I might get shot down here, but in a shared hosting environment, security is not the first thing you should be looking for. Shared hosting is ONLY good for small, useless sites and shouldn't be considered for anything critical anyways. If you have security concerns or requirements, it's better off to just pick up a leb/dedi.

    Maybe on your hosting yes, but I have sites on semi-dedicated LiteSpeed + Cache plans that push up to 200 000 unique visitors per day, and at the same time another big user pushes 100 000, another 30 000...

    With CloudLinux I can give a user 2 CPU cores, 2 GB RAM, MySQL governor working in ALL mode inside the user's allowance limits + access to cPanel & LiteSpeed + Cache + shared sysadmin costs... and with PHP Selector and 6 PHP versions, most users who use hosting for serving web pages will not feel the difference between that plan and a same-size VPS, except that software costs are shared... All this at prices a little bit higher than DO with the same size resources.

    CloudLinux provides enough user isolation; we use mod_security and real-time scanning of uploaded files for malware... our solution, besides that, is cost effective (even at higher than LET prices).

    The VPSes we sell are for more custom solutions or when a client requires 100% dedicated resources... for most websites, semi-dedicated.

  • Maounique Host Rep, Veteran

    coolice said: CloudLinux provides enough user isolation; we use mod_security and real-time scanning of uploaded files for malware...

    That will not stop many things, and what has user isolation to do with compromised sites? Maybe in terms of resource usage, but phishing will still work, redirects, you don't have to host anything there, so you won't find any malware.

  • coolice Member
    edited April 2015

    Yes, there is no way to prevent everything :( If a client intentionally uploads phishing, or his computer got infected and passwords were stolen, we will deal with the abuse we cannot prevent, but that is valid for every case, no matter VPS or shared.

    I mention isolation because it is important not to spread infection / intrusion between other users... Some panels rely on open_basedir and list some PHP commands in disable_functions, but CGI shells go through, and on some, cron can allow users to run what they shouldn't, so isolation by CageFS is important... also CloudLinux has some parts from the grsecurity kernel, and KernelCare costs, which are also split; from time to time they introduce some nice thing through it that is not mainstream... http://cloudlinux.com/blog/clnews/kernelcare-protection-against-rowhammer-privilege-escallation.php

    My idea behind real-time malware scanning of uploaded files is that in all cases where an intrusion goes through an un-updated site, there is a shell script found by the malware scanner on that hosting account... so I introduced real-time scans and think that if we stop the upload of the shell in the first place, that will prevent many of the other nasty things from happening.

    P.S. Forgot to mention our policy: upgrade, then deal with customer sites that have problems ... most of them... came from our forums so I can push them a lesson about security from time to time... and some of them had a problem before with a cheap Kloxo host (which rebranded and went with cPanel after that incident) where there was a mass infection on most of the sites, so they agree that security is taken with the highest priority, and then come speed and bigger resource allowance...
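As an added illustration of the real-time upload scanning coolice describes, and of the trade-off jar raises about rules breaking legitimate usage: a scoring check that quarantines an upload only when several indicators (or PHP code hidden in a non-PHP file) add up, while a single legitimate-looking maintenance call is allowed but logged. This is example code, not coolice's setup, maldet, or CloudLinux; the indicator list and sample uploads are constructed for the demo.

```python
import re
from pathlib import PurePosixPath

# Constructed indicator list for illustration only; not maldet's, CloudLinux's
# or any vendor's signature set. Each entry: (name, regex, weight).
INDICATORS = [
    ("eval_of_decoded_data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I), 3),
    ("eval", re.compile(r"\beval\s*\(", re.I), 1),
    ("command_exec",
     re.compile(r"\b(?:shell_exec|passthru|system|popen|proc_open)\s*\(", re.I), 2),
]
PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar"}
PHP_OPEN_TAG = re.compile(r"<\?php\b|<\?=", re.I)


def scan_upload(filename: str, content: bytes, threshold: int = 3) -> dict:
    """Score an uploaded file; verdict is allow, allow_and_log or quarantine.
    A score below the threshold is allowed but logged, so one legitimate
    system() call in a backup script does not break the client's site."""
    text = content.decode("utf-8", errors="replace")
    hits, score = [], 0
    if not PHP_OPEN_TAG.search(text):        # no PHP code at all: nothing to score
        return {"file": filename, "verdict": "allow", "score": 0, "hits": hits}
    if PurePosixPath(filename).suffix.lower() not in PHP_EXTENSIONS:
        hits.append("php_code_in_non_php_file")   # e.g. a ".jpg" carrying a PHP tag
        score += 3
    for name, pattern, weight in INDICATORS:
        if pattern.search(text):
            hits.append(name)
            score += weight
    if score >= threshold:
        verdict = "quarantine"
    elif hits:
        verdict = "allow_and_log"
    else:
        verdict = "allow"
    return {"file": filename, "verdict": verdict, "score": score, "hits": hits}


# Constructed sample uploads (not real client files).
SAMPLES = [
    ("index.php", b"<?php echo 'hello';"),
    ("backup.php", b"<?php system('tar czf /tmp/site.tgz /home/user/public_html');"),
    ("theme.php", b"<?php eval(base64_decode('...')); // obfuscated loader pattern"),
    ("photo.jpg", b"\xff\xd8\xff\xe0 <?php eval('...');"),
]

if __name__ == "__main__":
    for name, data in SAMPLES:
        r = scan_upload(name, data)
        print(f"{r['file']:<12} {r['verdict']:<14} score={r['score']} hits={r['hits']}")
```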

  • Scottsman Member
    edited April 2015

    @hostsumo
    I run a local web design business and I can assure you that business websites such as: dog groomers, private hire taxis, man and van, pest controllers, plumbers receive 10-30 visitors a day and convert 20 to 35% into leads.
    3 dog groomer leads are worth £90, 3 airport runs are worth over £500 etc...
    So maybe they look small and useless to you, but they are vital to their owners.
    Just my 2 cents.

    Thanked by 3: Amitz, Master_Bo, Traffic