Website Security – Part 2 – Server Security
Hackers have many different ways to break in to your website. In this article, we discuss some basic server security issues and how they may or may not affect your website depending on your hosting configuration.
Website Hosting
There are 3 main hosting options available to website owners: shared, virtual dedicated and dedicated. We will touch on all 3 from a security point of view.
Shared Hosting
This is the most common hosting option for small and medium sized website owners. The idea is that you share a server with several other website owners. You share hard disk space, RAM, processor time and bandwidth into and out of the server. It’s the most economical approach with monthly costs sometimes under $5. Providers like Go-Daddy, Network Solutions and the like set up servers and typically provide an interface for the site owner to upload files, manage databases, email and more.
As a customer, you have very limited access to the server itself. The hosting provider assumes responsibility for the server security. Bigger names like Go Daddy and Network Solutions and most reputable hosting providers put a lot of time and resource into ensuring that their servers are secure.
The issue with Shared Hosting server security is that if a hacker can get access to the server through another website on your server, your site and data could be compromised. This is one of the inherent risks of shared hosting – your only defense is to make sure your data is backed up on a regular basis.
In particular, if your site is database driven (any CMS uses a database), you must ensure that the database gets backed up. Don’t assume the hosting provider does database backups for you – it’s not always the case.
Virtual Dedicated Hosting
Virtual Dedicated Hosting is cross between shared and dedicated hosting. Your share a server with other customers, but the server is configured to dedicate resources to your account. For example, you get a certain amount of RAM – if you don’t use it, it doesn’t get used.
Virtual Dedicated Hosting has some of the same risks as shared hosting in that another hacked website on the server could spell trouble for your site. What’s more is that the customers have more access to some server functions which could lead to more vulnerabilities. A rigorous backup policy is once again the way to go.
Dedicated Hosting
Dedicated Hosting comes in a couple of different flavors – you have the standalone server and cloud computing. From a user’s point of view, it all looks the same. The standalone server is just that – a server sitting in a rack somewhere with your name on it. Lose power and you’re down.
Cloud computing provides the same functionality, but uses resources from different servers. Lose power on one server and you just use resources from the others.
Dedicated hosting leaves server management up to the customer. If you know what you’re doing, you can set up your server to be very secure and you don’t run the risk of some other website compromising your security. The trick is to understand the applications that your are using and what the vulnerabilities are. Also, you want to get very familiar with the log files that the server generates. This gives you some insight into who is accessing your server and what they are trying to do.
If you chooses to use a dedicated server, server security becomes your problem and it must be taken seriously. If you are not comfortable with this role, you want to find a server administrator who is.