Best Web Hosting Security Practices


While the internet has many advantages, one drawback is that the more we do business online, the more vulnerable our information is to bad actors who want to access our data through malicious attacks and scams. Within the last few years, billions of individuals had information compromised through attacks on high-profile companies like Yahoo, Equifax, and Uber.

Small business owners may think that because their businesses are lower-profile, their websites are not attractive targets for cybercriminals and hackers, but that’s not the case.

According to a 2020 Verizon report, small businesses account for 43% of data breach victims.

It’s essential that small businesses take their website security seriously, as data breaches can have severe and long-lasting consequences. Malicious attacks can cause your website to be temporarily or permanently disabled, cost your business hundreds of thousands of dollars, and erode customers’ trust if their personal information is exposed through your site.

Choosing a web host that takes your website’s security seriously is key to protecting your business, your website, and your customers. Below, we outline the best web hosting security practices that you should look for when choosing a host for your website, as well as some steps you can take to protect your website.

What Security Features Should a Web Host Offer?

Hardware Security

When you purchase web hosting services, the main thing you are getting is server space to host the files that make up your website. Ensuring that the physical servers are protected against threats is the first step in feeling confident that the data saved on those servers is secure.

The data centers where the servers are physically located should be secure, with access granted only to the web hosting company personnel who are responsible for installing and maintaining the hardware. Best practices include controlled access points, security cameras, motion detectors, and secure cabinet racks that prevent bad actors from physically compromising the servers.

Server rooms are also vulnerable to natural and man-made disasters, such as power outages, fires, floods, and more. To mitigate these problems, server rooms should be water- and fire-proofed and equipped with back-up generators, and hardware racks should be bolted to the floor, ceilings, or walls. Having data backed up at off-site locations adds an extra layer of protection. You should also consider where a company’s data centers are located, and try to avoid areas that are prone to natural disasters like earthquakes, hurricanes, and tornadoes.

Ask your web hosting provider:

  • Where are servers located?
  • What security measures do they have in place to protect physical servers?
  • How are servers protected in the event of power outages or natural disasters?

Network monitoring

Consistent threat monitoring is crucial to quickly identifying and resolving issues, before they grow into more serious attacks and breaches. If you are contracting with a web hosting company to manage your server, you are trusting that someone is keeping an eye on the physical hardware, as well as website traffic, to prevent attacks.

Ask your web hosting provider:

  • How are networks monitored for security threats and attacks?
  • How are customers notified about security threats and attacks?

Secure access

Just as web hosts should restrict who has physical access to servers, they should also limit who gets virtual access. Carelessness about who can log into a server and what information they can see can easily lead to compromised data.

Web hosts should use the Secure Shell (SSH) network protocol, or an equivalent, for log-in access. SSH uses strong password authentication, public key authentication, and encrypted data communications so that systems and applications can be managed remotely and securely. Many web hosts will clearly state if they allow SSH access.
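
As an added example (not part of the original article or any host's tooling), the Python code below audits the text of an OpenSSH server configuration file for log-in settings that undercut the protections described above. The sample file is constructed, the rule set is an illustrative assumption, and only global settings are read: Match blocks and Include files are not followed.

```python
import re

# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
    "pubkeyauthentication": "yes",
}

# Illustrative rule set (an assumption): keyword -> (weak values, reason).
WEAK = {
    "passwordauthentication": ({"yes"}, "passwords can be guessed; prefer keys"),
    "permitrootlogin": ({"yes"}, "root may log in directly with a password"),
    "permitemptypasswords": ({"yes"}, "empty-password accounts can log in"),
    "pubkeyauthentication": ({"no"}, "public key log-in is disabled"),
}

LINE = re.compile(r"^(\w+)(?:\s*=\s*|\s+)(\S+)")

def effective_settings(config_text):
    """Global settings as sshd reads them: the FIRST value per keyword wins."""
    settings = {}
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())  # comments and blank lines do not match
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2).strip('"').lower()
        if keyword == "match":
            break  # Match blocks are conditional; this audit stops at them
        settings.setdefault(keyword, value)
    return {**DEFAULTS, **settings}

def audit(config_text):
    """Return sorted (keyword, value, reason) findings for weak settings."""
    effective = effective_settings(config_text)
    return sorted((kw, effective[kw], why)
                  for kw, (bad, why) in WEAK.items() if effective[kw] in bad)

# Constructed sample: the later "PasswordAuthentication no" never takes effect.
SAMPLE = """\
PasswordAuthentication yes
PermitRootLogin=yes
PasswordAuthentication no
Match User deploy
    PubkeyAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a server you administer, `sshd -T` prints the effective configuration, which also accounts for Include files and built-in defaults.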

Secure Sockets Layer (SSL) encryption ensures that if anyone tries to intercept data as it’s being transmitted across the web, they will only see garbled, incomprehensible characters. SSL encryption is such an integral part of website security, especially for e-commerce sites, that many web hosts now include a complimentary SSL certificate in their hosting packages. If not, you can (and should) obtain an SSL certificate separately. Not only does this help protect your business and your customers, but search engines are increasingly labeling websites without SSL certificates as “insecure,” which could drive away visitors.

Web Application Firewalls (WAF) provide additional protection for web applications by filtering and monitoring HTTP traffic, and defending web applications against attacks. Look for web hosting service providers that offer host-level or cloud-level WAFs.

Ask your web hosting provider:

  • Do they use the SSH network protocol, or an equivalent?
  • Is an SSL certificate included?
  • Do they offer host-level or cloud-level WAFs?

Back-ups

Back-ups are important because, in the event your website crashes or is compromised, you don’t want to lose all your data, and have to rebuild your website from scratch.

There are two types of back-ups that web hosts should provide. First, there should be a physical back-up on a server in another location, in case one server location is compromised. You also want a digital back-up of your files, so if something goes wrong, you can restore a previous version of your website.

Ask your web hosting provider:

  • Are automatic back-ups included in your hosting plan?
  • If so, how often do back-ups occur?
  • How long are back-ups kept, or how many versions of your website can you store?

DDoS prevention and CDN support

Distributed Denial-of-Service (DDoS) attacks are, unfortunately, a common tool in the hackers’ arsenal. In a DDoS attack, bad actors flood a website with so much traffic that it becomes overwhelmed and inaccessible to legitimate users, thus denying them service.

Since DDoS attacks can be hard to resolve, preventing them before they happen is key. Most web hosts do this by using a tool like a Content Distribution Network (CDN), which is a geographically distributed group of servers where cached content is stored, so it can be delivered quickly to visitors to your website. Utilizing this type of caching helps reduce hosting bandwidth, and makes it harder for attackers to disrupt service with DDoS attacks.

There are many CDNs available, and most web hosting service providers include their services in their hosting packages to help protect their customers from DDoS attacks. However, if your chosen web host does not include CDN support, it is possible (and advisable) to add it to your website separately.

Ask your web hosting provider:

  • Do they include CDN support?
  • What DDoS prevention measures do they have in place?
  • Are customers notified of DDoS attacks?
  • What mitigation and recovery actions do they take during and after a DDoS attack?

Malware detection and removal

Perhaps one of the best-known threats to website security, malware is any type of harmful software, program, or code that attackers use to invade your device, and steal, damage, or encrypt your data or spy on your online activity.

Protection against malware is critical. Not only can malware cause irrevocable damage to your website by stealing information from your business, including customers’ personal data, but you can also unintentionally pass a virus or malware on to your customers, destroying valuable trust and loyalty.

Ask your web hosting provider:

  • Do they offer automated malware and antivirus scanning?
  • What procedures do they have in place for removing malware and viruses?

Best security practices for website hosts

While your web hosting service provider is responsible for a lot of the security of your website, there are a few key steps you, as the website owner, should be sure to take as well.

Install safe themes, plug-ins, and applications

If you are using a content management system (CMS) to build your website, you will use themes, plug-ins and other software applications to customize your website. Take care to install safe software that doesn’t contain any malicious code or exploitable vulnerabilities.

This means making sure that your themes, plug-ins, and applications always come from trustworthy sources, such as WordPress’ own directory, and vetted third-party providers. If you’re unsure whether a plug-in or application is safe, err on the side of caution, and do some investigating before you install it. Also, make sure that any software you install is actively maintained and regularly updated, as this decreases the potential that it will have security vulnerabilities.

Once you install any software, immediately change any default settings, including passwords, to protect against hacking attempts.

Perform updates regularly

Although installing software updates can be a hassle, this is an important part of website security. Software updates often include protections against new threats, and not installing updates can leave your software vulnerable to those who want to exploit its weaknesses.

Only give access to trusted admins

You should only give people you trust access to the back-end of your website.

From your admin panel, you may be able to create different user categories, with different privileges and levels of access. Carefully consider who needs access to what, and assign credentials accordingly. Everyone should have strong passwords, but it’s especially critical for site admins to have hard-to-hack passwords. If their access is compromised, it can mean severe impacts for your website.

Practice good password hygiene

Speaking of passwords, it’s worth repeating that anyone who has access to your website should have a strong, hard-to-guess password. You should also be sure that admins change their passwords regularly, and especially after suspected (or confirmed) hacking attempts.

Install an SSL certificate

This was mentioned in the previous section, but it also bears repeating. Make sure that your website has an SSL certificate. The easiest way to do this is to select a web host that includes an SSL certificate with your hosting package, which is increasingly common. If you choose a web host that doesn’t include an SSL certificate, you can purchase and install it separately. The cost of a basic SSL certificate, which is sufficient for most small businesses, starts at $100 per year.

Web Hosting Security FAQs

How do I find a secure web hosting service provider?

Because website security is so important to customers, most web hosts will be transparent about their top security features. If there is information you seek that is not available in their marketing, speak to a customer service representative. It’s also a good idea to read expert and customer reviews, to find out if they live up to their promises. If you know other small business owners with websites, ask them for their recommendations.

Is shared hosting secure?

Many small businesses, especially those that are new and still growing an audience, start out with shared hosting. While this type of hosting is more affordable and accessible than VPS or dedicated hosting, it does have a higher security risk potential because you are sharing your server resources with other users who might be more careless than you. That doesn’t mean shared hosting is a bad choice; you will just need to be aware of the risks, and take a few extra steps to mitigate them.

Is Linux or Windows more secure?

There is no “right or wrong” answer to this question. Both operating systems have their advantages and disadvantages, and users have their own preferences.

In general, Linux-based web servers face fewer threats, because Linux is not as widely used as an OS as Windows is. Additionally, because it is open-source software, anyone in the Linux community can quickly jump in to resolve security issues as soon as they are detected.

One of the security advantages of Windows is that, as a license-based OS, access is limited by default, creating some inherent protection against bad actors.

Which web hosting providers are the most secure?

The web host that’s right for you depends on a variety of factors, and you’ll have to do some comparison shopping of your own to determine which one you trust most with your website security. Besides reviewing companies’ websites, you can also read expert reviews on which web hosting providers score highest for security.