While the internet has many advantages, one drawback is that the more we do business online, the more vulnerable our information is to bad actors who want to access our data through malicious attacks and scams. Within the last few years, billions of individuals had information compromised through attacks on high-profile companies like Yahoo, Equifax, and Uber.
Small business owners may think that because of the more low-profile nature of their businesses, their websites are not attractive targets for cybercriminals and hackers, but that’s not the case.
According to a 2020 Verizon report, small businesses account for 43% of data breach victims.
It’s essential that small businesses take their website security seriously, as data breaches can have severe and long-lasting consequences. Malicious attacks can cause your website to be temporarily or permanently disabled, cost your business hundreds of thousands of dollars, and erode customers’ trust if their personal information is exposed through your site.
Choosing a web host that takes your website’s security seriously is key to protecting your business, your website, and your customers. Below, we outline the best web hosting security practices that you should look for when choosing a host for your website, as well as some steps you can take to protect your website.
What Is Secure Hosting?
Security is an important concern when looking at a web hosting plan. But there’s no single feature that makes one hosting platform more secure than any other.
Rather, a constellation of individual factors contribute to overall web hosting security.
Most web hosting companies are engaging in at least a few of the standard security practices, but that doesn’t tell you how secure they are compared to competitors.
It’s important to look at a number of different security measures that you and your hosting company might take to keep your site secure.
What Security Features Should a Web Host Offer?
When you purchase web hosting services, the main thing you are getting is server space to host the files that make up your website. Ensuring that the physical servers are protected against threats is the first step in feeling confident that the data saved on those servers is secure.
The data centers where the servers are physically located should be secure, with access granted only to the web hosting company personnel who are responsible for installing and maintaining the hardware. Best practices include controlled access points, security cameras, motion detectors, and secure cabinet racks that prevent bad actors from physically compromising the servers.
Server rooms are also vulnerable to natural and man-made disasters, such as power outages, fires, floods, and more. To mitigate these problems, server rooms should be water- and fire-proofed, equipped with back-up generators, and hardware racks should be bolted to the floor, ceilings, or walls. Companies that have data backed up at off-site locations adds an extra layer of protection. You should also consider where a company’s data centers are located, and try to avoid areas that are prone to natural disasters like earthquakes, hurricanes, and tornadoes.
Ask your web hosting provider:
- Where are servers located?
- What security measures do they have in place to protect physical servers?
- How are servers protected in the event of power outages or natural disasters?
Consistent threat monitoring is crucial to quickly identifying and resolving issues, before they grow into more serious attacks and breaches. If you are contracting with a web hosting company to manage your server, you are trusting that someone is keeping an eye on the physical hardware, as well as website traffic, to prevent attacks.
Ask your web hosting provider:
- How are networks monitored for security threats and attacks?
- How are customers notified about security threats and attacks?
Just as web hosts should restrict who has physical access to servers, they should also limit who gets virtual access. Carelessness about who can log into a server and what information they can see can easily lead to compromised data.
Web hosts should use the Secure Socket Shell (SSH) network protocol, or an equivalent, for log-in access. SSH uses strong password authentication, public key authentication, and encrypted data communications to facilitate systems and applications management remotely and securely. Many web hosts will clearly state if they allow SSH access.
Secure Sockets Layer (SSL) encryption ensures that if anyone tries to intercept data as it’s being transmitted across the web, they will only see garbled, incomprehensible characters. SSL encryption is such an integral part of website security, especially for e-commerce sites, that many web hosts now include a complimentary SSL certificate in their hosting packages. If not, you can (and should) obtain an SSL certificate separately. Not only does this help protect your business and your customers, but search engines are increasingly labeling websites without SSL certificates as “insecure,” which could drive away visitors.
Web Application Firewalls (WAF) provide additional protection for web applications by filtering and monitoring HTTP traffic, and defending web applications against attacks. Look for web hosting service providers that offer host-level or cloud-level WAFs.
Ask your web hosting provider:
- Do they use the SSH network protocol, or an equivalent?
- Is an SSL certificate included?
- Do they offer host-level or cloud-level WAFs?
Back-ups are important because, in the event your website crashes or is compromised, you don’t want to lose all your data, and have to rebuild your website from scratch.
There are two types of back-ups that web hosts should provide. First, there should be a physical back-up on a server in another location, in case one server location is compromised. You also want a digital back-up of your files, so if something goes wrong, you can restore a previous version of your website.
Ask your web hosting provider:
- Are automatic back-ups included in your hosting plan?
- If so, how often do back-ups occur?
- How long are back-ups kept, or how many versions of your website can you store?
DDOS prevention and CDN support
Distributed Denial-of-Service (DDoS) attacks are, unfortunately, a common tool in the hackers’ arsenal. In a DDoS attack, bad actors flood a website with so much traffic that it becomes overwhelmed and inaccessible to legitimate users, thus denying them service.
Since DDoS attacks can be hard to resolve, preventing them before they happen is key. Most web hosts do this by using a tool like a Content Distribution Network (CDN), which is a geographically distributed group of servers where cached content is stored, so it can be delivered quickly to visitors to your website. Utilizing this type of caching helps reduce hosting bandwidth, and makes it harder for attackers to disrupt service with DDoS attacks.
There are many CDNs available, and most web hosting service providers include their services in their hosting packages to help protect their customers from DDoS attacks. However, if your chosen web host does not include CDN support, it is possible (and advisable) to add it to your website separately.
Ask your web hosting provider:
- Do they include CDN support?
- What DDoS prevention measures do they have in place?
- Are customers notified of DDoS attacks?
- What mitigation and recovery actions do they take during and after a DDoS attack?
Malware detection and removal
Perhaps one of the best known threats to website security, malware is any type of harmful software, program, or code that attackers use to invade your device, and steal, damage, or encrypt your data or spy on your online activity.
Protection against malware is critical. Not only can malware cause irrevocable damage to your website, by stealing information from your business, including customers’ personal data, you can unintentionally pass a virus or malware on to your customers, destroying valuable trust and loyalty.
Ask your web hosting provider:
- Do they offer automated malware and antivirus scanning?
- What procedures do they have in place for removing malware and viruses?
Are Certain Types of Hosting More Secure Than Others?
When looking for the perfect secure hosting environment, you’ve undoubtedly come across a variety of different options: dedicated, managed hosting, VPS, shared hosting, WordPress hosting, and e-commerce hosting. The hosting environment you choose will have a direct impact on your overall security.
Shared versus dedicated hosting
Shared hosting is probably the least secure type of hosting, since you’ll be sharing a server with dozens or hundreds of other sites. But, this depends on the security protocols of your shared host. For example, some shared hosts employ 24/7 server monitoring, encryption, spam protection, and even offer integrated CDNs.
All of this will help to improve the security of your site without much additional effort on your end.
VPS or dedicated servers
Using shared hosting opens up your site to a possible security risk, because an attack on any other sites on the same server could have repercussions for your site.
Hosting companies go to a lot of trouble to make sure this does not happen, but it is still inherently safer to use a VPS (Virtual Private Server) or a dedicated server than sharing a server with dozens or hundreds of other websites.
As an added bonus, going with a VPS or dedicated server will offer much more disk space, so you can grow your site as you see fit.
Managed hosting environments tend to have a higher level of security as there are fewer sites using server resources, and site-specific security measures can be put in place. For example, if you’re using a WordPress managed host then your server environment will be uniquely configured to protect the WordPress CMS, and the support team behind you will have in-depth technical knowledge related to the platform you’re using.
With managed hosting, some hosts also take responsibility for keeping your site up to date, which can plug common security risks.
Security for e-commerce sites
Generally, an e-commerce host environment should have higher security standards in place as you’ll need additional levels of protection for collecting and storing sensitive customer data, like credit card information.
Some security features of e-commerce hosts include:
- Bundled SSL certificate
- PCI-compliant payment processor
- DDoS protection
- Regular backups
- Server and sitewide firewalls
Best security practices for website hosts
While your web hosting service provider is responsible for a lot of the security of your website, there are a few key steps you, as the website owner, should be sure to take as well.
Install safe themes, plug-ins, and applications
If you are using a content management system (CMS) to build your website, you will use themes, plug-ins and other software applications to customize your website. Take care to install safe software that doesn’t contain any malicious code or exploitable vulnerabilities.
This means that making sure that your themes, plug-ins, and applications always come from trustworthy sources, such as WordPress’ own directory, and vetted third-party providers. If you’re unsure whether a plug-in or application is safe, err on the side of caution, and do some investigating before you install it. Also, make sure that any software you install is active and regularly updated, as this decreases the potential that it will have security vulnerabilities.
Once you install any software, immediately change any default settings, including passwords, to protect against hacking attempts.
Perform updates regularly
Although installing software updates can be a hassle, this is an important part of website security. Software updates often include protections against new threats, and not installing updates can leave your software vulnerable to those who want to exploit its weaknesses.
Only give access to trusted admins
You should only give people you trust access to the back-end of your website.
From your admin panel, you may be able to create different user categories, with different privileges and levels of access. Carefully consider who needs access to what, and assign credentials accordingly. Everyone should have strong passwords, but it’s especially critical for site admins to have hard-to-hack passwords. If their access is compromised, it can mean severe impacts for your website.
Practice good password hygiene
Speaking of passwords, it’s worth repeating that anyone who has access to your website should have a strong, hard-to-guess password. You should also be sure that admins change their passwords regularly, and especially after suspected (or confirmed) hacking attempts.
Install an SSL certificate
This was mentioned in the previous section, but it also bears repeating. Make sure that your website has an SSL certificate. The easiest way to do this is to select a web host that includes an SSL certificate with your hosting package, which is increasingly common. If you choose a web host that doesn’t include an SSL certificate, you can purchase and install it separately. The cost of a basic SSL certificate, which is sufficient for most small businesses, starts at $100 per year.
Web Hosting Security FAQs
What is a dedicated firewall?
Some hosting companies offer something called “Dedicated Firewall” as a service. This allows for specific rules to be made concerning who is (and isn’t) blocked from accessing your website. This is usually not needed, but it can be if you process especially sensitive information. For example, white lists from sites sharing the same firewall can be a potential attack vector.
How do I find a secure web hosting service provider?
Because website security is so important to customers, most web hosts will be transparent about their top security features. If there is information you seek that is not available in their marketing, speak to a customer service representative. It’s also a good idea to read expert and customer reviews, to find out if they live up to their promises. If you know other small businesses owners with websites, ask them for their recommendations.
Is shared hosting secure?
Many small businesses, especially those that are new and still growing an audience, start out with shared hosting. While this type of hosting is more affordable and accessible than VPS or dedicated hosting, it does have a higher security risk potential because you are sharing your server resources with other users who might be more careless than you. That doesn’t mean shared hosting is a bad choice; you will just need to be aware of the risks, and take a few extra steps to mitigate them.
Is Linux or Windows more secure?
There is no “right or wrong” answer to this question. Both operating systems have their advantages and disadvantages, and users have their own preferences.
In general, Linux-based web servers face fewer threats, because it is not as widely used as an OS as Windows is. Additionally, because it is an open-source software, anyone in the Linux community can quickly jump in to resolve security issues as soon as they are detected.
One of the security advantages of Windows is that, as a license-based OS, access is limited by default, creating some inherent protection against bad actors.
Which web hosting providers are the most secure?
The web host that’s right for you depends on a variety of factors, and you’ll have to do some comparison shopping of your own to determine which one you trust most with your website security. Besides reviewing companies’ websites, you can also read expert reviews on which web hosting providers score highest for security.