Even in 2023, Shared Hosting is a hot topic. Being cheap and accessible are some of the reasons why it remains popular and is a preferred choice among individuals and businesses that want a good hosting solution.
What about Security? We at HTH.guide will reveal what security risks lie behind Shared Hosting and what steps you can take to improve said security.
What Are the Security Risks of Shared Hosting?
Shared Hosting hides a few security risks that are critical in nature: they can bring your website down or cause you to lose access to it.
We will cover the most common and dangerous security risks of Shared Hosting in greater detail, so you can understand what the core of each problem is.
Shared Directory
Each website, especially a WordPress one, has a folder that contains its files, content, and more data. This folder is located inside what is dubbed a directory on your Web server.
Dedicated and private servers will not have that problem as each website has its own non-shared directory to store the website files in. That is why Shared Hosting Plan With a Dedicated IP Is Beneficial.
However, with shared hosting, one directory will contain multiple folders with the core files of all websites within.
By having a shared directory, your website will be linked in its core to all sites in your server space. Without disregarding the fact that your website has its own domain plus separate content, having shared directories inherently creates a security risk.
All this means that if you have a hacker who manages to breach the main directory that is shared, and accesses it, they can target all websites on the server.
Hackers could run programs to identify any vulnerability on every website inside said main directory.
Everything from an outdated plugin through a misconfigured firewall to an unnecessary script running could lead to that potential security risk. Once hackers find a vulnerability they will immediately exploit it to hack their way inside your website and perform malicious activity.
DDoS Attacks
DDoS attacks are distributed denial-of-service attacks. Their goal is to overload a server and its surrounding infrastructure and bring down your website.
Another undesired result of DDoS attacks is that the attackers behind them could make websites perform so slowly that they cannot be used in a proper manner, as intended.
A variety of attack vectors could help achieve the malicious actors’ goals, especially to be able to send attack traffic in a relatively short period of time.
When a server is no longer able to efficiently relay incoming requests, it begins to work exceptionally slowly. Eventually your website will deny incoming requests, regardless of whether the traffic is malicious or coming from legitimate users.
A properly configured web application firewall can prevent automated attacks, which frequently target small or less popular websites, and help fight against most DDoS attacks. Your firewall is usually the one protection layer that is imperative for you to keep in check.
A Shared IP Address
An IP address is a unique code identifying a device using the internet such as your computer, router, switch, etc. Servers are also computer systems connected to the internet and thus, each server is assigned its own IP address to be recognized.
A Shared server has only one IP address. As a result, all websites hosted on the server automatically share the same IP address by default.
Do you see how a shared IP address can be prone to a security risk?
Imagine that the neighbor websites conduct some sort of illegal activity or send spam messages to their customers. That creates a Shared Hosting Blacklisted IP Problem and marks said blacklisted IP as malicious.
All kinds of chaos could ensue from here on out. Firewalls could block users from accessing your site, as it will be marked as malicious for example.
Emails you send will go to the SPAM folder of your customers, while your site will be flagged as insecure.
Every IP address holds thousands of ports. If hackers simply know your IP address, they can try all those ports to brute-force their way in and connect to your device.
Taking over your device or website in this instance, they could tamper with files and steal information. Hackers could also install malware and expose your IP, so that more malicious attacks can be performed.
Slow Loading Times
Having slow loading times could be the indication of another site on your shared server being hacked. The performance of your website will be impacted, but also all of the security problems we discussed above could happen.
When a website is compromised, hackers can utilize it to execute many malicious activities.
Some of those malicious activities involve:
- Storing illegal folders and files like WP-feed.php
- Sending Spam E-mails to your Customers and Fans
- Launching Attacks (like DDoS) on another Website
- Making Your Website Slow and Inaccessible to Visitors
In that way, a hacked website will overload and keep using more than the allowed shared server resources. Directly affecting your website, it will significantly slow it down and it is highly likely to make it unresponsive.
Review Your Shared Hosting Solution
From this point forward, having versed yourself in Shared Hosting security risks, you can start planning ahead on how to prevent attacks from ever happening.
We at HTH.guide recommend comparing different host providers and checking all security measures they have set in place for their servers. Avoid hosting providers that do not provide that kind of information and do not have transparency about their server security.
Customers write so many reviews for different hosts that they are bound to give you an insight. A further step would be to contact the customer support team of a web host through chat or call them directly to ask for detailed information.
Well-renowned hosting providers should have preventative techniques and security solutions to counter all above-mentioned issues.
One crucial thing you need to ensure right off the bat, when creating your website is to keep it separated from all other websites on the shared server.
The whole hosting environment of a website should not be accessible to the environment of any other site and vice versa.
Protect Your Website
When it comes to the protection of your website, you need to understand that it is of utmost importance to ensure the security of everything surrounding your website, IP and server.
Below we will list a few things that you can do to have a better-protected website.
Block PHP Execution for Untrusted Folders
Let us explain why it is imperative to block the PHP execution for untrusted folders.
When hackers find vulnerabilities on your website, they will try to exploit them. Said hackers could be successful in the creation of their very own files and folders. Usually such files are well-hidden, but could also stand out a little from your genuine website files and containers.
Now, when hackers have access to your website and control over certain files, this will in turn allow them to execute malicious activities. Your websites might suffer redirects (as visitors are redirected to different pages) or customers getting sent SPAM messages and unwanted content.
PHP is the programming language that hackers utilize most commonly as it is rather easy to execute code with its help. Regardless of the fact that PHP execution is required for your website to run properly, only particular folders make use of it.
So, go ahead and prevent hackers from using your website to perform malicious tasks by blocking PHP execution in any folder that you do not trust. If a folder is not custom-created, perform a rigorous check of its name on the Internet.
You can disable PHP execution manually, or you can use a plugin to implement it automatically with only a few mouse clicks.
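One way to do the manual route, as an added example that is not part of the original article: the shell functions below append a deny rule for PHP-type files to a folder's .htaccess and list script files already sitting in that folder for review. It assumes Apache 2.4 with .htaccess overrides enabled; the function names and the marker comment are hypothetical.

```shell
#!/bin/sh
# Added example: deny PHP execution in one folder through .htaccess.
# Assumes Apache 2.4 (mod_authz_core) and a host that honours .htaccess files.
# The rule also covers every subfolder of the folder it is written to.

MARKER='# BEGIN block-php-execution'

block_php() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # Idempotent: keep existing directives and never append the rule twice.
    if [ -f "$dir/.htaccess" ] && grep -qF "$MARKER" "$dir/.htaccess"; then
        return 0
    fi
    cat >> "$dir/.htaccess" <<'EOF'
# BEGIN block-php-execution
<FilesMatch "\.(?i:php|phtml|phar)$">
    Require all denied
</FilesMatch>
# END block-php-execution
EOF
}

# List script files already present in the folder so they can be reviewed by hand.
list_php() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' \) -print
}

# Runs only when a folder is passed: sh block-php.sh /path/to/untrusted/folder
if [ -n "${1:-}" ]; then block_php "$1" && list_php "$1"; fi
```

Any file that `list_php` reports in a folder meant only for images or documents deserves a manual look before it is deleted or restored from backup.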
Set File Permissions
As previously stated in the above paragraphs of the article, a shared server could allow for hackers to gain access to your website and WordPress files.
To successfully prevent that security risk from becoming a reality, you have to set the right file permissions. In that way you will make certain that only you can access them as the true website owner.
Changing file permissions is extremely simple. All you have to do is to access the cPanel of your host account. Needless to say, each hosting provider has a different cPanel. However, most hosting companies make the experience easy with a user-friendly interface.
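Where the host offers SSH access alongside the control panel, the same check can be scripted; this added example is not from the original article. It lists anything that group or other users can write to and then applies 755 for directories, 644 for files and 600 for wp-config.php, values assumed here from common WordPress hardening practice, with hypothetical function names.

```shell
#!/bin/sh
# Added example: audit and tighten permissions under a site root.
# The 755/644/600 targets are assumptions, not values given in the article.

# List files and directories that group or other users may write to.
audit_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print
}

# Exit status 0 when wp-config.php is readable or writable by anyone but the owner.
config_exposed() {
    [ -f "$1/wp-config.php" ] || return 1
    [ -n "$(find "$1/wp-config.php" \
        \( -perm -0040 -o -perm -0004 -o -perm -0020 -o -perm -0002 \) -print)" ]
}

# Apply the targets. 600 on wp-config.php assumes PHP runs as the account owner;
# if the web server runs as a different user, it needs a looser mode to read it.
tighten() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 600 "$1/wp-config.php"; fi
}

# Runs only when a site root is passed: sh perms.sh /path/to/site
if [ -n "${1:-}" ]; then
    audit_writable "$1"
    if config_exposed "$1"; then echo "wp-config.php is exposed to other users"; fi
fi
```

Run the audit first and read its output before calling `tighten`, since some plugins expect specific modes on their own cache or upload folders.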
Shared Hosting Security Questions List
When you are ready to choose a hosting company that provides a shared hosting plan, here are a few important security questions you can ask in order to make your final decision.
- Server Isolation and Segmentation: How do you ensure isolation between different shared hosting accounts on the same server?
- Malware and Virus Protection: What measures do you have in place to detect and prevent malware or viruses from spreading across shared hosting accounts? How often do you perform malware scans and cleanups?
- Server Security Updates: How frequently are your servers updated with security patches and updates? Do you actively monitor and respond to emerging security vulnerabilities?
- Firewall and Intrusion Detection: What kind of firewall and intrusion detection systems do you have in place to protect shared hosting accounts? How do you handle and respond to potential security breaches or unauthorized access attempts?
- Backup and Recovery: How often are backups of shared hosting accounts performed, and how long are they retained? In the event of a data breach or loss, what is your disaster recovery process?
- Secure Protocols and Encryption: Do you support secure communication protocols such as SSL/TLS for data encryption? How do you ensure the security of sensitive data transmitted between users and the server?
- User Authentication and Access Control: What authentication mechanisms are in place to prevent unauthorized access to shared hosting accounts? Can users implement two-factor authentication for added security?
- Software and Script Vulnerabilities: How do you handle vulnerabilities in popular scripts and software used by shared hosting customers? Do you provide guidance on securing applications and keeping them up to date?
- Resource Allocation and Abuse Handling: What steps do you take to prevent resource abuse by one shared hosting account affecting others? How do you handle instances of abuse or excessive resource usage by a user?
- Support for Security Tools: Do you offer any security tools or features, such as mod_security or IP blocking? Can customers configure security settings tailored to their specific needs?
- Terms of Service and User Responsibilities: What security responsibilities do you expect from shared hosting customers in terms of software updates and practices? How do you enforce your terms of service to maintain a secure hosting environment?
- Incident Response and Communication: In the event of a security incident, how do you communicate with affected customers and provide updates? Can you provide examples of how you’ve responded to security incidents in the past?
These questions will help you assess the security measures and practices of potential shared hosting providers. Be sure to clarify any doubts and choose a host that prioritizes the safety of your website and data.
Conclusion
Shared Hosting has unique security risks along with some more common ones. It is up to you and the people that manage your website to constantly check for security risks, leaks, new vulnerabilities and make certain that your website is secure, patched and updated.
If you have read this entire post and have followed our advice to implement all changes to your website environment, know that you have a more secure site prone to fewer Shared Hosting Security risks.
Could/would you please provide a list of the specific questions we should ask to potential host providers? Then we could compare the answers to this article which would make it easier for us non-techy gurus to ensure we know what we’re getting. This article contains helpful info, but I’m not sure what I need to specifically ask to get the info you say we are entitled to from a host provider.
Thank you!
Dear Andrea, Thank you for your request, please find above our updates.