The wild wild west

After reading some of the articles out there about shared hosting you’d be forgiven for thinking it was like the wild west and the moment you upload your website it’s going to be overrun by hackers clinking their spurs as they mosey on down to your website.

We thought we’d take a look at the top 5 potential issues with shared hosting (we call it virtual hosting, for reasons that will become apparent) and how they really aren’t an issue with any company worth partnering with.  You don’t need to be John Wayne, Clint Eastwood, Marty McFly or Will Smith to use shared hosting for your websites.

1. If one website is hacked, all the sites on the server will get hacked

“Even though your website has a separate domain and separate content, by sharing this directory, it is intrinsically linked to the other websites on your server.

This means if a hacker is able to access this main directory, they can target all sites on the same server.”

Who wouldn’t worry about this one when there are websites with statements like this?  Sounds pretty scary, doesn’t it?  We’ll ignore for now that they’re trying to sell you a security plugin.

As you’ll know from your own computer, your storage consists of a lot of directories organised like a tree and at some point every directory shares a common parent by being at the “root” (/ on Mac & Linux or C:\, D:\ etc. on Windows) of the filesystem tree.  So whilst the above statement about sharing a directory is true, it massively simplifies things to make it sound a lot scarier than it is.

If a hacker gains access to this directory that forms the root of where all customer data is then of course there is going to be a problem.  This is not a problem exclusive to shared hosting though; the same applies if you have a virtual server or a dedicated server, as the chances are the hacker has root/administrator access to the server by this point and can do whatever they choose to do.  Hackers don’t stop just because you’ve got your own server.

Any hosting partner worth their salt has several layers of protection in place to guard against this happening:

  1. Users & Permissions – Every customer should have their own users on the server with appropriate access permissions meaning they can only access their own files and directories and all application code should run as this user.  Done correctly this means if someone uploads a malicious file to someone else’s website then it will run as their user and be stuck there, it won’t be able to get to your website files.
  2. CageFS – To further fortify the filesystem protections CageFS restricts each user on the server to their own virtual filesystem.  As a result of this each customer on the server can only see their own files and a restricted set of files in our allow list e.g. PHP composer, WP CLI etc.  As far as the user’s filesystem is concerned, no other customers exist on it.  Combined with the Linux Virtual Environments this is why we call our shared hosting virtual hosting instead, as we’re making use of advanced virtualisation to protect users.  The same technology is also used with our reseller hosting.
  3. Linux Virtual Environments (LVE) – As an extra precaution, all of a user’s code and system access is run inside their own virtualised environment, similar to how it would be if you or they had your own virtual server.  This isolation is carried out at the heart of the server operating system, the kernel, which controls everything that happens on a server.
    • This LVE means that you can’t see what processes/applications other users are running and they can’t see yours.  As far as either of you are concerned, you don’t exist to each other.
  4. Web Application Firewall (WAF) – This is usually part of the web server, checking each request made to your website to make sure there isn’t anything malicious going on such as SQL injection or Cross Site Scripting (XSS) attacks.
  5. Malware Scanner – Checks files when they are accessed and in the background to see if they match known malware.
  6. PHP Malware Checks – This checks whether the PHP code being executed uses techniques commonly used together by malware and tries to prevent it running.  It is used to catch previously unknown malware that has got past the normal malware scanner.
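
You can check the first layer (Users & Permissions) from your own side of the account. The Python script below is an added example, not part of the original article or any provider's tooling: it walks a website directory and flags entries owned by another user, world-writable entries, credential files readable by group/other, and symlinks that point outside the directory. The file names in `SENSITIVE_NAMES` and the finding labels are assumptions chosen for illustration.

```python
import os
import stat
import sys

# Assumed names of files that usually hold database passwords or API keys.
SENSITIVE_NAMES = {"wp-config.php", ".env", "configuration.php"}


def audit_docroot(root, expected_uid=None):
    """Return sorted (relative_path, issue) findings for everything under root."""
    root = os.path.realpath(root)
    if expected_uid is None:
        expected_uid = os.getuid()  # the account running the audit
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # inspect the entry itself, never a link target
            if stat.S_ISLNK(st.st_mode):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    findings.append((rel, "symlink-outside-docroot"))
                continue
            if st.st_uid != expected_uid:
                findings.append((rel, "foreign-owner"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # Static files may need to stay readable by the web server, but
            # credentials only need to be readable by the user the code runs as.
            if name in SENSITIVE_NAMES and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "secret-readable-by-others"))
    return sorted(findings)


if __name__ == "__main__":
    for rel, issue in audit_docroot(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{issue:28} {rel}")
```

Run it over SSH as the hosting account user, passing the website directory as the argument; an empty result means none of these four conditions were found.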

If we went back in time by 20+ years then things were a little bit different and all code on a server probably ran as the same system username, which did present a potential problem with multiple websites on the same server.  Fortunately it isn’t 1999 any more and for most hosting providers things have moved on.  It’s always worth checking with the providers on your shortlist to see what protections they have in place.

2. The server resources aren’t dedicated to you, which means sites will be slower

Once again, twenty years ago this might have been the case, or with providers who overload their servers, but there’s no reason we should tar all providers with the same brush when there’s technology available to prevent this.

We utilise Linux Virtual Environments (that’s why we call ours virtual hosting), which allow us to set limits on the amount of CPU and memory an individual user can use.  This means that no single user or small group of users can cause problems for everyone else hosted on the same server.  That means that if:

  • They do somehow get hacked
  • They get featured on TV
  • They get featured on Reddit

and end up using 100% of the CPU and memory we’ve allocated to them, your sites will be unaffected and will run just as fast as normal.

Just like when we first started twenty years ago, we keep a careful watch on our servers to make sure there’s plenty of unused CPU and memory to go around.  That’s why our busiest virtual hosting server peaked at 33.5% CPU and 40% in the 24 hour period whilst this post was being written.

A graph showing the last 24 hours of CPU, RAM and Disk usage on our busiest hosting server

We often see this comment paired with a recommendation to “Get a small Digital Ocean Droplet / Amazon Lightsail / AWS EC2 instance to host your site, it’ll be faster” and even though we provide similar services ourselves with our cloud servers, for most sites it really isn’t the best solution in our experience, for example:

  • £9.95/month – 2 vCPU, 4GB RAM, 25GB Disk Space (Zepto package)
    • All the CPU, RAM and disk space are just for your sites, none is used for the operating system or server software
    • You get the control panel, backups, security software and advanced web server all included in the price and there’s nothing to set up and manage other than your own sites; we take care of keeping the server and software secure and up to date
  • £7.41/month – 1 vCPU, 2GB RAM, 60GB Disk Space (Amazon Lightsail)
    • Some of your CPU, RAM and disk space will be used for the operating system and server software leaving less for your sites.
    • If you want the same features as virtual hosting you’ll need to buy software licenses, install the software, keep the operating system secure and up to date as well as your sites

How much is your time worth?  More than £2.54 per month?

Don’t forget to check with your shortlisted providers to see how they protect your sites against this, we all know what they say about making assumptions.

3. Sharing an IP address will get you blocklisted when another customer does something bad

We can’t deny it, it is certainly a possibility.  The situations where an IP address gets blocked are usually:

  1. Sending large amounts of spam email – the IP address can end up on a blocklist and be unable to send email to providers using that blocklist
  2. The server is hosting a large amount of malware/phishing/hacking sites in relation to the number of legitimate sites

We’ve also seen it said that if one website on a server ends up on the Google Safe Browsing list then the IP address will end up on the blocklist, although we’ve never seen that happen.  Google is more than clever enough to know the difference between a single website and an IP address with multiple unrelated domains using it.

Fortunately we have protections in place for both reasons why an IP address might end up on a blocklist:

  1. We set limits for the amount of emails customers can send in one period
  2. We do outbound spam filtering on emails, so if it looks like spam it’s not leaving the server
  3. All those protections against malware we mentioned earlier, they’re here to stop exactly that
  4. We respond to and deal with reports of abuse sent to us from other providers
  5. We monitor our IP reputation

It isn’t a 100% perfect system and on rare occasions an IP address will get on a blocklist and you have to ask the question, “Is this more or less likely to happen on a VPS where I have to look after everything myself?”.  If you haven’t got any experience of setting up or managing servers then experience tells us it’s more likely to happen, and that’s fine because we probably couldn’t do your job as well as you do either.

It’s worth asking your potential web hosting providers if you can have IP addresses for a couple of their hosting servers so you can check the IP reputation with various services (Search: ip reputation) to get an idea on how they deal with problems.

4. Due to our fair use policy…

…you’re not getting what you thought you were.

There’s lots of deals out there that look great on the surface, but then when you dig in to them you find that there’s a rather woolly “fair use” policy attached to them or limits hidden away.

Common things we see:

  • Unlimited disk space – Except you can’t use it to host video files, software downloads, images that are too big, backup files etc. and all of your files must be used as part of your normal website
  • Unlimited disk space – Except you can’t store more than X number of files and by-the-way, each file can’t be too big either
  • Unlimited bandwidth/transfer – Except once again, no videos, no software downloads, no files over X size etc.
  • CPU/Memory limits hidden – Limits need to be set, but do they really need to be hidden away in a fair use policy somewhere?

Now of course shared/virtual hosting isn’t suitable for trying to host Instagram on, but we believe companies should set realistic expectations and limits upfront.  That way you know where you stand, you don’t have to worry you’ve missed something in 20 pages of terms and conditions, and you don’t need years of hosting experience to know what’s what.  That’s why we don’t have plans with unlimited disk space or bandwidth/transfer: it sets unrealistic expectations and ultimately at some point we’d end up having to make someone very unhappy and ask them to leave, and no one wants that.

We often see this countered with:

“but we have such large scale, we can afford to let some users use really large amounts”

if that’s the case then why have limits hidden away in terms and conditions?

As long as you’re sticking within the law, not causing anyone harm and sticking by any other content policy e.g. no adult material etc. then why should a web host care if you use your disk space and other resources for video, software downloads, pictures of your cats or to backup your documents from your PC?

Picking a provider that’s honest and upfront about their limits will lead to a much happier hosting experience in the long run.  If you’re really not sure what resources your site is going to need, then speak to the providers on your shortlist and ask them for advice, it’s a good way to gauge how good their support is as well.

5. Backup, backup, backup

If you’ve read any of our other articles, you’ll be spotting a theme: backups are a big thing.  They’re your insurance policy against losing your data – if you had a shop you’d insure it, if you’ve got a website you need to do the same.

Backups on shared/virtual hosting vary a lot between providers, some even use them to differentiate their packages and make you buy a more expensive package to get your critical backups more frequently:

  • Package A (£X) – Weekly backups taken
  • Package B (2 * £X) – Daily backups taken

If you’re running an online store, or a popular community where there’s lots of orders or comments and uploads then it’s even more critical to take your own backups if your site is only being backed up on a weekly or daily basis.

How many orders do you take in a day? a week?  How much new content is added in a day? a week?

Ideally you need to be backing up your data several times per day if you’ve got a busy site and as you can’t control this at a server level due to it being shared hosting that leaves you with three solutions:

  • Pick a web host that does backups more frequently e.g. hourly
  • Manually take backups several times per day, or write your own scripts to do it – but that will probably eat into your resource usage
  • Pay a 3rd party to take backups for your site

Whatever you do, please don’t get caught without backups and remember that it isn’t a backup unless you’ve tested it to make sure it’s working.  We’d always recommend that even if your host takes regular backups or you use a 3rd party service that you also take your own as well just in case absolute disaster strikes.
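
For the "write your own scripts" option and the "it isn’t a backup unless you’ve tested it" rule above, here is an added example in Python (not code from this article's author or any hosting provider). `make_backup` archives a site directory together with a SHA-256 checksum list, and `verify_backup` reads every file back out of the archive and compares it against that list. The manifest name, the `site/` prefix and the problem messages are assumptions of this example.

```python
import hashlib
import io
import json
import os
import tarfile
import zlib

MANIFEST = "MANIFEST.json"  # assumed name for the checksum list inside the archive

def _sha256(stream):
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(65536), b""):
        digest.update(chunk)
    return digest.hexdigest()

def make_backup(site_dir, archive_path):
    """Archive site_dir (archive_path must live outside it) with a SHA-256 manifest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(site_dir):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # links are archived as links, so they have no content hash
            with open(full, "rb") as f:
                manifest[os.path.relpath(full, site_dir).replace(os.sep, "/")] = _sha256(f)
    blob = json.dumps(manifest, sort_keys=True).encode()
    with tarfile.open(archive_path, "w:gz") as tar:
        info = tarfile.TarInfo(MANIFEST)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
        tar.add(site_dir, arcname="site")
    return manifest

def verify_backup(archive_path):
    """Read every file back out of the archive; an empty list means it is usable."""
    manifest, actual = None, {}
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if member.isfile() and member.name == MANIFEST:
                    manifest = json.load(tar.extractfile(member))
                elif member.isfile() and member.name.startswith("site/"):
                    actual[member.name[5:]] = _sha256(tar.extractfile(member))
    except (tarfile.TarError, OSError, EOFError, ValueError, zlib.error) as exc:
        return [f"archive unreadable: {exc}"]
    if manifest is None:
        return ["no manifest in archive"]
    missing = [f"missing: {p}" for p in sorted(manifest.keys() - actual.keys())]
    return missing + [f"checksum mismatch: {p}" for p in sorted(actual.keys() & manifest.keys())
                      if actual[p] != manifest[p]]
```

A passing check only proves the archive can be read back in full and matches what was on disk when it was made. A database-backed site also needs a database dump saved into the directory before archiving.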

 

Taming the west

Hopefully you’ve got enough information now to tame the west and make sure you have a great hosting experience with your sites, without having to worry about the clinking of spurs or a high-noon showdown with your web host.  If you take nothing else away from this article we hope that:

  • You back up your websites regularly and check any backups made on your behalf
  • You don’t make assumptions about your hosting provider, always ask questions

If you’re still not sure, then book a call with one of our hosting guides and we’ll do our best to round up all the facts and information you need (and we promise this is the last cowboy reference).