
5 Security Questions For Your Hosting Company

This entry was posted in General Security, WordPress Security on March 21, 2017 by Mark Maunder   71 Replies

In the past month, our forensic analysts ran into two situations where a significant number of site cleaning customers, all hosted by the same company, turned up with the same malware. In both cases the sites were infected through a security issue on the hosting company's side rather than through a weakness in the sites themselves.

We reached out to both of them and provided the relevant information and they were responsive. We won’t be mentioning them by name on the blog.

We have seen a third host this week that is not correctly isolating customer accounts on shared servers. They appear to have a filesystem permissions issue. They haven’t had any problems yet, but it is just a matter of time.

We decided to write a quick post that helps you determine whether your hosting company may be putting you at risk and whether that risk can be mitigated or whether you should consider moving to a new hosting company. We have a great article already on how to choose a WordPress hosting company, but what if you already have one?

The following are questions we think your hosting company should be able to answer.

Are you running up-to-date versions of the following: cPanel, the operating system, your caching software, PHP, phpMyAdmin and MySQL?

In our Learning Center article on security hardening for WordPress sites, we have a great section and accompanying graphic on what your hosting provider is responsible for versus you, the site owner.

The important takeaway here is that the hosting company is actually responsible for a lot. Even if you are managing the security aspects of your website flawlessly, you could still be at risk if your hosting company isn’t holding up their side of the bargain.

One of the hosting companies we referred to earlier in the post was running a version of phpMyAdmin that is almost 2 years old and contains multiple known security vulnerabilities. It was no surprise to us that their customers were getting repeatedly hacked.

Note that a host can legitimately run an older version number if they use 'backported' security fixes: the distribution vendor (Red Hat, Debian and so on) patches the known vulnerabilities into the old release without changing its version, so the number alone does not tell you whether it is vulnerable. If you find that your host is running an old version of something, ask whether the latest security fixes have been applied. On Linux the package changelog lists the CVEs that were patched, and a host that manages its servers properly will be able to show it to you.

We are constantly reminding everyone to keep their themes, plugins and WordPress core up to date. Make sure that your hosting company is keeping the rest of your site software up to date as well.

Are you completely isolating hosting accounts from each other? Or is it possible for one hosting account to read files in another account on the same server?

We have seen hosting companies that were not correctly isolating user accounts from each other. On such a server, an attacker who obtains a hosting account at the company, perhaps by signing up with a stolen card, can read files in every other account on the same machine.

In one case, an attacker used a hosting account of their own to read the wp-config.php file in other accounts on the server. That file contains the database server address, username and password. With those credentials the attacker connected to the database, inserted an administrator-level user, and logged into the target site with full access. Nothing in the target account was exploited directly; the credentials were simply read off the shared disk.

Ask your hosting company whether other users on the same server can access your account. They should not be able to read any file in your account, wp-config.php least of all. Isolation needs to hold at two levels: the filesystem (another customer's shell or FTP user cannot read your files) and the PHP process (your code runs as your own user rather than as one web-server user shared by every customer, because a shared user can read any customer's files from any other customer's script).
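The filesystem half of that check is something you can run yourself from a shell on the host. The script below is an added example, not code from the original post: it lists every wp-config.php under a tree whose mode bits let "other" local users read it, and shows the remediation the account owner can apply. It assumes POSIX sh with find(1) and ls(1); the two-account layout in demo() is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Wordfence post. From a shell on a shared
# host, list every wp-config.php under a tree whose mode bits let "other" local
# users read it, and show the remediation the account owner can apply.
# Assumptions: POSIX sh with find(1) and ls(1); the two-account layout in
# demo() is constructed for the demonstration.

# 10-character mode string of a path, e.g. -rw-r--r--. ls -ld is used rather
# than stat(1) because stat's options differ between GNU and BSD userlands.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Print wp-config.php files that any local user could read.
# -perm -o=r (POSIX symbolic form) matches when the other-read bit is set.
find_exposed_configs() {
    find "$1" -type f -name 'wp-config.php' -perm -o=r 2>/dev/null
}

# Same check as a number, for scripting and alerting.
count_exposed_configs() {
    find_exposed_configs "$1" | wc -l | tr -d ' '
}

# Remediation: owner read/write only.
# Caveat: 0600 is only correct when PHP runs as the account's own user (suEXEC,
# suPHP, a per-user PHP-FPM pool, CageFS). If the host runs every customer's
# PHP as one shared web-server user, 0600 breaks the site, and that shared user
# can still read the file from any other customer's script; that is a host-side
# isolation problem only the host can fix, which is why the post says to ask.
lock_down_config() {
    chmod 0600 "$1"
}

# Two cPanel-style accounts, one leaking its config, one not.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/acct_a/public_html" "$root/acct_b/public_html"
    printf '<?php define("DB_PASSWORD", "example-a");\n' > "$root/acct_a/public_html/wp-config.php"
    printf '<?php define("DB_PASSWORD", "example-b");\n' > "$root/acct_b/public_html/wp-config.php"
    chmod 0644 "$root/acct_a/public_html/wp-config.php"    # readable by everyone: bad
    chmod 0600 "$root/acct_b/public_html/wp-config.php"    # owner only: good

    echo "before: $(count_exposed_configs "$root") exposed"
    find_exposed_configs "$root" | while read -r f; do
        echo "  $(mode_of "$f") $f"
    done
    find_exposed_configs "$root" | while read -r f; do
        lock_down_config "$f"
    done
    echo "after:  $(count_exposed_configs "$root") exposed"
    rm -rf "$root"
}
demo
```

Run it against your own home directory first; if you can point it at `/home` and it returns other customers' files, you have the answer to question 2 without asking. The mode-bit check only covers other shell and FTP users; whether PHP runs as you or as a shared user is something you still have to ask the host (or test with a one-line PHP script that prints `get_current_user()`).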

Are my server logs available and how long are they kept?

When a WordPress website is compromised, the server logs are one of the most important sources of information our forensic team has for determining how the site was hacked: they show which requests arrived, from where, and what was fetched or posted in response. Unfortunately we often find that customers on entry-level hosting plans either have no access to server logs at all, or that the logs are retained for such a short time that they are of no use by the time the compromise is noticed.

We recommend a WordPress hosting plan that gives you immediate access to log files going back at least 24 hours. Ideally you should also have the ability to archive log files that are older than 24 hours, for 30 days.
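To show what those logs are actually good for once you have them, here is an added example (not code from the original post) of a first-pass triage over a web server access log in the common "combined" format. It flags requests for PHP files under wp-content/uploads/ and POSTs to PHP files that are not WordPress's normal POST targets, then lets you pivot on the addresses involved. The sample log lines are constructed for the demonstration (RFC 5737 documentation addresses, made-up paths and timestamps); any real log in the same format works as input.

```shell
#!/bin/sh
# Added example, not code from the Wordfence post: a first-pass forensic triage
# of a web server access log in the common "combined" format, the log the post
# says you must be able to get at after a compromise. The sample lines below
# are constructed for the demonstration (RFC 5737 documentation addresses,
# made-up paths and timestamps); any real log in the same format works.

# Print requests that deserve a second look, one per line:
#   IP  [DATE]  METHOD  PATH  STATUS
# Two indicators are used:
#   1. any request for a .php file under wp-content/uploads/ (WordPress never
#      puts executable PHP there; hits usually mean a dropped web shell)
#   2. a POST to a .php file that is not one of WordPress's normal POST targets
#      (login, XML-RPC, anything under wp-admin/, cron, comments, index.php)
# Plugins and themes can legitimately receive POSTs to their own files, so this
# is triage, not a verdict: pivot on the IPs it surfaces with requests_from.
suspicious_php_hits() {
    awk '
    {
        method = substr($6, 2)              # $6 is "POST (with leading quote)
        path = $7
        sub(/[?].*/, "", path)              # drop the query string
        if (path !~ /\.php$/) next
        in_uploads = (index(path, "/wp-content/uploads/") > 0)
        normal = (path ~ /^\/wp-admin\// || path == "/wp-login.php" ||
                  path == "/xmlrpc.php" || path == "/wp-cron.php" ||
                  path == "/wp-comments-post.php" || path == "/index.php")
        if (in_uploads || (method == "POST" && !normal))
            print $1, $4 " " $5, method, path, $9
    }' "$1"
}

# Every request from one client address, in log order: once an indicator fires,
# this shows what else that address did (first contact, scanning, follow-ups).
requests_from() {
    awk -v ip="$1" '$1 == ip' "$2"
}

# Constructed sample log (not real traffic) so the functions can be exercised.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [20/Mar/2017:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2017:10:17:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Mar/2017:10:18:02 +0000] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.55 - - [20/Mar/2017:11:02:10 +0000] "GET /wp-content/uploads/2017/03/cache.php HTTP/1.1" 200 88 "-" "python-requests/2.13.0"
203.0.113.55 - - [20/Mar/2017:11:02:11 +0000] "POST /wp-content/uploads/2017/03/cache.php HTTP/1.1" 200 61 "-" "python-requests/2.13.0"
203.0.113.55 - - [20/Mar/2017:11:05:40 +0000] "POST /wp-content/themes/twentyseventeen/404.php HTTP/1.1" 200 61 "-" "python-requests/2.13.0"
192.0.2.10 - - [20/Mar/2017:11:30:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 20 "-" "Mozilla/5.0"
192.0.2.10 - - [20/Mar/2017:11:31:00 +0000] "GET /wp-content/uploads/2017/03/photo.jpg HTTP/1.1" 200 40000 "-" "Mozilla/5.0"
EOF
}

demo() {
    log=$(mktemp)
    write_sample_log "$log"
    echo "== suspicious PHP hits =="
    suspicious_php_hits "$log"
    echo "== everything from the address behind them =="
    requests_from 203.0.113.55 "$log"
    rm -f "$log"
}
demo
```

On the sample, the two hits on cache.php under uploads and the POST to a theme file stand out while the logins and admin-ajax traffic do not. This is also why the retention window in the recommendation above matters: the first request from the attacker's address, the one that tells you how the file got there, is often hours or days before the hit you noticed, and if the log has already rolled over you only ever see the aftermath.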

How are you backing up my site and how long are backups being retained?

The fastest way to recover from a hacked website is to restore a known-good backup of your site. Having quick access to one can save you time, money and a lot of work. Find out what your hosting company is backing up (files only, or the database as well), how long they retain it, and where they store it: a backup that lives only on the same server as the site is lost along with the site if that server is compromised or fails.

If you’re on an entry-level hosting plan it is very likely that you will need to augment what your hosting company is already doing. In many cases they may not be doing anything at all.
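If you do have to augment the host's backups yourself, the routine below is the shape it usually takes. It is an added example, not code from the original post: it archives the document root, dumps the database when mysqldump and credentials are available, verifies that the archive can be read back, and prunes copies older than a retention window. The paths, the 30-day default and the DB_* environment variables are assumptions for the demonstration; copying the result off the server is left to whatever transport you already have.

```shell
#!/bin/sh
# Added example, not code from the Wordfence post: the backup routine an account
# owner can run from cron when the host's own backups are thin or absent. It
# archives the document root, dumps the database when mysqldump and credentials
# are available, verifies the archive can be read back, and prunes copies older
# than a retention window. The paths, the 30-day default and the DB_* variables
# are assumptions for the demonstration. Copying the result off the server
# (rsync/scp to another machine, or object storage) is deliberately left to the
# transport you already have; the point is that the copy must not live only on
# the server it protects.

RETENTION_DAYS=${RETENTION_DAYS:-30}

# Archive SRC into DEST/site-YYYYmmdd-HHMMSS.tar.gz and print the archive path.
backup_files() {
    src=$1; dest=$2
    mkdir -p "$dest"
    out="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # -C so the archive holds paths relative to the parent and restores anywhere.
    tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    echo "$out"
}

# Dump the database next to the files when the tooling is present. Credentials
# come from the environment (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), the same
# values wp-config.php defines; skip quietly when DB_NAME is unset.
backup_database() {
    dest=$1
    if [ -z "${DB_NAME:-}" ] || ! command -v mysqldump >/dev/null 2>&1; then
        echo "database dump skipped (DB_NAME unset or mysqldump missing)" >&2
        return 0
    fi
    out="$dest/db-$DB_NAME-$(date +%Y%m%d-%H%M%S).sql.gz"
    # --single-transaction: consistent InnoDB snapshot without locking tables.
    # MYSQL_PWD keeps the password out of the process list other users can see.
    MYSQL_PWD="$DB_PASSWORD" mysqldump --single-transaction \
        -h "${DB_HOST:-localhost}" -u "$DB_USER" "$DB_NAME" | gzip > "$out"
    echo "$out"
}

# A backup you cannot read back is not a backup. 0 if the archive lists cleanly.
verify_archive() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Remove archives older than DAYS (default RETENTION_DAYS) so the destination
# does not fill up. Keep the window generous: a compromise is often noticed
# weeks after it happened, and the clean copy you need is the one from before.
prune_backups() {
    dest=$1; days=${2:-$RETENTION_DAYS}
    find "$dest" -maxdepth 1 -type f \
        \( -name 'site-*.tar.gz' -o -name 'db-*.sql.gz' \) \
        -mtime +"$days" -print -exec rm -f {} +
}

# Constructed site tree, one backup run, one stale archive pruned.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/public_html/wp-content/uploads"
    echo '<?php // constructed placeholder' > "$work/public_html/index.php"
    archive=$(backup_files "$work/public_html" "$work/backups")
    verify_archive "$archive" && echo "verified: $archive"
    backup_database "$work/backups"
    touch -t 201701010000 "$work/backups/site-20170101-000000.tar.gz"   # stale copy
    echo "pruned:"; prune_backups "$work/backups" 30
    echo "kept:";   ls "$work/backups"
    rm -rf "$work"
}
demo
```

Two things worth keeping from this even if you use a plugin or the host's own tool: verify every archive at creation time rather than discovering it is unreadable during an incident, and make sure the retention window is longer than the time it typically takes you to notice a compromise, otherwise every copy you hold is already infected.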

Does my current hosting plan allow me to enable HTTPS?

In the Introduction to WordPress Security article in our Learning Center we explain why it is crucial to only log into your website over a secure (HTTPS) connection. If you are not currently logging in securely, drop everything you are doing and fix that right away. Over plain HTTP your username and password cross the network in clear text, so an attacker who can observe that traffic (on a shared Wi-Fi network, for example) can capture them and take control of your website.

There are additional benefits to running HTTPS. It improves your search rankings, and it protects any other data you capture through forms and payment screens on the rest of your site. We strongly recommend running an HTTPS-only website wherever possible.
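Once the host has answered yes and a certificate is in place, the WordPress side of "only log in securely" is a single setting, FORCE_SSL_ADMIN, which makes wp-login.php and the dashboard refuse plain HTTP. The script below is an added example, not code from the original post: it adds that define to wp-config.php idempotently so it can live in a deploy script, and the wp-config.php it operates on in demo() is a constructed minimal one with placeholder credentials.

```shell
#!/bin/sh
# Added example, not code from the Wordfence post: make WordPress insist on
# HTTPS for wp-login.php and the dashboard by setting FORCE_SSL_ADMIN in
# wp-config.php, idempotently, so the function is safe in a deploy script.
# The wp-config.php used by demo() is a constructed minimal one.
#
# Caveats before running this on a live site:
#  - The host must already serve the domain with a valid certificate. With
#    FORCE_SSL_ADMIN on and no working HTTPS you lock yourself out of wp-admin
#    until you remove the line again over SFTP.
#  - Behind a TLS-terminating proxy or CDN, PHP may see plain HTTP and WordPress
#    redirects in a loop unless $_SERVER['HTTPS'] is set from the proxy's
#    X-Forwarded-Proto header (a separate snippet, not shown here).

# 0 when the define is present and set to true, 1 otherwise.
has_force_ssl_admin() {
    grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Insert define("FORCE_SSL_ADMIN", true); immediately before the line that loads
# wp-settings.php, the point after which new settings no longer take effect.
# Any existing line mentioning FORCE_SSL_ADMIN (a define set to false, or a
# commented-out one) is dropped first. awk writes to a temp file so a failure
# never truncates the config; cp (not mv) then copies the content back so the
# original file keeps its owner and mode, which matters on hosts where PHP runs
# as a different user than the one editing the file.
force_ssl_admin() {
    cfg=$1
    if has_force_ssl_admin "$cfg"; then
        echo "already enabled: $cfg"
        return 0
    fi
    grep -q 'require_once.*wp-settings\.php' "$cfg" || {
        echo "no wp-settings.php include found; is $cfg really a wp-config.php?" >&2
        return 1
    }
    tmp=$(mktemp)
    awk '
        /FORCE_SSL_ADMIN/ { next }
        /require_once.*wp-settings\.php/ { print "define(\"FORCE_SSL_ADMIN\", true);" }
        { print }
    ' "$cfg" > "$tmp" && cp "$tmp" "$cfg"
    rm -f "$tmp"
    echo "enabled: $cfg"
}

# Constructed minimal wp-config.php (placeholder credentials) for the demo.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'example_db');
define('DB_USER', 'example_user');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
/* That's all, stop editing! Happy blogging. */
if ( ! defined('ABSPATH') ) define('ABSPATH', dirname(__FILE__) . '/');
require_once ABSPATH . 'wp-settings.php';
EOF
}

demo() {
    cfg=$(mktemp)
    write_sample_config "$cfg"
    force_ssl_admin "$cfg"    # inserts the define
    force_ssl_admin "$cfg"    # second run is a no-op
    grep -nE 'FORCE_SSL_ADMIN|wp-settings' "$cfg"
    rm -f "$cfg"
}
demo
```

After enabling it, confirm from outside with `curl -sI http://your-site/wp-login.php` and check that the response is a redirect whose Location header starts with https://. FORCE_SSL_ADMIN covers the login and dashboard only; forcing the rest of the site onto HTTPS is a web-server redirect rule (and a search-and-replace of http:// URLs in the database), which is a separate step.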

Conclusion

We hope this post helped bring awareness to some of the hosting-related security issues that you need to stay on top of. Your hosting company plays a critical role in securing your website. Unfortunately not all of them are created equal, so make sure that yours is providing a strong security foundation for your WordPress website.


71 Comments on "5 Security Questions For Your Hosting Company"

James March 21, 2017 at 8:58 am • Reply

Would be nice to know if GoDaddy was one of them. I use their Linux hosting and have had repeated issues with hacking on my WordPress despite all the measures put in place. Somehow they find a way to change either my theme header or some other file and add base64-encoded includes from off-site. I was wondering if they have cross-site file permission issues.

Mark Maunder March 21, 2017 at 9:06 am • Reply

GoDaddy was not one of them. I'd never heard of any of the three companies until our site cleaning team told me about the issues. Two out of the three have resolved the issue. The third was only discovered yesterday. We haven't discovered any hacked sites on the third provider yet, we just noticed their permissions are insecure across accounts, so we'll reach out and work with them.

Mark.

Jean Bertrand March 21, 2017 at 9:14 am • Reply

I also have concerns with GoDaddy. I was hacked in January shortly after transferring one of my sites to their latest cPanel hosting. Not even a week after the transfer, it was hacked.

Lisa March 21, 2017 at 9:15 am • Reply

James, I use GoDaddy and was just hacked two weeks ago. Cleaned it and got rehacked. I contacted GoDaddy about it, and they told me I was on their "old" Linux hosting plan, which uses an old version of PHP that is susceptible to hacking. Would have been nice if they'd told me that BEFORE my site was hacked. They upgraded me to their new Linux hosting plan (which surprisingly costs me less), and my site has been clean since. The hackers are still trying to get in (I can see their failed login attempts with Wordfence), but so far they haven't been able to get in. I'm still working on getting all the bad search results off Google though. I'd suggest contacting GoDaddy (I used their chat feature) to see if you're on the newest hosting plan.

Ron March 21, 2017 at 10:25 am • Reply

Yes, if you are on the classic GoDaddy hosting plan, then the latest PHP version available is 5.4. However, even with the new cPanel plans, the latest PHP version available is 5.6, even though WordPress recommends PHP 7 as the minimum. I hope everyone who is a GoDaddy customer can encourage GoDaddy to offer PHP 7, either by sending support an email or posting on their community forum.
https://www.godaddy.com/community

Mark Maunder March 21, 2017 at 10:28 am • Reply

Just want to add: Running an older version of PHP is not necessarily insecure. They have almost certainly applied backported security fixes (as I noted in the post above). I'd also add that compatibility for large mega-hosts like godaddy is a huge issue. They can't just bump everyone up to PHP7. It would cause chaos and break a lot of legacy code. I'm all for moving forward and supporting PHP7, but risk mitigation is also something the larger hosts have to consider.

But by all means, make your voice heard and that way you'll get PHP 7 as an option on their hosting plans sooner rather than later.

Mark.

Luke Cavanagh March 22, 2017 at 3:14 pm • Reply

From what I know GD Managed WP plans will have PHP7 as default in a couple of months, along with free SSL.

Colleen Wright March 21, 2017 at 8:59 am • Reply

This happened to one of my clients. We moved to a different hosting company and the re-hacking finally stopped, but not before losing rankings.

Craig March 21, 2017 at 9:05 am • Reply

So true, that's why I moved; a certain gator company :) is still using outdated software.

cayugadan March 21, 2017 at 9:09 am • Reply

Can you please tell us which hosting companies you've identified?

I don't get to make the final decision on many of my client's hosting but I do have a voice.

Mark Maunder March 21, 2017 at 9:22 am • Reply

Hi,

We've chosen to not mention them by name on the blog. The two we worked with were responsive and have resolved the issue so we'd rather not throw them under the bus.

Mark.

Matt March 21, 2017 at 9:17 am • Reply

Is dreamhost one of the sites that is unsecure?

Mark Maunder March 21, 2017 at 9:21 am • Reply

No.

Burt March 21, 2017 at 9:24 am • Reply

Is SiteGround one of them? I'm concerned about cross-account access...

Mark Maunder March 21, 2017 at 9:27 am • Reply

No.

MF March 21, 2017 at 9:25 am • Reply

Would be nice to know if 1&1 was one of them(?).
Thanks for your excellent posts b.t.w. Brilliant.

Mark Maunder March 21, 2017 at 9:27 am • Reply

Nope.

Setzfehler March 21, 2017 at 9:47 am • Reply

That is good to know. Thanks for this post and the answer!

Jack Kennard March 21, 2017 at 1:25 pm • Reply

Thanks :~)

Shirley March 21, 2017 at 9:28 am • Reply

Is Hostmonster one of the sites that is unsecure please?

Mark Maunder March 21, 2017 at 9:32 am • Reply

It is not. Sorry folks, that's the last response I'm giving or we're going to be playing whackamole all day long. All three were small hosts that you've almost certainly never heard of.

Mark.
PS: I'll be deleting any questions asking who they are from now on. Thanks.

Eric March 21, 2017 at 11:20 am • Reply

Mark- you don't have to post this... I just thought your "whackamole" comment was great. :) We could change whackamole to whack-a-server. Whack-a-server - the game that lets you whack a hacker - coming soon to a server near you. :) Thanks for all the hard work you guys do.

Eric March 21, 2017 at 9:28 am • Reply

You should do a post on the hosting services that do keep up to date on all security updates. Once word gets out that certain hosting companies didn't make the list, it might get them to pay attention. You could also do a "best of the best" list.

I also noticed a comment on a certain gator company... that is worrisome.

Mark Maunder March 21, 2017 at 9:32 am • Reply

Will consider doing that. Thanks.

Mark Nordeen March 21, 2017 at 9:57 am • Reply

Yes, I would love to see how you rate hosting providers regarding their level of attention to security. Any chance you can tell us what hosting provider you use for this website?

Mark Maunder March 21, 2017 at 10:20 am • Reply

We host it ourselves in our own physical servers that we own. We have several server racks based in multiple geographic locations and we own and operate our own physical servers and network hardware.

Mark.

Mark Nordeen March 21, 2017 at 1:38 pm • Reply

Makes sense. Thanks for the work you and your team do.

Susan Marshall March 21, 2017 at 9:37 am • Reply

Great suggestion Eric. I'd definitely love to read a post like that. We wouldn't have to ask anything with that information.

rfrazier March 22, 2017 at 7:29 am • Reply

Hi Mark,

Great post. I realize you might not want to be in the ISP endorsing business, but elaborating on what Eric said, I'd love to see a list of sites that meet the following criteria, in more or less descending priority, but all important. I come from the point of view of an individual blogger, with a minimal budget for money and time.

a) Meets Wordfence security criteria, including providing an SSL certificate.
b) At least partially specifically caters to WordPress hosting, with knowledgeable tech support.
c) Has 24 hr phone / ticket / email tech support (preferably all three). Good phone support is important in a crisis.
d) Offers managed mode where they update core files. Some may disagree but this is better for less technical users or those who want less hassle. Users should have the option to manage all their own files as well, but these two are usually mutually exclusive.
e) Does NOT require annual payment up front. This is important for smaller operators who find it difficult to come up with a $200-$300 ish ISP payment lump sum once a year. Monthly payments are better. Notice I didn't say free. In my opinion, you won't get the type of support I'm describing for free.
f) Good reputation in the industry for customer service and reliability.

If this list was kept up to date, that would be even more fabulous. Since your security criteria are at the top of the list, you guys would be a great company to do this. (wink wink)

If I knew of a company with these attributes, I'd probably switch from the one I have now. No, I'm not stating their name. What I will say, though, is when they update the core files in managed mode, they put a "limit login attempts" plugin into the plugins-mu (I think) folder in the file system. This means "must use". You cannot see this plugin in the normal list and cannot disable or remove it. But, its settings are available in the WordPress settings menu. It's running, and it conflicts with WordFence login security settings. I've had to contact the ISP twice and have their tech people remove this item. Also, when they do updates, I end up with a number of unwanted inactive themes and plugins in the system that I have to go and delete.

Thanks for the good work.

Ron

Roger Poole March 21, 2017 at 9:34 am • Reply

I've had issues with GoDaddy. Definitely do not host WP sites there.

arthur March 21, 2017 at 9:37 am • Reply

I am on the verge of rebuilding the 3rd hacked website since 2015.. all our sites are hosted with HostGator. Whether they are one of the three or not, I am in the market for reseller hosting that is super secure.

dave billings March 21, 2017 at 9:38 am • Reply

Must say the majority don't update because customers have outdated WordPress, themes and plugins. Along with end-of-life dependencies that are no longer supported, that makes it difficult to keep the old legacy stuff going. ea56 is at end of life. Already messy, and it's going to get ugly!

Maybe old school HTML was not so bad after all... Especially for those who never maintain their website.

And after 30 years in the commercial web business I must say all we are doing is keeping the honest honest. Service providers: never take your eyes off the wheel and don't have a heart attack when you reboot.... Lord only knows what can happen!

Thomas Bacon March 21, 2017 at 9:39 am • Reply

Some other tips I think are worth checking:

1. Does my hosting company allow FTP connections or SFTP/SSH only? They shouldn't, in my opinion, allow FTP anymore.

2. How does my hosting account verify my identity when contacting them for support, and related, do they email passwords in plain text if I request one?

These two questions can tell you a lot about how a hosting company deals with security in general.

3. Do they support 2-factor authentication when logging in to their customer portal / hosting management portal?

Susan Marshall March 21, 2017 at 9:39 am • Reply

What are the most up-to-date versions of: CPanel, PHP, phpMyAdmin and MySQL?

Ron K. March 21, 2017 at 10:26 am • Reply

I am with 1&1 on a few pro accounts (shared) for 30 WP sites, and have been after them to upgrade their MySQL version for months now. They still have 5.5.54 as the installed version as of today, which is a constant concern.

Iain March 21, 2017 at 9:44 am • Reply

I am one of those that had my site hacked - and I'd never have known if it wasn't for Wordfence Premium alerting me to a new Admin User. I was so grateful that the team at Wordfence were able to clean and repair the site. Visually the web site was fine but a hacker had inserted code into numerous pages and it looked as if they were getting free web hosting on the back of my account. I tackled my web host about security as it seemed the hacker could gain ftp access at will and upload anything they liked. They said, "please be advised that the security and management provided with the xxxxx Hosting is related to the server, and the website's security is still the duty of the customers, so we can't advise or prevent attacks targeting the website files and databases itself." This leaves me feeling vulnerable. I had got so used to doing everything via the Wordpress Dashboard I never checked the server files using ftp - but there were lots I'd never uploaded. I'm off to find a host that offers tighter security and https.
Thanks for all your help.
Iain

Conny March 21, 2017 at 9:50 am • Reply

One of the biggest providers in Germany wrote emails to some of my clients saying there was a hack on wflogs/attack-data.php. The provider then told me that they want to talk with you about it and that they want to find a solution with you - is that right?

Mark Maunder March 21, 2017 at 10:19 am • Reply

I think you're referring to an incident yesterday where 1&1 hosting flagged attack-data.php as a false positive. From our internal discussion: "1&1 Sent out a false positive warning and locked down attack-data.php in wflogs. It sounds like they have corrected it at this point but it may take a few hours before their fix comes in effect."

So a hosting company accidentally detected a Wordfence file as malicious and fixed it in a few hours after working with us. It's unrelated to the post above.

Mark.

Mark Maunder March 21, 2017 at 10:25 am • Reply

FYI, This is what they sent out:

Please excuse this error and any inconvenience caused by this false alarm.
We confirm that your file /wp-content/wflogs/attack-data.php does not contain any malicious code. The scanner made a mistake in the previous scan.
The database for the 1&1 Safety Scanner has now been corrected.
If the file still exists in your WebSpace, we changed the file-permissions back to the old value.
If you should require further information, please reply to this e-mail, leaving our reference [removed] in your message. You can also call us at [removed], from Monday-Friday, 11:00am-22:00pm.
We appreciate your cooperation and look forward to continuing to provide you safe and secure hosting.
Best regards,
Hosting Security
--
1&1 Internet Ltd.

Conny March 21, 2017 at 10:43 am • Reply

Thank you Mark for your information ! And thanks for your good work!

Peter March 21, 2017 at 10:08 am • Reply

It boils down to the old saying, you get what you pay for. With the drop in price over the years for dedicated servers I've seen so many companies pop up offering cheap forms of VM hosting, yet their skills at setting up a secure server environment are lacking to say the least. FTP being the most common by far. I think Mark touched on this with a user being able to read other users' directories. I have used only FreeBSD jails for many years now, for a dedicated site tied to a single IP address. If I offered shared hosting the server would be set up completely differently. The biggest problem I found was people using WordPress wanting the security levels I applied lowered because some plugin was not working correctly. Wordfence has always been the first thing I've installed on a base install and yet I've come across people deactivating it because of some problem on their sites. Madness!
Keep up the good work Mark , enjoy reading your articles.

Jennifer March 21, 2017 at 10:31 am • Reply

I bet one was deluxehosting which is the check company and they took over liquid web. I say this because I had two clients with the same weird hack and they were unrelated customers.

Dean March 21, 2017 at 3:01 pm • Reply

What do you mean when you say they took over liquidweb?

Susan March 21, 2017 at 10:33 am • Reply

In the past, I had a cheap hosting company and paid for it dearly, my site got hacked, the hosting company got hacked, nothing was secure. I had to start over after a deep dive into local hosting services.

When I asked the new hosting company how they managed their security they advised me that they did NOT keep their backups on the same server as my site. That's an important security feature to consider. Great information here, Mark. Thanks.

Jennifer carello March 21, 2017 at 11:24 am • Reply

I see some people writing how they have to piece back together hacked websites-you don't have to live this way. Use good security like wordfence and then if a site still gets hacked - if you have blogvault you can restore your site in no time by clicking through. They save backups for a long time, too. if you have not made a lot of changes you can go back to a safe copy. I would never ever have a site without using them. And a lot of developers love living this risky life because in my 20 years of building websites I have NEVER had a site come to me with backup installed. I don't work for blog vault - that software has just saved my butt over and over and over again so I thought I would share with the community. Safe wordpressing everyone!!

Jack Kennard March 21, 2017 at 1:34 pm • Reply

Jennifer, couldn't agree more. Backups should be part of every site's maintenance plan. Unfortunately it usually takes one minor or major rebuild before a backup plan becomes part of the maintenance program.

Bob Hennessey March 21, 2017 at 12:33 pm • Reply

Are there any web hosts that implement firewall rules to thwart most of the malicious traffic prior to it even hitting the website or Wordfence?

All of these websites left to defend themselves on their own? The smart ones using Wordfence of course, but it would be beneficial to the webhost and all of its users to block known malicious traffic at a higher level, blocking known malicious requests at a higher level before php even kicks in? Especially if a site isn't up to date this would be a huge benefit.

Seems like fish in a barrel to leave these sites on their own out there.....

Mark Maunder March 21, 2017 at 12:36 pm • Reply

Unfortunately that is the situation for the most part Bob. Some hosts use mod_security to protect their customer sites, but the rules aren't WordPress specific and aren't kept up-to-date in real-time. As far as I'm aware, most hosts use nothing.

Luke Cavanagh March 22, 2017 at 3:16 pm • Reply

Pretty sure quite a few WP managed use mod_security, but it can be quite resource intensive on the servers.

Peter Bates March 21, 2017 at 6:17 pm • Reply

You can use Cloudflare to mitigate a lot of bad traffic with page rules, and I set up nginx with naxsi rules and specific rules for WordPress. I also limit PHP with allow_url_fopen=Off and allow_url_include=Off. I also use route in rc.conf to block certain IP blocks that appear here on Wordfence. So there is a lot you can do server side to mitigate any attack vector. I use FreeBSD jails.

Equipper March 22, 2017 at 4:26 pm • Reply

Yes, use Cloudflare/Wordfence etc... for firewall rules and/or use Linux... Google: Linux firewall rules. It's easy to set up but you need root access to the Linux machine.. Do you have it?? There are lists of known bots and IP addresses that are considered malware etc.. And please use a git repo... In case a hacker changes your code you know what was changed..

Dave March 21, 2017 at 12:42 pm • Reply

Not sure how you feel about a partisan approach, but I'd appreciate some hosting recommendations - not just who has the best security practices but who has also demonstrated good response (like the sites you mention) since no approach is probably bulletproof. I'm seeking out a new provider... Thanks!

Mark Maunder March 21, 2017 at 12:51 pm • Reply

We're chatting about doing something like this Dave.

Equipper March 22, 2017 at 4:17 pm • Reply

Have you tried DigitalOcean? 5-10 dollars per month... You can lock down your site with ease or just host your WP site on App Engine... Then be done with it. Seriously, cloud computing is here, it's time to jump on the bandwagon. There's a reason why GoDaddy does not provide PCI compliant servers anymore... it's the way their hosting is set up.... Folks, I don't mean to be a smart ass, but have you heard of Amazon Cloud? It's not going to protect you by itself, but shared web hosting is always going to be a risk.. It's the nature of it...

Lydia March 21, 2017 at 12:53 pm • Reply

All of your advice has been helpful, but this list was especially relevant, given the amazing amount of hacking activity going on out there. Thanks again for being there!

Tudor March 21, 2017 at 1:55 pm • Reply

Hi,

I would mention an important point about "the latest version" of PHP. Some hosts let you choose your version of PHP, so you can choose (if you really want to live dangerously) one that has been unsupported for 4 (!) years already. Example: PHP 5.3 (http://php.net/eol.php) is the default (!) option, for compatibility reasons I suppose. I could also choose 5.4 or 5.5, which are also no longer supported. They push the decision to you.

I would add that what matters is not the latest version but at least a supported version (branch) with all patches to date. I might prefer to use the version before the last one, as it might be more stable, like one would consider for operating systems. In the specific case of PHP there is some discussion about what features would work in 7.0 and not in 5.6, for example; both are maintained.

Luke Cavanagh March 22, 2017 at 3:17 pm • Reply

I would take a look at

https://kb.yoast.com/kb/how-to-update-your-php-version/

Quite a few WP hosts have PHP7 as default now.

Dean Cantave March 21, 2017 at 2:56 pm • Reply

Mark,

Thanks for the post! I've actually narrowed down my selection to a hosting company that is costly on the price ($100 a month) but from my research it appears that they are a premium when it comes to good hosting. I've been mulling over this decision for months now since I am launching my new blog next week.

I'm wondering if the issue you mentioned with one hosting account having access to other directory structures within another hosting account is something that is more common on SHARED hosting? I don't believe this would be an issue with VPS and obviously not an issue with a Dedicated instance.

Do you agree that VPS is probably the preferred hosting option to mitigate these kinds of security vulnerabilities?

Peter Bates March 21, 2017 at 6:33 pm • Reply

It's all about correct configuration of the server. I personally have all user accounts set with a umask of 27, and that user account would also be set to nologin, thereby not allowing SSH access but allowing SFTP if needed.
$100 a month is not a lot if you have a good sysadmin who knows his beans. Personally I build all my VPS (jails) from scratch and from source using LibreSSL. Yes, it's time consuming to set up initially, but each VPS is basically your own dedicated server on its own IP and cloned daily with ZFS snapshots.

opinions March 22, 2017 at 7:59 am • Reply

Dean, I've been doing this for years (pro blogger) and have never found a hosting company that's adequate for less than around $90/month. This be for virtual server with several websites, medium level traffic (~10,000 uniques a day, excluding bots) that spikes. For that kind of money you should be able to get pretty much 24/7 tech support, which is essential for those of us who would rather write blog posts than configure our own hosting, though if you're a one-person show you'll be forced to learn at least something about hosting so you can make intelligent choices.

One thing Mark left out of this is your server should have some kind of firewall that's configurable with the help of the hosting company tech support. This is separate from Wordfence and protects against things like SFTP and FTP login brute forcing. Or at least that's my understanding.

Scott N March 21, 2017 at 3:01 pm • Reply

I'm pretty happy that our small hosting company (QTH) would get an A+ on this quiz! :-)

- Scott

Jobst March 21, 2017 at 3:22 pm • Reply

One of the things I have seen with a lot of shared hosting (virtual) servers: if you have root access to the server (non Cpanel) you can see the network traffic on the (shared) interface(s) using either ngrep or tcpdump for all accounts on that server.
I know there are issues totally separating traffic for all of the accounts on a server, but I know it can be done, it scared the crap out of me.
A test for this should be included and should be made question #6.

Mark Maunder March 21, 2017 at 3:45 pm • Reply

I think you need root to put the interface in promiscuous mode to be able to use tcpdump to see all traffic. Even if you have ssh and shell access, and a tcpdump binary, you shouldn't be able to see all traffic.

Asmita Nepal March 21, 2017 at 3:57 pm • Reply

Your advice are very helpful, but this list was especially relevant, given the amazing amount of hacking activity going on out there. Thanks

Equipper March 22, 2017 at 4:09 pm • Reply

They will not release the list. But you can assume that the majority of sites hacked out there are ones on shared web hosting solutions such as GoDaddy. I've seen a lot of hacked websites on these hosts because once a hacker has root access ALL the sites can be hacked. Just use DigitalOcean, it's 5-10 dollars per month and you can set up the security features you need. They have great tutorials and trust me, it's not worth the time and money using these shared hosting solutions anymore... THE CLOUD is here folks, time to jump on it..

Kabeer Khan March 21, 2017 at 8:30 pm • Reply

Great information regarding hosting security, Thanks for sharing.

Arty March 21, 2017 at 11:54 pm • Reply

We use Enta.net who are so far behind on everything we can't even install plugins or update WordPress, not without overriding the SSL auth check. We were told 2 years ago we were on an old server but they refuse to update. Appalling.

Sam March 22, 2017 at 2:01 am • Reply

Thanks for the great article; price and features are what concerns most people and security is so often overlooked. I would agree with others that an article about the highest-ranking hosting providers in security would be very valuable!

I use Wordfence myself and I know you guys are always on top of things. Would really like to hear your opinion on the most secure hosts. I don't think any hosting companies provide Malware Removal, do they? I did see that WPX Hosting have just introduced malware removal for free though. Have you heard of them?

I will be directing other people with security concerns to this article. Thanks again and would really like to hear your thoughts on the best secured hosts!

Russ Michaels March 22, 2017 at 4:42 am • Reply

I see a lot of host bashing going on when things like this happen, and yes, there are some terrible bedroom hosts out there who have no idea what they are doing and have no security on their servers, but a lot of hosts are stuck between a rock and a hard place when it comes to keeping servers up to date. More often than not it is the customers themselves who stop them from updating servers, as they refuse to take security seriously and refuse to update their sites despite all the warnings, so they cannot be moved to another server, and the server they are on cannot be updated or the host risks losing all those customers. And then when their site gets hacked, due to their decision not to update it and to stay on outdated servers and technology, they are the first to complain.
Did you know that according to research 75% of websites have been hacked?
Some customers do not care even after they have been hacked, they still are prepared to spend any money on their website or hosting to keep it secure, and it will happen again and again.

I used to run a hosting company myself until last year, so I do have first hand experience of this, and here is one example.

We originally used to run an old hosting control panel called HELM, which had reached end of life and was no longer supported, but most hosts kept it going for many years after its death as it was a good system. But then the day came that Windows Server 2003 also reached end of life, and HELM did not run on any newer version of Windows, so it had to go, as did all the servers it was running on, as it is not safe to keep them online. On top of the OS, these servers also had other old and vulnerable software like ColdFusion 6/7, PHP 5.2, etc.

We actually spent about 2 years trying to get customers off these old servers and onto our new ones, with dire warnings about the serious vulnerabilities, and we finally announced they would be turned off 9 months in advance of the Windows 2003 EOL. We even offered to get sites fixed for the customers at a reasonable rate.

We sent monthly reminders, we put a notice on every outgoing email (tickets, invoices, billing reminders, everything), on the ticket system itself, on the control panel login page, literally every place possible, so it was literally impossible to not be aware of it. Yet still a number of the customers on those servers ignored the notice and did nothing, and the day the servers were turned off, their sites of course went offline, and the complaints started.

Amazingly, rather than address the actual issue, a lot of these customers instead went looking for crappy hosts that were still running and supporting Windows 2003 and the old and outdated tech. So they were happy to take the risks of being hacked and having data stolen, just to avoid having to do the work of updating their sites.
So we literally had 2 choices: either continue running these insecure servers indefinitely for the sake of keeping those remaining customers, running an EOL operating system, or turn them off and lose the customers. For a small host this is not an easy decision.

I am quite glad to be out of that business now. Instead I now do Managed Services, and as part of that I offer managed hosting using other hosting providers. I monitor, maintain and manage the websites for the clients, keeping them up to date and malware free, and making sure the servers are up to date as well. If there is any problem with the host, I just move the customer's site elsewhere for them.

Equipper March 22, 2017 at 4:02 pm • Reply

I'd recommend using Amazon EC2, Google Compute, DigitalOcean, Cloudflare, etc.... It's much easier than dealing with shared web hosting solutions like GoDaddy (and cheaper)... Also, you can choose what version of PHP X, MySQL X, phpMyAdmin X you want to have. I have all the latest versions. It's also easy to set up a LAMP stack on these cloud servers nowadays. I spend less than 20 dollars a month and have the best hosting solution (one that is private) with a load balancer.
My setup includes: PHP 7, SSH (key access only and restricted to IP addresses), Apache running as the WWW user, Git repo (private), SFTP (key access only), log files saved offline forever, phpMyAdmin can only be accessed via an SSH key forwarded through my local machine. I can update the Linux distro (Debian managed by Google) as I see fit, and with my Git repo I have a backup of my WordPress site. Cloudflare helps with botnet brute force attacks and I have Wordfence for scripting hacks....
Contact me if you need help..
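The comment above describes SSH access that is key-only and restricted to specific source IPs. The script below is an added example (not the commenter's code, and not part of the original post) that audits an `sshd_config` file for those settings: password logins off, public-key auth on, no direct root login, and an `AllowUsers user@host` entry that pins access to a source address. The two sample configs it writes are constructed for the example; the `deploy` user and the 203.0.113.x addresses (a documentation range) are placeholders.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only, IP-restricted access.
# Usage: sh audit_sshd.sh /etc/ssh/sshd_config   (exit 0 = all checks pass)

# Print the effective value of a keyword. sshd uses the first match, so we stop
# at the first uncommented occurrence. Match blocks and "Key=value" syntax are
# not handled; they are rare in hand-written configs.
sshd_value() {
    # $1 = config file, $2 = keyword (matched case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Run the four checks; print a FAIL line per problem; return 0 only if all pass.
audit_sshd_config() {
    cfg="$1"
    fails=0

    # 1. Password logins disabled, so only keys work (default is yes).
    [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication must be no"; fails=$((fails + 1)); }

    # 2. Public-key auth enabled (sshd defaults to yes when the line is absent).
    pk="$(sshd_value "$cfg" PubkeyAuthentication)"
    [ "${pk:-yes}" = "yes" ] ||
        { echo "FAIL: PubkeyAuthentication must be yes"; fails=$((fails + 1)); }

    # 3. No direct root login; administer through a named user instead.
    [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin must be no"; fails=$((fails + 1)); }

    # 4. Access pinned to named users from specific hosts: AllowUsers user@host.
    grep -Eq '^[[:space:]]*AllowUsers[[:space:]]+[^[:space:]]+@[^[:space:]]+' "$cfg" ||
        { echo "FAIL: AllowUsers should restrict users to source addresses"; fails=$((fails + 1)); }

    [ "$fails" -eq 0 ]
}

# Constructed sample: a config that satisfies every check above.
write_hardened_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from any real server
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.10 deploy@203.0.113.11
EOF
}

# Constructed sample: password logins and root access left on, no IP restriction.
write_weak_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from any real server
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
}

# Audit the file given on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_sshd_config "$1"
fi
```

Run it against the live file after every change and before `systemctl reload sshd`; the `sshd -t` syntax check is a separate step that this script does not replace. The same key-only account is what carries the phpMyAdmin tunnel the comment mentions (`ssh -L 8080:localhost:80 deploy@server`), so keeping these four settings correct protects that path as well.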

Vitaly March 23, 2017 at 4:08 am • Reply

As usual, great post.
The only issue I see is that a hosting company will answer "yes, of course" to all your questions.
So only some kind of security rating from Wordfence and other security companies and organizations may help.
