7 Web Hosting Tips to Help Secure Your Site – CNET
7 Web Hosting Tips to Help Secure Your Site - CNET
Online security is more important than ever before. The Identity Theft Resource Center said 2022 was close to setting a record for the number of data breaches in a year, and according to Chainalysis ransomware payments totaled $457 million. And these concerns aren’t just for major corporations — they affect anyone with a website.
Web hosting security gaps can compromise the personal information of a website’s visitors and owner. Cyberattacks that exploit these gaps can also cause site owners to lose revenue by defacing or deleting their site information. The exact risk to your site depends on what kind of web hosting plan you have, but many of the best web hosting services offer a range of cybersecurity tools to help keep your site safe.
Here are seven important security tools to look for in a web hosting service.
SSL certificates
Secure socket layer certificates are cryptographic protocols that encrypt and authenticate data between servers, machines and applications operating within a network. These help prevent third parties from intercepting, altering or recording sensitive information like a person’s credit card information.
Think of these certificates like the secret language you and your best friend came up with when you were little: You know your friend is saying the teacher is the worst, but the teacher is wondering why you’re discussing how much banana pudding is needed to fill a football field. SSL certificates make sure your visitors’ information is all sent through the secret language.
Secure file transfer protocol
File transfer protocols, or FTPs, are used to transfer large amounts of unencrypted data to your web hosting server — like if you wanted to upload a video or multiple files to the server. Using an FTP does not provide users with a secure transferring method, leaving your data vulnerable to third-party interception.
While many web hosting services offer FTP access by default, some web hosting services, like Ionos, offer secure FTP access by default instead. Secure FTP encrypts the data you’re transferring for greater security. That way if you’re transferring sensitive data, just like using SSL certificates, you know your data won’t end up in someone else’s hands.
Web application firewalls
A web application firewall protects web applications by filtering, monitoring and blocking malicious web traffic meant to record data about the site’s visitors or the site’s owner. All web traffic must pass through a WAF before it reaches the server hosting your site. If the WAF sees suspicious web traffic trying to access the server, it blocks it. These firewalls can also prevent unauthorized data from leaving the web application. They act as checkpoints to and from web services to make sure nothing malicious is coming in and nothing important is getting out.
WAFs are like bouncers outside the club you and your friend went to over the weekend. The bouncers let both of you in, but they turned away the person behind you who was already slurring their words and acting like they owned the place.
Some web hosting services, like A2 Hosting, include WAFs in all their web hosting plans. If you select a hosting plan that doesn’t offer WAFs, companies like Imperva and Cloudbric offer WAF plans with additional security features. Some of the plans could also improve your web hosting security even if your web hosting service offers WAFs. Some WAFs also offer reports and analytics to better identify vulnerabilities and resolve them to help protect data.
Antivirus and malware protections
Antivirus and malware protections are key to have, especially if you have a shared hosting plan where you are sharing a server with potentially hundreds of other users. While you and everyone else are uploading files and data for your sites onto the same server, some of those files could unknowingly contain a virus or malware. Once the file reaches the server, the malicious code within the file could impact every site on the server. Your site could be vandalized or brought down, causing you to lose visitors and/or revenue. The malicious code could also steal your data or the data of your visitors.
Think of the server as an apartment building and everyone inside of the building as a website. If someone comes into the apartment building and they are sick, that illness has the potential to spread throughout the building. In this case, antivirus and malware protections stop the illness from entering the building in the first place.
For shared hosting plans, the web hosting service is responsible for maintaining antivirus and malware protections. However, if you have a VPS or a dedicated server, you might have to install your own protections.
Distributed denial of service protection
Imagine you’re asking your parents a question, but your little sibling doesn’t want your parents to tell you the answer. Your sibling gathers all their friends, kids from the neighborhood, classmates and anyone else they find and they all start screaming at the top of their lungs to drown out any other noise. You can’t hear yourself think, let alone whatever your parents are saying. That’s what a distributed denial of service, or DDoS, attack is like to your website.
DDoS attacks are cybercrimes that flood your site with traffic from a network of malware infected and connected computers called a botnet. The increase in traffic can prevent visitors from accessing your site, disrupt your work and could overwhelm the server your site is on. No matter what hosting plan you choose — shared, VPS or dedicated — the increase in traffic eats up resources available to your site and the server at large.
Web hosting services with DDoS protections in place are able to detect and prevent these firehose style attacks from happening. A WAF can help detect and mitigate DDoS attacks, but often this isn’t enough to prevent an attack. One tool to help prevent a DDoS attack is an intrusion-prevention system. These network security tools monitor for malicious web traffic activity and reports, blocks and drops the activity.
Some web hosting services, like HostPapa and InMotion Hosting, display their DDoS prevention tools on their plan breakdown pages. If a web hosting service doesn’t display its DDoS prevention tools, you should contact the service and ask if it does offer these protections. Defenses against these attacks could save you and your site from losing revenue and visitors.
Site data backups
Backups are components of disaster recovery and are a last resort in cases where your site is compromised, defaced or deleted. A backup allows you to restore your site to its former glory. You can choose to manually back up your data, or you can enable automatic backups so you can schedule when your data is backed up.
Having safe and secure backups minimizes the amount of time your site is down if it is compromised, potentially saving you visitors and revenue. Some web hosting sites, like Bluehost and A2 Hosting, offer free automatic backups with their hosting plans — A2 Hosting also offers manual backups. However, lower-tier web hosting plans might only offer manual backups, and automatic backups are available on higher-tier plans.
Some backups, like those provided by GoDaddy, are stored in a secure cloud server. Other backups are stored in separate servers from the one your site data is stored on. These precautions ensure that if your server is compromised, your data is still safe. Not all web hosting services take such precautions, though, and they may not say in their hosting plans where backups are stored. If this happens, contact the hosting service and ask whether the backup is stored on the same server as your data. It could save you a headache later.
You can also save all your backups locally onto your personal computer, hard drive or server. This is handy in the event that your web hosting service keeps backups for two weeks, but your site was compromised three weeks ago. In this case, this means the server’s backup is also compromised. Having local backups would give you access to an uncompromised version of your site.
Managed hosting plans
Consider a managed hosting plan if you don’t have the time — or the experience — to monitor your website for security issues. With managed hosting plans, the web hosting service handles any potential administrative issues, security updates, patches and provides additional resources for your site.
Managed hosting plans are kind of like hiring Batman’s butler, Alfred Pennyworth, to monitor your home and make sure everything is running correctly. He can even provide some defense if needed. Unmanaged hosting plans leave maintenance and security in your hands. Because of this, managed hosting plans are generally more secure than unmanaged hosting plans.
Where to look for these features when choosing a hosting service
Web hosting services show a lot of what comes in their web hosting plans on their hosting comparison pages. This comparison page from A2 Hosting shows that it offers features like SSL certificates, DDoS protections and virus scans. This page from Dreamhost shows that it offers features like SSL certificates, automated daily backups and secure FTP. Having easy access to service comparisons is helpful when deciding which company to trust with your website.
However, you might need to contact your web hosting service to see if it offers security features that are not advertised.
For more about web hosting, check out the best web hosting services of 2023, the best website builders of 2023 and 11 things to know before you launch a website.