8 Website Security Problems to Avoid
Security is a joint effort between the account holder and the host.
The average hosting account has eight ‘layers’ of security.
So which of these layers are you, the client, responsible for?
1. Physical Access
Security starts with physical access to the machine – or the datacentre.
This is solely the responsibility of the datacenter provider, if not the host.
2. Local Network
The second layer of security is the local network around the physical machine: routers, switches, load balancers and other networking tools.
Again, the responsibility for security is down to the datacentre provider.
3. Operating System
Linux, Windows or even Mac, every web server needs an operating system.
An attack at this level can affect all of the sites that live on a machine, regardless of the account they are on.
The responsibility for this layer usually lies with the host, unless you’re on a blank, truly unmanaged dedicated server. The host has installed the OS and is responsible for its upkeep – that includes security patches and updates.
(If you use a shared or VPS hosting account, you don’t even have access to this layer.)
4. Virtualisation Layer
On a VPS, the virtualisation layer is a software layer that exists between the operating system and the users.
Its function is to break apart a single physical machine into multiple virtual machines. An attack at this level could impact all the virtual machines on the physical server.
If this layer exists, it’s the host’s responsibility to maintain it. By design, it is out of reach of the user.
5. Virtual Operating System
This point is related to point 5, above.
If a server has a virtualisation layer, it will also have a second operating system for each virtual machine on the server. An attack here would only affect a single virtual machine.
On managed VPS accounts, the responsibility lies with the host. On unmanaged accounts, it falls to the user.
Depending on the agreement, either the host or the webmaster must update and maintain the OS in the same way as the main operating system
6. Server/ Server Management
On top of the operating system, each account has its own set of software installed. This software includes the web server, the database server, support for scripting languages, etc.
This layer may also include account management tools such as cPanel, which exist behind the scenes.
An attack on this software would have a similar impact to an attack on the second operating system.
On a shared hosting account, this level is the responsibility of the host. On a VPS or dedicated server account, responsibility varies depending on how much management the client has paid for.
However, all users have the responsibility for their application passwords.
7. Site Management
The site management layer covers all software used to operate the site.
This can be a CMS like WordPress or Joomla, a bulletin board system such as phpBB or something else altogether.
An attack at this level will usually only impact a single site. But because this software is public-facing, it’s the most vulnerable and the most commonly-exploited weakness.
Some hosts will integrate management of one or more site tools in their management package, but the vast majority do not, so the responsibility for maintaining and securing this layer falls to the user.
8. User’s Computer
Your own computer can be compromised, leading to problems with your server.
Malicious software can grab passwords, and a compromised machine can be used to make unauthorised changes.
Clearly, the responsibility here lies with the user.
Working Towards Better Security
Your security is only as good as its weakest link. Having the most secure, locked-down installation of WordPress does no good if your operating system has a hole in it that allows easy access. Likewise, having an up-to-date cPanel is useless if an attacker can grab your password from your local machine.
Know your obligations and make sure you do your part to ensure your website is secure against attack.