Web Hosting Security Tools & Features
Security is critically important for any website, and doubly so for any business website. It isn’t just eCommerce sites that need to worry about security, either. Though financial transactions have their own special set of concerns, any website that collects even basic information about users (name, email address) needs to take security precautions with how that data is handled.
Additionally, even the most non-commercial sites (personal blogs, small non-profit groups) can be at risk for viruses, spam, and other malicious activity.
Hosting companies offer a range of security features, but it is ultimately your responsibility as a website owner or manager to ensure that your website is properly secured. This is something you want to think about from the very beginning, not add in as an afterthought.
Common Security Features of Web Hosting Plans
SSL Certificates - SSL (Secure Sockets Layer) is a form of encryption that creates a secure connection between a website and a visitor. It is essential for any form of private data transfer, like entering credit card numbers into a shopping cart form. Additionally, Google has recently announced that websites using SSL encryption will receive a slight rankings increase over sites that do not.
For SSL encryption to work properly with web browsers, a website owner must obtain an SSL certificate from a Certificate Authority. Most web hosting companies have partnered with a Certificate Authority in order to provide SSL certificates as part of the web hosting package, with automatic setup. Usually, SSL Certificates require a dedicated IP address.
SSL-related security features:
Shared SSL — Shared hosting plan providers often, but not always, provide a single SSL certificate that is shared by all customers sharing the hosting server.
Private SSL — Some shared hosting plan providers allow users to add a private, or dedicated, SSL certificate to their plans for an additional fee. Usually this requires a separate purchase of a dedicated IP address.
Proxy SSL Encryption — This is an advanced feature used to provide SSL encryption into a private network from outside the network. A single server acts as a proxy for other servers inside the network, and provides a layer of SSL security.
Other Security Tools and Features:
Sender ID - Sender ID is an email anti-spoofing protocol similar to Sender Policy Framework (SPF), with several improvements.
Using Sender ID ensures that spoofed email sent as if it came from your domain will not be misattributed to you. This helps others filter out spam email and also helps keep your legitimate email from being blacklisted.
ASPSecured - ASPSecured is a security module available for the ASP (Active Server Pages) programming language.
TRUSTe - TRUSTe is a Data Privacy Management Platform, comprising a suite of related tools for ensuring data privacy and communicating that security to your customers.
Firewall Protection - A firewall is a hardware or software system which blocks certain types of traffic. In a web hosting environment, requests are blocked either because of their origin or their content.
Most shared hosting plans include basic firewall protection, but it usually cannot be customized because the firewall is shared by all customers. If an IP address is blocked for one customer, it is blocked for all. More problematic: if an IP address is whitelisted for one customer, it is whitelisted for all.
For this reason, some website owners need a dedicated firewall. Depending on the hosting company, this may require a VPS (Virtual Private Server) plan, or it may be possible to add it to a shared hosting plan that has a dedicated IP address.
IP Deny Manager - If you are using a firewall, you may need to be able to manually add or remove certain IP addresses from being blocked. This requires an IP Deny Manager tool.
Hotlink Protection - Generally, your media assets for your website are accessed as part of a larger set of requests for your entire website.
However, it is possible for someone to embed an asset (usually an image) on their website by pointing directly to your file in the source code of their website. This allows them to use your content, possibly without your permission. This is called “Hotlinking.”
This may be bad for two reasons. First, you may not want someone else using your content, in which case they may be infringing on your copyright. Second, when the image is loaded from your server by another website, it is using your bandwidth. If you pay for bandwidth, or if the linking site is very popular, this can cause problems for you. Hotlink protection prevents this from happening.
Snapshot Backups - One of the most important security considerations is frequent backups. No matter what precautions you take, there is always a risk that something will happen to compromise or corrupt your data.
A snapshot backup will allow you to restore the files and database on your server as it was at a particular time in the past. Usually, a series of snapshots are saved, so that you can restore to some specific point. This is important because if you always delete the old backups as new ones are made, you may end up not having backups from the period before the problem began.
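The retention point above, worked through as an added example (not part of the original page). The dates, the daily schedule and the keep-the-newest-N policy are constructed assumptions; the simulation shows how many snapshots must be kept for a clean restore point to survive until a problem is noticed.

```python
from datetime import datetime, timedelta


def prune(snapshots, keep):
    """Apply a keep-the-newest-N retention policy and return what survives."""
    return sorted(sorted(snapshots, reverse=True)[:max(keep, 0)])


def restore_point(snapshots, compromised_at):
    """Newest snapshot taken strictly before the compromise, or None."""
    clean = [s for s in snapshots if s < compromised_at]
    return max(clean) if clean else None


def simulate(keep, days=10):
    """Daily 02:00 snapshots (constructed dates). The site is compromised on
    day 6 at 14:00 and the problem is noticed only after the day-10 snapshot."""
    first = datetime(2024, 3, 1, 2, 0)
    compromised_at = datetime(2024, 3, 6, 14, 0)
    stored = []
    for day in range(days):
        stored.append(first + timedelta(days=day))
        stored = prune(stored, keep)  # old snapshots are deleted as new ones land
    return restore_point(stored, compromised_at)


if __name__ == "__main__":
    for keep in (1, 4, 5, 7):
        point = simulate(keep)
        print(f"keep={keep}: restore point = {point or 'none (all snapshots are post-compromise)'}")
```

Four snapshots run between the compromise and its discovery, so any policy keeping four or fewer leaves nothing clean to restore.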
Do shared hosting plans offer the same level of security as VPS or Dedicated plans?
In general, no. While your host should be taking a number of security precautions to ensure the reliability of their servers, it is much harder to secure a shared server than a private server.
Think of a shared hosting plan like having multiple profiles on your home computer. If your son decides to download a game off his favorite BitTorrent site, and that game turns out to be a virus, your son’s account is not the only one infected. Your entire computer, and every account on it, is now at risk. The same is true for shared hosting, because you’re all sharing the same server.
Hosting Frequently Asked Questions
Can I use all of these security features with a shared hosting plan?
Some security features will still work with a shared hosting plan, but many of them require a dedicated IP address.
You will need to check with your host to determine whether or not a dedicated IP address is available with a shared plan.
Even if it is, if security is a concern for your organization, consider a low-cost VPS instead of a shared plan. They cost a little more, but the added peace of mind will be worth it.
Why pay for a Private SSL when Shared SSL is offered for free?
Private SSL provides a number of advantages over Shared SSL.
The biggest advantage is that your domain is listed on the SSL Certificate, which is important for two reasons.
First, your visitors expect to see your site’s name on your certificate. With Shared SSL, the certificate will list your host’s domain instead of yours. Many website visitors, especially those visiting an online store, will see this as a red flag.
In addition, one of the checks your browser does when it reaches a secure site is to make sure the domains match up. If they don’t, it will pop up a warning, letting users know.
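The domain-match check described above, as an added example that is not part of the original page. It covers only the name comparison (a browser also validates the certificate chain and expiry), and the host names and certificate name lists are constructed placeholders under the reserved .example domain.

```python
def name_matches(cert_name, host):
    """Compare one name from a certificate with the host the visitor typed.

    A '*' counts only as the whole left-most label and stands for exactly one
    label: '*.sharedhost.example' covers 'acct42.sharedhost.example' but not
    'sharedhost.example' or 'a.b.sharedhost.example'.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Refuse over-broad wildcards such as '*.example'.
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def check_certificate(visited_host, cert_names):
    """Return (ok, reason) for the host in the address bar versus the cert."""
    for name in cert_names:
        if name_matches(name, visited_host):
            return True, f"{visited_host} is covered by '{name}'"
    return False, f"{visited_host} is not covered by {cert_names}: browser warns"


# Constructed name lists: a host-owned shared certificate and a private one.
SHARED_CERT = ["sharedhost.example", "*.sharedhost.example"]
PRIVATE_CERT = ["shop.example", "www.shop.example"]

if __name__ == "__main__":
    for host, names in [
        ("www.shop.example", SHARED_CERT),           # your domain, host's cert
        ("acct42.sharedhost.example", SHARED_CERT),  # host's domain, host's cert
        ("www.shop.example", PRIVATE_CERT),          # your domain, your cert
    ]:
        ok, reason = check_certificate(host, names)
        print("OK  " if ok else "WARN", reason)
```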
When is Shared SSL a good option?
Shared SSL is typically used for sites that don’t require public access.
For instance, when you log into your site’s admin panel, Shared SSL can make that login more secure. Another good use for it is on company sites that restrict access to employees only.
Of course, if security is a big concern for your company site, Private SSL (and a private server) are still a better option.
How much security does my site need?
That’s ultimately up to you, but there are a couple of major factors you should consider when determining how much security to invest in.
First, what type of content are you hosting? If it’s just a personal blog, you probably don’t need to spend a fortune on security. If it’s a company site that’s critical to your organization, secure that thing.
Second, what type of information are you asking from your users? If you’re hosting an online store and need to capture credit card information, you need to at least have a private SSL Certificate.
If you’re storing that data, go for the firewall too. If you’re asking users for their email addresses, date of birth, or other private information, you should add on whatever security measures you can afford.
Where do I find all of these security features?
Most of these should be offered by your host. Check your control panel, or contact your host. If you’re shopping around for a new host, make sure to look at all the features available and go with the plan that offers the security features you need.
Will my website visitors know what type of security I have in place?
In many cases, yes.
If you have an SSL Certificate, visitors will see the lock icon on their browser’s address bar when they go to a secure page on your website.
Other protections, like TRUSTe, allow you to put a special logo on your site, letting your visitors know their information is protected.
Other security features, like firewalls, happen on the backend, and your customers won’t ever know about it. But that doesn’t mean they’re not important.
How does Sender ID know if an email came from my domain?
Sender ID compares the IP address used by the sender to the owner listed for the alleged sending domain. If these do not match up, there is a high chance the email is not legitimate.
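The comparison described above, as an added example that is not part of the original page. It assumes the domain owner publishes a Sender ID policy record in the "spf2.0/pra" form; the DNS lookup is replaced by a constructed dictionary, the domain and addresses are documentation placeholders, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed records standing in for DNS TXT lookups on the sending domain.
RECORDS = {
    "shop.example": "spf2.0/pra ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
}

# Qualifier in front of a mechanism decides the result when it matches.
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate(record, sender_ip):
    """Check a connecting IP against the addresses a domain has authorised."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    version, _, scopes = terms[0].lower().partition("/") if terms else ("", "", "")
    if version != "spf2.0" or "pra" not in scopes.split(","):
        return "none"                      # no Sender ID policy to apply
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":             # catch-all, normally last
            return RESULTS[qualifier]
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"         # malformed record
            if ip.version == network.version and ip in network:
                return RESULTS[qualifier]
        # Other mechanisms (a, mx, include, ...) are skipped in this example.
    return "neutral"


def check_sender(claimed_domain, sender_ip, records=RECORDS):
    """Look up the claimed domain's record and evaluate the sender's IP."""
    record = records.get(claimed_domain.lower())
    return evaluate(record, sender_ip) if record else "none"


if __name__ == "__main__":
    for ip in ("192.0.2.5", "198.51.100.25", "203.0.113.9"):
        print(ip, "->", check_sender("shop.example", ip))
```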
If I block a user’s IP address, does that prevent him from ever visiting my website again?
Most home users have dynamic IP addresses, meaning they change periodically. Additionally, if someone really wants to visit your site, he can always go to a local coffee shop, where the IP address would be different.
However, IP blocking software can be very useful for blocking organizations, blacklisted addresses, specific regions, or even specific countries.
It is also useful for limiting access to a single IP address or a handful of them, for private access.
Will hotlink protection keep users from downloading my images?
No. Hotlink protection only stops other websites from linking directly to your images. Users can still go to your website and download your images. There are some applications that make this more difficult, but none are foolproof.
What protections does ASPSecured offer?
ASPSecured allows you to secure your ASP pages with such features as user and group protections, multiple user logins, automatic account expirations, credit card processing, password lookup scripts, and much more.
How much storage space is required for Snapshot Backups?
Most backup programs will allow you to set how often you want backups to take place, how far back to keep backups, and how much space can be allocated for backups.
In addition, you can usually select what sections of your server you want to back up, so if some files are not important, you don’t have to back them up.