Security is a huge concern for us, and something we've put extraordinary effort into. These measures are standard on our shared hosting platforms and available as an option on dedicated servers:

  • Server and control panel software is updated nightly.
  • All hosting accounts run in their own space, so cross-account hacks are blocked.
  • A dynamic firewall isolates any IP address that attempts to access accounts with various techniques, including brute force attacks.
  • We use a custom-tuned rule set in the Apache mod_security module, which blocks many exploits. It is linked to our firewall, so repeat attempts result in the attacker being cut off.
  • System-wide nightly security scans that identify a broad range of vulnerabilities, including malware and out-of-date code. These scans flag both pending major CMS updates and vulnerable extensions/plugins.
  • Real-time on-upload vulnerability scanning. Anything matching a malware signature is immediately quarantined.
  • Process tracking mechanisms that help us pinpoint the exact vector that is used for an exploit. We pass this information back to the maintainers of the vulnerable code and work with them to achieve a resolution.
  • Deep backups. Seven days on the local server, bare metal restore backups in the data centre, and 60 days of encrypted backups off-site.
  • Outbound mail is throttled, so if an account is hacked and used as a spam source, mail is stopped and technicians are alerted.
  • Malicious web crawlers and site scrapers are blocked by default.


In the first year since we implemented upload and system-wide security scans, the incidence of hacked sites was reduced to zero, even though several accounts still run outdated versions of various web applications. Every single site hack attempt was successfully blocked and only one mail account has been compromised.

Why doesn't every hosting company do this? Simple: it's less profitable. While these security measures don't directly affect website speed, they do put an additional load on the server. This limits the maximum number of sites that a server can comfortably handle. Fewer accounts per server means less revenue per server, which means less profit. While other hosts are terminating accounts running these older packages, we have no problems with them, confident that our defences are strong and our backups reliable.