Shared Hosting and Web Application Security – The Opposites

Shared hosting might be an affordable solution for many businesses and startups, but because of the way shared hosting works web application security is not in your control. Read about all the pitfalls of shared web hosting and what you should look for when choosing a hosting provider for your web applications.


Shared Hosting is Simple but Lacks Flexibility

So you are feeling entrepreneurial and want to start a fresh, new website for your idea.  Great!  Starting a website anymore is so very easy, and various hosts offer a plethora of options, ranging from the WYSIWYG wizard website generators, to the standard old-school style of "throw your website files here" data dump.  These are all well and good, but they come with some rather serious problems and risks.

First and foremost, these options are very simple and do not afford you much flexibility.  Say your website starts out simply as a restaurant menu page, and as you grow you find the need to add a take-out shopping cart or online reservation handler.  Oops!  That shared hosting solution only allows for very limited software (and many do not even allow for anything beyond static images and web pages for security purposes).  There is, however, a far more sinister problem with shared hosting, and that is security -- or rather, lack thereof.

Shared Hosting Means Shared Everything, Including Hack Attacks

The reason shared hosting is called "shared" is because you are sharing the web server that hosts your website with dozens, hundreds, perhaps even thousands of other websites.  Remember how I said many shared web hosts do not allow for anything beyond static images and web pages?  The reason is because there is not a whole lot a shared web host can do to offer much web application security to explicitly separate all the websites they host.  However, even limited software execution does not inherently protect the websites hosted.

For example, your little restaurant website could be hosted on the same server as a website that has irritated a particular hacking. Hacking groups are infamous for using distributed denial of service (DDoS) attacks on websites they dislike.  A DDoS is not selective to a single website hosted on a shared server, either, so that DDoS can take down the entire server, including your website and web applications.  You have no way to protect against this, and indeed, no way of knowing you were on a shared server with a targeted website.

Less Simple, More Effective, Complex Hosting: More Variables Means More Problems

Say that shared web host lets you and others use software on your website (such as PHP or Perl).  That is great for you, because now you can probably run that take-out shopping cart or online reservation software you have grown into needing.  But wait!  Now you're handling personally identifiable information, and you want this to remain secure.  So you do everything you can to ensure your website is not vulnerable to malicious web attacks... but have all the other websites on your shared web server done the same?  Probably not.

When a web server runs scripting software, it does so as a single 'user'.  To explain this simply, this is done to partially prevent, by file system permissions, unauthorized access to the web server from compromising the rest of the server itself.  However, that does not mean each individual's website is secure, as often all websites and web applications running on the web server run under the same web server user.  Since a web host running the Apache web server typically runs under the 'apache' user, all websites are run under that user.  So if's code is insecure, it does not matter how secure your shopping cart or online reservation system is, your data is still easily accessible via a hacking attack.

To combat this, web hosts typically setup individual user accounts for each hosted website and install what is called "su" software (standing for switch user), such as suPHP for PHP and suEXEC for Perl.  This type of software limits the access of the website software to only the website it belongs to.  This, however assumes that the web host is properly configured and the su software is secured (nearly all server security vulnerabilities are by poor configuration).  Furthermore, do not forget that you need a database for your shopping cart and online reservation systems, and that, too, must be secured by the web host.

What Are My Other Web Application Hosting Options?

Many reputable and well-aged web hosts have grown wise and experienced enough to learn from past mistakes and ensure their systems are as secure as possible. But they still cannot prevent every conceivable variable, and shared web hosting opens the door to many, perhaps too many, web security vulnerabilities.  So the question remains: How do I host my website, but do so securely without shared hosting?  Unfortunately, when you approach this end of the spectrum, you lose that "easy" aspect of shared hosting and enter into more complicated arenas, such as virtual private servers (VPSs).

For example if your website runs on WordPress (as many do), WordPress itself suggest a few places to host.  These have been time- and hacker-tested and proven about as reliable as can be, while still retaining the ability to gently customize your WordPress-based website.  If, however, you need more (again, we revisit the shopping cart or online reservation systems), perhaps it is time to invest in a VPS.

Not Simple, Very Effective and Highly Complex Hosting: Now You Are Playing With the Big Boys

A virtual private serer is essentially an entire bare server (think of the ability to do your own shared hosting, if the VPS's resources allow it).  The 'V' stands for 'Virtual', meaning that it is not technically a steel-and-silicon server humming away in a data center, but rather an emulated one of many on a steel-and-silicon server.  Think of it as shared whole servers rather than simply shared website hosting.  That is about as deep as we will go with VPS descriptions, as anything more would be its own article of pages and pages of explanation.  But we digress...

VPSs are very cheap.  Some websites showcase incredibly inexpensive VPS deals, and a few even go the extra step to be extremely transparent about those deals (describing past community experience, company establishment, and so forth), so cheap does not necessarily mean unreliable.  If you grow even larger still, you can even begin looking into dedicated or co-located server hosting, but that, again, is discussion for another article.  However, bear in mind that once you go the VPS route or above, all of the web application security falls on your shoulders, as well as the running of the web server, database server, and so on.  Everything comes at a price.

Wrap-Up, To Go

All in all, there will be at least some risk no matter how you host your website.  Shared hosting is easy, but puts you at the mercy of your web host and whomever else they host on your server. VPS hosting puts the onus of everything on you, but effectively removes others from the equation.  At the end of the day, only you can decide what is best for your website's hosting, but keep in mind that every option requires some level of sacrifice.  Now quit worrying about your website and get back to your restaurant.