Our team of privacy and security experts conducted hours of research into the world of website hosting in order to find the safest and most secure hosting companies of 2018.
But first, it’s important to define the different types of hosting so that you can make an educated decision on the best type of secure hosting for your business.
The 3 most common types of web hosting are:
- Shared Hosting (see our list of the most secure shared hosts)
- VPS Hosting
- Dedicated Server Hosting
How to Choose the Right Type of Secure Hosting
Let’s start by clearly defining what a virtual machine is. Any operating system that provides an interface for users to send commands to a computer is a virtual machine. In other words, every operating system on every computer is a virtual machine. The great power of this technology is that it allows you to have multiple virtual machines running on the same computer or server without the various operating systems being aware of each other. This compartmentalization leads to excellent security and privacy for each machine.
However, when you buy a shared hosting plan, your website files and databases get stored on a single virtual machine along with other users’ files. This is an inherently more risky solution than, for example, virtual private server (VPS) hosting, where every user gets their own dedicated virtual machine. In light of this, it should be noted that shared hosting solutions are not appropriate for everyone.
Here are some important shared hosting facts to keep in mind:
- Even though websites share the same space, users have no access to each other’s files. Except for those with administrator privileges, you needn’t worry about others viewing or manipulating your information. However, security breaches are more likely to occur in a shared hosting environment, so if your website processes critical data, such as social security numbers or credit card numbers, you should choose a more secure hosting solution, such as a dedicated server or a VPS.
- All users on a shared server have access to the same pool of resources. This means your shared space can be affected by other users. Whenever a user on the server runs a particularly resource-intensive application, your own website’s performance will be affected. This means that performance hits can be unpredictable and outside your control. Oftentimes called a noisy neighbor, this is one of the principal reasons why security on a shared server cannot be guaranteed.
- If a group of malicious users makes a targeted attack on a website you share space with, the attack will slow your website down and make it vulnerable as well.
- Security breaches can occur from common server handling mistakes. Small oversights and errors within the server network can sometimes open up your information to malicious forces. Web hosts take measures to protect against these errors through good design, but there’s always a chance of them occurring.
Although shared hosting can sound scary, web providers on this list offer top-notch security, so there’s a low chance of privacy infraction. As long as you’re not hosting websites that contain particularly private data that under no circumstances can be exposed, such as medical or financial records, you’ll be well-served by shared hosting.
Who Shared Hosting is For:
Anybody from the serious business owner to the casual blogger can have most website needs fulfilled by shared hosting. Low to middling levels of traffic will be handled without a problem. Dedicated system administrators, employed by the shared hosting company, will handle all the technical details, allowing you to focus on running your website.
Each user has complete control over what services and applications operate on their website. Web hosts offer specifically optimized applications, but customers don’t have to use them if they don’t want to. However, certain actions, such as firewall disabling, require contacting technical support before going through. This protective measure is employed to guarantee the safety of all users in the shared environment.
Common shared hosting use cases:
- blogs and freelancer portfolios
- on-the-go processing power
- designers needing to host a client’s website
- e-Commerce stores
- community forums
Who Shouldn’t be Using Shared Hosting:
High levels of traffic (35,000+ visitors per day) will drag down not only your own performance but also that of all other users on the shared server. If you’re running a giant website, you’ll need the power of a VPS or dedicated server.
Additionally, those planning on running resource-intensive websites should also consider a more advanced solution. Examples of such websites include video hosting or streaming services.
Because you’ll be sharing a virtual machine, shared hosts offer no type of root access privileges. If your website requires customized software configurations or setting up scripts for automating certain tasks, shared hosting will not work for you.
Web Hosting Security & Privacy Features to Look For
Here are the security and privacy-related features you should be looking at when evaluating a web host:
Firewalls control a website’s incoming and outgoing traffic by opening and closing web port connections. Information transfer between computers takes the form of data packets that flow through ports, with each port tailored to different types of packets. Open ports allow traffic configured for the port to enter and closed ports allow no traffic. A strong firewall accurately recognizes safe authentic packets to let them in while preventing anything unsafe from entering.
Many types of malware spread to devices connected to the same router. This means a virus could come in through your insecure web provider or website and infect all other laptops, phones and tablets on the network.
Oftentimes, web hosts use a combination of in-house proprietary firewalls and third-party security applications to stop hostile traffic. Choosing a web provider with poor firewall support puts your network at risk. Prevention of infection will always be the most efficient way to manage security as it becomes much more resource and time-intensive to remove deeply-rooted infections.
A distributed denial of service (DDoS) attack overwhelms a server, causing it to shut down or become vulnerable, by flooding it with enough fake traffic from multiple sources to exceed its processing limit. Once a server’s limit is reached, the protection protocols become so stressed or faulty that hackers can easily gain access to the data stored within it.
Fake traffic takes the form of automated bots, which are programs that repeatedly refresh a page or request information from it multiple times per second. Often, normal computers with poor security get taken over by hackers and turned into these automated bots. Hackers with large DDoS networks often accept commission requests to take down websites like digital hit-men.
Unlike most common malware viruses that hackers can put out on the web and never have to manage, DDoS attacks require an active effort. Not everybody has information or a reputation that warrants a DDoS attack. You should be wary of DDoS attacks if you handle sensitive customer information, such as credit card data, or if you own a website with strong political views that could draw malicious attention.
Lacking DDoS protection opens you up to the whims of hackers. If you are seen as vulnerable and a hacker desires your information, there will be little you can do to stop them from opening up your website to their control. While this danger is more obvious if you’re running an e-commerce store, bloggers and other less data-intensive users should be wary as well. Having your blog targeted, brought down and then taken over is never a pleasant experience. Your website could be held ransom, used to share misinformation, or turned into another automated bot, further empowering the hackers’ DDoS strength.
Data protection services monitor information for malware and remove it when found. This usually takes the form of malware scanners and vulnerability testers. Data protection is the most flexible security point on this list, as there are many anti-malware solutions.
When judging if a hosting provider’s data protection services will suit your needs, look at your website’s functionality and find points of critical service. Once those critical parts have been identified, understand what would happen to them if your firewall failed and a hacker had access to them. Finally, use complementary data protection services to prevent that access. For example, if your website is an HTML-heavy wiki site, you’d want to use a service such as SiteLock Lite to scan and identify unfamiliar HTML traffic let in through the firewall.
Spam mail can be classified as anything that is either irrelevant to your needs or contains potentially harmful viruses. Most spam mail has been meticulously designed by marketers or hackers to bypass standard e-mail spam filters and to land in the inbox. As a result, specialized filters which either change dynamically over time or employ advanced filtering methods become necessary.
While spam such as junk advertisements does not create security vulnerabilities, spam containing links or images designed to take over your website does. Most hacks through spam require you to open the e-mail, so having a program that prevents those spam messages from ever making it into the inbox works best.
Users without a decent spam filter can usually spot spam by strange e-mail headers or unknown senders. The problem is that it’s challenging to spot all of them with a high enough accuracy to prevent infection 100% of the time. A moment of lapsed judgment or an unfortunate misclick is all it takes. On top of that, constantly monitoring every e-mail takes time and resources.
SSL security certificates
SSL certificates digitally link a website’s details and traffic to a cryptographic key, creating a secure connection between users. Oftentimes, you see a website’s SSL certificate as the padlock icon in the URL with the word “secure”. Some SSL certificates use more complex cryptographic keys, making it harder for hackers to destabilize them. Having a secure connection prevents outside influences from rerouting or slowing down website visitors. It also enhances a website’s Google ranking score and creates customer trust.
Insecure connections can have information stolen from them or in some cases be completely hijacked. Not having an SSL certificate will also cause most web browsers to show a red “insecure connection” icon when your website loads. Once authentic connections have been established and recognized, repeat visitors benefit from increased loading speeds via tools such as cookies.
The current standard for SSL certificates is the free “Let’s Encrypt” certificate, which was released to make the internet a more secure place. There are various levels of SSL certificates offered by Comodo for companies that need utmost security in inter-business connections and for e-commerce sites.
Domain name privacy
A domain name identifies a group of registered IP addresses and is used in conjunction with the domain name system (DNS) to connect people to the websites they’re searching for. To host a website, you are required to create a domain. During that domain creation process, you are required to provide personal information such as your name and date of birth. That personal information gets stored in a domain registry that can be queried by the public.
Without domain name privacy, anybody can perform a WHOIS query to find your address and other details. Hackers will be able to use your personal information to scoop up your domain before you when it expires and hold it ransom.
Let this story impart the value of domain privacy. The Dallas Cowboys football organization didn’t renew their domain in time when it expired, and people swooped in to steal it. Now cowboys.com has become a male dating site.
Data backups are complete digital images of your website put into storage. They contain all the information that makes up and works with the website. Some data protection services use data backups to compare the current version of your website to the old one in order to find significant changes which could be the result of malware.
Sometimes accidents happen, tragedy strikes a data center or savvy hackers get access to your site. In all of these events, your data will be completely lost and without a data backup you’ll have to start from square one. Data backups let you roll back the clock to a previous version and go from there.
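The backup comparison described above, as an added example (not code from any hosting provider or product named on this page): it hashes every file in a backup copy and in the live site and reports what was added, removed or modified since the backup. The directory names, sample file contents and the `build_manifest`, `diff_manifests`, `write_tree` and `demo` helpers are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            data = path.read_bytes()  # fine for site-sized files; stream large ones
            manifest[path.relative_to(root).as_posix()] = hashlib.sha256(data).hexdigest()
    return manifest


def diff_manifests(backup: dict[str, str], live: dict[str, str]) -> dict[str, list[str]]:
    """Report files added to, removed from, or modified in the live site."""
    return {
        "added": sorted(live.keys() - backup.keys()),
        "removed": sorted(backup.keys() - live.keys()),
        "modified": sorted(p for p in backup.keys() & live.keys() if backup[p] != live[p]),
    }


def write_tree(root: Path, files: dict[str, bytes]) -> None:
    """Create the given files under root (used only to build the sample data)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict[str, list[str]]:
    """Compare a constructed backup tree with a constructed live tree."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        # Constructed sample content, not taken from any real site.
        write_tree(backup, {
            "index.html": b"<h1>Welcome</h1>",
            "css/site.css": b"body { margin: 0 }",
            "contact.html": b"<form></form>",
        })
        write_tree(live, {
            "index.html": b"<h1>Welcome</h1><script src='//unknown.example/x.js'></script>",
            "css/site.css": b"body { margin: 0 }",
            "uploads/cache.php": b"<?php /* file that is not in the backup */ ?>",
        })
        return diff_manifests(build_manifest(backup), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A changed or added file is only a lead to review, since legitimate edits made after the backup show up the same way.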
Frequently asked questions
What is the difference between shared hosting and VPS?
The biggest difference is that in shared hosting every user has access to and “shares” a single virtual machine server. A VPS user gets one entire virtual machine to themselves.
A VPS will always be more stable and secure since resources are not shared. Speed and memory are determined by the plan, but generally VPS services are faster.
What’s the difference between shared hosting and reseller hosting?
The difference between shared hosting and reseller hosting is that in shared hosting you are a user sharing space with other users. In reseller hosting you own the space being shared out to other users.
As a reseller host you purchase and control the shared space given to you by a hosting provider. Users generally use reseller hosting to take general hosting services and transform them into niche servers for hosting things like video games. A reseller host can also be a shared user in that controlled space.
What’s the difference between shared hosting and dedicated hosting?
Unlike shared hosting or VPS services, a dedicated hosting plan grants full control of a physical server instead of a partitioned-off virtual environment. You share no part of the server with any other users except administrators.
While you still use a virtual machine to interact with the dedicated server, you have complete control over installation and management of it.
Can you do anything to optimize website performance on shared hosting?
Yes, you can always do things to optimize your website. Ranging from more efficient coding practices to image optimization, being on a shared hosting plan doesn’t prevent you from having a well-optimized web property.
The best way to learn website optimization is to start with a few guides on the subject. From there, walk through each element of your website and see if there’s a resource you can Google for about optimizing it.
What can I do with root privileges?
Any server that can be interfaced via UNIX shell offers root privileges. Those with root privileges have the ability to change settings deep within the inner workings of the operating system. Often, it’s dangerous to start changing these settings without an explicit understanding of how the code operates. There are many stories of users accidentally deleting critical functionalities of their server.
VPS and dedicated hosting services usually grant users root access for the space they’ve purchased. Savvy users can create shell scripts and other types of automated processes which handle things like automated e-mailing lists. There are many front-end and back-end applications that can be installed without root access and which can help achieve these same goals.
In shared hosting, no user receives root access, because this would allow them to view all files and data belonging to other members of that shared space.
Can you install WordPress and other content management systems (CMS) on a shared hosting account?
Yes, some web providers, such as DreamHost, even include one-click installs with their shared hosting services. Most CMS packages can be easily installed by following the appropriate set-up instructions and requirements. You can also use your hosting provider’s guides and technical support team for help.
Can you run an e-commerce store on shared hosting?
Yes, but always make sure that the shared hosting service you choose provides the speed and stability necessary to support your traffic. Be aware that shared hosting has increased security vulnerabilities at times, and make sure to secure customer databases. Shared hosting services can be a great way to quickly test an e-commerce store to see if it is viable for profit.
While some shared hosting services offer scalability, any e-commerce website that starts to receive any meaningful traffic should quickly upgrade to a VPS or dedicated server.
Glossary of common hosting terms
- server: collection of hard drives and processing units that deliver information to other computers on remote request
- VPS: virtual private server, an entire virtual machine reserved for a single user
- reseller hosting: acquiring a block of servers from a web provider and then hosting others through them
- bandwidth: the amount of data that can be transferred between a website and its users
- hard drive space: the amount of dedicated storage memory available
- root access: a user with administrator powers who can change key information on a server
- IP: a unique identification number for computers communicating over networks
- IP filtering: preventing known IP addresses from connecting to a website
- dedicated IP: an IP permanently associated with a single website or server
- domain: the name websites use to be identified as in the DNS
- DNS: domain name system – a database of connected names and IP addresses
- SSL: secure socket layer, a type of encryption that secures data transactions
- SSH: secure shell, a type of file transfer
- FTP and SFTP: file transfer protocol and secure file transfer protocol
- blog: a type of website authors use to promote or communicate about specific topics
- WordPress: a unique software designed for blogging
- control panel: access point for shared hosting users to interact with their web hosts
- cPanel: a type of control panel commonly used by shared hosting providers
- Apache Server: an open-source web server that’s often deployed on the most common servers
- Cookie: a saved text file browsers use to remember users and their activities on a website
- HTML: hypertext markup language, a syntax used for writing web pages
- HTTP: hypertext transfer protocol – the rules for sending HTML data packets