Cheaper Shared Hosting Imperils Security

Hosted servers, especially shared accounts, can pose real security problems. Some hosts are better than others, but with shared hosting, you basically have to keep your fingers crossed.

I’ve been a fan of shared hosting as a cost-efficient solution for most Web sites, but you pay a price for saving that money. I’m not as much of a fan as I used to be. In a way, it’s like taking a bath with strangers. You probably save a lot of water, but you don’t know what’s in there besides the soap.

A well-designed and -managed operating system and other system software can attempt to protect applications and users from each other, but things do go wrong at times. Consider what happens when an attacker goes after one of the other sites on your shared server. Vulnerabilities such as this MySQL Password Handler Buffer Overflow Vulnerability or this PHP wordwrap() Heap Corruption Vulnerability occur. If the attacker gains control of the server or the database, you’re all just as vulnerable. And it may not be an outsider. It could be one of the other hosting customers. If the hosting admin and other customers aren’t attentive, the offending party might even get away with it.

Because the host can run literally thousands of low-volume sites on a single box for Web hosting (they need another box for mail hosting), it can be enormously profitable even when the sites are very inexpensive. There are a number of mature “control panels” available to hosts, and many write their own, to let customers manage their own sites. If things go well, it should be nearly pure profit. I guess dedicated hosting must be even more profitable, since hosting services seem to push it far more than the cheap shared plans. I suspect there are a lot of dedicated hosting users out there paying $150 a month for needs that would be served by a $20-a-month shared plan.

Mike Prettejohn of Internet research firm Netcraft Ltd., which follows the hosting market carefully, said he thinks “strongly themed shared hosting, e.g. the Yahoo storefronts” are the best type of shared hosting. They define a rigid but easy-to-use environment for the customer, limiting the damage the customer can do, accidentally or otherwise, and they scale brilliantly for the hosting company.

Generic shared-hosting accounts, on the other hand, the ones with access to Perl and PHP and (shudder!) shell accounts, are a potential disaster. It’s very easy for one customer to DoS (denial of service) all of the others with a badly written program. And you know how you’ll often read about a vulnerability in Linux, such as this one, but it’s not so big a deal because only local users can exploit it, not remote users? Those shell accounts make the users local. (Good management can prevent those users from uploading and executing arbitrary and exploitative code, but good management isn’t built into the operating system.)

And then there are the external DoS attacks. I’ve read reports indicating that general DoS attacks against hosting services are up, so if your sites are in the wrong IP range, you get to suffer along with everyone else.

Larry Seltzer has been writing software for and English about computers ever since, much to his own amazement, he graduated from the University of Pennsylvania in 1983. He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years. For several years, he wrote corporate software for Mathematica Policy Research (they’re still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market.

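
The article's point that the other customers on a shared box are local users can be checked from the customer side. The script below is an added example, not part of the original article: it lists files in your own account that any other local account could modify, and credential files that everyone on the server can read. The names in SECRET_NAMES are an assumed list (local.xml and env.php are where Magento keeps its database credentials) and should be adjusted for your application.

```shell
#!/bin/sh
# Added example: audit your own shared-hosting account for files that
# other local users on the same server could read or change.

# Assumed list of file names that usually hold credentials or dumps.
SECRET_NAMES='local.xml env.php .env .htpasswd *.sql *.key'

# audit_exposed ROOT
# Prints one finding per line in the form "<CLASS> <path>".
# Note: this looks only at the mode bits of each entry. A parent directory
# without o+x hides everything below it; a directory with o+x but no o+r
# still lets other users open files whose path they can guess.
audit_exposed() {
    root=$1

    # Files or directories writable by "other": any local account can
    # alter them or drop new files into them.
    find "$root" \( -type f -o -type d \) -perm -0002 -print |
        sed 's/^/WORLD-WRITABLE /'

    # Credential-bearing files readable by "other".
    set -f                      # keep the patterns from globbing here
    for pat in $SECRET_NAMES; do
        find "$root" -type f -name "$pat" -perm -0004 -print
    done | sed 's/^/WORLD-READABLE-SECRET /'
    set +f
}

# Usage: sh audit.sh /path/to/your/webroot
if [ "$#" -gt 0 ]; then
    audit_exposed "$1"
fi
```

Files the web server must read can usually be made group-readable for the server's group instead of world-readable; whether that is possible depends on how the host runs PHP.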
Shared hosting is best for Magento

First put the Magento stores in their own VDS environment (so you are running 30 VDS on the server) and see how they perform. Then close them down and put the same stores in shared environments on that server. They will almost certainly perform faster on the shared setup. This is because the server is not running 30 versions of Apache, 30 versions of MySQL etc. Further, the host company will pay MUCH more attention to the uptime and configuration of the shared server than to the individual virtual machines. They will be able to set up and tailor the server once to run Magento more efficiently and keep it running.

Of course there are downsides to a shared service. You are much more dependent on the traffic of the other sites that you share the server with. That said, a decent host will have processes in place to monitor for this and stop one store hogging all the resources. Further, as you are presumably running a proper Ecommerce site, you will have your own SSL and thus your own IP address, so you will not be affected by another site being blacklisted. Obviously you need to pick a host who does not cram thousands of sites onto a single server, and preferably a host who knows how to configure a server to run Magento.

At all times you need to be conscious of your objective. Your only real selection criterion when choosing a host: YOUR SITE MUST RUN FAST. That's it. The customer perception is all that matters. Your site must come up quickly, when they do a search the results must be returned quickly, when they add an item to the cart it must be added quickly, when they check out the process must flow quickly. No hesitation, no blank screens, no annoying wait. So with the 4 hosting plans I have used in the last 3 years, the shared one is half the price, twice the speed, and fully managed.

PCI compliance

By this I mean making sure the site can pass a PCI security scan. If a host company cannot get a shared service to pass a PCI scan, move on. Many can, so do not listen to their excuses. If you want to store credit card details on your site, then I am afraid that a dedicated server (or two) is required, plus very deep pockets.

Selecting a good host

This is easier said than done. I wasted over two years and went through three hosts before I threw out my selection criteria and went back to basics. I originally looked for a host that would support Magento, one that would assist in the upgrades and help fix bugs. I forgot to ensure that the host did proper hosting things first. It is far better to find a good host and a different company to support Magento as and when you need it.
