The malicious party may be identity or data thieves looking for sensitive information they can use for personal gain. But, they can also be people seeking only to cause disruption. Regardless of which camp an attacker falls under, they pose a threat, and website owners would be wise to protect their sites against threats preemptively.
One critical aspect of securing websites is to make sure that the hosting providers supporting the website take security seriously. If the hosting company is lax about preventing unauthorized access, finding and removing malware, and so on, it is like leaving one’s back door hanging open and unguarded.
Furthermore, it’s important that the hosting company makes the security features they offer accessible and easy to use. In 2018, the FTC reviewed 11 hosting companies, looking at the security features they offered and how easy it was for users to access and enable them.
Things like SSL support and use of encrypted channels for data transfers were included in most plans and straightforward to use. Others important technologies (such as those used to prevent phishing attacks) were not supported or difficult to enable. The bottom line: the average hosting could be the weakest point in your digital security.
When comparing web hosting options or when reviewing a current vendor, how does one determine if a given company offers secure web hosting?
When choosing a hosting provider, we often spend a lot of time reviewing the features the company offers to its customers, including resource allocations and supported integrations. These are important.
But, teams and decision makers need to look closely at security features and implementations as well. Look for reviews written by actual customers and research past known security breaches.
Here are the key features that the hosting company should support and be enabled by webmasters.
File transfer protocol (FTP) is used to transfer files from local computers to the web hosting account. The problem with FTP is that unauthorized parties can intercept and modify files in transit fairly easily (and without detection). Using Secure FTP (SFTP) instead closes this vulnerability.
SSL (Secure Socket Layer) certificates are used to establish secure connections between a website’s servers and the visitors’ browsers or devices. With a secure connection, the two parties can exchange information without fear that a third party intercepts and reads data that should remain private. Many hosts offer free SSL certificates, but premium offerings that offer additional protection (e.g., for subdomains and other lower-level pages) may be a good idea.
The Sender Policy Framework (SPF) allows people to publish the domains and IP addresses they use to send emails. Email providers use this information to determine if an email actually originated from the sender indicated; if not, it is flagged as spam.
SPF serves two purposes; it helps those who rely on email prove that they are a legitimate sender, and it helps people identify spam messages. Spam messages are more than just a nuisance; they could contain phishing attacks designed to get users to part with sensitive information. (Phishing attacks are scams featuring emails that look reputable. They include requests for the sender to provide sensitive information, which the attacker then uses for personal gain.)
DomainKeys Identified Mail (DKIM) is an email authorization method used to protect against forged sender email addresses (in the From field), a technique commonly used in spamming and phishing. With DKIM, senders sign an email with their digital signature, proving that the domain name displayed in the message is authentic.
Depending on the use and purpose of the website, there may be regulations by which the web hosting must abide. Some of the more common regulations include:
Website owners are ultimately responsible for the security of their sites. To that end, they need to make sure that their web hosting provider offers the functionality they need to protect against unauthorized access, malware, privacy breaches, and other types of cyber attacks.
