Security questions for every web host

Security is one of the last aspects people consider when choosing a web hosting company. What they don't realize is that a secure server is an essential part of any hosting plan, and without one a malicious user can access, manipulate, delete or steal valuable information about your online business.

Namhost takes the security of our clients' websites and our servers very seriously. We have several security measures in place to protect your data from malicious activity.

Below we've assembled a list of ten questions and the reasons why they are important. These are examples of the questions every prospective client should ask their web hosting company before signing up.

Scripting languages

1. What are your policies for upgrading Perl, PHP and other scripts and languages to the latest versions?

It's important that all software is always kept up to date to decrease the number of security holes in those software applications.

Using older software versions makes it easier for malicious users to gain entry through old bugs or security holes.

2. Do you allow register_globals for PHP?

The PHP register_globals directive was deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0, and should be unavailable if the latest PHP version is installed on the web host's server.

The directive introduced too many security risks to applications written in PHP.

3. In PHP do you set open_basedir?

The PHP open_basedir directive defines the paths from which PHP can access files. It's considered a security risk because paths to secure files could be defined with this directive.

4. Do you require all Perl web pages to run with taint checking turned on?

Taint checking is a Perl feature that highlights specific security risks in code that could be used by malicious users to hijack a script.

Administrative privileges

5. Does your web server run as root?

Root, also called the superuser, is a special user account used for system administration.

With such high administrative privileges, a user can perform any task without confirmation.

6. Do you keep the cgi-bin directory out of the document root?

The cgi-bin directory is where a server stores all its applications and other executable scripts.

Keeping the cgi-bin out of its default location can decrease the risk of malicious attacks, because executable applications can only be run from this folder.

7. Do your database processes run as root?

Again, with such high administrative privileges, a user can perform any task without confirmation.

This is to prevent common mistakes by normal users since a database can easily be deleted by mistake.

8. Do you make use of chroot?

Contrary to popular belief, chroot should never be used for security purposes. Its intent and development have always been for the following:

  1. Testing and development
  2. Dependency control
  3. Compatibility
  4. Recovery and Privilege separation
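
For questions 5 and 7, the answer can be checked on any server where you have shell access. The script below is an added example, not Namhost's own tooling: it reads output in the format of `ps -eo user,pid,ppid,comm` and reports web server and database processes that run as root. The sample process table and the process names it looks for are assumptions.

```python
# Added example (not Namhost's tooling). SAMPLE_PS is constructed text in the
# format printed by `ps -eo user,pid,ppid,comm`; process names are assumptions.
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 systemd
root       812     1 apache2
www-data   901   812 apache2
www-data   902   812 apache2
root       903   812 apache2
root      1200     1 mysqld
postgres  1300     1 postgres
"""

WEB = {"apache2", "httpd", "nginx"}
DB = {"mysqld", "mariadbd", "postgres"}

def parse_ps(text):
    """Turn ps output (header line skipped) into a list of dicts."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) == 4:
            user, pid, ppid, comm = parts
            rows.append({"user": user, "pid": int(pid),
                         "ppid": int(ppid), "comm": comm})
    return rows

def root_findings(rows):
    """Return (pid, comm, reason) for web/database processes run as root."""
    by_pid = {r["pid"]: r for r in rows}
    found = []
    for r in (r for r in rows if r["user"] == "root"):
        parent = by_pid.get(r["ppid"])
        if r["comm"] in DB:
            found.append((r["pid"], r["comm"], "database runs as root"))
        elif r["comm"] not in WEB:
            continue
        elif parent and parent["comm"] == r["comm"]:
            # Child of the master process: this one handles client requests.
            found.append((r["pid"], r["comm"], "web worker runs as root"))
        elif not any(c["ppid"] == r["pid"] and c["user"] != "root"
                     for c in rows):
            # A root master is normal only if its workers are unprivileged.
            found.append((r["pid"], r["comm"], "no unprivileged workers"))
    return found

if __name__ == "__main__":
    for finding in root_findings(parse_ps(SAMPLE_PS)):
        print(finding)
```

The master process of a web server usually starts as root so it can bind ports 80 and 443, which is why the script only reports it when none of its children run as an unprivileged user.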

Security applications

9. Do you use mod_security?

ModSecurity is an embeddable web application firewall that gives users some protection from a range of malicious attacks.

The application prevents a number of code injection techniques.

10. Is there an option to use SFTP?

SFTP is a more secure form of uploading files to a web server than FTP because FTP passwords are not encrypted when sending login information to the server.

 

Does your hosting company ensure your data is secure? We do. See our list of hosting packages for a more secure and affordable hosting experience.