SiteGround Security Ins and Outs
I’ve always wanted to express how I feel about security in the shared web space, where dozens of users divide the same resources and at the same time require dramatically different technologies to be enabled on a single host server (such as different PHP engines with different options enabled, Perl, Python, an FTP service, an email service, a Database service, etc;). In case you’re an admin, you’ll know how difficult it is to provide all of that on a shared hosting server while allowing access to practically everybody on the Internet and at the same time maintaining a very good level of security. Believe me, it’s a tough job. I know it as I’ve been dealing with that for more than 8 years in a row now, on a daily basis.
There are two main types of security precautions a website owner should be concerned about that I would like to discuss.
1) The first and most important is not so much related to the server, but to the website itself and to be precise – whether the website is secure enough. It all starts with the design and development of the site and what security practices are followed. Good security practices include a well-written, tested and non-exploitable code of the site; using SSL on sensitive pages especially those, on which you transmit data from and to the user; not using lame passwords; protecting your forms with captcha and other applicable secure mechanisms; etc. In case you run a third party software, such as Joomla or WordPress – always make sure you run the latest stable version of your software and all your modules. If you don’t know how to do that – ask your favorite SiteGround Support team 🙂
2) Even in the case you run a very well written and secure web software, there is still a high chance you get hacked and stumble upon all the negative consequences of that. Whether you get hacked also highly depends on your hosting environment – on the server security and on the rest of the users hosted on the same server spot as you.
Looking at most hosting companies’ websites, they either don’t say anything about security or just say they run “secured servers”. However, from my 8 years of experience in the hosting business I know for a fact that running the so-called “secured servers” does not help in the event a website gets compromised. Furthermore, it won’t make you happier that your website lies on a secured server if it gets compromised because another client hosted on the same server got hacked through an outdated application (this happens all the time) and from their account the rest of the server got hacked too. So you might wonder what does exactly “a secured server” mean then? It usually means the following:
- Frequently updated server kernel
- Frequently updated control panel
- Frequently updated services (apache + PHP, MySQL, Exim, etc)
- A firewall
- A Spam filtering service
where ”frequently run stock CentOS kernels (primarily because they are old) like most of the other hosting providers. We patch Vanilla kernels with popular security patches (like GRsec) and with some in-house written security and performance patches too.
- We isolate accounts on the server – with the in-house started and developed product Hive, which later grew into its own brand called 1H.com, we brought down the chances of a single account compromising the whole server close to zero! In reality every account on SiteGround shared hosting environment (including Hosting Plus and Business hosting accounts) is live on something similar to an isolated VPS environment within an OS called BaseOS. All the accounts have read-and-write access only within its home directory, which means that even if hacked through let’s say a Joomla module vulnerability, the attacker cannot go outside the account. Also a lot of commands and tools from the Linux system are either changed or disabled in order to further minimize the risk of intrusion through the server. Sounds pretty much like a heavily configured VPS, right? Only much much cheaper J.
- Even having the Hive account isolation technology in place and not having to worry about one account affecting another, we’ve also developed scripts to check for hacked content and very often notify website owners with hacked scripts or applications. Who else does that? The answer is Google – once your site gets hacked, Google will tell everybody about it and you will lose visitors, clients, trust! We advise our clients how to solve the problems and even help them if they don’t have the knowledge to do so theirselves, before Google finds out. We have also recently launched a very cool extra service called HackAllert that monitors your website on a daily basis and emails you about malicious code or website security issues.
- We run a powerful Intrusion Prevention System called 1H Hawk, which will identify if someone is trying to bruteforce any of your passwords – like FTP, Email or other, and will disable access to the attackers IP address IN REAL TIME.
- We monitor! Most of the times while there’s an attack on the server, there are many signs on the server about it. Most hosting companies monitor their servers (and by servers I mean server load only) every five minutes, while we do the same real time and catch threats instantly! And SG does not only monitor load, but also monitors for attacks – both network and hack attempts, spam activity, abnormal resource usage by users and irregularities on a server level. And that’s on every server 24/7/365!
- We have very strict server login policies in place. Server login is not allowed to anybody outside our admin team, even to our DC Supervisors. We remind and advise clients to change passwords every 6 month as a good security practice, while we ourselves update every single login key every 3 months, or upon the occurrence of an event that triggers such a need, like an employee leaving the company. All server logs are preserved and all actions on all servers are recorded at all times.
- Last, I should mention the top security maintained in our new advanced data center, which guarantees the most basic and very essential protection of the data hosted on all our machines. For more info see my other post about it here.
My list goes on, but this post is long enough already. Let me know if you’d like to hear more on how your server at SG runs and those small things we do for you 🙂
Tenko
The SiteGround Mastermind
Comments ( 22 )
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through
Shannon Wagner
Thanks for the info - I think posts like this are very important for building customer confidence. Plus, the security information would be interesting to me even if I were not a SiteGround customer. I'd love to see more of this type...
Nick Gervin
Great info, thanks for sharring.
Kris Rooney
I had an old Word Press blog that was outdated and inactive for over a year. I got hacked. The hacker used my SG e-mail accounts to send thousands of spam e-mails. SG was on top of the problem. long before I was aware of it, they took immediate steps to protect the other users. Very impressive work, guys. I chose to delete the outdated Word Press. Again, sorry, Thank you very much!
Samuel
This is awesome Tenko. Thanks for sharing this info. Now I feel a bit more secure :)
Eiahb
Hi Tenko, I think this entry is very valuable and raises many important aspects in regards to security. I have hosted several accounts with you and I must say I am very impressed with all you do. I am now looking to host a proper plan for my business which is E-Commerce; the Platform of Choice would be Magento. However I do have concerns, and the point you raised “Good security practices include a well-written, tested and non-exploitable code of the site” part of the hosting you offer packages such as Magento, Joomla! And others, some of these somewhat easy to hack by hackers due to the nature of them being open source. It is known before that with URL injections Magento can be hacked. Now my question to you is that do you utilise the actual instillation of products such as Magento to cover known security weak spots. I am looking to for Magento Go Mainly due to my security concerns. If you can elaborate more about security measures you do with Magento installiation for instance that would be great. And I rather do host with you because I use your service a lot. Thanks,
Tenko Siteground Team
Hi Eiahb, First, sorry for the late reply, I've been out of the office for a week attending a conference. As I know that many people will have questions similar to the one you have I decided to share our latest experience with dealing with a WordPress related exploit. You can see how SiteGround reacted to a situation with a vulnerability in a popular plugin for WordPress in details here. In short, our philosophy for dealing with such security problems is to react quickly when they become known and apply a fix that is from our field of competence. And our primary field of competence is the server administration, and not the application code improvement. We believe that the secret for a successful global fight against security vulnerabilities is that everyone contribute quickly and wisely with what they can do best: the creators of the code should come with a security update, and the web hosts should minimize the chance of the vulnerability being exploited on their servers by coming up with and applying fast changes the severs setup that correspond to the situation. Security is a process and not a one time action. So instead of having a false believe that we can do something at the point an application is installed and live happily ever after, we rather apply an ongoing monitoring and thus we are ready to react fast to any major issues appearing.
Avrohom Gershon
Wow! I was not aware of the constant battle you are fighting on our behalf. I'm glad I'm with Siteground!
Mike Pritchard
You guys rock for sure. I Always recommend my clients go with siteground (in fact I have decided to start charging more if they don't) because of the great service, easy to use features, but especially because of the security. (well, okay, the price you charge is really nice too). Of all the sites I have managed I have never once had a siteground account hacked. I have had several accounts hacked that were hosted elsewhere and it consumes a lot of my time when that happens. I have convinced some of my clients to move to siteground due to hacks at their old webhosts. Thank you guys for the great work. Mike Pritchard
Stanley Draper
Fascinating. As a prospective computer programmer, it's always amazing to read about technology, and this is very interesting stuff. I've never realized how truly vulnerable a website can be. Thanks for allaying my hacker paranoia.
Brian Hinkley
I love what SiteGround is doing along the lines of security. I haven't experienced any down time since I moved my sites. The real bonus is the hundreds of spam emails I received on a weekly basis at my old host have stopped completely. Keep up the great work and thanks for everything.
Elijah
"We run a powerful Intrusion Prevention System called 1H Hawk, which will identify if someone is trying to bruteforce any of your passwords – like FTP, Email or other, and will disable access to the attackers IP address IN REAL TIME." IDS is something that has application level protocol scanning that can detect maliciuus code embedded in legitimate http traffic, something that can do deep level packet instpection and detect malicious payload hidden in the traffic, sql injections and so on. I used myslef Tipping Point and F5 for different networks and what you describe doesn't seem like real IPS. I mean even WordFence plugin can protect egins bruteforce atack and block IP adresses in the real time. Do you guys have soething that is enterprise grade level IPS/IDS?
Daniel Kanchev Siteground Team
Hi, Elijah. Thank you for your great question! We do take security very seriously and we constantly strive to improve our services in this direction. Our experience shows that the security technologies that we use are very effective in the web hosting world and our customers can feel safe when using our services. We use a modular/layered approach to security. That being said, the 1H Hawk is just one of the security technologies that we use on our servers. As it is mentioned in the article, it is designed to specifically detect and prevent only the brute force attempts towards the most important services that run on a shared hosting server - the e-mail service, the FTP service, the Webmail and cPanel services, etc. Those are the most common entry points to hackers and blocking unauthorized access to them helps us stop a huge part of the attacks towards our servers. We also have our own WAF (Web Application firewall), which is a completely different software package installed on our machines and has nothing to do with Hawk. The WAF prevents exploits, injections, XSS attacks, etc. by analyzing the requests coming to the server and blocking the malicious ones. This way we are eliminating a big part of the vulnerabilities. The WAF works with security rules that we write daily and distribute on all servers. We do not perform real time deep packet inspection because it consumes a lot of CPU time and we focus on web hosting and not traffic analysis. If needed we can perform deep packet analysis for certain sites that are under attack but this is not something that we do all the time. Our experience shows that our tools allow us to protect our customers 99,9% of the time. There are many applications that are specialized in such detailed analysis and monitoring, such as Cloudflare WAF and Incapsula, which can be used by the clients. As a matter of fact Cloudflare are one of our partners. Even these systems, however, cannot guarantee a 100% protection. Let us know if you have other questions or comments.
Lorien Pratt
I am concerned about additional security measures: 1. Personnel financial and criminal background checks 2. Control of privileged account access 3. Internet routing change detection 4. Audit log completeness, reporting and review (automated or manual) 5. Availability of data base encryption 6. Offsite backup encryption. 7. Bonding of employees
Marina Yordanova Siteground Team
Hello Lorien, these are indeed important points! We make sure to follow the best practices regarding our security while respecting the privacy of our customers and employees.
Tommy Redmond
Hi there, I have a simple question, I hope you can help. I have recently joined Siteground and am just about to go live with my first website. My question is this....do I need to bother with third party plugin like ithemes security pro or is the security provided by Siteground enough? Thank you in advance.
Hristo Pandjarov Siteground Team
Good security is not something you can achieve with a single action. We do a lot to protect you against all threads we can, but it's always a good idea to have extra security added, to use strong passwords, two-factor authentication, etc.
Richard Sage
Have you had any penetration testing done? To what extent can you share (positive) conclusions from that? With an internet business on a hosting provider, the responsibilities to the outside world regarding cyber security are to some extent by definition split between the hosting provider and the website owner. If something goes wrong in the elements which are more the Siteground responsibility, then "Siteground said they were OK, so I trusted that they had done" is not as strong as "I had penetration testing for script injection etc done on my pages (and fixed issues found), and for the server-level aspects Siteground had penetration testing done by Xxxx". As a parallel, I have seen on-line casinos publish reports by auditors regarding fairness of the games provided.
Hristo Pandjarov Siteground Team
Yes, we do perform penetration tests on a regular basis using an independent company plus the always live bounty program. We take security very seriously and do everything possible to make our systems as safe as possible for our clients.
Jeremy
This would be most useful if a report could be made available to customers showing the results of the pen tests performed by the independent company mentioned above.
Hristo Pandjarov Siteground Team
Sharing pen reports publicly is pretty bad idea and security practice. I can assure you that all reported issues(if any) from such reports are fixed with highest priority by our team.
Christine
If my site is hosted in the US, is that system secured so that only US can access? Or is it accessible outside the country?
Hristo Pandjarov Siteground Team
All our data centers are accessbile from all over the world. If you need such restrictions, you need to place them manually on your account.
Start discussion
Thanks! Your comment will be held for moderation and will be shortly published, if it is related to this blog article. Comments for support inquiries or issues will not be published, if you have such please report it through