Web Hosts best known for Security?

Discussion in 'Web Hosting' started by SeekingAnswers, Jan 26, 2015.

  1. #1
    Hello Forum,

    Are there web hosts best known for their ass-kicking, lock-tight security?

    I'm in the beginning phases of researching how to create a website (my first, I'm a noob). It will be a blogging website with a user forum (but I will want to scale it into something bigger, given that it's successful and given I learn a heck of a lot more than I know atm).

    However, the subject matter is health/medical related, so security is of the utmost importance. Everyone visiting the site must have full confidence that whatever they share or comment will stay within the confines of the website. And I want it to be that darn lock tight.

    I know SSL certification is ground zero for all of this, but are there particular hosts who are known for their security?

    I also have like, a barebones budget. Me's po'.

    I'm so noob, I was thinking of starting it as a Wordpress theme site, getting the blog part down first, then working on the forum later. There may also be a small e-commerce component (handful of products). I'm very new to web design, hosting etc., so I apologize for my noobness.


    Yours truly,
    SeekingAnswers
     
    SeekingAnswers, Jan 26, 2015 IP
  2. gigapros

    gigapros Active Member

    #2
    If you are in USA and need to store health/medical related records in your server, then you need HIPAA compliant hosting, which is very expensive (> $1000/mo).
     
    gigapros, Jan 26, 2015 IP
  3. SeekingAnswers

    SeekingAnswers Peon

    #3

    Thank you for your reply gigapros.

    I've been doing a lot of research into HIPAA law, and so far, based on what I've found, I will not need to do HIPAA level data protection. I will not be a "covered entity" -- I'm not a healthcare provider, insurer, device maker, etc. or subcontractor thereof, so I can avoid all of those expensive requirements. Of course, my research may, at some point, tell me I'm wrong.

    What this level of security would be for, would be the peace of mind of the users and for the reputation of the website, in that people would feel safe within its confines. If I could afford HIPAA level protection, I would get it without thinking (just to make everyone feel warm and fuzzy). But since I don't think it will be required, and because I am on a less-than-shoestring budget, I'd like the next best (way lower cost) thing.
     
    SeekingAnswers, Jan 26, 2015 IP
  4. PoPSiCLe

    PoPSiCLe Illustrious Member

    #4
    Well. Generally speaking, WP isn't secure. Never has been, probably never will be. It can be made MORE secure, of course, but it's not made for security - it's made for ease of use. That being said, starting out with it should be fine, I would perhaps ponder trying to budget in (in a year's time or so, perhaps, if you see the site's being used) a proprietary solution (of course, that's no guarantee it will be any safer, but if you either learn a lot, or get someone knowledgeable on board, you might manage to make a minimal approach vector). Also note that semi-commercial or commercial sites are usually the most sought-after prize for the black-hatters out there - which might mean that if your page becomes popular and maybe creates a name for itself, it might be prodded by more advanced threat-vectors.

    Basically, the site is as secure as you make it - whether or not the host has firewalls and/or other means of protection in place is a bit of a moot point if the admin-page is wide open, or if the site is susceptible to SQL injection, for instance.
     
    PoPSiCLe, Jan 26, 2015 IP
  5. SeekingAnswers

    SeekingAnswers Peon

    #5

    Thank you for your detailed response PoPSiCLe. I've started noticing that trend throughout my forum reading -- that WordPress isn't known for its security. I also am realizing, based on your response and others', that a lot of security has to do with how the site is built and managed, rather than the hosting solution.

    I would much prefer a proprietary solution, once the budget's there. Unfortunately I have to start dirt cheap, which means using pre-built stuff and a shared server.

    I've put some serious thought into diving back into the programming world -- I haven't been there since high school, and it wasn't like I was some wiz kid back then either. I had a very basic grasp of C/C++ (like AP level), and that was the end of it. I realize the world has changed a lot since my computer science days.

    I've considered investing in one of those programming boot camps, but can you really learn enough in one of those to create a high-quality proprietary website? I imagine that someone who does it for a living will always be drastically better at the task. Anyway, I may be veering off topic, but your response really got me thinking.

    Down the line, I certainly intend to have some skilled people working with me. But in the initial phases, I believe it will be a lone wolf project -- until I pull in the meat.

    I also didn't know that such sites were a turn on for black hatters. I have a lot to learn!
     
    SeekingAnswers, Jan 27, 2015 IP
  6. PoPSiCLe

    PoPSiCLe Illustrious Member

    #6
    I'm not saying that your site will be an immediate target in any way - but there are a lot of bots and scripts attacking WP-installs, trying to login, bruteforcing etc. Hence why there is need for added security, changing usernames and using strong passwords.
    When I said that these sites are potential targets, I was talking about sites with a lot of traffic and huge member-base - if they also provide an online-shop, perhaps which offers payment via credit cards or similar, it might be even more tempting - what IF that page has stored the information? Even though they shouldn't?

    And yes, the security is more about how than where - if the site is rock-solid on an open box with no firewall, it's gonna be rock solid even when there are 15 strong firewalls in front of it - it will just be harder to reach :D
    If it's wide open without a firewall, it's still gonna be wide open with a firewall - although it might be slightly harder to get to it. The problem is that most webservers aren't broken via doing stuff that goes through the firewall, they're broken via bad coding. And, of course, sloppily set up servers AND firewalls. Letting the DB-server communicate onto the open web, for instance... which most hosts do. Instead of having to go through a secure intermediary. And so forth and so on. There are hundreds of holes to fall into - I'm sure you'll find some :) Just make sure you have backups, hash what can be hashed, encrypt what can be encrypted, make sure you run on a proper version of SSL, etc. etc.
     
    PoPSiCLe, Jan 28, 2015 IP
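
The bot traffic against WordPress logins described in post #6 is visible in an ordinary web server access log. The following is an added example, not part of the original thread: it counts POSTs to `/wp-login.php` per client IP inside a sliding time window. The log lines are constructed (documentation IP ranges), and the threshold, window and function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" format: one noisy client,
# one user who mistypes once and then logs in, one plain page view.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [28/Jan/2015:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "-"'
     for s in range(0, 48, 8)]  # 6 attempts in 40 seconds
    + ['198.51.100.9 - - [28/Jan/2015:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "-"',
       '198.51.100.9 - - [28/Jan/2015:10:02:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
       '192.0.2.44 - - [28/Jan/2015:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2800 "-" "-"'])

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_login_posts(log_text):
    """Yield (ip, timestamp, status) for every POST to /wp-login.php."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if m["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield m["ip"], ts, int(m["status"])

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak failed attempts within one window} for IPs at or above threshold."""
    failures = defaultdict(list)
    for ip, ts, status in parse_login_posts(log_text):
        # Assumption: default wp-login.php re-renders the form with 200 on a
        # failed login and redirects with 302 on success.
        if status != 302:
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))
```

IPs returned by `find_bruteforce` are candidates for rate limiting or blocking at the web server or firewall; tune the threshold to the site's real login volume before acting on it.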
  7. SeekingAnswers

    SeekingAnswers Peon

    #7

    What you're saying makes sense. Over time, especially with success, I'll become a target.

    Thank you again for your feedback.

    Do you recommend any books, websites, or publications for learning about website security? As a beginner?
     
    SeekingAnswers, Jan 29, 2015 IP
  8. King-Servers

    King-Servers Greenhorn

    #8
    Most of the hosting providers offer tight security, but it is also the client's responsibility, like maintaining strong passwords and changing them, never sharing your passwords, optimizing scripts and database and, in WordPress, keeping the plugins up to date.
     
    King-Servers, Jan 29, 2015 IP
  9. PoPSiCLe

    PoPSiCLe Illustrious Member

    #9
    Sorry, I don't really know any books - I don't read them :) I follow online resources, and I read up on every new "scare" they provide info on, apart from that, most of web-security is "old news" - it's just that most webmasters are oblivious.
     
    PoPSiCLe, Jan 29, 2015 IP
  10. SeekingAnswers

    SeekingAnswers Peon

    #10

    I see. Well thank you for your advice (and you too King-Servers).

    I've a lot to learn!
     
    SeekingAnswers, Jan 30, 2015 IP
  11. Hitesh B

    Hitesh B Member

    #11
    Bad coding is one of the reasons security is breached. I agree with @PoPSiCLe that a firewall can be breached as well, it would just take more time. Please ensure that you perform thorough research before narrowing down on your hosting provider. Also keep reading reviews of users who have had a bad experience, since it is here where you actually come to know the downside of the provider's services, security, servers, connectivity etc. Good Luck!
     
    Hitesh B, Feb 1, 2015 IP
  12. Teodor

    Teodor Banned

    #12
    I believe that you need to look at the quality of the service and especially customer support.
    Try considering vpsnine.com and their vps hosting solutions. Try code REPZ15 for a 15% discount on first time orders.
    There are a lot of helpful tools included that I am using for my business.
     
    Teodor, Feb 4, 2015 IP
  13. SeekingAnswers

    SeekingAnswers Peon

    #13

    Thank you for the additional advice everyone! I'm still researching a host. This stuff is far more complex than the days of Geocities haha.
     
    SeekingAnswers, Feb 5, 2015 IP
  14. matt_62

    matt_62 Prominent Member

    #14
    Having a hosting company that has air tight security, and you having WordPress is potentially the same as having deadlocks on the front doors, bars across the windows, and having the back door wide open.
    So many times I have seen people get hacked, NOTHING from the server side of things, but rather due to using basic unprotected WordPress setup and/or dodgy or outdated themes and plugins.
    If you really want top notch security, don't just take a good host, but take a commercial WordPress plugin such as sucuri (https://sucuri.net/website-firewall/signup), as this helps protect your site.

    A good host can give you advice on what plugins to install, and guide you on how to secure it, but realistically, securing your own websites is your responsibility. There is a line between providing support for the hosting platform, and being your personal website developer, a standard hosting company simply cannot lock down every single 3rd party script that you use on your behalf.
    If you want a host that can lock down the server tighter than anything else, including the server, and your main website, I would be looking into a premium website design company, where they would have developers and coders whose job is to ensure your website is up to date, secure and working the way it should.

    Good luck with your project.
     
    matt_62, Feb 6, 2015 IP
  15. Cecil Mah

    Cecil Mah Greenhorn

    #15
    Nowadays most of the web hosting companies are aware of the demand for strong security and are listening to the demands of their customers. When you are searching for a new web host and evaluating its security, check several things such as SFTP, SSL, backups and server maintenance. Several websites which are best for web hosting are InMotion Hosting, GreenGeeks, PowerUp Hosting, Bluehost, HostGator etc.
     
    Cecil Mah, Feb 16, 2015 IP