Hosts are concerned with the security of their infrastructure, not with your website.
This is a distinction that most website owners fail to make, and it becomes more evident to me every day. This same misunderstanding, however, puts hosts in a precarious situation: on one hand, clients expect security and to some extent get it, but on the other hand it is not the type of security that matters, nor will it address today's challenges. This is all compounded by the economics that drive the hosting ecosystem.
I should clarify, however, that this is not a blanket statement about all hosts. But for the majority of today's shared hosts that deal specifically with end-user websites, it's very much the case.
The Dilemma that is Security For Hosts
What I have found most difficult when trying to partner with hosts is not that they fail to understand that websites are under attack, but rather that they are pressed against a wall in terms of what they can do.
They have strong forces to deal with that dictate that security must be at the top of their mind, and yet their budgets and setups just don't allow for it. Just think about it: you, as the end-user, pay for cheap hosting (e.g., $4.99/month) and for that you expect the world. Yet this need, this requirement, is being driven by external forces that put security at the top of your mind. In 6 months, when the world has moved on to the next big thing, your expectation will be that that too is rolled into the fold.
Try thinking of hosts as an Internet Service Provider (ISP). They lease you the space, and you're responsible for that space. They give you the pipes to do what you need to do, but it's your responsibility to manage the endpoints (the routers, the PCs, notebooks, mobile devices).
Now think of hosts; the exact same scenario is at play.
From a security perspective they are providing you the security you require at various levels in the stack, just not for the website itself. They are working to configure the boxes so that they can stuff as many sites as possible onto them, while ensuring that users can't leapfrog into other accounts (something known as directory traversal or privilege escalation). This doesn't necessarily apply to fully-managed solutions like Squarespace, Tumblr and Wix, where the hosts take full ownership across the stack (which is also why you're limited in what you as the user can do).
The reasoning is simple. They can’t implement a solution to account for the weakest link in the security chain – you, the end-user.
It’s a Perception Problem
The issue hosts have, as with most things, is perception. For end-users, perception is reality, and those realities quickly become the organization's realities.
What I mean by this can best be tied to conversations I have with end-users. When it's someone who has no idea what my company does, the conversation often starts the same way:
Yeah, I don't need that, my host takes care of my website's security.
I feel myself squirm in these situations because the facts of this statement are so incorrect, and yet, how do you go about explaining it without coming off as overly biased?
So therein lies the rub.
A majority of end-users assume, wrongly, that hosts are concerned with the security of their website. What they fail to understand is that the host's concern for the website's security only goes as far as the impact it has on the host's own infrastructure. An example of this is found in several hosts' ToS:
Customers may not use [Hosts] network as to attempt to circumvent user authentication or security of any host, network, or account. This includes, but is not limited to, accessing data not intended for the Customer, logging into a server or account the Customer is not expressly authorized to access, password cracking, probing the security of other networks in search of weakness, or violation of any other organization’s security policy.
It's also why you'll find very clear references in their Terms of Service that you, as the end-user, are responsible for your own security. But who really reads those things anyway?
You agree to be fully responsible for all use of your account and for any actions that take place through your account. It is your responsibility to maintain the confidentiality of your password and other information related to the security of your account.
It is your responsibility to ensure that scripts/programs installed under your account are secure and permissions of directories are set properly, regardless of the installation method. When at all possible, set permissions on most directories to 755 or as restrictive as possible. Users are ultimately responsible for all actions taken under their account. This includes the compromise of credentials such as user name and password. You are required to use a secure password. If a weak password is used, your account may be suspended until you agree to use a more secure password. Audits may be done to prevent weak passwords from being used. If an audit is performed, and your password is found to be weak, we will notify you and allow time for you to change or update your password before suspending your account.
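As a concrete check for the directory-permission requirement in the ToS above, here is an added shell example (not from the hosting company or the original post) that lists directories under an account root that are more permissive than 755; the account path and the sample tree are constructed for the demo, and GNU/BusyBox find syntax is assumed.

```shell
#!/bin/sh
# Added example: audit a hosting account's directory tree for directories
# whose mode grants group- or world-write, i.e. anything looser than 755.
# Assumes a find(1) that understands -perm /MODE (GNU and BusyBox do).

# Print every directory under $1 with group- or world-writable bits set.
audit_dir_perms() {
  root="$1"
  # -perm /022 matches if either the group-write (020) or other-write (002)
  # bit is set; 755 sets neither, so only over-permissive directories print.
  find "$root" -type d -perm /022 -print
}

# Count the offending directories so the result can be checked mechanically.
count_bad_dirs() {
  audit_dir_perms "$1" | wc -l | tr -d ' '
}

# Build a constructed sample account tree: two compliant directories and one
# world-writable "cache" directory of the kind an installer often leaves behind.
demo_audit() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/public_html/uploads" "$tmp/public_html/cache"
  chmod 755 "$tmp/public_html" "$tmp/public_html/uploads"
  chmod 777 "$tmp/public_html/cache"
  count_bad_dirs "$tmp/public_html"
  rm -rf "$tmp"
}
```

Running `demo_audit` reports exactly one over-permissive directory; on a real account, run `audit_dir_perms ~/public_html` and tighten whatever it lists with `chmod 755`.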
What you also find in the Terms of Service are the actions they will take if you are found to be in violation of their terms:
Any account found connecting to a third party network or system without authorization from the third party is subject to suspension.
Any account that is found to be compromised may be disabled and/or terminated.
— Hosting Company
It really doesn't matter which host has this in their Terms of Service; they all state or imply it in some way, shape or form. This isn't good or bad, right or wrong. It's just the reality of the situation with website security and where it fits in the hosting bubble. You as the website owner should be aware of this: if you're placing your hopes on the host to be your security savior, you're incorrect and will likely find out the hard way.
How Hosts Handle Website Security
When I think about the hundreds upon hundreds of hosts out there, I can count on one hand those that actually provide website security for their clients in-house.
Most, however, do it for an additional fee, leveraging third-party providers. Very few actually have their own technologies or the resources to handle the evolution in today's attacks, and they are unable to keep up with the various infections affecting website owners like you.
Their configurations are often the same. Many have their own flavor of ModSecurity configured at their respective edges, consuming rules from various rule creators, which they use as a firewall to block malicious attacks, and they leverage ClamAV for server-level scans looking for backdoors, rootkits, etc. These are often highly ineffective against website malware infections.
As for your own website security, if you want to extend beyond the bare bones (which are highly ineffective in today's reality), they encourage you to enroll with their partners. Even if they don't offer you a partner and instead encourage you to use their own solution, it's often white-labeled and still someone else's stack. What you want to consider in this configuration, however, is that it's just like government work. Having been a defense contractor, I know it always came down to the lowest bidder, not the best technology. Food for thought.
To account for this, like many of you, I too have to depend on hosts. I have a distinct way of handling my website security to ensure that you, the reader, have a safe online experience when visiting and reading my content. I've shared it to show you that ensuring a safe experience for your own readers, and that peace of mind, is possible.