When we first create a blog or website, all the decisions we need to make can quickly overwhelm us. Do we really need a website and a blog? Should we go with Blogger or WordPress? Do we want to go the free route or pay for a self-hosted site we’ll own?
That last question encompasses many complicated issues I’ll dive into next week. But if we decide to go the self-hosted WordPress.org route, we then also have to choose a hosting company.
What’s a hosting company, you ask? Today’s post is actually the second of two articles about hosting companies. Part One is over at the Writers In The Storm blog, where I cover what a hosting company is and why they’re important. Vitally important to those of us who choose to have a self-hosted site.
So that means we have to know how to pick a good hosting company. How are we supposed to do that? We’re writers, not tech people.
In Part One, I cover some of the things to look for in a hosting company. I’ll wait while you check out that post. *hums Jeopardy theme* Back now? As I mentioned in that post, one critical responsibility of a hosting company is keeping their servers secure because if their servers are hacked, our websites become vulnerable or even go offline.
Today in Part Two, my tech guy will give us the inside scoop on what a hosting company can (and probably should) do to keep their servers secure. Please welcome Jay Donovan!
Tech Talk: Website and Blog Security
Thanks, Jami, for letting me out of the server room for a few moments to talk about how a good hosting provider can help keep your site running safely. *notices a window* Hey, is that sunlight? *squints* Ow, it burns my people.
By my definition, a “good” hosting company views themselves as your partner in achieving your goals rather than one who simply provides a service. That sounds like a trope, but unless you’re planning on acquiring a “tech geek” badge, you’re going to have questions and occasionally need some hand-holding. The providers competing to be the lowest priced host can’t afford to spend much time on support or ensuring that their servers are delivering pages to your site’s visitors lightning fast.
Today we’ll discuss how a web hosting company can help keep your site running securely. Or sometimes, not keep your site running securely. For the sake of simplicity and to keep the author in the back row from nodding off, I’ll limit the conversation to WordPress.org sites and the core software required to run it.
A Quick Technology Primer
To understand what can go wrong, let’s briefly explore the technologies needed to run a WordPress powered site:
- The typical webhosting server runs the Linux operating system. Linux is a competitor to Microsoft Windows and Apple’s OS X. It runs on everything from supercomputers to smart phones. (If you have an Android phone, you’re using a variant of Linux.)
- Apache is web server software. It’s the software that talks to your web browser. It can directly answer requests for images and simple web files (HTML & CSS). WordPress uses both, but it has more complex needs. Luckily, Apache knows to ask for help when it doesn’t know what to do.
- WordPress’s posts, comments, page information, and settings are stored in a MySQL database.
- And the final core piece is the PHP programming language. WordPress is written in PHP.
This ends the jaunt into the tech. *hands out paper “Tech Geek” hats to those still awake* If you know a tech geek, call them to say how you’re currently reading up on securing a “LAMP application.” LAMP = Linux + Apache + MySQL + PHP
Or you can think of Linux as the Buffyverse (Sunnydale and Slayers / Vampire lore), Apache as Buffy, MySQL as Giles, and PHP as the Scooby gang. Everything happens in the Buffyverse but without Buffy, no slaying occurs. (Robot Buffy doesn’t count.) Giles manages all the information and lore. And the Scooby gang does the boring/dirty work but causes almost as much trouble as they prevent.
Why WordPress.com and Some Hosting Companies Limit You
With the tech basics covered, we can move on to how a good hosting company can help you minimize security risks to your web site. Security risks include hackers/malfeasance, hard drive failures, and human error.
My phrasing choice of “minimize risks” is deliberate. With all the complexity involved in each of those components, it’s impossible to guarantee your site will never be hacked. This is especially true if you aren’t diligent about updates and the plugins and themes you choose to install. For this reason, many web hosting companies (including WordPress.com) will limit available add-ons, even at their premium service tiers.
A good webhosting company will have a few roles in helping to keep your site safe.
A Good Webhosting Company Will Take Care of the Stuff They Control
Regular updates of all LAMP and other server software.
Both PHP and WordPress have a somewhat deserved reputation for being insecure. They have greatly improved over the past few years, but you and your host need to be very attentive to security updates. Your host is responsible for PHP and you are responsible for WordPress and plugin updates.
Backups! Backups! Backups!
- How and how often do they perform backups?
- Are restores tested regularly?
- Are any backups saved to a different location?
- Do different tiers of service have different policies?
- Do they have a Disaster Recovery plan?
All critical servers are monitored.
- Are they monitored from multiple locations?
- Do they watch for and actively block hacker attacks?
A Good Webhosting Company Is Communicative
- Do they actively post about security risks?
- Do they warn about significant upgrades & site changes?
- Are they available for a quick question?
- Is their advice good and info correct?
- Will they admit a problem or cover it up?
A Good Webhosting Company Provides Security Related Extras
- Will they perform WordPress and plugin updates for you? If so, what do they charge?
- Can they remotely help with a computer virus?
A Good Webhosting Company Won’t Do Something Bad for You Because It’s Easier for Them
I recently helped with two cases where the hosting company failed their client.
In the first case, an author’s site was hacked multiple times before he came to me for help. In my investigation, I observed that the author wasn’t a typical hacker target. There weren’t any bad plugins, and everything was up to date. He spent hours on the phone with his hosting company and they denied anything was wrong on their end. Turns out the host’s Linux server his site was on had been hacked.
All the other sites running on that server were also hacked, and all of them had been labeled as malicious sites by Google. Even after being cleaned, some anti-virus/firewall software still blocks access to his site.
The second case is about a different type of security, a site owner being secure in the knowledge that their hosting company won’t break them. A very popular site advocating self-publishing disappeared from the net. It was offline for more than a day. Turns out the hosting company cut them off for being too popular.
Yes, seriously!?! The hosting company knocked them offline—no differently than a hacker attack could. Eventually the site owners were able to bring their site back online, except the hosting company forced them onto a VPS (Virtual Private Server). So now the site owners have to either learn how to manage/update Linux, Apache, MySQL, and PHP or live with the default settings. My gasteds were beyond flabbered.
So how does TechSurgeons stack up to this list? Pretty good. There’s always room for improvement.
Stuff We Can Control:
- Updates: We do extremely critical updates within 48 hours, critical updates within a week, and less important ones monthly. Our goal is to balance expediency with caution. Sometimes those rushed updates have problems of their own so waiting a day or so allows us to avoid the pitfalls.
- Backups and Hard Drives: All servers have mirrored hard drives, so if one fails, the second keeps going. Each LAMP server is completely backed up at 11PM. At 2AM, all sites are backed up to a different server and then those backups are copied to a server at our office. Restores are tested at least weekly, and we’re alerted when backups fail and need to be rerun.
- Monitoring: All servers are monitored locally and from a remote server in Seattle. Hacking attempts are logged, hackers are blocked, and email alerts are sent to us. Excessive login attempts on WordPress sites are not yet logged and blocked—there’s a plugin we want to test which might work really well.
Communicative:
Probably overly so. We use the @techsurgeons Twitter account and often our personal accounts to mention problems, maintenance, and when you should run updates. We’re starting to use our Facebook page and will now post the same messages there. We love it when you ask us questions on social media—it’s fun being helpful. And yes, we admit when we break stuff. It happens—I caused 9 minutes of downtime so far this year.
Security Related Extras:
Of course. Our rates are on the website. And we’re allergic to nickel & diming so rarely charge for small stuff.
Any hosting company you’re considering should be able to answer these questions for you. I’ll hang out in comments if you have questions about the tech stuff or other hosting issues.
Jay Donovan has been a geek since before geeks were cool. He’s done it all, from remotely debugging the Internet connection for a US aircraft carrier deployed to *REDACTED*, to being responsible for the servers and networks for one of the largest Internet sites in the world, and the most challenging job of them all—parenthood.
He’s trained as a Certified Ethical Hacker (yes, really!) and always uses his geeky powers for good. When he’s not neck deep in wires and computer parts, you’ll find him hanging out on Twitter as @jaytechdad or at TechSurgeons.
Wow! Thanks, Jay! *still giggling over the Buffy analogy* I think I might have understood all that. Maybe.
Too many “hosting companies” don’t have the tech background to build the redundant networks and servers that can handle hardware crashes and high traffic, much less hacking attempts. As of a year ago, my site was the target of 150-200 hacking attempts per day. My site has been linked to from HuffPo and MediaBistro and didn’t go down.
I’m happy to leave my site in the hands of a professional who lives and breathes this stuff (except for when we briefly let him out to glimpse sunlight *smile*). And now we all know the questions to ask of any hosting company we’re considering. Let’s give Jay a big hand for filling us in on hosting companies!
Did that explanation make sense to you or do you need clarification? Does knowing all the ways a poor hosting company can screw things up—and knowing the right questions now to judge if a hosting company is good or poor—make you more or less likely to go the self-hosted route? If you’re self-hosted, do you know what your hosting company does to keep your site secure? Do you have any questions for Jay?