The first thing to consider when website security is concerned is the server you host the website on. There are three main types of hosting environment, and each of them brings different security concerns you must take into account.
Hosting companies offer UNIX/Linux-based or Windows-based servers. Because of the price of Windows licenses, Windows servers are not commonly used to host websites based on WordPress or other PHP-based systems. Most servers run some distribution of Linux, commonly with Apache as the web server. I will not write about Windows-based servers: they are set up and used very differently, they are rarely used for WordPress websites, and they are not really relevant to this article.
Most websites, especially smaller ones, are hosted on shared hosting servers because they are cheap and powerful enough for the job. Shared hosting means that a single server serves many different user accounts. The server is not yours to modify as you need; you are limited by the environment settings the hosting company has set for all accounts on that server. There are still some things you can change and use.
If you choose a shared hosting company, make sure they run recent (or at least currently supported) software: Apache (or a similar web server), PHP (version 5 is a must, with 5.2 or 5.3 preferable) and MySQL (version 5 is the most commonly used). They need to allow you to use .htaccess files (many hosting companies still don't), and preferably let you use your own php.ini file for the settings that can be changed per account. Good support is always important, especially until you have everything set up and have confirmed that the server is working correctly. Always require access to some sort of control panel: cPanel, ISPmanager or Plesk (there are others, but these are the best).
Shared hosting limits what you can do with the server (again, it all depends on the hosting company), and you will not be able to install additional software: a firewall, PHP extensions, memcache and so on. Most shared hosting companies have a decent security setup, but again, make sure you check what you are getting into.
Sharing a server by default means that all accounts and all domains on it share a single IP address. So, if that IP gets blacklisted for some reason because of another user, you will be affected too. Most shared hosting companies offer to sell you a separate IP address for your account only.
Virtual Private Server Hosting
Virtual private server hosting, or VPS for short, has become very popular in recent years, mostly due to the much better performance you get and the more affordable prices driven by the many new companies offering this kind of service. A VPS is basically a whole server for one user, but that server is not a physical machine: it is a virtual machine created through virtualization and sharing of hardware resources. Many different methods are used for this today, with distributed nodes and clouds growing in popularity. You are the only user of your VPS, and you can have full control over installing and setting up the server. A VPS can be unmanaged (you need to do everything yourself) or managed, where the hosting company still controls the installation of the server and helps you run it.
If you decide on VPS hosting, be prepared to do more work on server setup and maintenance (how much depends on whether the VPS is managed or unmanaged). If you need to run a mail server on your VPS (and in most cases you will), make sure to set it up properly: reverse DNS (usually you need to ask the hosting company for this), sending limits, SPF records and so on. Be sure to run the latest version of the OS you have chosen, with an updated kernel, web server, PHP and MySQL. I also strongly recommend installing firewall software (LFD is a really good one with a lot of options to set). Use strong passwords for everything and change them often. If you run a personal server (no outside users), there is less chance of intrusion because you will be the only one with access to it.
PHP can also be improved and extended with the Suhosin security extension. Some Linux distributions (like Ubuntu 10.04) install PHP with Suhosin built in. To be honest, I don't like it and I don't use it: I find it hard to set up, and it always caused more problems than I was prepared to deal with. But if you have the patience and time to test it, I recommend trying it. As for MySQL, the server is usually configured to allow only local access, so no one can reach it from outside your server.
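The VPS checklist above (current PHP, MySQL reachable only locally, an SPF record for the mail server) is the kind of thing worth re-checking after every rebuild. The script below is an added example, not code from the original article: it audits those three items against constructed sample inputs, and on a real server you would feed it the output of `php -v`, the path of the live my.cnf and the TXT record returned by `dig +short TXT yourdomain.example`.

```shell
#!/bin/sh
# Added example (not from the article): audit a few of the VPS settings the
# text recommends. All inputs below are constructed samples.

# PHP version string (e.g. "5.3.3") meets the article's minimum of 5.2.
php_version_ok() {
  major=$(printf '%s\n' "$1" | cut -d. -f1)
  minor=$(printf '%s\n' "$1" | cut -d. -f2)
  [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 2 ]; }
}

# MySQL config restricts access to the local machine: either skip-networking
# (socket only) or bind-address on a loopback address. Commented-out lines are
# dropped first, so a "# bind-address = 127.0.0.1" left in by a template
# does not count as a pass.
mysql_local_only() {
  grep -v '^[[:space:]]*#' "$1" |
    grep -Eiq '^[[:space:]]*(skip-networking|bind-address[[:space:]]*=[[:space:]]*(127\.0\.0\.1|localhost|::1))[[:space:]]*$'
}

# SPF TXT record is present and ends with a fail (-all) or softfail (~all)
# qualifier, so mail forged from other hosts is rejected or flagged.
spf_record_ok() {
  printf '%s\n' "$1" | grep -Eq '^v=spf1( [^ ]+)* [-~]all$'
}

# Constructed sample my.cnf files: one bound to loopback, one listening on
# every interface (the default on many older installs).
GOOD_CNF=$(mktemp); printf '[mysqld]\nbind-address = 127.0.0.1\n' > "$GOOD_CNF"
BAD_CNF=$(mktemp);  printf '[mysqld]\n# bind-address = 127.0.0.1\nbind-address = 0.0.0.0\n' > "$BAD_CNF"

# Run all checks, print PASS/FAIL per item, return the number of failures.
audit() {
  fails=0
  php_version_ok "$1"   && echo "PASS php $1"           || { echo "FAIL php $1 (need 5.2+)"; fails=$((fails+1)); }
  mysql_local_only "$2" && echo "PASS mysql local-only" || { echo "FAIL mysql reachable from outside"; fails=$((fails+1)); }
  spf_record_ok "$3"    && echo "PASS spf"              || { echo "FAIL spf missing or too permissive"; fails=$((fails+1)); }
  return $fails
}

audit "5.3.3" "$GOOD_CNF" "v=spf1 a mx -all" || echo "$? check(s) failed"
audit "5.1.6" "$BAD_CNF"  "v=spf1 a mx ?all" || echo "$? check(s) failed"
```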
A VPS is the best solution for hosting: not very expensive, full control over the server, great potential for setting it up exactly as you need, and in most cases very easy to expand with more hardware resources when your website(s) start to grow and get more visitors.
What I said about a VPS also applies to dedicated hosting, but in this case you have a full physical machine to yourself. This is usually a very expensive solution, but the most powerful one. If you don't mind spending more money, this is the best solution, and also the most complex from the standpoint of maintenance and the work you need to invest.