Security issues in shared hosting environment

In a Shared Hosting environment, different clients share the whole server but each client has its own set of resources. A number of websites share a single server. It is an economic solution for those websites which do not have high traffic and high storage requirements.

As an online business owner, what is most important for you is the security of your website and here I will discuss the various security issues in shared hosting environment. Let us face the bitter truth that in shared hosting environment, it is not possible to completely cover all the loop holes. A server is never completely secure and everything that interacts with your server is a threat to you.

Let me share an analogy with you. A shared server is like an apartment building and a dedicated server is like having your own house. You are sharing all the resources like water supply, power supply, parking lot etc. with other people in the apartment building. In an apartment building if someone puts on his A.C. then it will put extra load on the power grid of the entire building. If there is short circuit in one apartment, the entire building is prone to face the impact of power cut. Similarly, an anti social element staying next door who tries to peep into your apartment poses a security threat to you. While in your own house, you have all the resources just for yourself which are not shared with anyone. It’s like a dedicated server where the clients have full control over the server regarding the choice of operating systems, root access, hardware, software etc.

In shared web hosting, the HTTP server like Apache requires a control over the files to be served to the client which immediately poses a security concern. If the domains have the ability to run scripts or if the domains have the access to the shell, then in shared hosting environment, one client can modify the files of another client. Though in a multiuser operating system like Linux read/write/execute privileges can be provided to different user groups (user/group/other) yet through a simple PHP script, files outside own home directory can be accessed. Even when using pre-packaged software solutions, you need to allow the hosting server to have read, write and execute access to your files and thus exposing vulnerabilities to other clients. Moreover though the functions like exec( ), shell_exec( ) provide flexibility to the developers, yet they pose adverse security problems. Let us see a very simple example:

Most of the websites require some image uploads from the web and if the client on shared hosting does not have server permission then these uploads will not move to the destination directory. The common solution is to give all the users 777 (read/write/execute) access to the destination directory. This is a common solution but what it has provided is an easy way to hack the files of other users sharing the same server.

Now just think about the situation when your website is on a server that hosts a number of websites out of which few are vulnerable to attacks. Now if even a single one is attacked, the downtime for your website also increases as it is hosted on the same server. And if this happens during working hours when you need to send/receive important emails your business will surely get a negative impact. There are several hosting companies that claim guaranteed 100% uptime which is a complete lie as a server will be down during maintenance. A Denial of Service (DoS) attack on one website impacts the rest of the websites in the shared hosting environment. So a poorly managed server can cause downtime for all sites hosted on the server. Extending the analogy of apartment building, suppose some problem in an apartment on ground floor causes blockage to water, then the water will not climb up to any of the apartments on other floors if there is just a single pipeline. It’s like a DoS in case of shared servers where all the websites suffer.

So concluding, I could say that there is a trade off for low costs in terms of security in shared hosting. Security in shared web hosting cannot be as strong as the dedicated server. So a good solution is to keep your sensitive data in a database. Be careful while uploading files on the server and keep all server utilities up to date. A lot of log tracking, access tracking and website usage tracking have to be done. You even have the option of Virtual Private Servers. VPS or Virtual Dedicated Server (VDS) hosting provides a middle path between shared and dedicated web hosting services. Every user has a full control over his Virtual Server up to his own OS image. This blocks other users from seeing or modifying information even when the information is present on the same server. But if you are playing with highly sensitive data, then the best solution is “Go for a Dedicated or Virtual Private Server(VPS)”