
How to Secure your Shared Hosting Account? The Ultimate Guide for Geeks

Hey there! As technology geeks, we both know that shared hosting accounts come with unique security risks that demand technical vigilance on our part.

With multiple accounts hosted on the same server, a vulnerability in any one site puts everyone at risk! We can’t rely on hosting providers alone to lock down our accounts.

In this comprehensive guide, I’ll share my insights as a data security analyst on the best ways to secure your shared hosting and sleep better at night knowing your hard work is safe.

Why Shared Hosting is Risky Business

Let’s face it – with shared hosting, we’re essentially neighbors in a rough neighborhood trying to protect our home. One weak lock jeopardizes the entire community!

82% of SMBs use shared hosting according to Hosting Tribunal. And Sucuri reports that over 80,000 websites on shared hosting servers get hacked every year. Yikes!

As web security experts Barracuda Networks put it, “Cheap hosting deals are tempting but come with a huge trade-off – lowered security.”

The biggest risks are:

  • Collateral damage – An attack on one site impacts all sites due to shared resources
  • Noisy neighbors – Malicious activity on a single site affects server performance
  • DDoS susceptibility – Lower bandwidth caps make it easier to overwhelm with traffic
  • Configuration risks – Access to underlying server settings by other users

So while shared hosting works fine for low-traffic personal sites, businesses face a much higher threat landscape. Let’s look at how we can secure these accounts.

Start with Strong Passwords

Weak passwords cause over 80% of hacking breaches according to Verizon’s research. For robust passwords:

  • Length > 12 characters – Use 20 if allowed. Longer is exponentially stronger.
  • Mix cases – Not just lowercase but uppercase, numbers and symbols
  • Avoid dictionaries – Ban common words, names and patterns
  • Unique per account – Never reuse the same password.

Personally, I rely on a password manager like 1Password to generate and remember complex keys.

Enabling two-factor authentication (2FA) provides an extra layer of security.

For WordPress, limit login attempts via plugins like Limit Login Attempts to block brute force attacks.

As Troy Hunt, Microsoft Regional Director, wisely suggests: “Length and complexity over rotations.” Focus on ironclad master passwords instead of constant resets.

Compartmentalize Access with Principle of Least Privilege

Grant users only the minimum permissions needed to do their job – and nothing more.

As NSA’s network design guide explains, “When each user is given only the minimum privileges needed to accomplish tasks, damage from mistakes or malicious acts are reduced.”

Some ways to apply least privilege:

  • Avoid the root account for daily use. Create restricted accounts.
  • Limit FTP to specific folders based on user responsibilities
  • Disable unused services like SSH or databases if not required
  • For WordPress, use an Editor role account instead of Administrator

Segmenting access limits the impact if any single account gets hacked.

Reviewing permissions regularly allows you to revoke unnecessary privileges proactively before they can be exploited. Trust but verify.
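Least privilege also applies at the filesystem level on a shared host, where other customers' processes run on the same box under different users: a world-writable directory or a group-readable wp-config.php hands your neighbours exactly the access the list above says to withhold. The script below is an added example, not code from the original post. It audits a constructed web root for modes that violate least privilege and then applies a conventional 755/644/600 baseline; the file names in SECRET_FILES, the rules and the modes are assumptions, not the author's settings.

```python
"""Audit a web root for file modes that break least privilege, then apply a baseline.

Added example, not from the original post. It builds a constructed WordPress-like
tree in a temporary directory; SECRET_FILES and the 755/644/600 baseline are the
usual shared-hosting assumptions, not the author's settings.
"""
import stat
import tempfile
from pathlib import Path

SECRET_FILES = {"wp-config.php", ".env", ".htpasswd"}   # must be readable by the owner only
SCRIPT_SUFFIXES = {".php", ".phtml", ".phar"}


def audit_tree(root: Path) -> list:
    """Return (relative_path, problem) for every entry under root that violates the rules."""
    findings = []
    for p in sorted(root.rglob("*")):
        st = p.lstat()
        mode = stat.S_IMODE(st.st_mode)
        rel = str(p.relative_to(root))
        if mode & stat.S_IWOTH:                                # any other user on the box can write it
            findings.append((rel, f"world-writable ({mode:04o})"))
        if p.name in SECRET_FILES and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, f"secret readable by group/others ({mode:04o})"))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid bit set"))
        if p.suffix.lower() in SCRIPT_SUFFIXES and "uploads" in p.relative_to(root).parts:
            findings.append((rel, "script file inside an uploads directory"))
    return findings


def apply_baseline(root: Path) -> None:
    """Directories 755, files 644, secrets 600. Scripts in uploads are left for a human to review."""
    for p in root.rglob("*"):
        if p.is_dir():
            p.chmod(0o755)
        elif p.name in SECRET_FILES:
            p.chmod(0o600)
        else:
            p.chmod(0o644)


def build_demo_site(root: Path) -> None:
    """Constructed tree with three deliberate problems."""
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "wp-content").chmod(0o755)
    for name in ("index.php", "wp-config.php"):
        (root / name).write_text("<?php // constructed\n")
        (root / name).chmod(0o644)                             # 644 on wp-config.php leaks DB credentials
    (uploads / "hero.jpg").write_bytes(b"\xff\xd8 constructed")
    (uploads / "hero.jpg").chmod(0o644)
    (uploads / "cache.php").write_text("<?php // constructed\n")
    (uploads / "cache.php").chmod(0o644)                       # PHP where only media should live
    uploads.chmod(0o777)                                       # world-writable uploads directory


def demo() -> tuple:
    """Audit the constructed site before and after the baseline; returns (before, after)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_demo_site(root)
        before = audit_tree(root)
        apply_baseline(root)
        return before, audit_tree(root)


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The baseline deliberately does not delete the script found under uploads: a scanner should report it, and a person should decide whether it is a leftover from a plugin or evidence of a compromise. On a real account, run the audit against your document root rather than the constructed tree.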

Add Redundant Countermeasures with Security Plugins

Shared hosting platforms provide added security via plugins. For example:

  • Wordfence – blocks known threats and malware via a firewall
  • Sucuri – malware detection, file integrity monitoring and DDoS protection
  • Two-factor authentication plugins – Adds 2FA capability

These function as redundant countermeasures to threats that bypass other defenses.

For any web app, research relevant plugins based on your stack – WordPress, Joomla, Drupal etc. Most offer access control, firewalls, brute force prevention and more.

As Bruce Schneier’s law states, “Anyone can invent a security system so clever that she or he can’t imagine a way of breaking it.” Multiple diverse protections avoid blind spots.

Backups Are Your Safety Net from Disaster

Backups provide a safety net if your account is compromised or data corrupted.

  • Use automated daily backups from your hosting provider
  • Do manual weekly backups of important folders
  • Store backups externally – don’t keep all eggs in one basket
  • Test actually restoring from backups regularly

Studies show 92% of businesses go bankrupt within 2 years if they suffer a significant data loss without recovery options.

Rotate between multiple backup versions – don’t just overwrite the same file. As cybersecurity expert Kevin Mitnick warns, “Backups need to happen – but make sure they are secure.”

I schedule daily, weekly and monthly backups to balance convenience, storage space and history. Anything beyond 2 months is usually not necessary to restore in an emergency.

Update Early, Update Often

Hackers exploit known software vulnerabilities. Stay on top of patches:

  • Install CMS and plugin updates quickly
  • If supported, enable auto-updates for key software
  • Review notifications regularly – don’t let them pile up
  • Schedule quarterly maintenance to catch any missed updates

The US Cyber Safety Review Board reported that delays in patching Accellion file transfer appliances led to significant cyber intrusions.

Test updates on staging sites first to catch compatibility issues before updating production. Don’t blindly apply every update immediately – but stay current within 1-2 weeks.

As Microsoft CEO Satya Nadella warns, “Every two years, we double the computing capabilities of what software can do. That means if you’re not updating your security on the same pace, you’re actually falling behind.”

Monitor Closely for Signs of Intrusion

Vigilance is key to detecting threats early before major damage.

  • Review error logs and security alerts daily
  • Monitor site performance for traffic anomalies
  • Run frequent scans to check for malware or code injections
  • Dig into access patterns in web logs for unfamiliar activity

I recommend checking logs every day even for low traffic sites. Online criminals are constantly probing sites for weaknesses.

Enable email alerts from your hosting provider, firewall, security plugins etc. Don’t ignore them – act quickly if any suspicious activity is flagged.

As Google recommends regarding web security, “Assume you’ve been compromised, and work backwards.” A pessimistic outlook makes you more likely to catch subtler attacks.

Limit Plugins to Reduce Your Attack Surface

Every plugin increases vulnerabilities by expanding your codebase.

  • Avoid free plugins from unofficial sources
  • Thoroughly vet plugins before installing
  • Only use plugins from official repositories like WordPress.org
  • Limit plugins to those absolutely necessary

Keep your software stack minimal. The Principle of Least Privilege applies to plugins too!

I’ve been bitten by abandoned plugins with unpatched bugs getting exploited. So I curate plugins carefully and remove any that are not actively maintained or essential.

Security researcher Charlie Harp cautions, “Additional software means additional risk. Keep systems as simple as possible by removing unnecessary software.”

Lock Down Access to Infrastructure

Control access to infrastructure like databases, networks, administrative consoles.

  • Change default credentials immediately
  • Rotate passwords regularly every 90 days
  • Require strong multi-factor authentication
  • Disable any unused access points completely
  • Review permissions and active logins monthly

For root access, I enforce mechanisms like security keys, privileged access management, IP whitelisting and login approvals to restrict access to a minimal set of trusted admins.

Experts recommend reviewing the necessity of all access channels annually. If an account hasn’t been used in 12 months, it gets revoked. Out of sight means out of mind.

Protect Against Rising DDoS Threats

DDoS attacks have grown over 1055% in the last 5 years per Neustar research.

  • Use hosting provider DDoS protection like Cloudflare or Akamai
  • Expand resource limits for bandwidth, connections etc.
  • Blacklist traffic from DDoS botnet sources
  • Temporarily switch to static caching during massive attacks
  • Build infrastructure for high availability across multiple providers

Many shared hosts lack DDoS prevention. In this case, migrate to a managed VPS with robust flood protection.

DDoS attacks exceeded 3 million globally in 2021, warns Kaspersky. So investing in DDoS mitigation is non-negotiable for any online business.

As security analyst Lesley Carhart says, “The question for DDoS protection is not if you will be attacked, but when.”

Harden Your PHP Configuration Against Attacks

Default PHP settings are often insecure. Here are key recommendations:

  • Disable dangerous functions like exec(), system(), passthru() etc.
  • Restrict allow_url_fopen and allow_url_include
  • Increase cookie SameSite strictness
  • Set display_errors to Off
  • Hide PHP version by setting expose_php to Off

I block over 70 high-risk PHP functions. This significantly reduces the attack surface for RCE and code injection.

Additionally enforce these through a Web Application Firewall for redundancy. WAF rules continuously evolve to detect latest attack patterns.
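Checking these directives by hand on every account is error-prone, so here is an added example (not code from the original post) that audits a php.ini or .user.ini fragment against the recommendations above and emits the corrected version. WEAK_INI is a constructed sample in the style of a stock php.ini; the directive names are real PHP settings, and RISKY_FUNCTIONS is an illustrative subset rather than the author's 70-function list.

```python
"""Audit a php.ini / .user.ini fragment against the hardening list above.

Added example, not from the original post. WEAK_INI is a constructed fragment
in the style of a default php.ini; the directive names are real PHP settings,
and RISKY_FUNCTIONS is an illustrative subset rather than the author's list.
"""
import configparser

# Directive -> value recommended in the section above.
HARDENED = {
    "expose_php": "Off",
    "display_errors": "Off",
    "allow_url_fopen": "Off",
    "allow_url_include": "Off",
    "session.cookie_samesite": "Strict",
}
# Command-execution functions the post names, plus their usual companions.
RISKY_FUNCTIONS = {"exec", "system", "passthru", "shell_exec", "proc_open", "popen"}
OFF_VALUES = {"off", "0", "", "false", "no", "none"}   # spellings PHP treats as false
ON_VALUES = {"on", "1", "true", "yes"}

WEAK_INI = """\
; constructed sample, roughly what a stock development php.ini looks like
expose_php = On
display_errors = On
allow_url_fopen = On
allow_url_include = Off
disable_functions =
session.cookie_samesite = Lax
"""


def parse_ini(text: str) -> dict:
    """Parse php.ini syntax into {directive: value}; PHP does not need a section header, so add one for configparser."""
    if not text.lstrip().startswith("["):
        text = "[PHP]\n" + text
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {k: v.strip().strip('"') for s in cp.sections() for k, v in cp.items(s)}


def matches(current: str, wanted: str) -> bool:
    """Compare PHP boolean spellings loosely (On/1/true, Off/0/none); other values exactly."""
    c, w = current.lower(), wanted.lower()
    if w == "off":
        return c in OFF_VALUES
    if w == "on":
        return c in ON_VALUES
    return c == w


def disabled_functions(settings: dict) -> set:
    return {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}


def audit(text: str) -> list:
    """Return (directive, current, recommended) for every directive that misses the target."""
    settings = parse_ini(text)
    findings = []
    for directive, wanted in HARDENED.items():
        current = settings.get(directive, "<unset>")    # unset is flagged: the built-in default may be On
        if not matches(current, wanted):
            findings.append((directive, current, wanted))
    missing = sorted(RISKY_FUNCTIONS - disabled_functions(settings))
    if missing:
        already = ",".join(sorted(disabled_functions(settings))) or "<empty>"
        findings.append(("disable_functions", already, "add " + ",".join(missing)))
    return findings


def harden(text: str) -> str:
    """Emit the same fragment with every weak directive corrected (the 'after' configuration)."""
    settings = parse_ini(text)
    settings.update(HARDENED)
    settings["disable_functions"] = ",".join(sorted(disabled_functions(settings) | RISKY_FUNCTIONS))
    return "".join(f"{k} = {v}\n" for k, v in sorted(settings.items()))


if __name__ == "__main__":
    for directive, current, wanted in audit(WEAK_INI):
        print(f"{directive:24} current={current!r:10} recommended={wanted}")
    print("\n--- hardened ---\n" + harden(WEAK_INI))
```

One caveat that matters on shared hosting: expose_php, allow_url_fopen, allow_url_include and disable_functions are PHP_INI_SYSTEM directives, so a .user.ini in your web root cannot change them; they must be set in the server's php.ini, which on most shared plans means the control panel's PHP settings editor or a support ticket. display_errors and the session.cookie_* directives can be set per directory, so the audit tells you which findings you can fix yourself and which to escalate.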

As Troy Hunt emphasizes, “Input validation! Input validation! Input validation! Did I mention input validation?” Sanitizing PHP inputs defangs most attacks before they occur.

Employ a Zero Trust Approach with Least Privilege

Modern security best practices follow a zero trust approach.

  • Never trust any user input or traffic by default
  • Validate, sanitize and scrub all parameters
  • Grant minimal access and escalate selectively based on context
  • Continuously inspect and log activity to detect threats

Web application attacks like SQLi and XSS fundamentally exploit excessive implicit trust in unvalidated data.

By assuming breach and focusing on damage control, zero trust architectures limit the blast radius from any intrusion.

As Gartner recommends, “Adopt a deny-by-default network posture, granting least privilege access just-in-time and only for the duration required.”

This positions your defenses to be adaptive and constantly self-healing.

Make Backups Boring Again

Reliable backups seem mundane but provide critical protection against catastrophic loss.

  • Automate backups to run like clockwork
  • Verify backup integrity regularly
  • Test restoration process periodically
  • Store backups in multiple locations
  • Encrypt and password-protect backup files

I schedule tests on the 1st of every month – simulating disasters helps evaluate recovery workflows.
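Both backup sections above come down to three mechanical steps: take the copy on a schedule, prove it has not rotted, and prove it restores. The script below is an added example, not code from the original post or from any hosting provider. It backs up a constructed site to a tar.gz, records per-file and whole-archive SHA-256 hashes in a manifest, runs a restore drill into scratch space, detects a corrupted copy, and rotates old archives; the file names, the archive format and the retention count are assumptions for the demo.

```python
"""Automated backup with an integrity manifest, a restore drill and rotation.

Added example, not from the original post. It works entirely inside a
temporary directory on constructed sample files; the names, the tar.gz format
and the retention count are assumptions for the demo.
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def make_backup(site_dir: Path, dest_dir: Path, label: str) -> Path:
    """Write <label>-<UTC stamp>.tar.gz plus a manifest of per-file and whole-archive hashes."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    archive = dest_dir / f"{label}-{stamp}.tar.gz"
    files = {str(p.relative_to(site_dir)): sha256_of(p)
             for p in sorted(site_dir.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=".")
    doc = {"archive": archive.name, "archive_sha256": sha256_of(archive), "files": files}
    manifest_path(archive).write_text(json.dumps(doc, indent=2))
    return archive


def verify_backup(archive: Path) -> bool:
    """Cheap daily check: does the archive still hash to what the manifest recorded?"""
    doc = json.loads(manifest_path(archive).read_text())
    return doc["archive_sha256"] == sha256_of(archive)


def restore_drill(archive: Path) -> bool:
    """Restore into scratch space and compare every file to the manifest (the monthly test)."""
    doc = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")   # refuses entries that escape scratch
            except TypeError:                            # Python without the extraction-filter backport
                tar.extractall(scratch)
        return all(
            (Path(scratch) / rel).is_file() and sha256_of(Path(scratch) / rel) == digest
            for rel, digest in doc["files"].items()
        )


def prune(dest_dir: Path, keep: int) -> list:
    """Rotate: keep the newest `keep` archives (the timestamped names sort chronologically)."""
    archives = sorted(dest_dir.glob("*.tar.gz"))
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        manifest_path(old).unlink(missing_ok=True)
        old.unlink()
    return [p.name for p in doomed]


def demo() -> dict:
    """Back up a constructed site twice, verify, drill, detect tampering, then rotate to one copy."""
    with tempfile.TemporaryDirectory() as tmp:
        site, dest = Path(tmp) / "public_html", Path(tmp) / "backups"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        dest.mkdir()
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'constructed');\n")
        (site / "wp-content" / "uploads" / "hero.jpg").write_bytes(b"\xff\xd8\xff constructed bytes")
        first = make_backup(site, dest, "site")
        second = make_backup(site, dest, "site")
        verified, drilled = verify_backup(second), restore_drill(second)
        with open(first, "ab") as f:          # simulate silent corruption of the older copy
            f.write(b"\x00")
        corrupt_detected = not verify_backup(first)
        removed = prune(dest, keep=1)
        return {"verified": verified, "drilled": drilled, "corrupt_detected": corrupt_detected,
                "removed": removed, "remaining": sorted(p.name for p in dest.iterdir())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to a real account: the manifest lives beside the archive, so copy both to the off-site location, and the drill extracts into a throwaway directory rather than over the live site, which is what makes it safe to run on the 1st of every month. Encrypting the archive before it leaves the server (for example with gpg) is a separate step this script does not perform.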

With remote work growing over 300% during the pandemic, relying on manual backups is risky. Automate, automate, automate!

Peak performance expert Brian Tracy warns, “Anything that is not continually backed up will eventually be lost.” Don’t let that lost data cripple your business.

Monitor Server Logs to Identify Anomalies

Logs provide powerful forensic analysis after incidents. And checking them regularly helps spot issues brewing:

  • Review server and app logs at least weekly
  • Watch for unusual traffic locations, requests and load
  • Analyze failed login attempts for brute force patterns
  • Dig into error logs for signs of file changes or code injections
  • Set log rotation policies to retain key events

I recommend centralizing logs in a cloud SIEM tool like Splunk or Graylog for easier correlation and long-term retention.

Threat hunting expert Sarah Zatko explains, “Understanding what’s normal in your environment helps highlight what’s abnormal. Baseline first.”

Review logs during maintenance windows when you have time to dig in. Otherwise subtle red flags are easy to miss in the daily deluge.
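The two monitoring sections above ask you to watch for brute-force patterns in failed logins and for signs of code injection in the request logs. The script below is an added example, not code from the original post, that runs those two checks over constructed access-log lines in the Apache/Nginx combined format. The threshold, window and request signatures are illustrative assumptions for a WordPress site; the one WordPress-specific fact it relies on is that a failed POST to wp-login.php re-renders the form with status 200 while a successful one redirects with 302.

```python
"""Flag brute-force logins and injection probes in web server access logs.

Added example, not from the original post. SAMPLE_LOG is constructed in
Apache/Nginx "combined" format; the threshold, window and signatures are
illustrative assumptions for a WordPress site on shared hosting.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BRUTE_THRESHOLD = 5                       # assumption: failed logins per window that raise an alert
BRUTE_WINDOW = timedelta(minutes=5)
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}
SIGNATURES = (  # request-path patterns that should not appear in normal traffic
    ("PHP script under uploads", re.compile(r"^/wp-content/uploads/.*\.php", re.I)),
    ("SQL injection probe", re.compile(r"union(?:\+|%20|\s)+select", re.I)),
    ("path traversal", re.compile(r"\.\./")),
)

# Constructed sample: a login burst that ends in a redirect, a PHP file served from
# uploads, one injection probe, and one ordinary successful login.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:02:14:08 +0000] "POST /wp-login.php HTTP/1.1" 200 4012 "-" "python-requests/2.31"
203.0.113.5 - - [12/Mar/2024:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.7 - - [12/Mar/2024:02:20:44 +0000] "GET /index.php HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:03:05:10 +0000] "GET /wp-content/uploads/2024/03/img.php HTTP/1.1" 200 17 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:03:07:55 +0000] "GET /?s=1+union+select+1 HTTP/1.1" 200 9870 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2024:03:08:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    return entry


def analyze(log_text: str) -> list:
    """Return (severity, ip, description) alerts; login bursts first, then signature hits."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    alerts = []
    # Rule 1: login bursts. A failed wp-login.php POST re-renders the form (200); a
    # successful one redirects (302), so a run of 200s followed by a 302 is the
    # shape of a credential-guessing attempt that eventually worked.
    by_ip = defaultdict(list)
    for e in entries:
        if e["method"] == "POST" and e["path"].split("?", 1)[0] in LOGIN_PATHS:
            by_ip[e["ip"]].append(e)
    for ip, posts in by_ip.items():
        posts.sort(key=lambda e: e["ts"])
        failures = [e for e in posts if e["status"] == 200]
        for i, first in enumerate(failures):
            burst = [f for f in failures[i:] if f["ts"] - first["ts"] <= BRUTE_WINDOW]
            if len(burst) < BRUTE_THRESHOLD:
                continue
            succeeded = any(p["status"] == 302 and p["ts"] >= burst[-1]["ts"] for p in posts)
            alerts.append((
                "critical" if succeeded else "high", ip,
                f"{len(burst)} failed logins within {BRUTE_WINDOW}"
                + (", then a 302 (login may have succeeded)" if succeeded else ""),
            ))
            break
    # Rule 2: request signatures in the path and query string
    for e in entries:
        for name, rx in SIGNATURES:
            if rx.search(e["path"]):
                alerts.append(("medium", e["ip"], f"{name}: {e['method']} {e['path']} -> {e['status']}"))
    return alerts


if __name__ == "__main__":
    for sev, ip, desc in analyze(SAMPLE_LOG):
        print(f"[{sev:8}] {ip:15} {desc}")
```

Run it against the access log your host exposes (on cPanel accounts usually under the Raw Access or Metrics section) rather than the constructed sample; the severity split is the useful part, because a burst that ends in a 302 warrants a password reset and a session check, while a burst that never succeeds is a candidate for a block rule.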

Harden New Accounts Before Use

New accounts represent a fresh attack vector – lock them down with:

  • Strong randomly generated passwords over 16 characters
  • Enable two-factor authentication
  • Set password expiration for every 90 days
  • Review permissions and groups to limit authority
  • Confirm notification settings for access alerts are enabled

I limit new accounts to minimum privileges first. Rights get expanded slowly as needed based on demonstrated requirements.

Regular password rotation is a must even for seemingly harmless accounts – you don’t want a forgotten weak password to come back and bite you later.

As Kenneth White, Open Crypto Audit Project Director says, “Assume every unlocked door will be opened, every available credential harvested and cracked, every weakness prodded and exploited.”

Diversify Infrastructure Across Providers

A single cloud provider creates a concentrated risk if they have an outage. Distribute your presence:

  • Register domains with multiple registrars
  • Distribute DNS across different providers
  • Host content and data in different clouds
  • Never rely on just one vendor for email, monitoring etc.

95% of businesses unable to access their cloud provider for over 3 hours go bankrupt, warns Technology Business Research.

So don’t put all your eggs in one cloud. Distribute hosting, DNS and tools across at least 3-4 providers for stability.

As venture capitalist Paul Graham says, “Businesses with multiple revenue streams are called antifragile. Wind blows out candles, but it makes fireplaces brighter.” Distributed infrastructure survives disruptions much more resiliently.

Encrypt All The Things

Encryption provides the last line of defense if all else fails. Encrypt these minimum:

  • Entire website with free SSL/TLS certificates
  • All database and backup files
  • Critical folders like wp-config with access controls
  • In-transit communications via VPNs
  • At-rest data via drives/bucket encryption
  • Hashed tokenized storage of sensitive fields

For key transmissions like financial data, enforce the strongest modern ciphers like AES-256 over TLS 1.3.

Antivirus pioneer John McAfee declares, “Encrypt everything, no exceptions.” I sleep better knowing my data is locked down.

Conclusion

I hope these tips help you “geek out” over locking down your shared hosting as tightly as possible!

With cyberattacks growing exponentially every year, a false sense of security can cripple a business. Your personal vigilance is the best insurance against disaster.

No single solution can make a site 100% hack-proof or downtime-proof. But defense in depth across multiple technical and operational countermeasures gives you maximum protection.

Stay safe out there! And don’t hesitate to reach out if you need any help or have an awesome security tip to share.


Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.