Nightmares in web hosting
About six weeks ago I decided to update my web site and upgrade my CMS software. That required having my web host transfer my site to a server that was configured to handle the new features. Upon request the site was moved, but afterward “Support” failed to:
- verify the site subsequently was accessible via the domain URL, which it was not.
- send the new URL for the site admin access.
- send the new settings needed for email.
- send the new URL for webmail access.
Support was so unresponsive that within a week I moved to a new web host just to get the site accessible again.
Lesson 1: Check web host reviews to verify whether support is responsive and thorough as well as available.
My admin and I agreed to try a VPS (virtual private server) at the new host, thinking that a virtual machine, which typically is set up within an environment that has already been secured, such as on a PC with malware protection or on a PC or server inside a network firewall, would prevent some issues that caused problems for the previous host.
My web administrator is a veteran of nearly 30 years on UNIX systems who is known for securing them well. The new web host recommended an OS that was somewhat new but assured us, orally as well as via the statements on its web site, that it would “hand-hold” as much as necessary for setup, maintenance and security.
It took several days to build the VPS and the site and to investigate and address every security issue we could identify. Within a week, however, the web host sent a nasty email notifying us that the admin password for the site - which is set through software selected and installed by the web host and which we could neither configure nor replace - had been cracked and the site was being used to send spam.
I took the site offline, got support on chat (phone support, we realized after we moved, was reserved for emergencies only) and repeatedly asked for instructions on how to block hackers. I was told only to change the admin password and make sure all software patches had been applied.
Lesson 2: Make sure phone support is 24/7 for all causes, not just for emergencies.
That hardly seemed adequate, but I did so and put the site back online. Although I have a record of the chat, there was no user name attached to whoever chatted with me.
Lesson 3: If chat support does not provide even a user name so you know which support representative is responding to you, RUN.
About a week later, the web host sent a vitriolic email saying the site had again been compromised via the admin password and was again being used to send spam. It specified that the hacker had exploited a vulnerability in my CMS software and threatened to terminate the account if the vulnerability were not blocked.
Notice the web host flatly stated the entry point was the control panel to the web site administration, over which we had no control and which has known weaknesses commonly exploited by hackers. As long as the entry point - the administration control panel - was insecure, the site was unsecurable.
Lesson 4: Determine what software is being used for operating system, administration, and email and research the security issues associated with each before you switch. If security on those elements is cheesecloth, the site will be unsecurable.
Also, some investigation indicated the hosting company placed servers handling VPS sites outside its firewall with no native security at all. If so, we were being charged premium prices for raw hardware with less security and support than a standard, less expensive shared hosting account, or even a home PC. What a great setup for the hosting company! Provide raw hardware, charge premium prices, and appear ferociously security-conscious by browbeating the people who pay for the unsecured - and possibly unsecurable - space and wrack their brains trying to plug holes they did not create and cannot control.
Lesson 5: If you decide to go with a VPS option, specifically ask what security options are in place for it and what assistance is available to the person building the VPS to secure the site.
If the host advertises “managed hosting” for VPS, make it specify what that means. Preferably, get those fine points in writing. Cursory investigation indicates the unsecured scenario is typical, although not universal, for VPS offerings, and that most companies - sometimes despite claims to the contrary before you switch - neither provide a secure environment for nor assist in securing VPS.
Within 24 hours I had moved the site to a new web host and an arrangement other than VPS.