Looking For A Secure Webhost For WordPress

[Jeffro]

Let's say I'm looking at different webhosting companies to host my WordPress powered website and the ONLY thing I care about is security. This is a shared webhosting environment. What questions or things should I as a customer look out for or ask in order to determine if the host meets certain requirements where my website using WordPress will be secure?

[jkudish]

I think that having up-to-date technologies is very important, APACHE and PHP primarely.

[Ipstenu]

SQL too.

One of the things I always tell people is to go to the public forums for the apps you want to run (like Wordpress.org). Do a search on the webhost you're thinking of using and see what comes back. Sure, you have to balance the whinging with the pimping, but you get a good idea of things. Like if you look up GoDaddy on WordPress.org, there's a lot of discussion about them, good and bad. But if you look up (say) LiquidWeb, it only really shows up with a couple mod_sec errors and then as recommendations for a good host.

I also always look them up in the BBB, which you'd not think of for security, but if a site gets bad reviews and warnings, they're usually suspect in many regards.

Ask about internal firewalls. What do they use to keep naughty people out? Look up the answers and see what people say about those products.

Backups! Do they back things up for you? If so, how often and for how long are those backups kept?

SSH and SFTP - If they don't offer these, I walk away.

24/7 phone support, toll-free to your area. Full stop. Extra points if they speak your native language and are willing to deviate from a script when you prove yourself competent.

Physical security. Is my data going to be jacked by Mel Gibson from Mad Max? Okay, that's a joke, but the idea's there. Redundancy for access. If the data center in Newark is nuked, will my data still be available in your off-site backup in California? What's the fail-over time frame? Redundant lines in case a backhoe goes through one?

Also I want to know if they over-sell their shared hosting, but ... that's harder to sort out. I ask if there are limits on users/usage per shared host, usually.

[kgraeme]

Ask how they secure/sandbox the user account space, whether your account space can be browsed by other users. By default *nix systems don't protect user home directories. (e.g. chroot, http://www.cyberciti.biz/tips/howto-...ail-setup.html )

Also how they secure/sandbox the php processes. By default, php has to run with apache privileges and any code that runs on the server, regardless of user, runs in the same security context. Sandboxing the PHP code to a specific user account is important on a shared host so that user1 can't write some code that hijacks user2's site. (e.g. suphp, http://www.suphp.org/Home.html )

[kgraeme]

SSH and SFTP - If they don't offer these, I walk away.

Agreed.

SSH is basically command line access, but everything you type at the command line is secured between your computer and the server. This is different than the old Telnet where even logging in sent your credentials in the clear.

SFTP is the same thing. FTP sends login and all transferred information in the clear. SFTP is a FTP-like interface via SSH. One caveat is that it may require changing FTP clients to something that supports SFTP. There are standalone clients like SecureFX as well as support built into IDEs like Dreamweaver and Aptana. (There is also FTPS, also known as FTP-SSL, which uses the same kind of SSL certs as a website uses for securing the communication. This is more popular with Windows based servers, in my experience.)

[eyecool]

Ask for links to successful wordpress websites that they host. If there aren't any good one, look elsewhere.

Really though, someplace like linode.com (Donncha's site is hosted there) or maybe vps.net (yoast is a huge fan).

I have experience with linode. It's awesome. I'd help you set up properly, as a gift, if you'd like a hand.

A successful blog + forum I know you've never heard of that's hosted there (just for comparison) is http://www.greenandgoldrugby.com/ He's running on a linode 360 ($20/mo). Look at it and tell me it's not screaming fast (and secure).

[Jeffro]

These are all good tips and suggestions. So far, I have the guide looking pretty good.

[eyecool]

=x Thought this was for your site. I've been afk a lot and thought you might still be having issues.

If this is for a guide, "Hosts with known problems" could be a worthy section. Seems like Network Solutions and GoDaddy are on the short list of 'just don't host it there'. LOL

[Martin]

Ask for links to successful wordpress websites that they host. If there aren't any good one, look elsewhere.

Majority of hosts will not do that

[andrea_r]

Ask how their MySQL is set up. Can you access your own databases?