Displaying items by tag: secure web hosting
None of our clients have ever received a message of this nature, and we aim to make sure it stays that way. We do that by ensuring that your sites, all addon components, and all server applications are up to date. Plus, the sites and the servers have additional commercial security applications in place as further lines of defence against unwanted visitors.
Just because no client of ours has ever experienced this scenario doesn't mean that it doesn't happen. It does......every day! If you look at the Sucuri Security Analysis you can see for yourself how many sites do get hacked......we're talking of thousands on a daily basis. The fact of the matter is that every 4 to 5 years, a site will reach the stage where it can't take any more security patches or run on later PHP versions. The reason for this is that the application is now totally out of date and contains multiple deprecated and end of life processes that need to be totally removed from the installation. That is the point where it needs to be replaced as you can't keep papering over the cracks.....you can only go so far. Though by that time it's going to look very visually dated to users anyway, which is not a good way to present yourself to potential clients. Dormant site equals dormant business in the view of end users.
At that stage we can no longer support sites of this nature as they represent a danger not just to themselves, but to every other client on the server. We won't take risks of this nature......the wellbeing of our clients' businesses is too important to us. Unfortunately, some clients refuse to accept our recommendations. Obviously they don't consider their site security to be of any relevance, so they find a web hosting provider who doesn't consider their server and client security to be of any relevance either. Now you have the perfect storm!
This is just playing Russian Roulette......and one day you will get the loaded barrel. It's just a matter of time. And that time arrived for one former client this week when he received this mail from his current provider.
We have found that your site is potentially compromised/hacked. Our scanning systems have provided the following information regarding the issue: Malware detected. Our Team cares greatly about your site's health and well being and we recommend one of the following options which we have documented in detail for your review: Have a developer clean the site or request a site sanitization from us ($90)
Due to the nature of the problem, we need an immediate response from you. Simply respond to this email letting us know what option you are choosing. If we do not hear back, the site will be isolated and blocked to protect your site data as well as the network.
His provider can clean up the malware for $90.......but that hasn't changed the status of his site one bit. All they will do is remove the malware - his site is still in the same outdated and vulnerable position it was before it got hacked. So within a week or so it'll get hacked again resulting in another $90 cleanup bill. And this will continue ad infinitum until he replaces the installation entirely.
Unfortunately, it's not just the cost of the cleanup processes! It's the lost business, the diminished client confidence, the disruption, and the resulting stress of a trainwreck like that. And just when you think it can't get any worse you find that Google has blacklisted your site because it's found the malware on there. Be aware that websites lose about 95% of their traffic when blacklisted by Google, and getting them to reassess your site status can take some time.
It's not the first time this has happened to an ex-client and it won't be the last. There is an easier way of course - just listen to the security advisories that we give on your site status. After all, if your mechanic tells you that your brakes are about to fail........do you then carry on driving regardless, thinking it won't happen to you?
Nothing is more important than security......and there can be no compromises in this area. Seriously......just don't risk it!
Are you absolutely sure that you're fully complying with GDPR regulations and directives? You need to be certain of this, because if you don't comply there could be some serious pitfalls ahead. We all have responsibilities, so it's essential that we know exactly what is required of us.
In my position, I have a duty of care to advise you on best practices, and to ensure that your websites continue functioning 24/7/365 without grief! I can only do that with your cooperation in the event that your applications are approaching end of life. And since the implementation of GDPR in May 2018 the stakes have got a lot higher. Now it's not just me telling you, the European Union are saying it as well - and they're enforcing it to the letter.
Outdated software is always going to mean a jackpot for hackers, but there are some website owners who are seemingly willing to roll that dice! Unfortunately there's now another implication, and this one can do you more damage than any hacker is capable of doing. And that is failing to conform to GDPR compliance!
GDPR is about risk assessment and mitigation. If businesses use software that is EOL (End of Life) they are knowingly, or unknowingly, increasing their levels of risk and in breach of GDPR. If you fall into this category then you are likely to face the heaviest penalties if personal data is compromised.
That applies to everybody, irrespective of whether you're in the EU or not. For example, if you're in the US, the HIPAA Security Rules state that entities must “implement security measures sufficient to reduce risks and vulnerabilities". And if you're using unsupported or EOL software then you are in breach of this regulation.
So how does all this affect you and us?
In your case if you use outdated software and there is a data breach you face huge fines. In the first 9 months, 206,326 cases were reported!
The biggest so far is Google who had a €50 million fine levied in France, then the levels vary according to the severity of the breach. A Healthcare organisation in Germany had an €80K fine for exposing sensitive personal data, and even a small social site there got hit for €20K for storing user passwords in plain text.
In our case, we cannot provide you with EOL and outdated software. If we do, then we are in breach of GDPR regulations for using insecure applications to handle clients' data.
My ignorance or your ignorance doesn't cut it! We are all accountable, so we need to be aware of the possible ramifications of breaching GDPR regulations. Let me be absolutely clear here......the financial penalties in the event of a data breach are potentially crippling as you can see HERE!
I also suggest you review a summary of the regulations HERE......in particular the directive "Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing".
What's caused this scenario?
It's down to the accumulation of data breaches over the last 25 years due to the casual attitudes of website owners, which also includes Government departments and large enterprises, who never took security seriously. Then throw in the massive corporations who've deliberately misappropriated users' personal data for both financial and political reasons.
This has now led to a situation where we're being monitored, and held to account, as if we're living in a world borrowed from the dystopian fiction novels of George Orwell!
To summarise.....I've always kept clients aware of the dangers of end of life software. However, I'll openly admit that in the past I have allowed a little bit of leeway for them to get their sites updated. Or if they choose to do so, move their accounts elsewhere and continue to take the risk. But I cannot do that any more......otherwise we'll all be breaching GDPR regulations. So if a client is approaching the point of EOL software on thir account, the situation needs to be addressed prior to expiry........not at some point after that date.
There may well be providers who will take this risk because they don't want to jeopardise their income stream. We won't do that.........the penalties for data breaches are too severe to leave anything to chance.
So we're all in the same boat here inasmuch as we have to ensure that we are in full compliance with GDPR regulations. Be aware that there's no "Get out of Jail" card on this one!
Time doesn't bypass anything, or anybody! That includes our computers, our mobile phones, our TV's, our cars......even us! So why would websites be any different?
Yet it's been my experience in the past that when I notify some clients that their sites have become outdated and no longer have security support they seem surprised. It's as if they weren't aware that websites, like everything in life, are affected by the passage of time.
So how does a website age? Visually you can always tell an old website because of the way it looks, as it will appear somewhat dated compared to modern ones. But it's not the visual element that's the problem.....it's the code that's been used within it where the problem lies. Because as time goes on, security holes appear. And if they're not patched and updated then there are going to be security breaches!
Another critical element in the "safe" life expectation of a site is PHP. PHP is the scripting language on the server that runs all our clients' websites......in fact around 83% of the sites on the Web are powered by PHP.
Over the years, as with all technology, PHP has advanced considerably. It's much more secure, and now considerably faster in the time it takes to render web pages. This gives you peace of mind re security, and a much better experience to your users. But as it advances through the versions it becomes necessary to remove certain coding elements that older sites used. This is to ensure that any unsafe elements are no longer included, and to continue to advance the application in terms of performance and security.
Unlike some years ago, we now have the option to run multiple PHP versions on a server at the same time......so most web hosts are able to accommodate the needs of all users at any given time. At present we have PHP 5.6, 7.0, 7.1, and 7.2 available which can be assigned on a per site basis. And 7.3 is due to launch next month so that will be added as well.
But a big change also happens next month which will affect clients on older sites: PHP 5.6 and 7.0 will become unsupported and end of line! Here's the PHP version calendar:
After those two highlighted dates, any users on PHP 5.6 and 7.0 will no longer have security support and are potentially exposed to unpatched security vulnerabilities.
The key point you have to be aware of here is that if you still need to run on those old PHP versions, then there's elements within your site that are out of date as well. So there's two risks facing you: outdated site software and outdated server software.
In terms of our clients, we will continue to provide PHP 5.6 and 7.0 for them until the expiry of their current hosting period. At that point, if they don't intend to upgrade their sites, we will find an alternative Web Host for them who can still offer these outdated versions. But be aware, those Hosts won't be able to offer that facility indefinitely......there will come a point in time when they'll withdraw them too.
As always, my advice is this: Only use currently supported versions of site software and server software. If you don't, then you're putting yourself, and others on the server, at risk of potential security breaches.
As I mentioned earlier, some clients don't like to hear that they are potentially at risk. But we have a responsibility to keep clients informed, in the same way your mechanic would give you a safety advisory related to your car. I doubt that anybody wants to get a report saying their brakes are failing........but it's most definitely something they need to be told!
Another reaction I get is when clients say "Why would anybody want to hack my site? It doesn't get a lot of visitors so I'll just leave the site as it is".
Now just change that thought process to "Why would anybody want to burgle my house or steal my car? I'll just carry on leaving the doors unlocked".
Make no mistake, Point 1 and Point 2 express exactly the same point of view.....that somehow it won't happen to me. However, statistics suggest that it will happen to you if you don't take security seriously. There are more than 1.86 billion websites on the internet. Around 1% of these, something like 18,500,000, are infected with malware at a given time each week; while the average website is attacked 44 times every day. Official Industry Source HERE!
Just because you're not aware of this situation doesn't mean it's not happening. It just means it's not happening to you because of the proactive steps we have taken on an ongoing basis over many years.
If we are no longer able to take those measures because of the circumstances I've detailed in this article then we have a responsibility to our clients to make them aware of it. Of course, what they decide to do at that point is their decision......but nobody who's a client of ours can ever say "I didn't know".
There's been a marked escalation of Brute Force Attacks aimed at popular web applications recently!
First let's establish what is a Brute Force Attack?
Essentially it's a number of remote computers who control thousands of other infected computers that bombard your site with hits from thousands of IP addresses. Their target is the Administrator login area in an attempt to get access.
Besides the risk of them getting access, there's also the knock-on effect of this extreme volume of traffic on the server itself. This sort of scenario can bring a server to a complete halt with all sites going offline as a result. But in the case of recent attacks nobody else was affected.....only the actual site that was under attack. And we can thank Cloud Linux for that!
So what can you do about this very real threat?
The only solution is the installation of a commercial firewall on your site BEFORE an attack happens! I'm not going to openly divulge what it is and what it does for obvious reasons....but it works!
Be aware that if you do come under Brute Force attack without the firewall then Cloud Linux will just take your site offline till the attack subsides. That way no other clients are affected.....just YOU! How long until it comes back online again? That depends on how long the attack is sustained for......the last one was hitting the server from 8500 IP addresses, so it's not as if we can blacklist 1 IP and be done with it. If only it was that simple!
When the attack subsides we will then be able to access the site and install the firewall to prevent any further disruption. But until that point we're limited in what we can do because the attacks are coming in thick and fast from thousands of locations throughout the world. So if you're the next target be prepared for some downtime if you don't have this firewall in place ready.
One thing I can confirm though.....no sites were compromised in any way and nobody got access. We're proud of that because it's a testament to what we already have in place! But with the site firewall as an additional security layer we'll then be in a position to pick them off en-route.....well before the stage where the site goes offline. If you want business continuity, then this is the way forward.
Effectively, the bar has now been raised in terms of security threats. So to counteract this we've got to offer additional commercial security applications installed into the sites (not the server) to protect our clients' interests. We're certainly not burying our heads in the sand! If you choose to bury your head in the sand then that's your choice....but be aware it's only a matter of time before somebody else becomes the next victim. Really, the only question on my mind is "Who's Next?"
Security is the most important aspect of any internet based application. Bar none! Just because you haven't experienced bad things.....bad things do happen, and it's getting worse. Every day we battle with various attempted security breaches at both server and site level. If they're particularly serious then we let clients know.
It doesn't help that despite numerous security advisories, some clients knowingly continue to run obsolete and insecure software. Unfortunately there's only so much we can do in these situations because vulnerabilities actually exist......so it's only a matter of time before somebody exploits them. That's an absolute fact.
If you're on current software (which 99% of our clients are) then the risk is greatly reduced. It doesn't mean you're impervious to intrusion by any means, but the odds in your favour are a lot better. But what do you do if somebody wants you taken out of commission for either business or personal reasons?
Now this is where it gets interesting......because recently, two sites have gone through a period of sustained and premeditated hacking attempts. And one of them was ours! Yes.....I'm talking about this site!
In our case, somebody (for whatever reason) bombarded the site with intrusion attempts. And despite everything being locked down tight, they got in. We were onto it virtually instantly and dealt with it, but the results could have been catastrophic.
So it was at that point we had to rethink our options. We immediately put in a commercial website firewall application along with a number of other security related initiatives......which for obvious reasons we can't elaborate on. Since then all has been well, but we're expecting a repeat at any time, and no doubt this will be at an even higher level of expertise.
The second incident occurred very recently......and it was directed at one of our lady clients. Somebody who's been with us for many years and has a very successful business. Her attacks were perpetrated over a longer period and at a much higher volume than ours. It sent her bandwidth usage through the roof resulting in her site going offline for a short period.
We then set up the same security system as we'd done on ours, but we even had to take the unprecedented step of blocking transmissions from a number of countries. Yes.....it was that bad. I'm pleased to report that since then everything is back to normal.....however, as in the case of our site, we're monitoring any traffic to her site very carefully.
So why were we, and our client, attacked in this manner?
The common denominator is we've both been in our respective business sectors for nearly 20 years and are very well established. It could well be the case that we're the dominant entities in our markets......and if either of us were taken out of commission then others could potentially stand to gain from it. Neither of us have any problems with any person (client or otherwise) past or present, and neither of us have any bad business relationships with competitors or associates. So there's absolutely nothing conclusive to go on.
The fact remains that two of us with current and secure software were taken out of commission in a clinical, systematic, and sustained manner. This was no script kiddy or opportunist behind it.....this was a pro who no doubt was being paid to get the desired result. Disruption was minimal in both cases as we were on it fast......but it just goes to show that even when even when all your web applications are up to date, a pro can still get to you. If you're running obsolete software then the result will not be a short disruption, it'll be a trainwreck......but that's your choice.
The cold, hard truth is that even if all applications are up to date and all normal security processes are in place, you're still vulnerable. Not vulnerable in relation to the amateur hackers (like obsolete sites are), but you are most definitely vulnerable to the pros. And it doesn't cost much for somebody to hire a pro to do this sort of job! Both my client and I are fairly sure this is what happened in our cases......and we may not be in the clear yet, as only time will tell.
My feeling on this whole business is that now I would never run a site of mine without having the commercial firewall (and other initiatives) in place. Our property was violated....the site felt "dirty" afterwards so we replaced it entirely. If you've ever had a car stolen and returned then it's the same feeling, and I don't want to be in that position again. Should any clients want to have the same level of protection put in place to secure their site, and the way things are these days I would certainly consider it, just contact us at
This relates to the most important aspect of what we do.....Security! Because it's estimated that there are millions of outdated and totally obsolete Content Management System websites still in circulation. And they're all playing Russian Roulette!
Besides looking very dated.....which isn't going to inspire potential customers, the majority are not even mobile compatible. Consequently they're unlikely to get any business through mobile searches as their sites will not render correctly on different devices. And when you consider that the majority of internet searches now come via mobiles, then it's obvious that their potential target audience is going to be severely restricted.
Obsolete websites can be a business killer in terms of your credibility, but there's more to it than that.....there's Security!
We covered this in some depth nearly a year ago in The Life of a Website and it holds just as true today. Nothing has changed except the obsolete sites have now become even more vulnerable. Essentially, the stakes have been raised!
If you have an outdated site (and you will have had notification of this) you are potentially at the mercy of site vandals, script kiddies, activists motivated by current political events, and more organised groups that will take advantage (in a very clinical manner) of any weaknesses. This is usually accomplished by injecting malicious scripts into sites followed by a redirect for visitors to something like the Neutrino Trojan exploit kit server.
Therefore your visitors will be compromised by this weakness as well......making your site a danger to everybody, not just yourself.
The main target for that particular exploit (and there are many others) is WordPress content management systems.....which we don't use. In fact we won't even allow these sites on our servers. Not that it's a bad CMS by any means, but there are just too many poorly built and outdated WordPress sites out there done by hobbyists and amateurs, and they represent a security risk to everybody.
So while the risk you face isn't as severe as those people, the risk is still there. All we can do is make you aware of it.
If you choose to continue with the insecure site, we will just migrate it onto a Legacy Server that still supports the obsolete and deprecated server side scripts that these applications need.
Obviously running outdated site and server software is not exactly the ideal scenario for you or us. So moving these sites onto another server so as not to prejudice the status of current up to date sites is what we have to do. Remember that the longer it goes on the more the risk increases to you and everybody else. So don't play Russian Roulette with your business website........because one day you may get the loaded barrel.
We're reluctant webhosts! We never wanted to provide web hosting. All we ever wanted to do was build websites.....nothing else. But back in 2003 we reached the point where it was impossible to get anything done on potential clients' hosting services because more often than not they were unreliable, slow, and in some cases unfit for purpose. So we had no choice, we had to provide hosting ourselves!
We wanted the best that we could realistically afford at the time. So for some years we struggled to break even on hosting......just to be able to build sites. Then we'd outgrow our resources, so costs increased once again! In 2007 we had to move from reseller accounts to virtual private servers (VPS), then in 2009 onto a Hybrid VPS. By 2011 we'd outgrown all flavours of VPS's.....and it was onto Dedicated Servers!
We share with no one, we don't sell hosting to outsiders, and only our clients with our sites are on there. We actually turn hosting business away every week simply because we do not want a bad neighbourhood.
We're not server administrators.....we're web designers. So we pay for the highest level of server management that the datacentre can provide, with a guaranteed 5 minute response time 24/7/365......using the same upstream provider since 2009. We're in good hands.....and so are you!
Now let's look at some of the different aspects related to hosting!
Server uptime: Our uptime percentage over the last year is 99.97%. That figure is up there with some of the best in the industry! It means that over the last 12 months the server has only been inaccessible for 2 hours 37 minutes. And approximately an hour of that was down to scheduled network maintenance performed overnight GMT.
How do we know if a server goes down? We use a remote monitoring service to ping our server (send a signal) every minute of every day. If the remote server doesn't get a response it sends me an instant text message that something may be wrong. It's no joke getting a false alarm at 4AM, but it happens. You see why we never wanted to be web hosts?
Backups: Many hosts claim to have them.....but don't always take that as read! We actually do.....using the industry leading R1Soft backup system.
Every Monday/Wednesday/Friday starting at 12AM an automated process makes a backup of every site on the server, and then stores it on another server in the same datacentre. It repeats this process throughout the month till it eventually reaches it's maximum of 10 backup points. Then the oldest backup is replaced with the newest, and the process continues.
Security: One very important point here! If you are still running on outdated software that has now been withdrawn, then none of the factors below will help you much. This is because your site may well have security vulnerabilities that cannot be patched due to age, so an intruder could potentially just walk straight in without the alarm going off. If this applies to you, then you've already been informed of the situation. Now here's some (but not all) of the security processes that are in effect:
We take the hosting side of the business very seriously.....despite the fact that we never wanted to be webhosts. But as we had no choice, we thought that just like design, we'd better do it to a standard that surpasses all others.....so we did!
Let's summarise the facts:
1. Unlike others, we are not hosting resellers on low budget shared public servers. These are our servers!
2. We turn away business regularly because we won't expose our clients to any potential risk by taking in outsiders.
3. We have a solid infrastructure that is professionally managed and running on business class networks.
4. Throughout the years we've invested back into the business to deliver a better quality hosting environment.
So don't compare what we do with others.....because not all web hosting is created equal!