hgb Posted April 13, 2015 Share Posted April 13, 2015 What is the best method to secure content on shared hosting servers? I currently host several information site and a couple of forums on a shared hosting Windows plan from Godaddy. I would like to secure the data transfer but I am not really interested in getting separate IPs for each domain. I am getting ready to renew my hosting account in a year or so and I want to hear thoughts and suggestions on the subject. Thanks for taking the time to read this post. Quote Link to comment Share on other sites More sharing options...
ZaraByte Posted April 13, 2015 Share Posted April 13, 2015 You honestly can get a decent VPS for under $20 a month from money companies like digitalocean or ramnode by far i'd have to say ramnode is the best host i've hosted with i don't have any issues with my vps i pay like $5 for my server and its no better then a Raspberry Pi when it comes to hardware. I run wordpress just fine on it. obviously that's not what you wanna hear but i stay away from shared hosting due to security issues also because if someone is being attacked everyone is effected many other reasons i stay away from shared hosting. I don't think many people on this forum use shared hosting if they care about their website. setting up a website on a VPS is really simple matter of searching for "How to setup a LAMP Server" tons of guides on it i can have a fully operating webserver setup in about 10 minutes. Quote Link to comment Share on other sites More sharing options...
cooper Posted April 13, 2015 Share Posted April 13, 2015 [...]i don't have any issues with my vps [...][...]i stay away from shared hosting [...] Just to make sure I've got the distinction between the two right, with a VPS you get one from a large lump of virtual machines on a physical host and you get to play with that virtual box as you wish (yadda yadda TOS), whereas with shared hosting you basically get write access to that part of the file tree that maps to your domain on the webserver (yadda yadda cpanel). Am I right? Quote Link to comment Share on other sites More sharing options...
digininja Posted April 14, 2015 Share Posted April 14, 2015 You don't need a unique IP to run a site over HTTPS so most hosting companies will be able to let you add one to the hosting package without much effort. Quote Link to comment Share on other sites More sharing options...
digip Posted April 14, 2015 Share Posted April 14, 2015 What is the best method to secure content on shared hosting servers?Any hosting that I've worked with in the past, shared or private, needed a unique IP for SSL certificates, even with vhosts and shared hosting. They will most likely charge you a fee for each site you put SSL on though, vs one fee, since each of them need a unique IP address for each SSL certificate to show as valid, but on the backend, you can still be on a shared host and should not require a VPS, which in itself is more of an issue with your initial question:"What is the best method to secure content on shared hosting servers?" and to that I would say depends on how the shared host secures the back end. SSL on the front is fine, but on shared hosting, any other user's site compromised(and GoDaddy is not the only host with this issue but largely one of the worst) you run the risk of having your site seen and accessed depending on how each server is setup, and it's on a server by server basis, not per host. You can have 10 servers on the same host locked down and one not be, which is what I've run into on many hosts. It's just been my experience with GoDaddy servers and accounts I've worked on for clients, almost all of them have been easily traversed out of their home directory to see files from other shared users, so keep this in mind if staying on GoDaddy servers. Not that other hosts don't suffer from the same issue, and I've even found it over the years on Dreamhost, which is where my sites are hosted, but they've fixed it as soon as I notified them. GoDaddy, hasn't always been as friendly nor responsive to fix issues I've found on their servers in the past and in many cases pulled the generic "change your password" or "it's something you did, and not on our end" type responses. GoDaddy also had/may still have a WordPress worm that comes back every so often on their network, that inserts code into the header.php file of all found WP sites on the shared hosts, but also goes after cPanel and vBulletin based sites they host, so pray you're not on a leg of the network that gets hit with it if using any of these packages. Quote Link to comment Share on other sites More sharing options...
digininja Posted April 14, 2015 Share Posted April 14, 2015 I've not worked with shared hosting in a long time but on the servers I admin I have plenty of certificates on a single IP, guess if they can charge they will. Many years ago I was with Plusnet and they let you ssh to the server to admin your files and they allowed you out of your home directory and into other user's directories. I pointed it out to them and they told me that all I could do was read info that was already public so it didn't matter. I tried to explain the problem but they didn't want to hear. Seeing as someone will be probably thinking "why not just encrypt your files on the disk", you can't as the web server has to be able to read them to serve them. For those thinking "why not encrypt your data", you can but you probably need the key to decrypt it on the server and anyone with read access will be able to read the key and so decrypt things. Quote Link to comment Share on other sites More sharing options...
cooper Posted April 14, 2015 Share Posted April 14, 2015 You don't need a unique IP to run a site over HTTPS so most hosting companies will be able to let you add one to the hosting package without much effort. That's probably true for regular certs - as long as the domain associated with the cert is what you're accessing as a client, you're good to go. The roughly 10x as expensive DNSSEC certs (the ones that put the name of the company visible and with an alternate color in the URL bar) require the client to do a reverse DNS lookup of the server's IP and only when that returns the domain name from the cert will it accept the cert as valid for that domain. So in that case you most certainly DO require a unique IP for this HTTPS site. Quote Link to comment Share on other sites More sharing options...
digininja Posted April 14, 2015 Share Posted April 14, 2015 Thats very true but from the tone of the initial question I have a feeling that a basic cert is all that is required. Quote Link to comment Share on other sites More sharing options...
ZaraByte Posted April 14, 2015 Share Posted April 14, 2015 (edited) Just to make sure I've got the distinction between the two right, with a VPS you get one from a large lump of virtual machines on a physical host and you get to play with that virtual box as you wish (yadda yadda TOS), whereas with shared hosting you basically get write access to that part of the file tree that maps to your domain on the webserver (yadda yadda cpanel). Am I right? I just stay away from shared hosting a VPS has always been the closest thing to a dedicated server i can have for the price i've had dedicated servers in the past but they're a bit out of my budget for now. awhile a VPS is basically a virtual server that sits on a dedicated server and shares the same resources like a shared server their is better freedom to a VPS then shared. I possibly made a mistake i how i say things but i at least get the point im trying to make. plus $5 a month is pretty decent for what whats offered. Like i said my site might as well be running off a Raspberry Pi the only difference really is some of the hardware. If i honestly had the hardware to handle a DDoS attack i'd just run my website off a Raspberry Pi. OT: I dunno much about SSL Certs i had a ssl cert for my site awhile back due to me moving around i just finally dropped it people hardly use my site for anything anyways and besides if you're honestly gonna register on my site with the same password you use for everything else you use then i guess you should get hacked :B SSL was just too much of a hassle for me plus you gotta make sure that you fix everything on your site that was http and change it to https otherwise the information isn't gonna be fully encrypted on parts of your site. meaning lets say you have a wordpress website and you have images on your site for examples of programs you made you basically have to manually edit them urls from http to https im sure you know but for people who don't know just figured i'd say that. Find a host you're gonna wanna stay with long term then setup SSL my issue is i move around so much that i just dropped ssl support on my site. Edited April 14, 2015 by ZaraByte Quote Link to comment Share on other sites More sharing options...
digip Posted April 15, 2015 Share Posted April 15, 2015 meaning lets say you have a wordpress website and you have images on your site for examples of programs you made you basically have to manually edit them urls from http to https im sure you know but for people who don't know just figured i'd say that. Find a host you're gonna wanna stay with long term then setup SSL my issue is i move around so much that i just dropped ssl support on my site. If setup properly with relative URL's or even open urls (ie "://site/path/file.ext" - not http or https vs "./directory/file.ext") you can use htaccess to rewrite all http to https without the need for HSTS even to be implemented. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.