Security (Lack Thereof)…

The need for top-notch security in the hosting industry cannot be overstated. Consumers and businesses are becoming more and more savvy to the need for security in all aspects of computing. However, understanding that you need security and implementing it are two very different things. Let me give you an example.

To fly to Mexico from Salt Lake City (where my FAMOUS Utah Jazz are from!! GO JAZZ) requires a passport. My brother was supposed to fly to Puerto Vallarta today. He THOUGHT he didn’t need a passport to fly there, but of course he does. Don’t worry, I let him have it for being completely unprepared. He called me up and was depressed that he couldn’t be there with his friends. Being the person that I am, I NEVER take “No” for an answer. I immediately started thinking how to get around this “security problem”. Driving into Mexico requires far less documentation than flying into Mexico (I’ll never understand why – actually I do, but let’s not get into a political discussion when talking about security!!). I then called several Mexican airlines to ask if a US citizen needed a passport to fly within Mexico. The answer was no. Fantastic, what if my brother flew from Salt Lake City to San Diego, took a 30-40 minute cab ride to Tijuana, and then jumped on a plane to Puerto Vallarta? It couldn’t be that simple. Surely I couldn’t get out of the need for a passport to fly internationally in an hour?

Sadly, the answer was yes. It’s great news for my brother, who is getting on a plane in a couple of hours, but pathetic that our country’s “security” is so ridiculous. When security hassles legitimate customers but does nothing to stop determined individuals, it isn’t security at all. So many products and services prey on individuals’ desires to be safe but really provide nothing but a VERY false sense of security. Unfortunately, ignorant decision makers set security policy in every aspect of our lives. From banks and financial institutions, to our borders, to our own computers’ security – it’s broken from the top down.

What can I do to provide better security for our customers? A lot! We work all the time to educate ourselves and update our servers with all the latest “real” security options available to us. I think we do a pretty good job, but we can always be better. I have seen huge hosting companies that are open to attack in multiple areas where one abusive person could literally destroy the company. I won’t name any companies, but I have firsthand knowledge of many companies that take a less than stalwart stance when it comes to security in the hosting industry.

We do our best to segregate customers from each other so that when a customer of ours makes a foolish decision, or doesn’t keep their own code and security up to date, their own site will be compromised without affecting our other users. Security for our servers as a whole is our responsibility. Security for individual sites and those who choose to run scripts such as blogs, forums, etc. is the responsibility of our customers. Please take that responsibility seriously!

Thanks,
Matt Heaton / President Bluehost.com

14 Responses to “Security (Lack Thereof)…”

  1. John Draper says:

    You need a passport to come home – not to leave. How does he prove his citizenship when he comes back? As a minimum, it will be a hassle.

  2. Hi Matt,

    I have been using Bluehost for almost 2 years now and I am fascinated by how reliable and secure it is – I had been hosting my sites with other hosts as well and there would always be hacked sites and other issues – but never a thing happened to me at Bluehost. Thank you for that!

    Best regards,
    Liz

  3. Larry Ludwig says:

    Yes, I agree, Matt. Our industry as a whole MUST take security seriously. IMHO there are also too many “script kiddies” on the hosting side too. All they know how to do is run scripts given by the control panel maker.

  4. Francis says:

    You just touched on an issue that’s been plaguing me! I’m currently with a different host (who I’ll tell you if you email me) that gives you as many Unix accounts as you like and allows you to host one or more domains and assign them to an account. This allows me the peace of mind that if one of the websites gets hacked, all my information and my other domains aren’t up for grabs!

    Unfortunately they are slow and unreliable (they used to be better!) so I’m looking for another hosting company who does the same. Or at least provides some sort of security between domain names. If bluehost did I’d sign up with you in a heartbeat. I have clients who use you (and have for years) with no trouble.

    It’s just I need more security!

  5. Bob Barr says:

    I’m a bit overwhelmed with the amount of information on script security. Being new to web design, I’m a bit apprehensive about adding a script to my site. Can you recommend a concise guide to setting up good security on php scripts?

  6. Mark says:

    So your brother drove into Mexico without a passport. But the real question is, can he get back into the US without a passport? I would be more concerned with getting back, than getting there!

  7. Dave Atkins says:

    You should write a blog post about what has been going on in the past few weeks. My sites were down an entire day 2 weeks ago while you rebuilt the server or something and today, my database server had to be restarted. Is there something going on that is causing your servers to be more unreliable or am I just unlucky?

  8. Adam B. says:

    Matt,
    As a customer I appreciate your fierce concern for security. I noticed that this blog is built in WordPress, and most of my sites are built in WordPress as well. What can I do with my WordPress sites to ensure security on an individual level?

  9. Brent2 says:

    @Adam B.

    From everything I’ve read, WordPress is pretty quick on security, so long as you stick with the current version. Pretty sure 2.5.1 came out to fix one security problem, along with a couple gnat-sized bugs.

  10. charles says:

    Yesterday I spent 3 hours fixing 10 of my websites hosted with IX hosting, which were hacked. The hacker posted some text and URL into my WordPress blog site. Finally, I found out that they were running brute force through the MySQL database. Once gaining access, he manipulated the MySQL data entry and changed it to his desired text.

    The truth is that he might be one of the hosting users, who might also sit on the same server. And it’s easier for him to run a brute force locally, thus gaining access to my database.

    Sadly, I had to spend 3 hours checking root folders and files (which were untouched), and then repairing the MySQL, and changing whatever passwords I could think of. Finally, the attack is gone for now.

    Yes, ‘internal’ security is a big concern for hosting companies. Attacks come not just from external sources.

  11. A passport is required to re-enter the U.S. from Mexico. The issue with driving is that you may or may not be pulled in for secondary check. If you aren’t, you won’t have to show the passport. If you are, you’re in for a long, LONG detention. I can say all this with confidence, because I’m a Customs Broker and work with Customs every day.

    Also, if you’re a resident alien working/living here on a green card, you must have your passport AND your green card when you come back in. Failure to present both will subject you to either having someone bring the green card to get you out of secondary, OR applying for a new one on the spot, which costs over $500.

  12. Barry Moore says:

    Hi Matt….

    On the security front, you should have somebody take a look at SimpleScripts. Fantastico takes the time to install .htaccess and/or blank index.htm files into any directory that could be browsed and shouldn’t be, but SimpleScripts doesn’t.

    To have to do this manually somewhat defeats the purpose of such a fantastic installer, because the technically ignorant won’t even realize that there is a problem and will leave these holes for hackers to poke their noses into. I know a bit of simple command line and some basic PHP, so to do it with cPanel takes a fair bit of time and may break something, because I’m not 100% sure exactly what I’m doing.

    Good first effort on the SimpleScripts (B-), if you can tidy that little bit up it goes to an A!
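
The check described in comment 12, as an added example that is not part of the original thread and is not Bluehost, SimpleScripts or Fantastico code: it lists directories under a web root that have neither an index file nor an `.htaccess` (their own or an ancestor's) containing `Options -Indexes`. It assumes Apache with `.htaccess` overrides enabled and the index file names shown; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find directories Apache could auto-list (assumed setup:
# mod_autoindex on, .htaccess honoured, index names as listed below).

# Succeeds if DIR, or any ancestor up to ROOT, has an .htaccess that
# switches directory listings off with "Options ... -Indexes".
covered_by_htaccess() {
    dir=$1; root=$2
    while :; do
        if [ -f "$dir/.htaccess" ] &&
           grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$dir/.htaccess"
        then
            return 0
        fi
        # Stop at the web root (or the filesystem top as a safety net).
        case $dir in "$root"|/|.) return 1 ;; esac
        dir=$(dirname "$dir")
    done
}

# Succeeds if the directory holds a file Apache would serve instead of a
# listing. These names are an assumption; match your DirectoryIndex.
has_index_file() {
    for f in index.html index.htm index.php; do
        [ -f "$1/$f" ] && return 0
    done
    return 1
}

# Prints every directory under ROOT that has no index file and is not
# covered by an "Options -Indexes" rule.
browsable_dirs() {
    root=${1%/}
    find "$root" -type d | sort | while IFS= read -r d; do
        has_index_file "$d" && continue
        covered_by_htaccess "$d" "$root" && continue
        printf '%s\n' "$d"
    done
}

# Usage: sh audit.sh /path/to/public_html
if [ "$#" -gt 0 ]; then browsable_dirs "$1"; fi
```

A child `.htaccess` can turn listings back on with `Options +Indexes`, and the main server configuration may already disable them, so treat the output as a list of directories to review.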

  13. From everything I’ve read, WordPress is pretty quick on security, so long as you stick with the current version.

  14. While Fantastico is a wonderful tool, I think it gives many users a false sense of security. Or better said, it lulls many people into not thinking about security, especially with blog apps like WordPress.

    My team and I hear, “But we used Fantastico to install it”, all the time.

    People are usually quite surprised when we tell them that did nothing to secure their WordPress site.
