August 26, 2020

How Much Security to Expect from Your Web Host

Web hosting security is becoming more and more important. There was a time when if your site was small, you needn’t have worried too much about getting hacked. However, as the resources available to attackers increase, malware is becoming more and more prevalent. Attacks are evolving all the time. So, it’s important to know just how much you can rely on your web hosting provider to protect you. Some do nothing at all, others outsource their security to a 3rd party host like Cloudflare. Yet some (for example, the new HostArmada web host) go above and beyond.

Let’s take a look at the different types of web hosting security, and which hosts provide what.

Cloudflare Integration is Standard

Let’s get this out of the way first. Every single web host offers Cloudflare integration. This makes your traffic pass through Cloudflare’s servers before reaching your site. Cloudflare does a pretty good job of preventing a lot of nasties from reaching your site. Sure, the free integration is not as comprehensive as their paid plans: it doesn’t include a WAF (Web Application Firewall) and doesn’t allow rate limiting, but it’s still a lot better than nothing.

Even if your web host doesn’t offer native Cloudflare integration, I suggest you use them manually by switching your nameservers to Cloudflare. This is free and will give you access to their extremely fast DNS servers, which will almost certainly outperform those provided by your web host. If you’re lucky, your host will even have Railgun integration – though I’ve found the experience to be rather spotty.

Malware Scanning (Detection and Removal): Example NameHero

Some web hosts like NameHero periodically scan your website and remove malware using their built-in systems accessible from cPanel. They do this for all popular software applications like WordPress. On the other hand, if you’re running a VPS with a custom setup, they won’t be able to do it.

Other web hosts like Hostgator offer this service for an additional fee. And even within that, there are tiers. For example, the lowest-tier SiteLock plan on Hostgator detects malware but doesn’t do anything to remove it. You’ll merely get a notification. Also, there are limitations on how often they scan your site, and you need to pay more to get access to a higher frequency of testing.

WAF: Example HostArmada

An example of an extremely high level of security is HostArmada. They’re a relatively new web hosting provider that has a very tight setup. They provide what is known as a “WAF” or “Web Application Firewall” – something that’s quite expensive to set up and maintain. 3rd party solutions like Cloudflare charge you a huge sum to enable their WAF option, so it’s honestly very surprising that HostArmada can do this at such low prices.

The strange part is that they don’t even seem to shout this from the rooftops. According to this HostArmada review, the WAF covers DDoS attacks at levels 4 and 7 – something even Cloudflare does not offer on their free tier plan. Maybe they’ll improve their documentation going forward, but this level of detail is mostly hidden on their website, and they mention it mostly in passing.

Bot Detection and reCAPTCHA

A few web hosts like SiteGround and HostArmada also include bot detection on their clients’ accounts. This targets robots that make repeated requests to your site, whether to overwhelm it, to probe it for vulnerabilities, or simply because they behave badly: they don’t respect your robots.txt, or they keep trying to crawl your site without bothering about things like quotas.

The drawback to this is that I’ve noticed quite a few false positives, meaning that legitimate visitors can be shown the captcha, which doesn’t always render well in browsers. I’ve been faced with situations where I’ve been unable to access even my own website! The captcha solution simply doesn’t work, and if so, that’s a major turn-off. I’ve had to manually contact SiteGround for one of my sites and ask them to turn off their CAPTCHA solution entirely!
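
The two bot behaviours described above, and the false-positive problem, can be seen in a site's own access log. The following is an added example, not code from SiteGround, HostArmada or any other host; the combined log format, the thresholds, the function name detect and all sample data are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.robotparser import RobotFileParser

LOG_RE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"')
STATIC_RE = re.compile(r"\.(css|js|png|jpe?g|gif|svg|ico|woff2?)$", re.I)

def detect(lines, robots_txt, window=10, max_requests=8, max_violations=3, count_assets=False):
    """Return {ip: reason} for clients that look like badly behaved bots."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    recent = defaultdict(deque)    # ip -> timestamps inside the sliding window
    violations = defaultdict(int)  # ip -> requests for Disallow'ed paths
    flagged = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, raw_ts, path, agent = m.groups()
        ts = datetime.strptime(raw_ts, "%d/%b/%Y:%H:%M:%S %z")
        if not rp.can_fetch(agent, path):
            violations[ip] += 1
            if violations[ip] >= max_violations:
                flagged.setdefault(ip, "ignores robots.txt")
        if STATIC_RE.search(path) and not count_assets:
            continue  # one page view pulls many assets; don't rate-count them
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) > max_requests:
            flagged.setdefault(ip, "request rate")
    return flagged

# Constructed sample data (documentation IP ranges, made-up user agents).
ROBOTS_TXT = "User-agent: *\nDisallow: /wp-admin/\nDisallow: /private/\n"

def _line(ip, sec, path, agent):
    return (f'{ip} - - [26/Aug/2020:10:00:{sec:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{agent}"')

SAMPLE_LOG = (
    [_line("203.0.113.9", s, f"/private/doc{s}", "BadBot/1.0") for s in range(5)]
    + [_line("203.0.113.20", s, f"/post/{s}", "Scraper/2.0") for s in range(12)]
    + [_line("198.51.100.7", 0, "/", "Mozilla/5.0")]
    + [_line("198.51.100.7", 1, f"/assets/img{i}.png", "Mozilla/5.0") for i in range(11)]
)

if __name__ == "__main__":
    print("pages only:   ", detect(SAMPLE_LOG, ROBOTS_TXT))
    print("every request:", detect(SAMPLE_LOG, ROBOTS_TXT, count_assets=True))
```

With count_assets=True the ordinary visitor at 198.51.100.7, who loaded one page and its images, is flagged alongside the two bots, which is the kind of false positive described above.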


Backup Systems

This doesn’t strictly come under the banner of security, but it’s close enough to warrant a mention. Backing up your site is one of the most important things you can do to ensure its longevity. It’s not something you’ll use every day, but when the time comes, you’ll be thrilled that it exists. A lot of cheap web hosts don’t offer any kind of backup whatsoever. Bluehost for example is one of the largest providers in the world, and they have no backup system!

Others like NameHero, SiteGround, and HostArmada, all have their automatic backup services. Ideally, however, you would want to store your backups offsite in a separate network so that they don’t get lost if the main network crashes. This happened to A2 Hosting once, and it never quite recovered its reputation when thousands of backups (sometimes months old) were lost.

Both NameHero and HostArmada store their backups in an offsite location, isolated from the main network for free. SiteGround makes you pay through the nose for this. However, I would recommend going one step further and subscribing to a backup service like DropMySite. NameHero conveniently has a low tier DropMySite package for a cheap price. That’s what you should be looking for!

Bottom Line

Some hosts like NameHero and HostArmada have raised the bar for what web hosts can offer in terms of security. While a simple business WordPress site with a few pages won’t need enterprise-level security, it becomes a priority as soon as your site starts to grow. When that happens, I suggest you quickly migrate to a web host that has proper security practices in place. At the very least, demand malware scanning and a basic level of DDoS protection. Finally, you should consider subscribing to a WAF such as Cloudflare’s – but that can come later.

So before you buy, make sure you know exactly what your web hosting provider is giving you. It can translate into the difference between a functioning site and a broken one!
