47

(While the answers and comments at How do I deal with a compromised server? are useful, my question is more about prevention of hacking when I do not have total (or much) control over the server. I have SSH access but not root privileges. I cannot see or change anything beyond my own user account.)

I volunteer for a non-profit, maintaining their web site for them. We've been on a low-budget shared hosting platform (Bluehost) for several years. The site was built on Wordpress and I did my best to keep core WP and all plugins up to date.

But we got hacked multiple times. Sometimes it was malicious (defacing the home page) while other times it was stealth (I discovered hidden files that seemed to just allow someone to get in and snoop around).

I totally got rid of WP, rebuilding the site on Bootstrap. I removed all files from the server, ran multiple virus scans on the local version of the new site, grep'd for anything that would be suspicious, and then uploaded the files to the server. I was nearly 100% sure this new codebase was "clean".

But within a few days, I discovered (by comparing the server to my local version) a hacked index.php (some 'preg-replace' code was inserted before the first line) and found a "logo-small.png" file in a subdirectory that was not really an image file. It was a big hunk of obfuscated PHP that looked set to do nasty things (I de-obfuscated and viewed the code).

I knew that shared hosts, often with hundreds of sites, could be vulnerable. At this point, I totally distrust the server we're on. But when I asked Bluehost if we'd be safer on a VPS or dedicated server (thinking our "sandbox" would be harder to get into), they said it wouldn't really make a difference.

So I'm in a quandary. The non-profit I help out has limited budget. But I also don't want to continue spending tens to hundreds of hours monitoring and fixing the site. I don't know if hackers are getting in via the file system or an open port that shouldn't be open.

Is there a cost-effective solution that provides much better "hardening"?

user249493
  • 1
    Web servers for small sites don't need a ton of hardware. Do any of your members have an old PC that they never use and are willing to donate? Install Ubuntu on it and start running nginx or Apache on it and then you don't have to trust anyone else. For a smaller website on a budget but also someone who is security-aware working to maintain the server this is probably the best bet. If this is a larger-than-that type of site then disregard this comment. – sethmlarson Mar 09 '16 at 03:48
  • 6
    Possible duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) – Deer Hunter Mar 09 '16 at 04:59
  • 21
    Until you learn more about server security you're going to be hacked. No server solution is a priori hacker-proof, you have to understand and implement all the steps that are listed in hardening tutorials and security guides. In short: security starts in your head, not at a third-party server. – Deer Hunter Mar 09 '16 at 05:03
  • 4
    @DeerHunter: That's assuming he is in control of the web server. If it is shared hosting (as mentioned) you're out of luck. – Jeroen Mar 09 '16 at 05:05
  • 11
    Doesn't seem like a duplicate of [How do I deal with a compromised server?](http://security.stackexchange.com/questions/39231/how-do-i-deal-with-a-compromised-server) to me. OP of this question is trying to understand security of different hosting options, not how to rectify a server breach. – Neil Smithline Mar 09 '16 at 15:32
  • Out of interest, the `preg-replace` thing [seems to be quite common](http://security.stackexchange.com/questions/114919/found-suspicious-obfuscated-php-file-is-this-a-hack-attempt-on-my-website) – Pharap Mar 09 '16 at 19:07
  • Static site generation is definitely the way to go, *especially* if you can use a hosting provider where you're colocated only with other static-hosting-only customers (so nobody sitting next to you on the same machine is running potentially vulnerable code either). See https://www.staticgen.com/ for a list of popular options re: open-source site generation tools. – Charles Duffy Mar 09 '16 at 19:08
  • @Oasiscircle That then requires the hoster to have a fast enough upload which they'd be willing to share with the site. Running a server also violates pretty much every ISP's terms of service for customer internet (you may get away with that depending on the ISP). – Voo Mar 09 '16 at 21:26
  • 3
    One possibility is that the problem does not come from the hosting but from your computer. Some viruses can steal your FTP credentials and upload files on your hosting. Did you change the passwords each time the website was *hacked*? – A.L Mar 09 '16 at 23:04
  • 1
    I'm going to recommend [Jekyll](https://jekyllrb.com/), a **static site generator**, if you are just serving static pages (sounds like you are). You said that you rewrote the site using Bootstrap, so I'm guessing that you're not new to coding a bit. Jekyll is incredibly simple, and really isn't much coding at all unless you want to do some fancy stuff. Basically you just write web pages in Markdown (same as Stack Exchange) and it generates a site. It can also be hosted for free on [Github Pages](https://jekyllrb.com/docs/github-pages/). It may be worth looking into if you have an hour! – Chris Cirefice Mar 10 '16 at 15:00
  • Cost effective depends on your budget. If you're big like the Red Cross or some church denominations, then a virtual private cloud solution might work for you. If you're a smaller non-profit, google hosting might be sufficient. – pojo-guy Mar 10 '16 at 22:03
  • Did you change the account passwords after the first compromise? – Ángel Jul 02 '16 at 23:05
  • Unless you know what you're doing, VPS is **much harder** to secure than competent shared hosting. A VPS gives you a lot more freedom to configure your server, and a lot more ways to make errors. I don't know about a BlueHost, but a shared host configured by a competent sysadmin would not be more secure than a VPS as they would configure their servers such that compromise of one site wouldn't affect other sites on the same host. – Lie Ryan Jul 03 '16 at 00:16

9 Answers

61

If the only thing you expose to internet are non-interactive web pages and do not need to run server-side components, then you can substantially lower your risks by using a static web site.

You are then left with the web engine itself and to some extent the underlying OS. Apache or nginx are not simple to harden so you could have a look at Cherokee or publicfile.

You can go one step further by either hosting your static files on an existing environment which accepts them (Github Pages for instance) or move to a site you build with blocks like Google Sites (which are free for non-profit organizations).

WoJ
  • 8
    You can even use the AWS S3 for static site hosting and then never have to worry about securing the server ever again. They even support using your own domains: http://docs.aws.amazon.com/AmazonS3/latest/dev/WebsiteHosting.html – carbontwelve Mar 10 '16 at 09:47
21

The problem with shared hosting is that:

  1. You are dependent on all websites keeping their code up to date. It could be possible another account is compromised which allows an attacker to access your part of the web server. There are several ways to accomplish this, especially if a control panel like Direct Admin is installed.

  2. When I - as a hacker - purchase web space on the same server you're on I could just simply (in your case) upload a PHP web shell and (possibly) access all websites located on that server. This is even possible if file permissions are set up properly.

The solution is not to use shared web hosting.

I'd suggest you purchase a VPS. A good VPS (6GB RAM - SSD disks) can be purchased for $7 a month. I could give you the link if you want, but I do not want to advertise it here. That way you're more in control of what's happening.

Jeroen
  • 19
    "upload a PHP web shell and (possibly) access all websites located on that server" is it really that easy to gain access to all other websites on the same server? I guess for this to work there must be some server misconfiguration to allow such thing? – fduff Mar 09 '16 at 08:27
  • 1
    I know that with Direct Admin (out of the box) this works. But there are other ways to enumerate valid home directories / domain names when having shell on the server when these permissions are a bit more strict. – Jeroen Mar 09 '16 at 08:54
  • There are shared hosting options where you can have your site hosted on a cluster where no user accounts on the same system will have non-static functionality available either, mooting some of your concerns. – Charles Duffy Mar 09 '16 at 19:11
  • 1
    I know you don't want to advertise it, but what VPS are you referencing? "A good VPS (6GB RAM - SSD disks) can be purchased for $7 a month." – StackOverflowed Mar 09 '16 at 19:27
  • 2
    Google "VPS Dime" and you'll find it. – Jeroen Mar 09 '16 at 21:22
  • 1
    "I could just simply (in your case) upload a PHP web shell and (possibly) access all websites located on that server. This is even possible if file permissions are setup properly" - so are you saying that jails are inherently broken or just that some hosting providers don't use them or misconfigure (is there much to misconfigure? seems simple to me) them? Not really keeping up with current state of the art exploits, but I did assume that they worked as advertised, apart from possible bugs in some implementations which can never be excluded. – Voo Mar 09 '16 at 21:29
  • Although many hosts are now coming up with ways to prevent it for the reason Jeroen mentioned it is usually as easy as making a PHP script get the contents of ../ If poorly configured this would return a list of directories of other customers. So say if a customer had the directory of billysautoshop.com I could just make a PHP upload script on my account that uploads index.php to ../billysautoshop.com And sometimes you could do this to get full access to the server's root. Likely not the case with his current host but I would imagine many lesser known/inexperienced hosts still are affected. – Bacon Brad Mar 09 '16 at 23:16
  • The above is also known as a directory traversal attack. – Bacon Brad Mar 09 '16 at 23:19
  • The standard out of the box installations of Direct Admin are not jailed (at least a few years back). The ones that did have some permission issues, I created a script that would read the /etc/passwd to get all user names (/home/$username) and the file /etc/bind/domains (or what ever it was). Using a loop I searched if it was possible to read the /home/$user/$domain/public_html/index.php. This way it was possible to enumerate all valid paths on a system. Using a web shell I could read all config.php files and in return I had access to all databases (legally of course) – Jeroen Mar 10 '16 at 07:01
9

Move to a Static page system. I too used to have WordPress - but after being hacked 2 times by the "Free Syrian Army" (in an effort to promote their situation ...) I got fed up with Wordpress, and used Nikola.

Simple and easy - static Web Pages.... no accounts/ports/SQL vulnerabilities etc.

There are others (Forks of the same) - look for Pelican as well.

Neil Smithline
Tim Seed
7

Digital Ocean offers dedicated virtual machines for as low as $5/mo. This would be comparable to a dedicated server in terms of comparing the solution to VPS.

The problem is most commonly going to be your software solution used in the actual serving of content, however. Hardening the configuration files of your chosen suite is non-trivial unless you have experience with that sort of thing.

Server hardening as a general topic is massive, but if you have scoped out a particular set of programs you want to use, Google and ServerFault.SE will most likely have plenty of tips for how to lock them down.

Or like WoJ suggests, you can use a more pre-built hosting solution.

Vegard
5

As a rule, it's not the host that gets hacked, it's your site. If you have a safe site, then a simple VPS can keep you safe.

Assuming you don't need your content to respond differently to different visitors, then a static site generator will work for you. Typically they're a bit like wordpress in that you write your own custom content and it gets turned into a themed site, but it's different in that the generator lives on your computer (not on the webserver) and the only thing on the server is static HTML.

So there's nothing to hack. It's not alive. The server can't do anything. It's just content.

If you want to put that on your own VPS, you can get one at Linode or Digital Ocean, or if you're feeling brave, AWS or Google Compute. The lowest tier server at all these places is around $5/mo, which is sufficient for your needs.

You can even host such a site at Github Pages at no cost at all.

tylerl
4

If you already have experience with Wordpress, then why not just use the wordpress.com cloud? Hopefully, they will take care of the system administration including security. You just need to keep the password safe and export/backup your posts regularly. You are of course at the mercy of the company - my blog once got blocked, but I managed to convince them to open it again. Furthermore, possibly not all plugins that you need might be there. There could also be privacy issues, the issue of the domain name of your non-profit organization and ads that wordpress.com might put on your homepage.

2

There is lots of good advice in the responses. However, possibly the most important advice is to only use a hosting company with a good reputation. Don't base your decision on cost and go for a budget site based solely on that criterion.

The reality is, running a hosting company comes with considerable maintenance overheads. To achieve sufficient profit, cuts need to be made somewhere. Unfortunately, these cuts are often applied to risk management processes because there is no obvious 1 to 1 relationship between expenditure and revenue. The result is that security often suffers.

Larger organisations where reputation is seen as an important aspect of their profitability will likely spend more in these areas. They also have the benefit of being able to take advantage of economies of scale. If you're not in the position to manage the security risks yourself, you have to rely on your hosting company.

Several replies suggested using a static site rather than wordpress. A static site can help, but of course, if the server is compromised, it makes little difference. However, poorly maintained dynamic frameworks which are not updated are always going to be more of a risk than a static site given the same hosting security.

Wordpress is a high risk solution. It is actively targeted and there are a number of weaknesses in the plugin system. Even if you keep plugins up-to-date, there is no guarantee. Only this week there was a report of a popular plugin which has significant security holes which have been deliberately added by the new maintainer of the plugin (this is a common issue with plugin architectures - Chrome plugins suffer from the same issue. You look for some functionality. You are security aware, so you check the references, reputation and user reports for a plugin. All looks good and the developer has a good reputation, so you install it. Later, the developer moves on - either selling the plugin or handing it over to another who may not be as ethical. There is no mechanism to alert you to this change. The new owner issues an update which has malicious code. You apply the update (or perhaps the update is auto-applied). Game over).

If you cannot just use a static site, then perhaps consider using something other than wordpress which isn't as actively targeted. This won't be convenient as it will likely mean learning a new framework, but may provide some additional protection.

The other thing to seriously consider, especially if there simply isn't enough budget, is to scale back your non-profit's web reputation. There is a cost associated with having a web presence. If the non-profit cannot afford the cost for a sufficiently secure site, either they must accept the risk of being hacked or they must scale back their web presence to something they are willing to fund. In general, there are few 'cheap' security solutions - you get what you pay for (you can overpay - especially with some of the snake oil merchants being drawn to the lucrative security space, but if you do your research, look for good references/referees, remember there is no such thing as a free lunch and if it sounds too good to be true, it probably isn't, blah blah blah, you will generally be OK).

Tim X
2

First of all, I should note that I disagree with the premise about being vulnerable just for being on a shared host. If your shared-hosting account is compromised by another user, that's because either:

  • The hosting company didn't properly isolate the users
  • The user did something silly (like having 777 files)

With a VPS, the isolation is provided by a different layer, which is harder to overcome. And even more with a dedicated server. So, I disagree with the answer Bluehost gave you.

However, if the compromise originated from your account (e.g. a vulnerable wordpress plugin), then it will certainly not matter the hosting option you use.

Certainly, your logo-small.png file looks as if it was uploaded through your application.

As for detecting compromises, I recommend keeping the file in version control. It's easy to make a script that rsyncs your website and commits to e.g. a git repository.

This serves as backup and also highlights very clearly the differences when files get modified.

Several answers promote using static files. If the files don't change remotely, and assuming you are the only one changing the web pages (or that they are changed at the same "master" computer), a simple `rsync -avz --delete website/ the-server:` would roll back to the "clean" version, should such a compromise arise. You can even automatically synchronize that way "just in case", although if the website is somehow vulnerable, automatically restoring from backup, although time-effective, is not a real solution.

user2320464
Ángel
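The comparison described in the answer above (and done by hand in the question), as an added example that is not code from any poster on this page: it checks a pulled copy of the server against the trusted local tree and reports added, modified and missing files, image-named files that are not images or carry a PHP open tag, and world-writable files. The directory arguments and the function name `audit` are assumptions, as is a mirror pulled with permissions preserved (for instance `rsync -a`), so the mode bits reflect the server.

```python
import hashlib
import json
import os
import stat
import sys

# Leading bytes expected for each image extension.
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_OPEN_TAG = b"<?php"


def _walk(root):
    """Map each file's path relative to root to its absolute path."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]  # skip repo metadata
        for name in filenames:
            full = os.path.join(dirpath, name)
            found[os.path.relpath(full, root).replace(os.sep, "/")] = full
    return found


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit(clean_root, mirror_root):
    """Compare a pulled copy of the server against the trusted local tree."""
    clean, mirror = _walk(clean_root), _walk(mirror_root)
    report = {"added": [], "modified": [], "fake_image": [],
              "world_writable": [],
              "missing": sorted(set(clean) - set(mirror))}
    for rel, path in sorted(mirror.items()):
        if rel not in clean:
            report["added"].append(rel)        # file you never uploaded
        elif _sha256(path) != _sha256(clean[rel]):
            report["modified"].append(rel)     # content differs from yours
        ext = os.path.splitext(rel)[1].lower()
        if ext in IMAGE_MAGIC:
            with open(path, "rb") as handle:
                data = handle.read()
            # An image name with the wrong header, or with PHP inside it.
            if not data.startswith(IMAGE_MAGIC[ext]) or PHP_OPEN_TAG in data:
                report["fake_image"].append(rel)
        if os.stat(path).st_mode & stat.S_IWOTH:
            report["world_writable"].append(rel)  # e.g. 666 or 777
    return report


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python audit.py <clean_local_tree> <mirror_of_server>
    print(json.dumps(audit(sys.argv[1], sys.argv[2]), indent=2))
```

Any non-empty list in the report is a reason to rotate credentials and investigate before re-uploading the clean copy.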
1

Personal Computer Security

As per the comment from A.L, the vulnerability may have nothing to do with your website or the hosting but more to do with passwords being stolen from a compromised website administrator's computer or similar or maybe the attacker has control over an administrative account that has not been reset since the initial clean-up.

Ditching WordPress vs Upgrading to a Better Host

Moving away from WordPress may help but finding a host with better security practices may be a more effective solution.

I look after about 50 or so websites built with a CMS similar to WordPress and am very conscientious about regularly applying updates. The sites on good quality hosts (e.g. SiteGround) rarely get hacked. SiteGround regularly update their web application firewall to block the most common WordPress, Joomla and other vulnerabilities although you should still promptly update your CMS and any third party add-ons as updates are released.

Shared Hosting vs VPS

Moving to a VPS may reduce the risk of contamination from other accounts on the same server but the security of a VPS relies on the skills of the person or people maintaining it, just the same as shared hosting.

A shared hosting account on a well maintained server is less likely to be hacked than a poorly maintained VPS.

Common Sense Security Precautions

Whatever you do, nothing on the web is ever 100% secure. You can minimise the risk of data loss by running regular backups, copying the backups off-site and regularly testing the backups.

Learn about other common sense security precautions such as:

  • regularly applying updates
  • keeping the PHP version up to date
  • choosing software only from established and trusted developers
  • minimising the number of add-ons where possible
  • minimising the number of administrative accounts
  • implementing a web application firewall to protect the website and/or enabling a content delivery network (CDN) that includes a web application firewall

In Conclusion

I'd argue the most cost effective solution in your case where you have a budget conscious client is a shared hosting solution with a good quality hosting provider.