Today we’re talking about the risk of hosting with your web designer. I want to make it clear that this doesn’t apply to all web designers or developers out there. Unfortunately, however, a lot of designers and developers don’t understand the risk associated with placing your website in the same container as other customers, people you don’t even know.
Preface and Explanation
In August of 2015 we signed on a new customer that had a previous web shop design their website. Typically we ask for the hosting account information so that we can access the files and the database associated with the website. Our new customer had no idea what their account information was; they didn’t even know where it was hosted. They did, however, have access to their domain name registration. Looking at the “A” record we could determine that the website was hosted with GoDaddy. I contacted some of my colleagues who work at GoDaddy and asked them if they could help out. They couldn’t provide me much information, but they informed me that the website was hosted in another account that wasn’t our client’s.
This led us to believe it was hosted in an account with the previous web design firm. So what’s wrong with this approach you ask? Keep reading!
Some web shops will purchase a shared hosting container and stuff hundreds of websites into it. Not only is this against every web hosting company’s terms of service, but it’s very risky for your company, unethical and flat out dangerous for the end user of the website! So why do they do it? Simple: it makes them money. They might be paying $6/mo for this account and have 100+ customers on it paying $10/mo to them. That would net them almost $1000 in profit.
Getting back to the customer that we just on-boarded… We were able to get the login information to the back-end of the website. From here we were able to see, modify, rename, download and delete hundreds of other websites hosted within the same container. It’s not as easy as 1–2–3, but a simple script reveals everything. Not only could we access files, but we could also access all of the database dumps, which could have included passwords, usernames, addresses, credit card details and much more. By looking at the URLs we could verify that some of the sites were e-commerce based websites. This means that each eCommerce client is in violation of PCI DSS regulations and potentially opening themselves up to serious lawsuits.
In this case, we discovered that not only does the firm have about 100 other customers in the container, but they even have their own website hosted there, including their CRM. Although not specifically important to the end user, if the container gets suspended, so does the firm’s website, which makes it impossible to file a support ticket. In the main container of their site they also have zip files of paid software. I’m sure Camtasia wouldn’t be happy that their product can be downloaded. This is just gross negligence.
At WireFlare we are a full service web and marketing firm, meaning we provide hosting. We are a unique breed. We have 8 servers online as of this article which are dedicated to providing shared hosting to our clients. All of our servers are bare metal servers that are placed in colocation centers across the United States. We have our own infrastructure and each shared hosting client gets their own container within our network of servers. This protects our clients and ourselves from liability. In addition, our website is hosted on its own server, apart from all of our clients. Our DNS servers are hosted apart from any website and are fully redundant in case of failure. We have your back!
If your web design company offers you hosting be sure to ask if you are being placed in a container with other clients. If they say yes, I would reconsider doing business with them. They might be cheaper, but they don’t have the ethics and morals to protect their clientele.
If you’d like a free evaluation of your website we’d be more than happy to take a look.
Be sure to ask questions. If the company claims to have their own servers, make sure you get login information to the container (not the website back-end). You should be able to gain access to cPanel or Plesk, and you should also be provided with the IP of your server and the FTP or SFTP credentials. If you don’t receive any of the aforementioned, ask for it! If they refuse to provide it, run and run fast! This should be provided before the start of a web design project so it’s not too late.
Another way to check would be to ask for, or look up via your domain, the IP address of the server and then run a check on that IP. If it comes back with more than 1 site hosted on that IP you can reasonably assume it’s a shared hosting IP. This doesn’t mean that you’re at risk, but it means that you are on an IP used by “X” number of other clients.
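As an added example (not WireFlare’s code), the check above scripted in Python: resolve your domain and a list of domains you suspect share the account, such as the design firm’s own site and its portfolio sites, and report which of them land on the same IP. The domain names and the TEST-NET addresses are constructed, and the resolver is injectable so the sample runs offline; a live run only finds sharing among the domains you list, so a reverse-IP lookup service will still see more.

```python
import socket
from collections import defaultdict


def resolve_a(hostname):
    """Return the set of IPv4 A records for hostname using live DNS."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return set()
    return set(addrs)


def shared_ip_report(my_domain, other_domains, resolve=resolve_a):
    """For each IP my_domain resolves to, list the other domains that
    resolve to the same IP. Any non-empty list means the IP is shared.
    `resolve` is injectable so the check can run against a fixed map."""
    by_ip = defaultdict(set)
    for domain in [my_domain, *other_domains]:
        for ip in resolve(domain):
            by_ip[ip].add(domain)
    return {ip: sorted(by_ip[ip] - {my_domain}) for ip in resolve(my_domain)}


# Constructed sample: a client shop, the design firm's own site and a few of
# its portfolio sites. Two of them sit on the same IP as the client.
SAMPLE_DNS = {
    "client-shop.example": {"203.0.113.10"},
    "designfirm.example": {"203.0.113.10"},
    "portfolio-a.example": {"203.0.113.10"},
    "portfolio-b.example": {"198.51.100.7"},
    "unrelated.example": set(),  # simulates a domain that does not resolve
}


def sample_resolve(hostname):
    """Offline stand-in for resolve_a backed by the constructed table."""
    return SAMPLE_DNS.get(hostname, set())


if __name__ == "__main__":
    others = [d for d in SAMPLE_DNS if d != "client-shop.example"]
    for ip, sharers in shared_ip_report("client-shop.example", others, sample_resolve).items():
        status = "SHARED with" if sharers else "no listed site shares it"
        print(f"{ip}: {status} {sharers}")
```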
If you are going to have an eCommerce site I would strongly recommend that you also get your own dedicated IP and an SSL Certificate.