Joomla Hosting Providers, this one is for you

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Joomla Hosting Providers, this one is for you

Post by brad » Thu Oct 16, 2008 9:26 pm

Enjoy: http://community.joomla.org/team-blogs/ ... en-up.html

PLEASE share this with your hosting providers people. Together we may be able to make a tiny difference.

dallen
Joomla! Enthusiast
Posts: 135
Joined: Fri Oct 12, 2007 12:52 am

Re: Joomla Hosting Providers, this one is for you

Post by dallen » Fri Oct 17, 2008 4:57 am

That was a pretty good article and I agree with it 100%. I thought that it would be good to add this to the forum so maybe people would read it:
How do I choose a quality hosting provider?

The following is a short list of security-related requirements. Depending on your specific needs, you may have many other security requirements such as shell access, cron access, SSL server, etc.

* Choose *NIX: Joomla! requires at least PHP and MySQL to run. Because Apache/PHP/MySQL run best on UNIX or GNU/LINUX servers, choose a host that offers these options.
* Use Secure FTP: Choose a host that requires SFTP (Secure FTP) for transferring files. This prevents others from snooping your user name and password from packets as they travel over the Internet.

* Set PHP register_globals OFF: The most security conscious hosts turn PHP's Register Globals directive OFF by default. The next best allow you to turn it off in local .htaccess or php.ini files. A host that requires you to run a site with Register Globals ON should be avoided. This is true for any PHP enabled site, whether or not you are running Joomla!. There is a legitimate argument to be made by hosts for keeping Register Globals ON for PHP4 sites. This is that it would break too much legacy code. This argument should not be accepted for a PHP5 installation. Beginning with PHP5, the official PHP recommendation was to keep Register Globals OFF. Note that beginning with PHP6, there will not even be a Register Globals setting, so don't get caught in a Register Globals backwater. Modify your code to work without Register Globals, and choose a host that encourages such practices.

* Seek PHP flexibility: Choose a host that allows you to use either PHP4 or PHP5.

* Stay up-to-date: Choose a host that stays up-to-date with the latest stable versions of core applications, including the operating system, database, and scripting languages.

* Avoid cheap shared servers: Be sure users on your shared server can't view each other's files and databases, for example through shell accounts and cpanels.

* Proactive server management: Choose a host that provides real information about security compromises, rather than simply shutting your site down. Check their user forums for evidence of how they've responded to cracks in the past. A good host may for example, inform you immediately that a security breach has occurred and will quarantine the problem file for you, while leaving it there for further investigation. A poor host will shut your site down and provide very limited information on why. Watch out! All too many do this.

* Require raw log access: Be sure you have access to raw server logs. Reading these logs is a vital part of site security and recovery.

* Performance matters: Choose a host that limits the number of users per machine and the average CPU load per machine to some reasonable number (depending on hardware). Be sure they proactively move user sites as needed to balance load. Check the number of domains on a server using reverse IP lookup.

* Data center: Choose a host that manages its own data center. Check the data center infrastructure, such as redundant Internet access, hot swappable backups, full daily backups, environment and access controls, emergency generators, etc.

* Know your neighbors: Check that your host is not at risk of having its IP addresses blocked because it hosts porn or SPAM sites.

* Consider Recommendations: Check this list of recommended hosts.

* Grow with your site: As sites grow in complexity, resource requirements, and security requirements, they may need to be moved off of a shared server environment. At that point, good options include, 1) dedicated servers offer the best possible security and performance, but at the highest expense, 2) virtual servers offer almost all the advantages of a dedicated server, but the hardware and configuration cost is shared among multiple virtual servers.

Read more here!

dallen
Joomla! Enthusiast
Posts: 135
Joined: Fri Oct 12, 2007 12:52 am

Re: Joomla Hosting Providers, this one is for you

Post by dallen » Fri Oct 17, 2008 5:02 am

Actually it doesn't look like the list of recommended hosts has been updated in almost a full year, so I'm not sure if that is the latest one or not.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Joomla Hosting Providers, this one is for you

Post by brad » Fri Oct 17, 2008 5:18 am

dallen wrote: Actually it doesn't look like the list of recommended hosts has been updated in almost a full year, so I'm not sure if that is the latest one or not.
It's all we have..

I'm still so reluctant to recommend any hosts to people.. even some on that list are clear oversellers. That list is a small 'reward' to hosting companies who take the time to help out here on the forum. Nothing more, nothing less.

I'm open to suggestions.. but I have been around a while and know the tricks people try to get up to to promote themselves.

crooz
Joomla! Intern
Posts: 71
Joined: Tue Sep 11, 2007 10:59 pm
Location: Cackalacky

Re: Joomla Hosting Providers, this one is for you

Post by crooz » Fri Oct 17, 2008 1:18 pm

The ongoing recommendation to avoid PHP4 is admirable but not practical for everyone. 4 had a long shelf life and is the basis for many packages, and it's not so easy to "just upgrade". For example, on my dedicated server, due to configuration and package reqs, a 4 --> 5 upgrade will force us to do an OS upgrade (and by extension db, webserver, and every other package) and test test test the "legacy" apps for compatibility. There is a lot of cost in time, and possibly for a consultant to help us out.

suPHP has exploits. It is not the panacea some ascribe to it.

I am a very satisfied J! 1.5.x user (for two websites). However, as much as I hear about hammering the host on these forums and your blogs, it's also somewhat your responsibility to build in the best security you can considering you are all volunteer developers. For example, that the install doesn't set proper folder and file permissions is very puzzling; that the package does not require a non-root db user is odd; protecting the admin directory out of the box should be standard; putting the config file in a path not accessible via the web user during setup should be a requirement (esp considering the general lack of knowledge w/r/t htaccess).

Please don't jump on me about "this is a F/OSS project, we're volunteers". I happen to work for the largest pure F/OSS s/w company in the world and understand how communities work, how unpaid workers have to balance many real-world issues. What I see from Joomla is a focus on shiny ajaxy/JS things and built-in security is in the back seat; I hope that as the feature-set matures, J! developers will focus on built-in security so we have the tightest CMS out there. Please accept this post for what it is: constructive criticism.
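The hosting checklist quoted by dallen (register_globals off, a PHP5 option) and crooz's point about file permissions and the web-server user can both be checked from inside the account. The script below is an added example, not code from this thread or from the Joomla! project; it assumes a Joomla! 1.5 layout with configuration.php in the site root and only reads settings, so it is safe to run once and then delete.

```php
<?php
// Added example (not from the forum thread or the Joomla! project): a small
// read-only audit of the PHP host against points raised in this thread.
// Upload next to configuration.php, open it once in a browser, then delete it.
// Assumption: Joomla! 1.5 keeps its config file in the site root.
$configFile = dirname(__FILE__) . '/configuration.php';
$findings   = array();

// 1. register_globals must be OFF (dallen's list). ini_get() returns '' or '0'
//    when the directive is off and '1'/'On' when it is on.
$rg = strtolower((string) ini_get('register_globals'));
if ($rg !== '' && $rg !== '0' && $rg !== 'off') {
    $findings[] = 'FAIL register_globals is ON; set "php_flag register_globals off" in .htaccess or php.ini';
} else {
    $findings[] = 'OK   register_globals is off';
}

// 2. A PHP5 option should be available; PHP4 is legacy (dallen's list).
if (version_compare(PHP_VERSION, '5.0.0', '<')) {
    $findings[] = 'WARN running PHP ' . PHP_VERSION . '; ask the host for a PHP5 option';
} else {
    $findings[] = 'OK   PHP ' . PHP_VERSION;
}

// 3. configuration.php must not be world-writable (crooz's permissions point).
if (is_file($configFile)) {
    $mode = fileperms($configFile) & 0777;
    if ($mode & 0002) {
        $findings[] = sprintf('FAIL configuration.php is world-writable (%04o); chmod 644 or 444', $mode);
    } else {
        $findings[] = sprintf('OK   configuration.php mode %04o', $mode);
    }
    // 4. Without suPHP-style per-user execution, PHP runs as the shared web
    //    server user rather than the file owner, so other tenants' scripts
    //    run with the same identity as yours (the "cheap shared server" item).
    $owner = fileowner($configFile);
    $runAs = function_exists('posix_geteuid') ? posix_geteuid() : null;
    if ($runAs !== null && $runAs !== $owner) {
        $findings[] = 'WARN PHP runs as uid ' . $runAs . ' but files are owned by uid ' . $owner;
    }
} else {
    $findings[] = 'WARN configuration.php not found beside this script';
}

header('Content-Type: text/plain');
echo implode("\n", $findings), "\n";
```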

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Joomla Hosting Providers, this one is for you

Post by brad » Fri Oct 17, 2008 7:18 pm

If you feel that the current version of Joomla has a security problem, please let the team know via the proper method.

FYI It's simple to run php4 and 5 side by side if you have other packages that unlike Joomla do not yet support php5.

Anarchyx67
Joomla! Intern
Posts: 55
Joined: Wed Oct 01, 2008 5:38 pm

Re: Joomla Hosting Providers, this one is for you

Post by Anarchyx67 » Fri Oct 17, 2008 8:49 pm

Anyone have any pertinent info on TMDHosting?
AnarchyX67

John 3:16... <Yea yea, just go read it. Have you? No? Then go read it!!!> :-)

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: Joomla Hosting Providers, this one is for you

Post by brad » Fri Oct 17, 2008 9:14 pm

Anarchyx67 wrote:Anyone have any pertinent info on TMDHosting?
Shocking oversellers = bad host in the long run.

2ninerniner2
Joomla! Virtuoso
Posts: 3231
Joined: Sun May 25, 2008 8:05 am
Location: Calgary, Alberta, Canada

Re: Joomla Hosting Providers, this one is for you

Post by 2ninerniner2 » Fri Oct 17, 2008 11:08 pm

crooz wrote: protecting the admin directory out of the box should be standard;
This is one that had concerned me since my first 1.0.x install. I have since converted them and now install only the latest 1.5.7 AND jSecure Authentication. At least with this tool, all but the more dedicated miscreants will not be able to so easily find "where to start" by merely adding "/you-know-the-word" after the site name. I did a bit of quick checking, and was totally amazed at how many hi-profile sites mentioned in these forums still do not have this BASIC measure plugged, or at least well-covered up :) Yep, there it is. Now, I hope that they haven't given "me" a 50% head start and have at least changed the default "name" :)

Cheers!
Lyle
@snifflevalve

ircmaxell
Joomla! Ace
Posts: 1926
Joined: Thu Nov 10, 2005 3:10 am
Location: New Jersey, USA

Re: Joomla Hosting Providers, this one is for you

Post by ircmaxell » Sat Oct 18, 2008 12:43 am

2ninerniner2 wrote:
crooz wrote: protecting the admin directory out of the box should be standard;
This is one that had concerned me since my first 1.0.x install.
Cheers!
Lyle
Security through obscurity is not security...
Anthony Ferrara - Core Team - Development Coordinator - Bug Squad - JSST

http://moovum.com/ - The Bird is in the air! Get Mollom Anti-Spam on your Joomla! website with Moovur...
http://www.joomlaperformance.com For All Your Joomla Performance Needs
