FAQ: How to choose a qualified shared server host

User avatar
Joomla! Guru
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

FAQ: How to choose a qualified shared server host

Post by rliskey » Sun Sep 17, 2006 12:06 am

The following is a short list of security-related requirements. Depending on your specific needs, you may have many other security requirements such as shell access, cron access, SSL server, etc.

1. Joomla! requires at least PHP and MySQL to run. Because Apache/PHP/MySQL run best on UNIX or GNU/LINUX servers, choose a host that offers these options. Due to zero licensing fees and lower administrative overhead, such offerings are sometimes less expensive as well.

2. Choose a host that requires SFTP (Secure FTP) for transferring files. This prevents others from snooping your user name and password from packets as they travel over the Internet.

3. The most security conscious hosts turn PHP's Register Globals directive OFF by default. The next best allow you to turn it off in local .htaccess or php.ini files. A host that requires you to run a site with Register Globals ON should be avoided. This is true for any PHP enabled site, whether or not you are running Joomla!. There is a legitimate argument to be made by hosts for keeping Register Globals ON for PHP4 sites. This is that it would break too much legacy code. This argument should not be accepted for a PHP5 installation. Beginning with PHP5, the official PHP recommendation was to keep Register Globals is OFF. Note that beginning with PHP6, there will not even be a Register Globals setting, so don't get caught in a Register Globals backwater. Modify your code to work without Register Globals, and choose a host that encourages such practices.

4. Choose a host that allows you to use either PHP4 or PHP5.

5. Choose a host that stays up-to-date with the latest stable versions of core applications, including the operating system, database, and scripting languages.

6. Be sure users on your shared server can't view each other's files and databases, for example through shell accounts and cpanels.

7. Choose a host that provides real information about security compromises, rather than simply shutting your site down. Check their user forums for evidence of how they've responded to cracks in the past. A good host may for example, inform you immediately that a security breach has occurred and will quarantine the problem file for you, while leaving it there for further investigation. A poor host will shut your site down and provide very limited information on why. Watch out! All too many do this.

8. Be sure you have access to raw server logs. Reading these logs is a vital part of site security and recovery.

9. Choose a host that limits the number of users per machine and the average CPU load per machine to some reasonable number (depending on hardware). Be sure they proactively move user sites as needed to balance load. Check the number of domains on a server using reverse IP lookup.

10. Choose a host that manages it's own data center. Check the data center infrastructure, such as redundant Internet access, hot swappable backups, full daily backups, environment and access controls, emergency generators, etc.

11. Check that your host is not at risk of having its IP addresses blocked because it hosts porn or SMAM sites.

Related Information

Check this list of recommended hosts:

As sites grow in complexity, resource requirements, and security requirements, they may need to be moved off of a shared server environment.  At that point, good options include:
  • Dedicated Server: Offers the best possible security and performance, but at the highest expense.
  • Virtual Dedicated Server: A great security and performance vs. cost compromise. Offers almost all the advantages of a truly dedicated server, but the hardware and configuration cost is shared among multiple virtual servers.
Back to Security FAQ Table of Contents

Keywords: shared server, host, security, register globals
Last edited by rliskey on Wed Dec 13, 2006 10:53 pm, edited 1 time in total.


Return to “FAQs not moved”