We’ve been scanning and removing malware from websites for years, and in that time we have seen the website security domain grow by leaps and bounds. Over the same period, the internet has reached all corners of the globe, and the number of websites worldwide has skyrocketed (estimated at 955 million and growing). Where do all of those sites live? We decided it would be interesting (and instructive) to look inward to see what the demography of hosts is within our own environment.
Hosting Companies Sucuri Works With
The good news is that it doesn’t matter what host you choose to work through. We probably already work with whichever host you’re likely to choose, though from time to time we do work with hosts that we didn’t even know were in the business. It’s important to note that some hosts, like managed hosts, don’t actually have their own infrastructure. They resell or sit on top of existing hosts. As such, this investigation doesn’t include their number.
This investigation illustrates, in pretty pie-graphical form, that sites on every hosting service get attacked. Regardless of your host platform, you should always be thinking about how to protect the investment you’ve made in your website. Here is the host distribution within our environment*:
*The distribution of our clients among the hosts does not mean that any one host gets infected more or less than any other, and is reflective of many different factors.
Our goal is to make the internet a safer place for everyone. To that end, even if you are not our client, we have lots of free tools for you to leverage, based on your technical skill level, to ensure your website’s integrity. At the “for everyone” end of the spectrum is SiteCheck, our globally recognized tool for malware scanning, which can be used to remotely scan any website for malware, spam, defacements or blacklist status. Be sure to read up on how SiteCheck works before using it, so that you understand what it detects. If you want to automate SiteCheck scans and be alerted should your site get attacked, you can always subscribe to our service and enjoy daily scans and unlimited malware removal. Alternatively, if you use a platform like WordPress, you can embed SiteCheck within your dashboard. In this way, if you have the technical acumen, you can use our free tools to detect malware and fix your own website.
For everyday website owners wanting to make sure they’re browsing the web safely, be sure to leverage our SiteCheck extensions for Chrome and Firefox. Like we said, our mission is to make the internet a safe place, and one way to do that is by ensuring that everyone browses clean websites.
Moving up the technical ladder, you can use our DDecode, which is a PHP decoder. This is specifically meant for developers, designers and system administrators. If you’ve found a funny payload on your box, we want to see it. If we can’t reverse engineer it automatically through our PHP decoder, then engage our research team via Twitter or Email. We’re always up for a new challenge.
For website owners looking to make attacks stop, regardless of host, look into Website Firewall solutions. If you run your own stack, we recommend using a product like ModSecurity. We also strongly recommend that you architect an environment in which you separate the WAF from the Web Server and leverage technologies like NGINX at the edge.
Or, you could use our Sucuri Website Firewall and save yourself the headache. Did we mention that?
Questions to Ask Yourself Before Engaging a Host
We’ve learned a lot about hosting providers over the last couple of years. One very important distinction to make between them is that each host has its own preferred method of handling website security issues. Some like to throw the kitchen sink at the problem and others place the burden squarely on website owners. Neither of these methods is wrong, but it is important for you to understand what you need to do to protect your website. Our advice to you is to do your homework and find the best host for your website.
To that end, we’ve put together the primer of questions below. They are based on our clients’ experience with hosting providers, and they are the questions we would ask our top choices to host our own website:
- What is the host’s response to a website being hacked?
- Will the host stop or prevent website attacks?
- Does the host use its own technology, or do they leverage a third party?
- If they leverage a third party, does that party use its own technology or is that leveraged from a fourth party?
- What is the host’s response to a hack? Will they shut you down? Will they tell you that you are hacked or will you find out from your clients when they can’t reach your website anymore?
- If they shut you down, what is their protocol for getting you back up?
- Do they offer you a backup service? If so, how far back does it go?
- Will they help you fix the problem?
- How do they stay current with the latest threats and trends?
- What happens if you get reinfected?
- What is their response time when and if your site gets hacked?
- What assurance can they provide around the management of their stack?
- What happens in the event your website is blacklisted? Do you know what a blacklist is?
- How will the host handle your website in the event of a Denial of Service or Brute Force attack?
My Host Partners With Another Web Security Firm
That’s great. We won’t hold it against you for long.
In all seriousness, there are a lot of website security providers offering a lot of different options for website owners. In fact, most of the hosts in the graph that led off this post are partnered with another security vendor, yet those websites still found their way to us. In some cases, we work in conjunction with a service provided by the partnered security firm. For instance, another firm may specialize in website backups. While we have a backup product for clients, our focus is on malware detection, removal and prevention.
In other cases, our client websites have come to us because they love that we bundle our malware monitoring and removal plans into one easy-to-understand price. They’ve found that the low introductory offer to website security that their host negotiated only covers malware monitoring. When their website gets hacked, they find that the company they thought would clean their site is actually going to charge an exorbitant amount to do so and they look for other options.
As we’ve said before, there are a lot of options for website security and we’d recommend that you choose the one that’s right for your website. We’re confident in saying that because we truly believe that when you do your homework, you’ll choose Sucuri.