Website Security - GoDaddy Hacked

I read through forums again and again to find people complaining about their hosting companies to figure out what we need to do to make our customers as happy as possible.

Today I was reading a thread about GoDaddy websites being hacked and that GoDaddy was working to repair all of the websites. The servers that were hacked were $2.99 per month shared hosting accounts, which is where the real problem is.

I think the fact that the hosting company spent much more to repair customer sites than they even charge shows what a quality host GoDaddy really is and what they do for their customers. Of course, the people who were hacked were not seeing it the same way and had everything bad to say about GoDaddy and their security.

As a system administrator I am well aware of the risks in website hosting, but the average person is not. So I figured it was time to write a page addressing that very issue.

Server Security

A webserver by default is quite secure; if it wasn't, then all servers would be hacked regularly. We see countless attempts daily on all of our servers to gain access, but as far as we know, they are locked up as tight as possible, as are most servers, like bank vaults.

The security issue arises when you give someone access to that server, and in the case of shared hosting that can be 500 or more people on the same server. Each of those people will have an FTP account, which is the worst possible security hole imaginable. FTP is not secure, so it is very easy for anyone to gain access to those user names and passwords and have access to the server. With 500 people sharing the same server, it only takes one of them to slip up and compromise everyone's websites.

I won't go into how hackers get those passwords, but rest assured anyone with a few months of networking and software experience can do it. Systems like SSH and Secure Shell use encrypted connections so no data can be intercepted or compromised. I am not sure why more companies don't use the secure version of FTP other than most people don't understand how to use it. It is widely used by smaller companies, but larger companies like GoDaddy stick with the old standard rather than trying to retrain all of the webmasters and website owners.

But even with FTP many companies manage to keep the servers secure from hackers. Unfortunately, the 500 people using each server cannot say the same. They use passwords like "password" or "1234" or maybe their first name or website name.

Hackers are well aware of how people choose their passwords, and they are also aware that people use the same password for everything. So when you sign up for an online forum, the hackers now have your username and password to try to hack into your website. In effect, you just gave it to them. You just cannot blame that on the hosting company by any means.

The other issue is the low security passwords like "password". Hackers run automated programs against servers trying to guess any of the 500 passwords that allow access. And with user "joe" using the password "joe" the hackers often have great success. Again, not the website host's fault.
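Seen from the server side, this kind of automated guessing leaves a recognizable trail: one source address failing logins for many different accounts in a short time, sometimes followed by a success. The sketch below is an added example, not pageBuzz's software; the log format, sample lines, addresses and thresholds are all constructed for illustration, and lines are assumed to be in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical format (not a real FTP daemon's).
SAMPLE_LOG = """\
2021-01-04T10:00:01 FAIL user=alice src=198.51.100.7
2021-01-04T10:00:02 FAIL user=bob src=198.51.100.7
2021-01-04T10:00:03 FAIL user=carol src=198.51.100.7
2021-01-04T10:00:04 FAIL user=joe src=198.51.100.7
2021-01-04T10:00:05 OK user=joe src=198.51.100.7
2021-01-04T10:03:00 FAIL user=dave src=203.0.113.20
2021-01-04T10:03:30 OK user=dave src=203.0.113.20
2021-01-04T11:30:00 FAIL user=erin src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")

def detect_guessing(log_text, window=timedelta(minutes=5), min_users=3):
    """Return (sources, accounts): sources that failed logins for at least
    min_users distinct accounts inside the window, and accounts such a
    source then logged into successfully (candidates for a password reset)."""
    recent = defaultdict(list)  # src -> [(time, user)] failures in window
    sources, accounts = set(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a login event
        ts, result, user, src = m.groups()
        now = datetime.fromisoformat(ts)
        # Forget failures from this source that fell out of the window.
        recent[src] = [(t, u) for t, u in recent[src] if now - t <= window]
        if result == "FAIL":
            recent[src].append((now, user))
        guessing = len({u for _, u in recent[src]}) >= min_users
        if guessing and result == "FAIL":
            sources.add(src)       # many accounts tried from one address
        elif guessing:
            accounts.add(user)     # success right after guessing: likely hit
    return sources, accounts
```

On the sample, the single mistyped password from 203.0.113.20 is ignored, while 198.51.100.7 is flagged and "joe" is reported as the account it got into.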

Of course, even if you do have a secure password, for example "2rGp&@Gg7raEK%$$6yT", what good is that if your neighbor has "joe" and "joe"? So everyone on the server is at the mercy of the most careless person on the server.

Some hosting companies do have requirements for passwords, and that helps with security, but with users giving away passwords on other websites it is not foolproof.
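A password requirement of the kind mentioned above can reject exactly the choices listed earlier: "password", "1234", the user name, a first name or the website name. This is an added example, not any hosting company's actual policy; the function names, the deny-list and the 12-character minimum are assumptions. It cannot detect a strong password that was reused on another website.

```python
import re

# Small constructed deny-list; a real deployment would load a far larger one.
COMMON = {"password", "1234", "123456", "qwerty", "letmein"}

def core(text):
    """Lower-case and strip leading/trailing digits and punctuation,
    so "Password1!" is compared as "password"."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text.lower())

def password_problems(password, username, first_name="", site_domain="",
                      min_len=12):
    """Return the list of policy violations (empty list = accepted).
    site_domain is assumed to be a bare domain such as "annsbakery.example"."""
    lowered = password.lower()
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if lowered in COMMON or core(password) in COMMON:
        problems.append("common password")
    personal = [
        ("username", username.lower()),
        ("first name", first_name.lower()),
        ("site name", site_domain.lower().split(".")[0]),
    ]
    for label, value in personal:
        # Values under 3 characters are skipped to avoid chance matches.
        if len(value) >= 3 and value in lowered:
            problems.append("based on " + label)
    return problems
```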

The next issue is that none of the people on the servers know anything about website programming or security; if they did, they would not be sharing a server with 500 other people. So when they need a website program they download one and install it.

Unfortunately, most free programs and even many paid programs have security holes. Once a security hole is known, all a hacker needs to do is do a Google search for a web URL and they have a site they can quickly get access to. This is the most common way that servers get hacked: poor programming and weak website security.

Of course, the website owner does not want to hear that there was a PHP error in their script which caused the server to be hacked. No, they want to blame it on the host, screaming that the firewall is not good enough.

So let's clear up the myths about firewalls. They are basically useless. While they do serve a purpose, it is not one of keeping hackers out. If you can FTP into your website, then so can every hacker in the world.

Firewalls only close off ports that are not in use. A firewall can close off an FTP port making it impossible to gain FTP access to a server, but then everyone is blocked including the website owners. Firewalls work to keep people behind the firewall safe and make access to network servers possible only on the local network and not via the web. But all of the hosting clients access their website via the web, so that is wide open for everyone.

I am sure you see TV shows showing that firewalls are unhackable and some are, but once you open a port the firewall is no longer an issue for security.

The reality is, if you need security, don't have your website on a shared server. They are insecure and wide open to all of the other people with accounts on the same server.

The issue is worse than it looks, since many of those people collect credit cards and store them on their servers. With virtually no security, that is a huge problem for which, again, the website host gets blamed.

Here at pageBuzz we have done away with FTP access and we do not allow anyone to install programs to the servers, so the likelihood of being hacked is greatly reduced. Our system does handicap the average user who wants FTP access rather than direct web sitebuilder access, but it provides the highest layer of website security that a public hosting company can achieve.

We lock off all the security holes that regular customers create daily. Of course, your website could still be compromised if you are foolish enough to set up the username "joe" and password "joe" but that will be your fault and it will not compromise any other website on the network. We also have much tighter security on the logins and block automated bots quickly with proprietary software.

While we would never claim that we are unhackable, we do fend off countless attempts daily on the network. This is a huge issue for all hosts and it is not one they have much control of. We have solved the problem by creating a unique service. Other companies still want to offer FTP access so people can install their own programs, and as long as they do, they will have to deal with daily security breaches. Many are small and uncompromising and others wipe out entire servers.

As a hosting customer, make sure you understand your part in the security issue and don't be so quick to blame the hosting company that employs system administrators with decades of experience. If a server was hacked, it is almost definitely the result of what a hosting customer did.

 

©1997 - 2021 Bumblebee Works & The Cyber Web Inc
pageBuzz.com is a subdivision of BumbleBee Works
pageBuzz® and pageBuzz.com® are registered trademarks of The Cyber Web Inc