The major problems that hinder the normal functioning of websites and blogs include malware, filesystem permission issues on shared servers, and so on. Most of these issues stem from the web hosting company, which may be putting the website at risk.
It is a good idea to be equipped with the knowledge that helps you find out whether your web hosting company is putting your website and data at risk, and whether that risk can be avoided or mitigated. If it cannot, it is important to make a timely decision to move to another hosting company.
Choosing a secure web hosting company depends on a variety of factors. However, if you already have a hosting company, here are some questions you can ask them to check whether your website is secure:
Version history of infrastructure elements such as cPanel, Operating System, Caching Technology, PHP, phpMyAdmin, and MySQL:
The division of responsibilities between the site owner and the hosting provider is well organized, provided you take the trouble to understand it. The important thing to know is that the web hosting provider is responsible for numerous tasks concerning your website or blog. Managing the security of the website yourself is not enough: the hosting provider also needs to do its part efficiently, or the security risk remains.
Primarily, you need to check the versions of the infrastructure elements to rule out older versions with security vulnerabilities. Such versions expose all customers of the web hosting provider to hackers and hence to data theft.
Additionally, if the company you are dealing with still runs an older version but with backported security fixes, you can be assured of your security. Backported fixes are newer security fixes applied to older software versions so that their security is on par with current requirements.
For your part, you must keep your themes, plugins, and core up to date, and also follow up to make sure that the remaining site software, which the web hosting provider maintains, is up to date.
Are individual hosting accounts isolated from each other, or can they read files in other accounts on the same server?
It has been observed numerous times that some hosting providers do not isolate accounts from each other, so there is always a possibility of one account reading the data of another. This is a major security threat: if a fraudulent party gets an account with the same provider, they can access and misuse the data of their peers.
Cases have surfaced in which the attacking account reads the database server address, username, and password from the wp-config.php files of other accounts on the same server. The attacker then creates an admin account and uses the target website for whatever malicious purpose they choose.
A good hosting provider will keep all accounts separate, and other users on the server will not be able to access your account. This is one of the primary clarifications you need to get from your hosting provider in order to maintain security.
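The check below is an added example, not part of the original article or any provider's tooling. It walks a hosting account's home directory and reports whether wp-config.php can be opened by other local accounts, which needs both the o+r bit on the file and the o+x bit on every directory above it. It assumes classic Unix permission bits are the only barrier between accounts; `audit_account` and the other names are hypothetical.

```python
import os
import stat
from pathlib import Path

# wp-config.php is the file named above; other names can be added to the set.
SENSITIVE_NAMES = {"wp-config.php"}


def others_can_traverse(directory: Path, account_home: Path) -> bool:
    """True if every directory from account_home down to `directory`
    has the o+x bit, i.e. another local account can walk the path."""
    current = directory
    while True:
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return False
        if current == account_home:
            return True
        if current == current.parent:
            raise ValueError(f"{directory} is not inside {account_home}")
        current = current.parent


def audit_account(account_home) -> list:
    """Report each sensitive file under account_home with its mode and
    whether users outside the owner and group can open it."""
    home = Path(account_home).resolve()
    findings = []
    for dirpath, _dirs, files in os.walk(home):
        for name in sorted(SENSITIVE_NAMES.intersection(files)):
            path = Path(dirpath) / name
            mode = stat.S_IMODE(os.stat(path).st_mode)
            world_readable = bool(mode & stat.S_IROTH)
            findings.append({
                "file": str(path.relative_to(home)),
                "mode": f"{mode:04o}",
                # o+r on the file only matters if the path to it is walkable.
                "exposed": world_readable
                and others_can_traverse(Path(dirpath), home),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_account(Path.home()):
        print(finding)
```

A file reported as exposed is worth raising with the provider even if you tighten its mode yourself, because the same default usually applies to every account on the server.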
Are server logs available to you, and for how long are they kept?
Another important question to ask your hosting provider is whether your server logs are available and for how long you can access them. Server logs enable an effective and conclusive investigation if the website is attacked. The problem arises when the affected site either doesn't have access to server logs or the logs are kept for too short a time to serve any purpose. This makes it impossible to zero in on the reason for, or the point at which, the website was compromised.
A good hosting plan will offer instant access to all server logs from the past 24 hours whenever you need to retrieve them, and the best hosting providers will offer archiving for up to 30 days.
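To see what your current plan actually gives you, the following added example (not from the original article) measures how far back a set of access-log lines reaches and compares that with the 24-hour and 30-day figures above. It assumes the logs use the Common/Combined Log Format timestamp; `retention_report` and the sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Timestamp field of Common/Combined Log Format, e.g. [01/Mar/2024:00:00:10 +0000]
TS_RE = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")
BASELINE = timedelta(hours=24)  # "past 24 hours" from the text above
ARCHIVE = timedelta(days=30)    # "up to 30 days" from the text above

# Constructed sample lines (documentation IP range), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [01/Mar/2024:00:00:10 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Mar/2024:09:15:00 +0100] "POST /wp-login.php HTTP/1.1" 302 0',
    "truncated line without a timestamp",
]


def oldest_entry(lines):
    """Return (oldest timestamp or None, number of unparseable lines)."""
    oldest, skipped = None, 0
    for line in lines:
        match = TS_RE.search(line)
        try:
            if match is None:
                raise ValueError("no timestamp field")
            ts = datetime.strptime(match.group(1), "%d/%b/%Y:%H:%M:%S %z")
        except ValueError:
            skipped += 1
            continue
        if oldest is None or ts < oldest:
            oldest = ts
    return oldest, skipped


def retention_report(lines, now):
    """Compare how far back the logs reach from `now` (timezone-aware)."""
    oldest, skipped = oldest_entry(lines)
    if oldest is None:
        return {"verdict": "no usable entries", "covered": None, "skipped": skipped}
    covered = now - oldest
    if covered >= ARCHIVE:
        verdict = "reaches 30 days"
    elif covered >= BASELINE:
        verdict = "reaches 24 hours"
    else:
        verdict = "under 24 hours"
    return {"verdict": verdict, "covered": covered, "skipped": skipped}


if __name__ == "__main__":
    print(retention_report(SAMPLE, datetime(2024, 3, 4, tzinfo=timezone.utc)))
```

Feed it the lines of every log file you can download, current and rotated, so the result reflects the whole window the provider keeps.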
Is the site being backed up, how is it being backed up, and how long are backup files retained?
It is important to ask the web hosting provider whether the website is being backed up and for how long the backups are retained. Backups are the quickest way to restore a hacked website. A good backup of the website will help you stay unaffected by a hacking attack. Quick access to the backups saves time, money, and effort. As part of your questioning, you need to check first whether the hosting provider is backing up the website and how long they retain the backups. You also need to know where they are being stored.
Entry-level hosting plans often keep you unaware of what the hosting company is doing in this regard. Some companies may not be doing any backups at all; you must stay wary of such providers.
Does the current plan allow enabling HTTPS?
It is very important to log in to a website over a secure connection, and if your website doesn't allow that already, you must fix it at the earliest opportunity. In the absence of a secure connection, attackers may monitor network traffic, capture the username and password, and gain full control of the website.
HTTPS also helps you rank higher on search engines and protects the data that you enter using forms and payment windows. It is highly recommended to switch to HTTPS if you have not done so already.