Never Ending Security

It starts all here

Considerations when picking a hosting provider


Choosing a hosting provider can be a difficult task, especially to non-technical people. What do all the technical terms mean? Do they matter? Do they matter to me and my project? By outlining some questions you can ask and topics you can discuss with providers, we hope you will be able to make a better, more well informed choice.

Choosing a hosting provider is not about choosing the best provider but about choosing the best provider for you. Your website might have different demands than that of other organizations. This might also mean that your demands for a hosting provider vary from others.


Good communication is very important. Different hosting providers will have different methods of communicating. Which forms of communication matter to you and your organization? Here are some things to keep in mind:

What communication methods does the provider provide?
Some providers might only wish to be contacted via e-mail. Others will gladly talk to you on the phone as well, or via online chat. What communication methods are important to you? Here’s a list of examples to consider:

How can you transfer your website?
Before people can visit your website, you will need to transfer it to the hosting provider. What methods are available to do so? There are many options, but not all options are equal. FTP for example, is an unsafe protocol. Preferably, the provider will allow you to transfer your data over SSH or sFTP.

Does your website require special permissions?
Sometimes web applications might require special permissions to function optimally. For example, if you want users to be able to upload photos, the website will need permission to write information on disk. Not all hosting providers allow for these options or allow for these options in the same way. Checking this with your website developers and hosting providers can prevent a lot of headaches.

How can you manage your services?
Your web application might use some additional services, such as a database and a domain name. Does the hosting provider offer easy to use services that allow you to quickly configure these options yourself, or do you need to contact them to do that for you? Please note that if you’re not very technical, the latter option of them doing it for you might actually be preferable to doing it yourself!


No matter what type of website you’re running, security is always important. Even if it is just a single page website which displays your organization’s information, having that page altered will look bad for you. If your website is about LGBT rights in a country where they are not accepted, your security requirements will most likely increase dramatically. Take a moment to think about your website and what type of negative attention it might attract. Keep that in mind when looking at the following questions:

Does the provider have a security policy?
A security policy is a policy that describes various security related issues, ranging from the earlier mentioned authentication of customers to how to deal with hacked websites. If the hosting provider has such a policy, it is a good indication that they have given serious thought to the matter. This is important to you as a customer as it indicates they will be able to respond quickly and adequately to any security issues that might arise.

Does the provider have an abuse policy?
An abuse policy is a policy that describes various abuse related issues. Abuse is a term for unwanted behavior on your web application. For example, what will the provider do when your website starts sending out a lot of spam? Will they simply shut it down or will they notify you and try to help resolve the problem? How long will they take to verify that you have resolved the abuse issue before they turn your website back on?

How does the provider deal with security incidents?
What if despite your best efforts, someone manages to hack your website? Or that of another customer at your hosting provider? How does the provider deal with such incidents? If the incident involves your website, will they help you resolve the issue or simply shut you down? If it was a breach somewhere else in their network that might have affected you, will they notify you of such an incident? If their customer database is hacked, will they inform you?

What availability can the provider offer and what do I need?
Computers crash. This is no different for the computer that hosts your website. In some cases, it might not be such a big problem if your website doesn’t function for a couple of hours a month. In other cases, it could be a disaster. Ask yourself how critical your website’s availability is and inform the provider. The higher the (guaranteed) availability needs to be, the higher the costs involved.

Does the provider make backups?
If your website is a couple of pages that no one can change, having backups might not be very important since you can back them up on your own machine. If however your website is a web application where users can contribute data or where you will regularly post news and other information, your website will change daily and needs to be backed up. Ask your provider if they create backups, how often they create them and for how long they keep them. If your site doesn’t change that much, a weekly backup that is kept for a month might be fine. If it changes daily, you will want at least daily backups.

How robust is the provider’s infrastructure?
Not every opinion is as popular as loving sunshine or icecream. Hosting websites that advocate certain rights or causes might come under attack from parties who oppose those rights. Often this comes in the form of a so-called Distributed Denial of Service attack, or DDoS. In these types of attacks, your website will be flooded with so many bogus requests it won’t be able to handle the legitimate requests anymore either. Ask your provider if they have systems in place to mitigate these types of attacks and if they can give examples of how they have in the past if you’re running such a website.

Is there an intrusion detection system?
An intrusion detection system is the online version of a home alarm system. It will monitor the network at the provider and will detect certain types of attacks that take place on it. If you’re hosting a website that you fear might come under attack, having an Intrusion Detection System (IDS) can be very helpful in preventing your site from being hacked and perhaps even seeing from where the attacks take place.

How will other customers affect me?
We’ve spoken before about how your website might come under attack, but what if you share a server with other customers that are under attack? This too might impact the availability of your website. Ask your hosting provider how the different customers are separated from each other to ensure these situations will have limited or no impact on the availability of your website.

What privacy policy does the provider have?
Privacy of customers and customer data is important. In some cases, it can even be vital information. Ask your provider about their privacy policy and how they deal with certain requests for information. Do they have a strong privacy policy with strict rules or will they sell your data on to anyone who is willing to pay? Will they give in to any government request or will they require legal documents that force them to do so? Additionally you could ask the following questions:

How is logging being done?
All computers keep logs. Websites for example, keep logs of what computers requested what pages. These logs can be useful for analytical purposes but in the wrong hands they can also reveal exactly what people visited your website. Ask your provider if information is being logged, for what purpose and for how long. Also, who has access to the logs? Are they covered by the earlier mentioned privacy policy? Logging can be very useful to find out what is happening with your website, especially if something went wrong. If you are afraid that people might get in trouble if they are found in your logs, consider turning logging of completely.
Administration options

Where there’s a transaction, there’s administration. Consider these options and their importance to you when choosing a provider:

What payment options are accepted?
How can you pay your provider for the services you buy from them? Banktransfer, creditcards, Paypal, Bitcoins? Take into account what works best for you.

Is anonymous registration and payment an option?
Perhaps the website your hosting is so controversial you do not even want your hosting provider to know who you are. Ask them if it is possible to host the website anonymously and pay anonymously, via Bitcoin for example.

What happens when you stop paying?
Obviously you want to pay for the services you buy. But what if, for whatever reason, you might be unable to pay for a certain period. Will the hosting provider simply delete your website and all its content after missing one payment or will they keep the website up and running for half a year? This might be particularly relevant if you are operating from an environment that is sensitive to financial sanctions from the West or if your operations might be vulnerable to a banking blockade.

Legal matters

Keeping in mind certain legal issues that could arise is important when choosing a hosting provider. Here are some examples:

What jurisdiction covers your provider and their servers?
Your hosting provider might seem a company in your country, but it might actually be a legal entity in another. Similarly, although the hosting provider might seem to be operating in your country, their actual servers might be located somewhere else. This is important to keep in mind, your website might not be in violation of local laws but might violate others. Similarly, if your website is in violation of local laws, hosting it in another country might save you a lot of trouble. Also keep in mind that when dealing with American countries or countries that operate in America, they all need to comply with the US Patriot Act, which forces them to hand over information when requested by the American secret services. This might severely compromise the security and privacy of your users.

Does your hosting provider own and operate their own infrastructure or are they a reseller?
Your hosting provider might not actually be much of a hosting provider. It could be nothing more than an office that is reselling the services of another hosting provider. This severely impacts how they will be able to assist you and how much freedom they have in dealing with certain matters and policies. Knowing if your hosting provider operates their own infrastructure or is a reseller is very important.

What is the notice and take down policy?
Notice & take down is a term used for when your hosting provider is notified that your website is in violation of the law and requested to take it down. This mainly happens in case of copyright infringements but has been known to happen on other bases. Some providers will comply with any notice and take down letter they receive, others will simply ignore them. How your hosting provider deals with these notifications can have important consequences for your website. You don’t want your website taken down because a user uploaded a copyrighted movie, song or picture to it. Asking your provider how they deal with these situations is important.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s