Hosting a website can be complex and is often best left to a specialist provider. You should try to choose a company that is experienced and follows industry-standard best practices, in particular those outlined below. This can give you greater peace of mind when handing over control.
User Access and Passwords
Your web host provider should follow best practice in terms of user access and password management. This includes ensuring that each account holder/user has only the permissions/privileges that are required to carry out their role. Each user should have their own unique login, and there should be no ‘shared’ logins. Upload capability should be restricted by size and file type to prevent outsiders gaining access via executable files.
From a password perspective, a secure password manager should be used, and the users with highest privileges should have the most complex passwords and use multi-factor authentication.
Updates
Best practice in this area involves constantly updating the platform and the associated software. This ensures that all known security issues are tackled. Most systems are able to run updates automatically in the background.
Backups
These should be automated and happen often enough to capture the vast majority of changes to content/layout. A strategy should be used that mixes full-backups with incremental or differential ones. Backups should be stored on a different server to your ‘live’ files (to enable full recovery if needed) and ideally should be mirrored across servers in several geographical locations.
Operating System (OS)
You should be allowed to choose which OS (Operating System) you want on your web server – either Windows or Linux. The best practice for Windows is to limit access by default and only allow Microsoft personnel to access the servers if a security flaw is discovered. For Linux, best practice is to install specific programs to protect against targeted malware.
There are many expert companies offering web hosting solutions – such as those found at https://www.names.co.uk/web-hosting.
Firewalls, Encryption, and DDoS Protection
A web application firewall (or WAF) should be used to monitor HTTP traffic and to prevent SQL injections and cross-site scripting. High-level encryption (via SSL technology) should always be used for any data that is transferred to/from the servers.
DDoS prevention should in place at network level, and servers and websites should be protected using the most advanced mitigation/prevention tools that are available.
