security

Nightmares in web hosting

About six weeks ago I decided to update my web site and upgrade my CMS software. That required having my web host transfer my site to a server that was configured to handle the new features. Upon request the site was moved, but afterward “Support” failed to:

  1. verify the site subsequently was accessible via the domain URL, which it was not.
  2. send the new URL for the site admin access.
  3. send the new settings needed for email.
  4. send the new URL for webmail access.

Support was so unresponsive that within a week I moved to a new web host just to get the site accessible again.

Lesson 1: Check web host reviews to verify whether support is responsive and thorough as well as available.

My admin and I agreed to try a VPS (virtual private server) at the new host, thinking that a virtual machine, which typically is set up within an environment that has already been secured, such as on a PC with malware protection or on a PC or server inside a network firewall, would prevent some issues that caused problems for the previous host.

My web administrator is a veteran of nearly 30 years on UNIX systems who is known for securing them well. The new web host recommended an OS that was somewhat new but assured us, orally as well as via the statements on its web site, that it would “hand-hold” as much as necessary for set up, maintenance and security.

It took several days to build the VPS and the site and to investigate and address every security issue we could identify. Within a week, however,the web host sent a nasty email notifying us that the admin password for the site - which is set through software selected and installed by the web host and which we could neither configure nor replace - had been cracked and the site was being used to send spam.

I took the site offline, got support on chat (phone support, we realized after we moved, was reserved for emergencies only) and repeatedly asked for instructions on how to block hackers. I was told only to change the admin password and make sure all software patches had been applied.

Lesson 2: Make sure phone support is 24/7 for all causes, not just for emergencies.

Read moreTeaser break marker

Subscribe to RSS - security