Security: web hosting and web development

It’s not too surprising that the web is more complicated than most people realize. Some probably still think that there is a single server delivering files that look like any other document.

In reality, the Web is made up of an ecosystem of different hardware and software elements. Most web pages are delivered using a database and lots of software to make them appear correctly in your browser. Once the content is assembled, it is usually cached for future use. The website can be hosted on a physical server or on a virtual server. Busy sites may have many servers spread across various data centers around the world.

Some static content may be delivered via a Content Delivery Network (CDN). This is a special network of servers where you can store your static content; each file is then served from the server that will be fastest for the visitor.

Most small organizations simply don’t know enough about their website to understand all of the interrelated software and services that are involved, and why should they, unless they’re in the business?

This is important when people start thinking about securing their site. All too often, something is overlooked or not fully understood. We find that when people buy their own hosting solutions, they assume their provider takes care of the upgrades. This is usually not the case. Given the competitive nature of web hosting, usually all you can rely on is reliable power and internet access.

The Linux kernel sometimes requires security upgrades that only take effect after you restart the server. Web servers like Apache and Nginx also have to be restarted after certain upgrades. Most organizations would like to have some control over when this happens.
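To see whether a server is in the state described above, the following added example (not part of the original article) reports a kernel upgrade that is waiting for a restart and web server processes still running a binary that has since been replaced on disk. It assumes kernels are installed as `/boot/vmlinuz-<version>`, GNU `sort -V`, and Linux `/proc`; the function names and the `--report` switch are illustrative.

```bash
#!/usr/bin/env bash
# Added example: find upgrades that are installed but not yet in effect.
# Assumptions: kernels live at <boot_dir>/vmlinuz-<version>, GNU `sort -V`
# is available, and /proc is Linux procfs. Function names are illustrative.

# Print the highest kernel version installed under boot_dir.
newest_installed_kernel() {
    local boot_dir="${1:-/boot}" f
    for f in "$boot_dir"/vmlinuz-*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/vmlinuz-}"
    done | sort -V | tail -n 1
}

# Succeed (exit 0) when a newer kernel than the running one is installed,
# meaning the upgrade is still waiting for a restart.
kernel_reboot_pending() {
    local running="${1:-$(uname -r)}" newest
    newest="$(newest_installed_kernel "${2:-/boot}")"
    [ -n "$newest" ] || return 1
    [ "$(printf '%s\n' "$running" "$newest" | sort -V | tail -n 1)" != "$running" ]
}

# Print PIDs of processes named proc_name whose binary was replaced on disk
# after they started; procfs shows their exe link with a " (deleted)" suffix.
stale_service_pids() {
    local proc_name="$1" proc_root="${2:-/proc}" d target
    for d in "$proc_root"/[0-9]*; do
        target="$(readlink "$d/exe" 2>/dev/null)" || continue
        case "$target" in
            */"$proc_name"\ \(deleted\)) printf '%s\n' "${d##*/}" ;;
        esac
    done
}

# Report mode: run as root so other users' /proc/<pid>/exe links are readable.
if [ "${1:-}" = "--report" ]; then
    kernel_reboot_pending && echo "kernel: restart needed to apply the upgrade"
    for svc in apache2 httpd nginx; do
        pids="$(stale_service_pids "$svc" | tr '\n' ' ')"
        [ -n "$pids" ] && echo "$svc: restart needed (PIDs: $pids)"
    done
    exit 0
fi
```

The process check only looks at the main executable, so a web server that loaded a since-upgraded shared library will not be listed by it.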

Sometimes the updates have impacts on other elements of the infrastructure. Countless websites have gone down because an upgrade was performed on the server which impacted the sites hosted on it. With the evolution of languages like PHP, it’s not uncommon for functions to change names, have their functionality changed, or be deprecated and removed between releases.

Similarly, CMS upgrades sometimes fail because they require more up-to-date code versions on the server. For example, the performance improvements in PHP 7 are considerable. Many people will want to upgrade to the latest codebase for this reason alone, but don’t expect to be able to run your Drupal 7 site on it just yet.

Web hosting and application development are different fields, and security upgrades cannot simply be outsourced to someone else. No web hosting company can “take care” of your server’s security regardless of the application running on it. Ultimately, someone familiar with your website and its content should be involved in performing security upgrades.

Make sure you know what software you use to market your website and keep it up to date. The need for organizations to understand security has never been so high.

James S. Joseph