5 Oct, 2020

Will Hosting Migration Fix Your Website Security Problems?

When malware removal isn't enough, investigate your website security from your end as well as your web host's end. Here's how to tell whether hosting migration will solve your problems.
If you have chronic website security problems, you might wonder if your hosting is the problem. You're doing everything right, so it must be the hosting provider. Or must it? Sometimes that's the explanation, but more often it isn't. Rather than migrating to another host, with all the inconvenience that involves, make sure first that your own security is top-quality. Quttera's ThreatSign protection can help you to achieve that.

If you have a sub-par hosting service, that's one thing. Some cheap providers neglect their responsibilities. Our experience, though, is that less than 2% of the cleanups we handle indicate a host-level infection. In the other 98%, some weaknesses and vulnerabilities don't fall under the provider's responsibilities.

The most common problem is the use of outdated and vulnerable CMS extensions or themes. They have known problems that hackers can exploit with off-the-shelf software. Before moving to a new host, check if your site has problems of that type. Set up malware protection and monitoring so that you can prevent attacks and catch suspicious behavior quickly. Quttera ThreatSign Website Security will guard your site against malware, regardless of where you host it.
Is your web hosting the problem?
You should make sure your hosting provider is doing its job. These are some of the ways a poor-quality provider could neglect security:

  • Failure to keep hosted software up to date. This includes the operating system, supporting software such as languages and database engines, and the content management system.
  • Poor system security. A breach at the hosting level affects many sites at once. The consequences are usually disastrous.
  • Inadequate isolation of shared hosting accounts. A hosting provider that doesn't handle shared hosting well leaves sites vulnerable to each other's malware.
  • Limitations on your security practices. If the provider doesn't let you set up monitoring and multi-factor authentication, you can't protect your site thoroughly.
  • Unresponsive tech support. If you can't get answers when you need them, your security suffers.
If you face these problems and can't get them fixed, migration to a better host could help your situation.
Should you focus on strengthening your website?
In the large majority of cases, improving the security of your site will accomplish more than migration, and it won't cost you any downtime.

The first step is to know what you are responsible for and what the host takes care of. Do you have to update your CMS when new releases come out? What about the themes and plugins you use? Whatever falls to you, you have to keep it current. If you have vulnerable software as part of your site, migrating it won't keep it from getting re-infected. You'll have the same vulnerabilities wherever you take it.

Check your configuration. Is administrative access as limited as you can reasonably make it? Are you using strong passwords? Do critical accounts use multi-factor authentication?
The simplest way to keep your software up to date is with an auto-update option. It will install patches as they become available. Just be sure you have auto-updating set for all the software on your site. If you can't, keep track of patches that need manual installation.

If you have outdated or vulnerable CMS software, a malware cleanup isn't a permanent fix. Attackers will keep exploiting the vulnerabilities, putting their unwanted code back after you remove it. You need to make sure they can't.
Why is monitoring important?
Keeping your site safe requires monitoring it for unexpected behavior. Sometimes zero-day attacks appear before there is a patch for a vulnerability. There could be problems in your configuration, or an account could be compromised. You try to keep your site as resistant to infection as possible, but sometimes hostile actors will get through.

Repeated hacking with the same malware is a strong sign of an underlying weakness, possibly a backdoor that you haven't found. Every time you remove the malware, the criminals who put it there will put it right back. Probably, they have an automated process that checks your site periodically. It will follow you to a new host. Until you fix whatever is letting them in, you won't be free of the infection.

Auto-updating has its risks. An updated theme may produce unwanted changes in your site or even break it completely. Then you have to spend time fixing the site, perhaps at a very inconvenient time. You have to trade off the risk of incompatible changes against the window of vulnerability from delaying an update. If you have internal and external monitoring of your site, you aren't risking as much.
When you've done all you can, should you migrate?
The best time to consider migration is after you've done everything possible to make your site secure where it is. You have a better idea than of whether your protection is sufficient.

You have various options. One possibility is a better class of hosting with your current provider. If you've chosen the cheapest plan, it doesn't just have the smallest capacity. Most likely, it has fewer protections. It's not as high a priority for the support desk. Upgrading to a higher-level plan could give you better performance and better security at the same time.

A virtual private server (VPS) gives your site better isolation, and you have full control over it. If you want a highly secure site and have the resources to manage it, affordable VPS hosting may be the way to go. You can install anti-malware software and a Quttera WAF for the greatest protection.
Keep in mind that a VPS means more responsibility; you have to take care of everything, including things that a shared hosting provider would do for you. But it doesn't put any limits on the security measures you can install.

Pay attention to your hosting quality, but don't blame it for your problems until you've ruled out issues with your site. As long as your hosting provider doesn't put excessive limits on what you can do, you can protect it with ThreatSign Website Security. If you decide to move to another host later, ThreatSign Security can move with you. You'll be protected wherever you go.