How Vulnerable is Your Web Hosting Provider?

Why does web hosting security matter? The average cost of a data breach in 2023 was approximately $2.98 million, while downtime due to attacks can cost businesses up to $427 per hour. The rising threat of cyberattacks has also increased the cost of cyber insurance premiums, which are projected to reach over $90.6 billion by 2033 as businesses seek coverage against these risks.

Hacking attempts on websites are far more common than you might think. These covert attacks primarily target web hosting accounts, often going unnoticed.

Web hosting vulnerabilities fall into two main categories: general vulnerabilities affecting all types of hosting, and those specific to particular hosting plans. Shared hosting, in particular, is often the most susceptible to these security risks.

1. Botnet-Building Attempts

Malicious actors have been known to target entire web servers in their attempts to build botnets. Common targets in these attempts include web server frameworks, and the attacks generally involve publicly available exploits.

These advanced and concentrated efforts can often overcome less resilient web hosting providers. Thankfully, once discovered, the vulnerabilities are typically patched fairly rapidly by most web hosts.

2. DDoS Attacks

There has been a significant increase in both the quantity and quality of DDoS attacks over the past few years. Cloudflare’s DDoS threat report for 2024 Q1 revealed that the combined number of HTTP DDoS attacks and L3/4 DDoS attacks increased by 50% YoY and 18% QoQ.

Distributed Denial of Service (DDoS) isn’t a vulnerability, but as the name implies, is a form of attack. Malicious actors attempt to flood a server (or particular service) with an overwhelming amount of data.

Web hosting services which are not prepared for this can be paralyzed by these attacks. As more resources are consumed, websites on the server are left unable to respond to real queries from visitors. 


3. Web Server Misconfigurations

Basic website owners, especially those on low-cost shared hosting, will often have no idea whether their servers have been configured properly or not. A significant number of issues can arise from poorly configured servers. 

One example is running unpatched or outdated applications. Although there are error handling mechanisms for technical issues that arise during execution, flaws can remain unseen until exploited.

An inaccurate server configuration can cause the server to verify access rights incorrectly. Hiding restricted functions or links to a URL is insufficient on its own, as hackers can guess probable parameters and typical locations and then brute-force access.

As an example of this, an attacker can make use of something as small and simple as an unprotected JPEG to gain admin access to the server. They modify a simple parameter that points to an object in the system and then they are in.
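
The server-side check this section describes as missing, shown as an added example (not code from the original article): every request for an object is authorized against the caller's identity, so changing the object parameter gains nothing. The object IDs, users and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


# Constructed sample objects, keyed by the ID a client would send as a URL parameter.
OBJECTS = {
    "1001": {"owner": "alice", "public": True, "path": "uploads/alice/logo.jpg"},
    "1002": {"owner": "bob", "public": False, "path": "uploads/bob/invoice.pdf"},
    "9000": {"owner": "root", "public": False, "path": "admin/settings.json"},
}


def fetch_unchecked(object_id):
    """Misconfigured form: whatever the ID points at is served to anyone."""
    obj = OBJECTS.get(object_id)
    return (200, obj["path"]) if obj else (404, None)


def fetch_authorized(user, object_id):
    """Hardened form: deny by default, decide per request from the caller's identity."""
    obj = OBJECTS.get(object_id)
    if obj is None:
        return 404, None
    allowed = obj["public"] or (
        user is not None and (user.is_admin or user.name == obj["owner"])
    )
    # Same 404 for "missing" and "not yours", so guessed IDs do not reveal what exists.
    return (200, obj["path"]) if allowed else (404, None)


if __name__ == "__main__":
    print(fetch_unchecked("9000"))                    # served without any identity
    print(fetch_authorized(None, "9000"))             # anonymous caller is refused
    print(fetch_authorized(User("alice"), "1002"))    # another user's object is refused
    print(fetch_authorized(User("bob"), "1002"))      # owner is allowed
```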

4. Non-siloed Environments

Shared hosting accounts are like broad pools of data. Although each account is allocated some resources, in general they all reside within a single environment. All files, content and data actually sit in the same space, simply divided by file structure.

Because of this, sites on shared hosting plans are intrinsically linked. If a hacker were to gain access to the main directory, all sites may be at risk. Even if a single account is compromised, attacks which drain resources will have significant impact.

5. Software Vulnerabilities

Although software vulnerabilities exist for all types of hosting accounts, shared servers are typically at far greater risk. Due to the large number of accounts per server, there may be a significant number of varying applications in place – all of which require regular updates.

6. Malware 

Example: ScalaHosting SShield protects its hosting users from web attacks and automatically scans for viruses and malware.

In a similar fashion to software vulnerabilities, malware can have a profound impact on a shared hosting server. These malicious programs can find their way onto shared hosting accounts in many ways.

There are so many types of viruses, trojans, worms, and spyware that anything is possible. Because of the nature of shared hosting, if your neighbor has it – you will likely catch it as well, eventually.

Web hosts with free malware scanning: ScalaHosting, Cloudways, and Verpex.

7. Shared IP

Shared hosting accounts also share IP addresses. It is usual for multiple sites on shared hosting accounts to be identified by a single IP address. This opens up a whole host of potential problems.

For example, should one of the websites behave badly (by sending spam, for instance), it is possible that all other sites sharing the IP end up blacklisted. Getting a blacklisted IP removed from the list can be immensely challenging.

8. Cross-site Security Forgery

Also known as cross-site request forgery (CSRF), this flaw is typically observed affecting websites based on poorly secured infrastructure. At times, users save their credentials on certain platforms and this can be risky if the corresponding website does not have a strong infrastructure. 

This is especially common on web hosting accounts which are accessed regularly. In these scenarios, the access is repetitive so credentials are usually saved. Through forgery, users are encouraged to perform an action that they didn’t plan in the first place. 

In recent times, these techniques have exposed potential account-takeover weaknesses in various popular hosting platforms, including Bluehost, Dreamhost, and HostGator.

Consider this:

An example of this can be demonstrated as a typical financial fraud scenario.

Attackers can target CSRF-vulnerable persons visiting a valid URL. An automatically executed masked code snippet on the site can instruct the target’s bank to transfer funds automatically.

The code snippet can be buried behind an image, for instance, using code such as the following:

<img src=http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243 width=0 height=0 />

*Note: This is merely an example and the code will not work.
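
The server-side defence against the request above, as an added example (not code from the original article): state changes are refused on GET, and a POST is accepted only with a token bound to the user's session. The handler, session IDs and key handling are hypothetical.

```python
import hashlib
import hmac
import secrets

# Per-process secret for this sketch; a real deployment would load a persistent key.
SERVER_KEY = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to one session, embedded in a hidden field of the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_token_valid(session_id: str, token: str) -> bool:
    """Constant-time comparison with the token expected for this session."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected.encode(), (token or "").encode())


def handle_transfer(method: str, session_id: str, params: dict) -> tuple:
    """Hypothetical handler for the /app/transferFunds URL; returns (status, message)."""
    # An <img> tag can only trigger a GET, so state changes are refused on GET.
    if method != "POST":
        return 405, "state-changing requests must use POST"
    # A cross-site POST rides on the victim's cookie but cannot read the session's token.
    if not csrf_token_valid(session_id, params.get("csrf_token", "")):
        return 403, "missing or invalid CSRF token"
    return 200, "transfer accepted"


if __name__ == "__main__":
    session = "session-of-logged-in-user"  # constructed session ID
    forged = {"amount": "1500", "destinationAccount": "4673243243"}
    print(handle_transfer("GET", session, forged))    # request shape from the <img> tag
    print(handle_transfer("POST", session, forged))   # cross-site form post, no token
    genuine = dict(forged, csrf_token=issue_csrf_token(session))
    print(handle_transfer("POST", session, genuine))  # form rendered by the real site
```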

9. SQL Injections

For any website or online platform, the most important constituent is data. It is used for projections, analysis and various other purposes. Moreover, if confidential financial information like credit card PINs gets into the wrong hands, it can create massive problems.

Data sent to and from a database server must pass through reliable infrastructure. Hackers will try to send SQL scripts to servers so they can extract data such as customer information. This means you need to scan all queries before they reach the server.

If a secure filtering system is not in place, important customer data can be lost. It should be noted though that such an implementation will increase the time taken to extract records.
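
How input ends up being run as SQL, and one way to keep it out of the query text, as an added example (not code from the original article): the concatenated lookup is the weak form, the parameterized lookup the corrected one, with an allow-list filter for the sort column, which cannot be bound as a parameter. The table, rows and function names are constructed for illustration.

```python
import sqlite3

SORTABLE = {"id", "email"}  # allow-list: column names cannot be passed as parameters


def make_db() -> sqlite3.Connection:
    """In-memory database holding constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    db.executemany(
        "INSERT INTO customers (email, card_last4) VALUES (?, ?)",
        [("alice@example.com", "4242"), ("bob@example.com", "1881")],
    )
    return db


def lookup_concatenated(db, email):
    """Weak form: user input is pasted into the SQL text and parsed as SQL."""
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, email, sort_by="id"):
    """Corrected form: the value travels separately from the SQL text."""
    if sort_by not in SORTABLE:
        raise ValueError("unsupported sort column")
    query = f"SELECT email, card_last4 FROM customers WHERE email = ? ORDER BY {sort_by}"
    return db.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    crafted = "nobody@example.com' OR '1'='1"  # constructed input
    print(lookup_concatenated(db, crafted))    # every customer row comes back
    print(lookup_parameterized(db, crafted))   # treated as a literal e-mail: no rows
    print(lookup_parameterized(db, "alice@example.com"))
```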

10. Exploitation of XSS Flaws

Hackers are usually highly code-competent, and preparing front-end scripts is not a problem for them. JavaScript or other programming languages can be used to inject code. Attacks carried out in this manner typically target user credentials.

Harmful XSS-based scripts can either access confidential information or redirect visitors to links targeted by the hacker. In some cases, companies may also use techniques like this to carry out fraudulent business operations.

11. Insecure Cryptography

Cryptographic algorithms usually rely on random number generators, but servers mostly run without much user interaction. This can leave them with fewer sources of randomness. The result may be easily guessable numbers – a point of weakness for encryption.

12. Virtual Machine Escape

Multiple virtual machines are run on top of hypervisors in physical servers. It is possible that an attacker can exploit a hypervisor’s vulnerability remotely. Although rare, in these situations the attacker may be able to gain access to other virtual machines as well.

13. Supply Chain Weakness

While resource distribution is a major advantage of Cloud hosting, it can also be a point of weakness.

If you’ve heard the term “you are only as strong as your weakest link”, that applies perfectly to the Cloud.

This kind of attack is sophisticated and rests mainly on the cloud service providers. It is not specific to the Cloud and can happen anywhere else. Downloads from live update servers can have malicious functionality added to them. So, imagine the many users who have downloaded this software: their devices will be infected with the malicious program.

14. Insecure APIs

Application Programming Interfaces (APIs) are used to help streamline cloud computing processes. If not secured properly, they can leave an open channel for hackers to exploit the Cloud’s resources.

With reusable components so popular, it can be difficult to sufficiently safeguard against the use of insecure APIs. To attempt an intrusion, a hacker can simply try basic access attempts over and over again – all they need is to find a single unlocked door.

Final Thoughts

When the majority of us think about website security, it is usually from the angle of overcoming the weaknesses of our own websites. Unfortunately, as you can see, it is equally the responsibility of web hosting providers to safeguard against other attacks as well.

While there isn’t much you can do to convince a service provider to protect itself, this awareness can help you make better web hosting choices. For example, by observing the emphasis a web host places on security, you can get a better idea of how secure they keep their own servers.

Some web hosts implement very rudimentary security safeguards – if possible try to avoid those. Others may go so far as to work with notable cybersecurity brands or even develop aggressive in-house security tools and solutions.

The price of web hosting goes beyond the resources allocated to you – so balance your options wisely.

Shared Hosting Vulnerabilities

In a shared hosting environment, it can be said that everyone is sitting in the same boat. Despite each server having potentially hundreds of users, a single attack can sink the entire ship, so to speak.

“All five (web hosting service providers) had at least one serious vulnerability allowing a user account hijack,” Paulos Yibelo, a well-known and respected bug hunter, told TechCrunch, with which he shared his findings before going public.

As Yibelo showed, the attack doesn’t rely on any convoluted technique or on busting firewalls. It’s simply through the front door of the site’s host, requiring little effort for the average hacker.

VPS / Cloud Hosting Vulnerabilities

The nature of Virtual Private Server (VPS) or Cloud Hosting means that they are generally more secure than cheap shared hosting servers.

However, the potential of access to more advanced interconnected servers means that the payday for hackers is also more lucrative. As such, more advanced methods of intrusion can be expected.

While a reliable backup system can work wonders, there’s simply no ignoring some vulnerabilities that put entire servers (virtual or not) at risk.



Article by Jerry Low

Jerry Low has immersed himself in web technologies for over a decade and has built many successful sites from scratch. He is a self-professed geek who has made it his life’s ambition to keep the web hosting industry honest. For latest personal updates and news, follow Jerry on Facebook and Twitter.