There are 3 major components for maximizing your hosting security:
HostM’s Security Practices
HostM is responsible for the security of our servers and takes data protection and information security very seriously. In order to safeguard your data, we implement a multi-faceted approach, detailed in the sections below.
Web Developers’ Security Practices
Web developers are responsible for the security of your web app(s) by ensuring that they implement secure coding practices. Care should be taken to significantly reduce or eliminate vulnerabilities in web apps before deployment.
Security threats that need to be addressed by web developers include but are not limited to: cross-site scripting, cross-site request forgery, SQL injection, code injection, path disclosure, arbitrary code execution, memory corruption, data breaches, file inclusion, and buffer overflow.
Account Owners’ and Website Operators’ Security Practices
Account owners and website operators are responsible for the security of their hosting and email account(s). Our guides on how to Secure a Compromised Website or Hosting Account and how to Secure a Compromised Email Account provide important guidelines and security best practices.
For example, account owners and website operators should aim to install only web apps provided by reputable and competent web developers who are committed to web security, and to keep web apps up-to-date at all times so that ongoing security fixes provided by the developers are properly implemented.
Your HostM account comes with many secure hosting features to help protect your websites and email for peace of mind.
Many of our secure hosting features and more specific details are confidential for obvious security reasons, but here is a partial overview:
Server Firewalls, IPS, and IDS
All hosted services are protected by our network and server firewalls, intrusion prevention and detection systems, which prevent many types of unauthorized access to services such as your hosting control panel, FTP, email, and websites.
Web Application Firewall (WAF)
All websites are protected by our Web Application Firewall which stops many types of website hacking attempts in their tracks.
All websites are continually monitored by our anti-malware system and infected files are automatically cleaned or removed where detected. Anti-virus scans can also be run at any time via your hosting account’s cPanel.
Since new forms of malware are created all the time, no anti-malware system can protect against every form of malware, which is why keeping web apps updated and removing unused ones remains essential.
SPF, DKIM and DMARC
All domains hosted at HostM and correctly utilizing our DNS and mail servers are automatically protected by SPF, DKIM and DMARC, minimizing the effects of spammers attempting to spoof your domains.
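To make concrete how SPF, DKIM and DMARC work together against spoofing, here is an added example of the decision a receiving mail server makes; it is illustrative code, not HostM's implementation. The DNS records, the `spf.mailhost.example` include target and the message scenarios are constructed for the example, and the organizational-domain logic is simplified (real receivers use the Public Suffix List).

```python
"""
Added example (not HostM's code): how a receiving mail server combines SPF,
DKIM and DMARC to decide whether a message claiming to be From: example.com
is genuine. All DNS records and message data below are constructed.
"""

# Constructed DNS TXT records the domain owner would publish. The
# "include:spf.mailhost.example" target is an assumed name standing in for
# the hosting provider's outbound mail servers.
DNS_TXT = {
    "example.com": "v=spf1 include:spf.mailhost.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                          "rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=r' into {'v': 'DMARC1', 'p': ...}."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. Real receivers consult the Public
    Suffix List so that names like example.co.uk are handled correctly."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def lookup_dmarc(from_domain, dns):
    """The policy lives at _dmarc.<From domain>; mail from a subdomain
    falls back to _dmarc.<organizational domain>."""
    for d in (from_domain, organizational_domain(from_domain)):
        rec = dns.get(f"_dmarc.{d.lower()}")
        if rec:
            tags = parse_dmarc(rec)
            if tags.get("v") == "DMARC1":
                return tags
    return None


def evaluate_dmarc(from_domain, spf_domain, spf_result,
                   dkim_domain, dkim_result, dns=DNS_TXT):
    """Return (dmarc_result, action).

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of a signature that verified (None if no
    signature). DMARC passes when either check passes AND its domain aligns
    with the visible From: domain, which is what a spoofer cannot satisfy.
    """
    policy = lookup_dmarc(from_domain, dns)
    if policy is None:
        return "none", "deliver"          # domain publishes no policy

    spf_pass = bool(spf_result == "pass" and spf_domain
                    and aligned(spf_domain, from_domain, policy.get("aspf", "r")))
    dkim_pass = bool(dkim_result == "pass" and dkim_domain
                     and aligned(dkim_domain, from_domain, policy.get("adkim", "r")))
    if spf_pass or dkim_pass:
        return "pass", "deliver"

    # sp= (subdomain policy) overrides p= for mail from a subdomain.
    p = policy.get("p", "none")
    if from_domain.lower() != organizational_domain(from_domain) and "sp" in policy:
        p = policy["sp"]
    return "fail", {"none": "deliver", "quarantine": "quarantine",
                    "reject": "reject"}.get(p, "deliver")
```

The spoofing case is the second scenario in the test: an attacker's server can easily pass SPF for its own envelope domain, but that domain does not align with the forged `From: example.com`, and without the private DKIM key it cannot produce an aligned signature, so the `p=reject` policy applies. DKIM also survives legitimate forwarding, where SPF typically fails, which is why publishing both is worthwhile.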
Hotlink protection can be enabled via your cPanel, preventing other websites from embedding your images and stealing your bandwidth.
Multiple unsuccessful login attempts from the same IP to services such as cPanel, FTP, SSH, and email will cause the security system to temporarily block the IP, greatly limiting the effectiveness of such attempts.
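The mechanism behind that temporary block is easy to see in code. The following is an added example, not HostM's security system: it replays constructed log lines through a sliding-window lockout. The thresholds (5 failures in 10 minutes, 30-minute block), the log format, and the choice to count failures per IP across all services are assumptions made for the illustration.

```python
"""
Added example (not HostM's own implementation): temporary IP blocking after
repeated failed logins, replayed over constructed log lines. Thresholds,
the log format and counting failures per IP across services are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines: timestamp, service, client IP, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:00 cpanel 203.0.113.7 FAIL
2024-05-01T10:00:05 cpanel 203.0.113.7 FAIL
2024-05-01T10:00:09 ftp 203.0.113.7 FAIL
2024-05-01T10:00:14 imap 203.0.113.7 FAIL
2024-05-01T10:00:20 ssh 203.0.113.7 FAIL
2024-05-01T10:00:25 cpanel 203.0.113.7 OK
2024-05-01T10:02:00 cpanel 198.51.100.5 FAIL
2024-05-01T10:03:00 cpanel 198.51.100.5 OK
2024-05-01T10:31:00 cpanel 203.0.113.7 OK
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<service>\w+) (?P<ip>[\d.]+) (?P<result>OK|FAIL)$")


class LoginGuard:
    """Block an IP for block_s seconds once it accumulates max_failures
    failed logins within a sliding window of window_s seconds."""

    def __init__(self, max_failures=5, window_s=600, block_s=1800):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_s)
        self.block = timedelta(seconds=block_s)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> datetime when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self.blocked_until[ip]           # block has expired: lift it
        return False

    def record(self, ip, success, now):
        q = self.failures[ip]
        if success:
            q.clear()                        # a real login resets the counter
            return
        q.append(now)
        while q and now - q[0] > self.window:   # forget failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked_until[ip] = now + self.block
            q.clear()

    def handle(self, ip, success, now):
        """Decision for one attempt: 'drop' (IP is blocked, credentials are
        not even evaluated), 'reject' (bad credentials) or 'accept'."""
        if self.is_blocked(ip, now):
            return "drop"
        self.record(ip, success, now)
        return "accept" if success else "reject"


def replay(log_text, guard=None):
    """Feed each parsable log line to the guard; return the decisions in order."""
    guard = guard or LoginGuard()
    decisions = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                         # ignore lines in another format
        now = datetime.fromisoformat(m["ts"])
        decisions.append(guard.handle(m["ip"], m["result"] == "OK", now))
    return decisions
```

Note that the sixth line is dropped even though the credentials were correct: once 203.0.113.7 is blocked, nothing from it is evaluated until the block lapses. The limitation to keep in mind is that an attacker who spreads attempts across many IP addresses (password spraying) stays under a per-IP threshold, so the lockout limits brute force rather than eliminating it, and strong, unique passwords remain necessary.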
Both incoming and outgoing email messages are automatically scanned and filtered by our anti-spam system. This helps protect you from potentially harmful messages and, by catching spam sent from your account, limits the damage to your domains' email and IP reputations.
Our networks, firewalls and LiteSpeed hosting setup are configured for DDoS mitigation, limiting the effectiveness of such attacks.
Caged File System
Each hosting account is isolated from other hosting accounts on our systems, preventing data access from other hosting users or malicious parties who compromise other hosting accounts.
Encrypted Email Messages
GnuPG can be set up via your hosting account’s cPanel so that email messages are encrypted and can only be decrypted by the intended recipient of a message.
Secure Email Traffic
All email traffic including POP3 and IMAP is encrypted (scrambled) while in transit using TLS/SSL.
Secure cPanel Traffic
All cPanel traffic is encrypted (scrambled) while in transit using TLS/SSL.
Secure FTP Traffic
All file transfer traffic is encrypted while in transit, either as FTP over TLS/SSL (FTPS) or as SFTP, which runs over SSH.
Secure Client Lounge
The entire HostM website, including the Client Lounge, is secured using TLS/SSL.
Unlimited HTTPS Hosting
Free or paid SSL certificates can be installed on any or all of your domains, allowing traffic to and from your websites to be encrypted.
HTTPS Web App Installation
Our built-in web app installer allows you to install web apps directly onto HTTPS-enabled domains within your hosting account.
HTTP/2
For HTTPS-enabled domains, HTTP/2 is supported. It uses header compression designed to resist compression-based attacks and requires a minimum TLS profile, including the TLS version, a cipher suite blacklist, and the extensions that must be used.
Server Name Indication (SNI)
Allows you to have multiple SSL certificates installed on your HostM hosting account, so that you can secure as many of your hosted domains as you wish.
Strict Transport Security (HSTS)
For HTTPS-enabled domains, this tells modern web browsers to connect via HTTPS directly, without first trying HTTP and then following a redirect to HTTPS. Browsers learn the policy from the Strict-Transport-Security header on an earlier HTTPS response, so the very first visit to a domain may still begin over HTTP unless the domain is on the browsers' preload list.
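The browser-side behaviour that HSTS relies on can be shown in a few dozen lines. This is an added illustration written for this page, not browser or HostM code: a minimal HSTS policy cache that ignores the header when it arrives over plain HTTP, honours `max-age` and `includeSubDomains`, and expires entries. Hostnames and timestamps are constructed for the example.

```python
"""
Added example (not browser or HostM code): a minimal HSTS policy cache
following the rules of RFC 6797, to show why the first visit to a domain
is not protected and later visits are. Hosts and times are constructed.
"""


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid (max-age is mandatory and must be a non-negative integer).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self):
        self.policies = {}   # host -> (expires_at, include_subdomains)

    def observe(self, host, scheme, header, now):
        """Record a policy from a response. Per RFC 6797 a browser only
        trusts the header on a secure (HTTPS) response; over plain HTTP an
        attacker could inject or strip it, so it is ignored."""
        if scheme != "https":
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0 withdraws the policy
        else:
            self.policies[host] = (now + max_age, include_sub)

    def should_upgrade(self, host, now):
        """True if a request to http://host must be rewritten to https://.
        Checks the host itself, then each parent domain whose policy has
        includeSubDomains set; expired entries are evicted on the way."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expires_at, include_sub = policy
            if now >= expires_at:
                del self.policies[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False
```

The first assertion in the test is the caveat from the text: before the browser has ever received the header over HTTPS, a plain `http://example.com` request goes out as HTTP, and a network attacker can answer it. Preloading closes that window by shipping the policy inside the browser.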
Perfect Forward Secrecy (PFS)
For HTTPS-enabled domains, this prevents past encrypted communications from being retrieved and decrypted should a long-term secret key be compromised in the future.
Our servers are housed in some of the most secure data center facilities with security features including:
24/7/365 Security Monitoring
All data center facilities are guarded and monitored on a 24/7/365 basis by security personnel.
A video-monitored high-security perimeter surrounds the data center facilities.
Access to the data center facilities is only possible via electronic access control terminals using a transponder key or admission card.
Security Footage Recording
All movements are recorded and security footage is archived for monitoring purposes.
Our backup system keeps the latest nightly copy of your hosting account both locally and remotely. The purpose of our backup system is to allow HostM to restore data if necessary in case of hardware failure or other disasters at our end. With this in mind, the availability of nightly backups older than the latest copy is neither promised nor guaranteed.
The existence of our nightly backup system is not meant to cause users to become complacent and start relying on it for other purposes. We reserve the right to reject, or charge an administrative fee to perform, any user-requested restoration from our nightly backup system.
A free on-demand backup and restoration tool is available via cPanel for hosting account data, and a similar tool is available via Softaculous in cPanel for web apps managed by Softaculous.
Hosting accounts containing abnormally large amounts of data may encounter issues with the various backup mechanisms, including our automated nightly backups. This can affect the integrity of the backup data. We recommend keeping your hosting account(s) as lean as possible to ensure maximal backup and restoration efficiency.
As with any other information system, users are strongly encouraged to perform their own regular backups to guard against issues such as human errors when updating your websites and data loss caused by users or their associates implementing inadequate security measures.
Secure copies of nightly backups are made to off-site locations for additional protection against unexpected events.
Uninterrupted Power Supplies
The data centers are equipped with redundant uninterrupted power supplies, ensuring backup battery capacity. Emergency diesel-generated power is available on standby 24/7/365.
Environmentally-friendly cooling systems are employed and climate control is effected via a raised floor system.
Modern fire detection systems are in place and directly connected to the fire alarm centers of local fire departments.
All personnel are provided with comprehensive internal security training to ensure that they implement good security practices.
Regular audits are performed and reviewed by management to ensure continued compliance by personnel to security protocols.
Personnel have different levels of security clearance, ensuring that they only have access to data that is relevant to the task at hand.
Dedicated Security Team
A dedicated security team is on call 24/7/365 to respond to security alerts and events.