Story of a business owner whose websites were hacked. Hosting Companies - Server Security - Or Maybe Not. If you lost all your data or had a data breach who would be responsible?
- seantech11twine197
- Mar 12
Updated: Apr 21

Could this happen to you? Ask your web hosting company. How secure is your hosting? If you lost all your data or had a data breach who would be responsible?
Business Owner: I discovered to my cost what it is to have a shared hosting account for my websites. On the shared hosting I had WordPress websites; they were hacked and had to be taken offline.
If the server is not secure, it exposes sensitive data to unauthorized access, making it vulnerable to cyberattacks, data breaches, or malware infections.
I was informed after the hacking attack that shared hosting environments often lack robust security measures, making them more vulnerable to attacks.
So why are hosting companies selling shared hosting to people if this is the case?
Most people who buy shared hosting are probably not IT technicians or hosting company support agents.
I was told that to mitigate this risk, I should have considered enhancing my website's security by implementing strong passwords, regularly updating WordPress and its plugins, and using up-to-date security plugins.
So seemingly, when a person buys a shared hosting package, they are then to become a web hosting IT technician as well as trying to run their own business? For any person to get into a website folder on a hosting account, they first have to breach the server security. Some support agents dispute this. But the website files are actually on the shared hosting space in a folder on the server. However, hosting companies vehemently deny this for some reason. The shared hosting is on their server, nowhere else.
In one instance I had to close down the business completely because of the nature of the attack and the potential of being hacked again. I read that around 60% of businesses who are hacked never trade again.
The Hosting Company
Many hosting companies often face criticism for not taking adequate responsibility for the security of their servers, which can result in vulnerabilities to hacking, data breaches, and other cyber threats. While they typically provide foundational security measures, such as firewalls and antivirus protection, the expectation that clients will implement additional security protocols can lead to significant risks, particularly for smaller businesses lacking IT resources.
The lack of clear accountability can leave customers feeling unprotected and frustrated, highlighting the need for hosting providers to adopt more comprehensive security practices and transparent policies that prioritise client safety.
Many hosting companies have clauses in their terms of service that they say limit their liability when it comes to hacked accounts, often stating that users are responsible for maintaining the security of their own accounts. This can leave clients vulnerable, as they may assume some level of protection from their host. This is what happened in my case: days of denial and blaming me for not securing WordPress websites.
But here is the thing. I set up websites on shared hosting, on a server owned not by me but by a hosting company. In one case I had transferred from one hosting company to another via cPanel. The hosting company said I imported the malicious files from the previous hosting provider. But of course this is a complete load of BS, because if the hosting company taking the files in on the transfer was secure, it would have scanned the incoming files and detected and deleted any malicious files if they were present. At the very least they would have insisted on a scan on the first host to ensure there were no malicious files traveling to their server. But you could still be told that the scan you did was not sufficient, so you can't really win.
The transfer from one cPanel to the other cPanel took a couple of days and everything was working properly. Then one day a few weeks later, I noticed I was not able to access one of my websites, and then not able to access any of the websites. I contacted support and realised I had been hacked, and was completely overwhelmed by the sheer devastation it was causing. Days passed talking to the hosting company support and trying to find the cause and damage. I decided to just delete all the website files on the hosting server over the next few days and could not even take a backup, as I didn’t know if in fact I would be downloading malicious files to my office computer.
Within a short time the hosting company support agent told me it was my fault, that I had imported a malicious file from my previous hosting provider. The hacker then re-accessed the file on the new account and continued to infect the whole hosting account for several days. Emails went back and forth for days to the hosting provider's support agents. It was all getting a bit aggressive, going around in circles and getting nowhere, so I decided to cut my losses and just move on.
I was told that I should have mitigated the risk
I was told that I should have mitigated the risk, that I should have considered enhancing my website's security by implementing strong passwords, regularly updating WordPress and its plugins, and using up-to-date security plugins. So basically I am being told I should have been doing the job of the hosting company's IT technicians and support agents. If I were to do their jobs there would be no need for them.
So here is a similar analogy.
If I book a room in a modern-day hotel, it will have a reception, it will have automatically closing doors, windows that don’t open fully to avoid break-ins, a digital key, a safe, a night porter, and CCTV, and some have security in the car park. They have taken all the measures necessary to secure the hotel and its rooms for its guests. So when I book into the hotel I don’t get a briefing on how I should secure the hotel. Nor do I want one.
But this is not the same for hosting companies.
Hosting companies sell you space on their server (shared hosting) and expect you to become an IT expert to secure their unsecured servers.
These companies want you to secure the space they own and have rented to you but put little or no security in place for you and want you to do their job.
In my opinion, it is a fact that we will see non-stop server hacking for years to come until the server owners take responsibility for their property.
If they can’t properly secure their servers they should not be allowed to sell space on these servers to unsuspecting people hosting their business or personal websites. The cost to people who are hacked is just enormous, both mentally and financially. I stress the point again: no WordPress website or any other website hosted on a server can be hacked without first getting past the server security.
This is not rocket science. We are essentially talking about an operating system with folders, and files in those folders, on a server. If your IT technicians and support staff can’t secure your operating system and the folders and files on your servers, they should not be employed. Securing an operating system, folders and files is a fundamental aspect of IT support, and effective training and knowledge are essential for IT and support staff to perform their duties properly.
You would imagine that being able to ensure cybersecurity practices, regular audits and updates, to maintain system integrity, and to protect from unauthorized access and breaches would have to be the main credentials on the CV of any IT technician or support staff applicant for a hosting company. Why would they be hired otherwise?
If there are security issues with WordPress (a web template or CMS system), these potential breaches should be addressed directly with the owners of these systems, WordPress and cPanel in this instance.
That doesn’t say that a server couldn’t be hacked, resulting in malicious code being put on a server. But if the server itself is properly, and I say properly, monitored twenty-four hours a day in a data center or wherever, the chances of the malicious code doing any damage would be very limited before detection and deletion.
That security and monitoring of a server is not the job of the people who are buying space on the server. It is the server owner's job to secure the server with properly trained IT and support staff in all aspects of cybersecurity. It is very easy for badly trained IT staff or badly supported support staff to pass on the blame to customers.
There are many legal aspects to saying they can limit their liability, for insurance purposes for instance. Writing these limitations into terms and conditions, how legal is the actual limited liability? Negligence does not equate to limited liability. In my opinion, when it comes to responsibility for ensuring your property is properly secured, which in this case is a server, there is no such thing as limited liability, only negligence.
Many customers of hosting companies, because of this lack of security and accountability, are at serious risk of losing their business and livelihoods.
This matter needs to be addressed, on a global scale in fact.
Hosting providers use these and other admin interfaces:
cPanel, Plesk: Often referred to as a “control panel,” an interface for customizing and making changes to your hosting account.