Web hosting best practices addressed

SenseiSteve

HD Moderator
Staff member
Best practices are defined as “procedures that have been shown by research and experience to produce optimal results and that is established or proposed as a standard suitable for widespread adoption.”

Disaster Recovery

Way too many web hosting clients continue to view RAID configurations as disaster recovery solutions. While different RAID levels do address redundancy and performance factors, they are NOT disaster recovery solutions. Murphy’s Law says that if anything can go wrong, it will go wrong – and at the most inopportune time.

The key to effective disaster recovery solutions is backing up your mission critical data REMOTELY and then testing the restore function to ensure that you’ll be able to bring everything back up in a timely fashion.

Server Hardening

According to the Massachusetts Institute of Technology, “By not applying a patch you might be leaving the door open for a malware attack. Malware exploits flaws in a system in order to do its work. In addition, the time-frame between an exploit and when a patch is released is continually getting shorter.
Defects in clients like web browsers, email programs, image viewers, instant messaging software, and media players may allow malicious websites, etc. to infect or compromise your computer with no action on your part other than viewing or listening to the website, message, or media.”
How would you know if your web hosting provider employs best security practices when hardening your server? At a minimum the base install of all OS and post-OS software should come from a trusted source and that includes being connected to a completely trusted network. Each base install should also include all current service packs and patches.

DDoS Protection

In web hosting, ensuring that your servers and websites are protected from DDoS attacks is critically important as attacks by cybercriminals continue to increase in both scope and volume. An alarming number of web hosting providers still lack adequate DDoS protection services, so it’s incumbent to ask what protection they do provide.

If you’ve purchased DDoS protection from your web hosting provider, do you know which network, application or protocol layers it protects you at? When they filter attacks, will they allow legitimate traffic to pass through unhindered? Will those services encapsulate DNS, UDP/TCP, SMTP, FTP, SSH and VoIP protections?

Obviously, this just touches the tip of the iceberg for web hosting best practices.

Asking for your take on these or other best practices.
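The disaster recovery point above (back up remotely, then actually test the restore) in runnable form. This is an added example, not code from the thread or from any poster: it archives a directory into a "remote" location, writes a SHA-256 sidecar, and then proves the restore by extracting into a scratch directory and diffing against the source. The remote directory is a placeholder for a real off-site target such as rsync, scp or object storage; the demo data at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils sha256sum, tar, diff.
# REMOTE_DIR is a stand-in for an off-site target; swap in rsync/scp/object storage.

# make_backup SRC_DIR REMOTE_DIR
# Archives SRC_DIR into REMOTE_DIR with a .sha256 sidecar; prints the archive path.
make_backup() {
    src="$1"; remote="$2"
    mkdir -p "$remote" || return 1
    archive="$remote/$(basename "$src")-$(date +%Y%m%d%H%M%S).tar.gz"
    # Archive relative to the parent directory so the restore path is predictable.
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")" || return 1
    # Sidecar checksum so silent corruption in storage or transfer is detectable.
    ( cd "$remote" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" ) || return 1
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE SRC_DIR
# Returns 0 only if the checksum matches AND a fresh extraction is identical to SRC_DIR.
# This is the "test the restore" step: a backup that cannot be restored is not a backup.
verify_restore() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d) || return 1
    status=0
    if ! ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ); then
        echo "checksum mismatch: $archive" >&2; status=1
    elif ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
        echo "extract failed: $archive" >&2; status=1
    elif ! diff -r "$src" "$scratch/$(basename "$src")" >/dev/null; then
        echo "restored tree differs from source: $archive" >&2; status=1
    fi
    rm -rf "$scratch"
    return "$status"
}

# Stand-alone demo on constructed data (a tiny fake site) inside a temp directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/site/css"
printf '<h1>hello</h1>\n' > "$demo_root/site/index.html"
printf 'body{}\n' > "$demo_root/site/css/main.css"
demo_archive=$(make_backup "$demo_root/site" "$demo_root/remote")
if verify_restore "$demo_archive" "$demo_root/site"; then
    echo "restore test passed for $demo_archive"
fi
rm -rf "$demo_root"
```

In practice the restore test should run on a schedule against the copy that actually lives off-site, not the local staging copy, and the archive should be pulled back from the remote before verification so that the transfer path is exercised too.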
 
Best practices are 'best' for a reason, they should definitely be learned and followed, but they also need to evolve and you shouldn't be afraid to take them as a baseline and build on them.

The backup and disaster recovery one is a huge thing, and it's truly amazing how many people, individuals, businesses, and hosting companies alike, are perfectly happy to just make a backup of everything and then store it in another folder on the same server. Obviously this is useful for some things, but any real disaster is going to take them both out.
 
I agree, I have seen it too many times from providers and clients taking backups but not storing them remotely. This is a must and we make an effort to advise clients to do this, but often this advice falls on deaf ears and we see lots of backups just being stored next to their main website files.
 
That's quite an excellent roundup of key measures for protecting your business. Most newbies get into the space with a template and a client management software, and they think they are set for a while. You can never relax, you can never take a backseat. A proactive attitude will separate those that will fold from those that will ensure their own peace of mind.

The only two elements I'd add to this pile are: transactional security and succession planning. Protecting and properly storing client information, including billing, is probably just as important as your operational succession planning, in case of an accident that prevents you from continuing to run the business.
 