WordPress Security Basics Series Pt.3 – Web Hosting Isolation

By Shield Security, 6th April 2015 (updated April 22nd, 2020)

WordPress website security can be achieved with various methods, but we often overlook simple ways to protect our sites.

In this WordPress tutorial I’ll outline how to better protect your websites by isolating them from others in the way that you host them.

More specifically:

  • What is WordPress website hosting isolation exactly?
  • Why you need web hosting isolation.
  • How you can apply the principle of isolation for your WordPress sites.

Read on to discover a great website security practice and secure your sites.

Firstly, what is WordPress website hosting isolation?

Anybody that hosts, or manages the hosting of, more than one website will be familiar with this simple question:

Do I get a new (separate) hosting account for this 2nd (3rd, 4th..) website or use my already existing (combined) accounts and “add-on” the domain?

There are several factors that come into play here for making this decision, namely:

  1. What are the cost implications for separate vs. combined hosting?
  2. What are the management overhead costs for separate vs. combined hosting?
  3. [Rarely considered] What are the security implications of separate vs. combined hosting?

The 3rd point here is rarely, if ever, considered in this decision, but we see this factor as the most critical of the three, and potentially hugely impactful on the 1st and 2nd factors.

With most control panels such as cPanel you have the option to simply use their “Add-On Domain” feature and host more than 1 domain on the same account.

What this means in practice is that the data for 2 or more websites will be stored together, under the same hosting account, with the same file access permissions, and user access credentials.

Website hosting isolation, however, is the principle of hosting websites in completely independent environments, as far as possible.

Instead of using the add-on domain feature, you would create a completely new and separate hosting account for any new domain.  This means:

  • separate FTP user account(s)
  • separate login control panel account(s)
  • separate IP (if the hosting account is on a separate server)

This clearly has a slightly higher management overhead, but hardly any if you’re already using good processes and tools such as a password manager to keep your logins secured and easily accessible.

There is obviously also a cost consideration here: you need to be able to set up a new independent account for the new site.

Why you need web hosting isolation for better WordPress security

Imagine you have 10 add-on domains all bundled together under a single hosting account. Then one day you discover that one of those sites has been compromised by a hacker.

This means that all 10 of your sites are compromised.

By combining all your websites into one place, when any one of those sites is compromised, they’re all compromised.

A hacker with file access will be able to access all files and data for all websites under the same hosting account.

In the specific context of WordPress, hackers that gain file system access can see the contents of your wp-config.php file – and therefore your database credentials for your site are immediately exposed.  If your web hosting is combined/shared, unauthorized access through 1 of your sites means unauthorized access to all.

When you host websites independently you limit your risk of cross-contamination.  If you have a 1-to-1 ratio of hosting accounts to websites, only one WordPress site can ever be compromised at a time.

The more isolation, the more security you build into your hosting.
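As an added example (not code from the original post), here is a small POSIX shell audit that checks the two things the section above warns about on a single host: whether several WordPress docroots run under the same Unix user, and whether a site’s wp-config.php is readable by other accounts on that host. It assumes GNU coreutils (`stat -c`); the docroot paths are hypothetical.

```shell
#!/bin/sh
# Audit filesystem isolation between WordPress sites hosted on one server.
# Usage: audit_isolation /home/sitea/public_html /home/siteb/public_html ...
# Prints one finding per line and returns 1 if anything was found.
audit_isolation() {
    findings=0
    seen_owners=" "
    for docroot in "$@"; do
        owner=$(stat -c '%U' "$docroot") || continue
        # Two sites under the same Unix user share every file permission:
        # file access on one site is file access on the other (the add-on domain case).
        case "$seen_owners" in
            *" $owner "*)
                echo "SHARED_OWNER $docroot runs as '$owner', the same user as another site"
                findings=$((findings + 1)) ;;
        esac
        seen_owners="$seen_owners$owner "
        cfg="$docroot/wp-config.php"
        if [ -f "$cfg" ]; then
            # stat %A prints e.g. -rw-r--r--; characters 5 and 8 are the group/other read bits.
            case "$(stat -c '%A' "$cfg")" in
                ????r*|???????r*)
                    echo "CONFIG_READABLE $cfg is readable by other accounts (DB credentials exposed); use mode 600"
                    findings=$((findings + 1)) ;;
            esac
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run directly with docroots as arguments; exit status 1 means isolation is incomplete.
if [ "$#" -gt 0 ]; then
    audit_isolation "$@"
fi
```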

How can you protect WordPress with the principle of hosting isolation?

The simple answer to this is to isolate your websites under different hosting accounts.

What are some of the options?

If you use the add-on domains feature from the likes of cPanel, you have no web hosting isolation.

Instead you should isolate your websites by taking any one of the following approaches:

  1. creating independent web hosting accounts for each domain and WordPress website.
  2. hosting each website on an independent Virtual Private Server (VPS).
  3. hosting each site on an independent server.

These 3 options get more expensive as you move down the list, but it’s your choice how you balance cost vs. need.

What are some practical ways you can achieve separate web hosting accounts for each website?

The best and probably simplest way to achieve this, which is a nice balance between cost, manageability, and hosting isolation, is to have a web hosting reseller account.

Reseller hosting accounts are very affordable and you can often host unlimited numbers of domains and websites (within your hosting capacity) on them. They let you easily segregate your website hosting into separate accounts while keeping all management under the same umbrella account.

Another approach is to use Virtual Private Servers for each site.  This offers a high degree of isolation for each website but you will of course incur higher financial, as well as management, costs.

A great provider of cheap, reliable VPSs is Digital Ocean, where prices start from as little as $5!

When/why would you not want to employ web hosting isolation for your WordPress sites?

Honestly, I can’t think of any good reason not to do this. The only real limiting factor here is the financial cost.

If you can afford to get a web hosting reseller account, this is a huge cost saver and immediately affords you simple-to-implement website isolation.

What if your websites are already hosted together under the same account?

Then it’s time to start moving them.  Take one site at a time and migrate it to a fresh new hosting account.

The basic steps for migrating a WordPress site are as follows:

  1. Within DNS, set the Time To Live (TTL) value for the A record of this website URL to 5 minutes.
  2. Wait 24 hours (this ensures that the new DNS TTL has propagated).
  3. Create a brand new web hosting account for the domain name (I’ll assume you have a web hosting reseller account to use for this purpose).
  4. Copy all files for the site from your current hosting to your new hosting account.
  5. Create a new database / database user for use on this new hosting account.
  6. Update the wp-config.php file in your new hosting with the new database details you created in the previous step.
  7. Export the database of this site from your old/current hosting.
  8. Import the database data into the new hosting database you created in step 5.
  9. Switch the DNS – change the IP address of the A record for this site to be that of the new hosting account (if it changed).
  10. Within DNS once again, change the TTL value back to the original value.

Rinse and Repeat.  This will get much easier each time you do it and forms the basis for migrating to any new web hosting provider/account.
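An added example, not part of the original post, that scripts steps 4 and 6 to 8 of the procedure above from the new hosting account (the DNS steps stay manual). It assumes GNU sed, rsync, SSH access to the old account and the mysql client tools; the hostnames and paths are placeholders, and it reads the old database credentials from the copied wp-config.php before rewriting it.

```shell
#!/bin/sh
# Migrate one WordPress site into a fresh, isolated hosting account (steps 4, 6, 7, 8).
set -eu

# Read the value of define('NAME', '...') from a wp-config.php (values must not contain quotes).
get_wp_config() {  # get_wp_config FILE NAME
    sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$1"
}

# Rewrite that define() in place; handles define('X','y') and define( 'X', "y" ) variants.
set_wp_config() {  # set_wp_config FILE NAME VALUE
    esc=$(printf '%s' "$3" | sed 's/[\\&|]/\\&/g')   # escape sed-special characters in VALUE
    sed -i -E "s|^([[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*)['\"][^'\"]*['\"]|\1'$esc'|" "$1"
}

migrate_site() {  # migrate_site OLD_SSH_HOST OLD_DOCROOT NEW_DOCROOT NEW_DB NEW_DB_USER NEW_DB_PASS
    old_host=$1 old_root=$2 new_root=$3 db=$4 dbuser=$5 dbpass=$6
    cfg="$new_root/wp-config.php"
    # Step 4: copy the site's files from the old account into the new one.
    rsync -az "$old_host:$old_root/" "$new_root/"
    # Capture the old database credentials before step 6 overwrites them.
    old_db=$(get_wp_config "$cfg" DB_NAME)
    old_user=$(get_wp_config "$cfg" DB_USER)
    old_pass=$(get_wp_config "$cfg" DB_PASSWORD)
    # Step 6: point wp-config.php at the database created in step 5, and keep the file private.
    set_wp_config "$cfg" DB_NAME "$db"
    set_wp_config "$cfg" DB_USER "$dbuser"
    set_wp_config "$cfg" DB_PASSWORD "$dbpass"
    chmod 600 "$cfg"
    # Steps 7 and 8: dump the old database over SSH straight into the new one.
    # MYSQL_PWD keeps both passwords out of the process list on either host.
    ssh "$old_host" "MYSQL_PWD='$old_pass' mysqldump --single-transaction -u '$old_user' '$old_db'" \
        | MYSQL_PWD="$dbpass" mysql -u "$dbuser" "$db"
}

# Run directly: sh migrate.sh old.example.net /home/old/public_html /home/new/public_html newdb newuser 'secret'
if [ "$#" -eq 6 ]; then
    migrate_site "$@"
fi
```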

What’s your opinion of web hosting isolation as an approach to WordPress security?

Do you think isolation is necessary or important?  Does it even matter that you separate your sites?

Perhaps you think this is a waste of time, or maybe I’ve missed an important factor in all this.  Please leave us a comment below if you have any suggestions or feedback about this principle… I’d love to hear your thoughts.

5 Comments

  • Web development services in hyderabad says:

    It is helpful information. Thank you so much for sharing helpful information.

  • Anony-mouse says:

    Nice article with an amazing explanation. And it is very clear and useful too. Thank you for sharing your great thoughts with us.

  • John says:

    How does this isolation relate to shared hosting? If you create a separate account in a shared hosting environment, how much “isolation” are you gaining? Not trying to be difficult, just asking.

    • Paul G. says:

      Hi John,

      Creating a separate account, e.g. cPanel to host another site on a shared server will grant you decent isolation. The permission of the users and accounts with access to 1 account typically do not extend to that of the other virtual hosts (the other accounts) on that server.

      If someone gains unauthorized access to the filesystem on Site A, they do not necessarily have access to that for Site B.

  • Valentin Born says:

    I have seen hosters, though, where every client had read access to every other client account—that, of course, means only one thing: run!

