The importance of secure web hosting & how to pick a web host that won’t betray you

Picking a web host can be a bit like dating. Some hosts will promise you the world, whisper sweet nothings about “99.9999999% uptime,”* and dazzle you with rock-bottom prices. But behind the scenes some of them can be a total security nightmare, leaving you vulnerable to cyber attacks, data breaches, and slow-loading websites that make your potential visitors run for the hills.

So, how do you find The One? A secure, reliable host that won’t ghost you when trouble arises? Let’s take a look…

*A friendly reminder that 100% uptime is literally impossible and no one should be promising you that. 

The green flags: what a secure web hosting provider should offer

SSL certificates (free & automatic!)

If a host doesn’t offer free SSL, run. This is non-negotiable. SSL (that little padlock in your browser) encrypts data between your site and visitors. These days, SSL should be standard, not an upsell. As much as we like Namecheap, for example, they’re buggers for trying to sell SSL certificates. We’ve spoken about SSL certificates before; if you need a refresher, check out this article. You can, and should, get them for free.

Backups

You’d be more than a bit pissed if you spent hours crafting the perfect site only to have it wiped out overnight. A good web host should offer some form of automatic backups so you can restore your site if things go south. This can be a bit nuanced, and one size may not fit all. But if a host can offer you something then it shows they’re taking things seriously.

You should be taking your own backups as well though. Remember that nothing is truly backed up unless you have three copies of it, in three different places.

Malware scanning & firewall protection

If you identify as a bit of a technophobe then this one is going to sound very jargon-heavy. In extremely layman’s terms, this stuff is a bit like having a basic antivirus on your computer – but at a web hosting level. A secure hosting provider proactively scans for malware (that’s malicious software) and blocks suspicious activity before it becomes a problem. Look for features like Web Application Firewalls (WAFs) and DDoS* protection.

*DDoS stands for Distributed Denial of Service; it’s a type of cyber attack. On a website, a DDoS is when an attacker attempts to overwhelm your website with traffic – so much so that it simply falls over / crashes / can’t cope.

Two-factor authentication (2FA)

We all moan about 2FA; it’s a pain in the backside having to get an SMS code, or find your authenticator. But, at the end of the day, 2FA is an invaluable tool for your security. Good web hosting services require 2FA for logging in. If your host lets anyone with a password waltz right in without extra verification, that’s a red flag.

If you have the option of 2FA on your web hosting, but haven’t set it up yet, take this as your call to action to do so. Go set it up. Now. 

SFTP, not just FTP

This is a techy one, so if you don’t know what FTP (or SFTP) is, chances are, you don’t need to know about it. So you can safely skip this one.

FTP = File Transfer Protocol. It’s a system you might use to move files from your computer to your hosting environment. It was super popular 10+ years ago, and can still be useful today. But, generally, it’s falling out of use.

FTP is the outdated equivalent of sending your password via snail mail, on a postcard. SFTP (Secure FTP) encrypts file transfers, so your data doesn’t get intercepted by shady characters. Chances are you probably don’t need to use FTP much any more, but if you need to make use of it, and your provider isn’t enforcing SFTP, it’s probably best you look for another host. 

PHP & software updates

This one is non-negotiable as far as Graham is concerned. If your host is still clinging to PHP 5.6, it’s time to move on (as of writing this article, you should be on 8.2 by now). Outdated software is a hacker’s dream. A responsible host keeps their tech stack (“tech stack” = their underlying software) up to date and secure. 

It’s not always possible (or even advised) to jump on the latest updates of a programming language, but you should at least be within security support so you’re getting all the necessary security updates. This is sometimes called an “LTS version” (LTS = long term support).

It gets a bit techy, but a quick Google to check the latest version is always advisable if you’re unsure. Using PHP as an example, we can see what the latest supported versions are here: https://www.php.net/supported-versions.php 

Server-level security features

Web hosting companies that actually care about security will have things like Imunify360, ModSecurity, or CloudLinux to prevent hacks at the server level. If your host says, “You’re ultimately responsible for the security of your server, we will not be held accountable” or any words to that effect, then they’re probably not taking security seriously.

This one is actually difficult to explain the importance of to the uninitiated, but take it from us: at the very least, you should have ModSecurity enabled as default on your hosting platform. If you’re not sure if your host has any of these, drop us a line and ask us to take a look and confirm for you.

The red flags: signs your provider doesn’t care about secure web hosting

No mention of security or data centre location on their website

If their homepage brags about “Unlimited Bandwidth” but doesn’t say a word about security, that’s a problem. If you don’t so much as see a mention of SSL certificates then run for the hills. Furthermore, if you can’t find out where your data is going to be hosted (data centre location) then don’t spend another second on their website. The vast majority of our customers are based in the UK, so they need UK-based data centres; EU businesses will want EU-based data centres; US businesses will want US-based data centres, and so on.

By picking a service with a data centre in the same region as you, you know that your data will be stored and managed in accordance with local data protection regulations. This is extremely important and directly relates to your obligations as a business owner.

Hidden or extra-charge SSL certificates

Some budget hosts love to nickel-and-dime you for basic security. If SSL isn’t included for free, they probably don’t prioritise keeping your site safe.

Slow or unhelpful support

When security issues arise, you need fast, knowledgeable support. If the only way to get help is by submitting a ticket and waiting 48 hours (or longer), that should probably be a dealbreaker. For example, we really like Jolt.co.uk; their support is fantastic, they respond almost immediately, and are always incredibly helpful. 

No regular updates or patching

A host that doesn’t update their infrastructure is a hacker’s best friend. If you see outdated software, expect trouble. Continuing to use Jolt as an example, around once every 12 – 18 months we get a blip of downtime while Jolt moves/upgrades the servers we use for hosting. It’s a mild annoyance to have any downtime, but the fact they’re so proactive with their updates means we can sleep soundly knowing they’re ticking all the right boxes. 

Sketchy reputation

This one should resonate with everyone, regardless of your technical ability. A quick Google search for “[Hosting Provider] security issues” will tell you a lot. If there are tons of complaints about hacked sites and downtime, believe them! Reviews speak for themselves after all. If you’d search for reviews for a tradesperson working on your house, search for reviews on your web hosting provider too.

Remember: cheapest isn’t always best

Your web host is the foundation of your online presence, and a good one will protect your site like a loyal guard dog cow. A bad one will leave the door open for thieves and hackers.

So before you sign up with a host, do your homework. Look for secure web hosting features, test their customer support, and don’t settle for anything less than a provider that takes security as seriously as you do. Cheapest isn’t always best.

If you need help choosing a good host, or aren’t sure if the supplier you’re looking at ticks the boxes we’ve listed off here, then drop us a message. Our advice is free, so it won’t cost you a penny.