Hosting WordPress

There are many ways to host a self-hosted WordPress.org website. The most popular way to host WordPress is by using a managed hosting provider. You are probably already familiar with some of the more popular companies that provide this service.

In general, a managed hosting provider will deploy and maintain the hardware, network and operating system, and will manage load on the system. They will also include services like backups and a management interface like cPanel to deploy new websites and maintain your website.

When using a managed hosting service, the hosting provider is responsible for the following items:

  • Physical security for the network and servers
  • Securing the operating system and applications installed on the servers by installing security updates.
  • Preventing multiple customers on the same server from accessing or modifying each other's data.
  • Ensuring that the web server and database have the required security updates.
  • Setting up database permissions to ensure access for each user is limited to their data only.
  • Configuring filesystem permissions to prevent unauthorized access between hosting accounts.

Some hosting providers will include additional security features. This often comes with additional cost. These include:

  • DDoS protection
  • Anti-virus scanning of all files in your hosting account.
  • A firewall.
  • Virus scanning of requests or files as they arrive at your website.

Qualities of a trusted web host might include:

  • Customer service is easy to access and responsive.
  • The host readily discusses your security concerns and which security features and processes they offer with their hosting.
  • The host provides the most recent stable versions of all server software.
  • The host provides reliable and easy-to-understand methods for backup and recovery.

There are many other kinds of hosting available. You can purchase your own dedicated virtual server from a company like Linode. Or you can purchase a more expensive hosting plan that provides you with your own dedicated hardware and some management of the operating system and applications. There are as many hosting options as there are service level agreements.

With each new hosting option, it is important to understand where your responsibility ends and where the hosting provider's responsibility begins. You can find this information in the service level agreement you have with your hosting provider.

Where does a managed website host's responsibility end and yours begin?

A good rule of thumb for most managed hosting providers that provide shared hosting for WordPress is that you are responsible for securing the areas that you control and can change.

You have control over which web applications you install, the version of each web application and which individual files are on your hosting account. Therefore, you are responsible for securing these applications.

You don't have control over the operating system, the version of PHP installed, or the version of the database or web server installed. You don't have administrative access to any of these items. Therefore, it is not your responsibility to secure or maintain these items.

You do have control over what is stored in the database by your web applications. Therefore you are responsible if your web application inserts something malicious into the database.

You also have control over your hosting account files. If one of your web applications has a security flaw and an attacker is able to write malware onto your filesystem, it is your responsibility to detect and clean that malware. Your hosting provider may provide assistance with this, but ultimately you are responsible for the security of your files.

Hosting provider infrastructure, operating systems and applications are rarely hacked. In general, hosting providers have dedicated operations personnel who are available 24/7 to secure their network and take action where needed. Most compromises occur in individual hosting accounts and are caused by a managed hosting customer who has installed an insecure application or has not updated a web application.