This week I had the pleasure of speaking to Ivan Messina, CEO at SupportHost. We delved into their web hosting services and how they stay ahead of their competition.
SD: What motivated you to start SupportHost?
Ivan Messina: I started this journey, like many others, as a webmaster. I was creating websites for Italian clients and every time picking a web host was a big deal. There were a variety of providers on the Italian market, but they all had some serious limitations. With one you had to print and sign modules, scan them and email (or send with snail mail). With others you had to wait for days for an answer via email. Or you had to send a cancellation notice via fax or snail mail month in advance. Just a dirty trick to keep the client one more year.
With overseas providers the situation was better, but support was in English, which is unfortunately a problem for many Italians. Servers were overseas, usually in the USA, and that meant slower response times for our websites. In most cases websites were also being slowed down by server overload, something that still happens with many providers nowadays.
This made me think that there was room for improvement in the web hosting market, first in Italy, then internationally. And that’s how SupportHost was born.
SD: Talking about room for improvement in the industry… Can you tell me how your web hosting services ensure cybersecurity?
Ivan Messina: Security is probably the most important thing.
What’s the point of having a fast website, top-notch support, or a cheap service if your website is taken down constantly because you can’t guarantee security to your clients? Our main concern was to avoid spreading the infection from one account to the other. In a shared environment (where more than one website is hosted on the same server) this is one of the major threats. A client gets his website hacked and in no time the attacker spreads the infection to all other websites hosted on the same server.
As you can imagine, this is a situation that has to be avoided at all costs. That is the reason why we use CloudLinux, CageFS and the Linux permissions to ensure that this will never happen.
In a shared environment, this is a must. Most of the time a website is hacked, it’s because of a user’s fault.
- A nulled theme or plugin (please never use those)
- Malware uploaded by the client
- The use of an insecure password
- The computer used by the client that is infected
- A zip file that contains a full backup of the website and the configuration file
- A file wp-config.php.old
We try to limit these kinds of problems with different types of software. We use Imunify360, software that helps us identify and quarantine malware. Among the different functions it has, there is a function that blocks access to the website if you use a password deemed insecure. This is definitely the tool that allows us to patch up the main user-created vulnerabilities:
- Nulled software
- Insecure passwords
CSF is our firewall of choice, which we use to set up many proprietary rules to mitigate brute force attacks before they can do any damage.
Then, there is ClamAV, an open source antivirus that we use to scan all files and emails that pass through the server, mainly to prevent the user from receiving an email that contains a virus that might threaten his computer.
We also block XML-RPC by default on WordPress. Most of the users don’t use it, and having it available might cause a security threat. Another thing we block is bad bots in order to save resources on our clients’ websites and avoid having them scanned for malicious reasons.
We also noticed that DDoS attacks have become more and more common. We are currently working on a proprietary solution that uses pfSense and a hardware firewall to provide more advanced DDoS protection to all our clients. This will enable us to mitigate 99% of DDoS attacks in a matter of minutes.
SD: The competition is quite fierce right now. Web hosting providers are popping up like mushrooms. How do you stay ahead of your competition?
Ivan Messina: This is a hard question to answer, but I’ve noticed a pattern.
A new business starts. It gets bigger. It gets more clients than it can manage, starts hiring as fast as possible and the service quality starts to deteriorate, and the first bad reviews start to come in.
Our goal is to offer a great service, no matter if we have 1 client or 1 million. I don’t care about growing the business as fast as possible, that will come with time, because a slow and steady growth is actually better. I care that every client gets the deserved attention, and if we do this correctly they will recommend us to friends and colleagues.
That is why we don’t run ads and don’t offer crazy affiliate commissions. The average client sends us 3 friends, which helps us grow organically, maybe slowly, but always with the certainty of being able to keep our promises.
SD: What do you think are the worst cyber threats to look out for through this pandemic?
Ivan Messina: During the pandemic more and more people moved towards the online world. After all, what else can you do when you’re locked at home?
I think that now more than ever people with no experience are online, and the more inexperienced the webmaster, the easier it is to make mistakes that can result in a hacked website.
Hence, before deciding to start a new online activity or business, one should consider the possible threats that come with it and make sure to avoid at least the basic mistakes that can result in a security problem for your online venture.
SD: And the most important security features to look for in a web host?
Ivan Messina: As I said, the most important thing is to make sure that the provider you choose is able to isolate accounts.
Brute force protection is also important. Sure enough, some WordPress plugins can come in handy if the server doesn’t offer this kind of protection. Nonetheless, they do that inefficiently, and usually slow the website down due to an overuse of resources.
This kind of protection should be implemented at the server level, not with a plugin. DDoS protection, at least a basic one, is a must.
SD: Can you also think of some new cybersecurity trends to keep an eye on in the upcoming years?
Ivan Messina: I already mentioned DDoS a couple of times.
As I said, we’re working on a proprietary DDoS protection that will use pfSense and a hardware firewall.
While working on these new systems we did some research, and we figured out that nowadays launching a DDoS attack is easier than ever.
I think this may represent a big issue in the future.