SiteGround CEO Talks About Security

Joomla Hosting Reviews talks with SiteGround CEO Tenko Nikolov about security when hosting a site. Tenko mentions customers' hosting safety, custom SiteGround solutions, and other important security information.

by Steven Johnson | Posted: December 12, 2012 | Updated: June 25, 2013

Steven Johnson, Joomla Hosting Reviews
Tenko Nikolov, SiteGround CEO

We are excited to welcome Tenko Nikolov, CEO of SiteGround hosting. SiteGround has been around since 2003 and hosts over 250,000 domains all over the world.

SiteGround has been upgrading much of the security infrastructure and we are going to ask them more about that.

SiteGround Interview

  • Joomla Hosting Reviews {jhr}
  • Tenko Nikolov {tenko}

1. {jhr} Security is always a concern for site owners. Recently SiteGround has made a big effort to enhance security for customers. Can you tell us about that?

{tenko} I assume that by recent you mean the infographic we released a few weeks ago? http://www.siteground.com/keeping_the_siteground_herd_safe.htm

If yes, then you should know those security enhancements are not new at SiteGround. In fact SiteGround is one of the pioneers in terms of security in a shared hosting environment. We were the first to implement a successful Chroot mechanism (also known as account isolation) to all our shared hosting servers.

Our team (and that's me included) is really paranoid when it comes to various security issues and threats. We take the security of customers' accounts and websites really seriously and try to stay on top of all security releases and patches of the software we and respectively our clients use.

Further to that, whenever there's a security threat with no known patch, SiteGround Operations team goes the extra mile and patches the security hole so that our clients are never exposed for too long to such security risks.

2. {jhr} How are these changes implemented? Does the customer need to do anything to make the change active?

{tenko} All security measures we do are done on a global level - meaning they are applied to each and every account we have. The customers don't have to do anything in order to get the new and more secure environment.

It's users' responsibility to keep their software up to date (e.g. Joomla, WordPress, etc. to be the latest and secure version) though, but it's our responsibility to keep our servers healthy and secure at all times. As I told you, we take that job really seriously.


3. {jhr} How does SiteGround stay informed about the latest threats and viruses? What are some good resources for site owners, so they can learn and stay informed?

{tenko} It’s not an easy task to stay up to date with security nowadays. We use tons of different services (like Apache, ftp, mail server, etc), which get outdated on a daily basis. The Linux distribution we use (CentOS) has frequent updates as well and on top of that, client applications are out of date pretty often.

In order for us to stay on top of that constant security battle, we have a full team of system administrators that do their homework and read every single day about new threats and vulnerabilities. We also have a dedicated person that would also research the same issues all day long, every single working day.

As soon as a new vulnerability is found (or a new version is released, without the old one being insecure), we’d immediately start testing if the new version is compliant with everything else on our environment and if it is, within a couple of days all our servers would already be running it.

Most hosts won’t do that, cause it requires a lot of human work to complete a single task like that – e.g. to update your PHP from 5.3.11 to 5.3.12 might be a time-consuming job, but doing it on 2000 servers is much more time-consuming than you can imagine! But we have strict procedures for updates and over the years we’ve learned how to be efficient in keeping everything up to date on a regular basis.

In terms of what we read to stay updated - the site list in our internal wiki is ENORMOUS, so I won't be giving it all. But site owners can check the following two, they are really popular and helpful:

http://packetstormsecurity.org/

http://www.securityfocus.com/

4. {jhr} Some hacks are started from compromised accounts on the same server. What measures has SiteGround put in place to minimize this?

{tenko} As I mentioned, SiteGround is the pioneer in shared web hosting account isolation. We used to have that problem back in the days: one outdated app on a server (say an old Joomla!) gets hacked and all the rest on the server that had 777 permissions were hacked as well within minutes. We started using SuExec in 2004, but that didn’t help much either.

And since we’re always proactive about such problems and try to think out of the box for a solution, we created our own virtual environment for every shared server. An environment much more secure than any other shared host had implemented before.

It will isolate an account within its own shell and even if that account is completely hijacked, the attacker won’t have any access to the server or to the other accounts on the server. Later on we even started selling our security platform to a lot of our competitors under a separate brand name (1H – www.1h.com).

Nowadays, a lot of hosting companies have a chroot solution and many of those use our own by the 1H brand. That fact makes me happy, cause our beliefs changed the course of how our industry handles security now. And I’m sure this is for the better!

5. {jhr} Are there any other security measures that SiteGround is announcing in the near future? Anything else you would like to add?

{tenko} We’ve just announced our fully automated Joomla Auto-Updater – an app within our cPanel that would keep your Joomla up-to-date for you, hassle free. As for the future, we have some stuff being cooked, but I won’t spoil it. Let’s say I’m excited about what’s coming and SiteGround will stay on top of security as it has always done!

Thanks Tenko for your time!

Steven Johnson

Steven is a Joomla web developer and has worked with Joomla since the Mambo days. He has built websites for startup businesses all the way to Fortune 500 companies. A graduate of Georgia Tech in Chemical Engineering, he now happily spends his time building websites and reviewing all types of technology.