Sharing Is Not Always Caring: Why Shared Hosting Is Not a Safe Bet

The internet is made up of a lot of computers connected to each other. There are multiple ways computers are architected and there are many ways they can be set up to connect us and share data. Shared hosting is the most commonly used type of hosting service, which uses a single machine to host many websites. However, whether you are a website owner from a small or large organization, it’s important to understand what risks and limitations shared hosting pose. 

Shared hosting can be less expensive because anywhere from dozens to hundreds of  websites are hosted on the same physical machine. All these sites share many things. They share the same resources– including CPU, memory, and file system. They share the same IP address. They share server configuration with limited options to customize configuration for individual accounts. In this scenario, they compete for resources in a shared environment. If one website experiences a spike in traffic, or if one site is poorly coded, it will slow down the performance of all websites on the machine. They also share vulnerabilities to attacks even if only one website or account is compromised.

Scaling Limitations

If your website traffic grows gradually and never reaches a high volume of visitors, upgrading the hosting plan may be possible, but resources beyond that are capped by the provider. If you need a higher performance hosting plan, your option is to switch to a different type of hosting for which there typically isn’t an automated way to migrate your website. 

Shared hosting can accommodate a fair amount of outbound traffic from website visitors. However, if your website uploads a lot of files such as video, or does file processing that uses a lot of resources, this will slow down the server and affect all accounts in the shared environment. Shared hosting doesn’t optimize well for these types of inbound traffic. 

Security and Privacy Limitations

Security practices for shared hosting can vary greatly from one hosting company to another.  You don’t know who your neighbors are in a shared hosting environment, so you are placing a great degree of trust in the other clients accessing this machine. For example, another account owner might not have a malicious intent, but they are individually responsible for applying security updates to each CMS they manage. Because all the websites on the machine share an IP address, it is relatively trivial for an attacker to create a list of all websites on the host and then determine which ones are running a CMS with code that has a known vulnerability (the version number for Wordpress or Drupal is often visible in the HTML source) to potentially execute arbitrary code. Or, if an attacker has an account on the same machine they could introduce scripts that can execute arbitrary code without needing to exploit a CMS vulnerability. In either case, this can lead to an attacker doing harm to the server, accessing other hosting accounts, installing spyware, or causing data loss. In all of these scenarios, only one website needs to be targeted to potentially affect all the websites running on that shared machine. 

Shared hosting is a bad choice in particular if you are storing sensitive user data, such as payment information or medical information. There is even a risk of liability and financial penalties with organizations required to follow privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA). If your users represent a sensitive threat model such as with activists, human rights defenders or journalists, online disclosure of any personally identifying information of users, including username, email, phone number, or IP address, shared hosting significantly exposes your site to an increased risk of a data breach. 

Better Hosting Options

There are a growing number of Platform as a Service (PaaS) hosting companies that handle security, scalability and better performance, while simplifying development and deployment of apps and reducing maintenance costs. This is achieved by removing the concern of maintaining the operating systems, software updates, storage, or infrastructure from the developer. Containerization also isolates environments for each client so the security vulnerabilities that shared hosting are known for, wouldn't be a concern with PaaS hosting providers. Some examples of PaaS hosting companies include WP Engine, Acquia and our favorite, Pantheon.  

In conclusion, shared hosting is less expensive and requires less technical skill to launch a website, yet performance, and security limitations increase the chances of unexpected downtime, a hacked website, and privacy breaches. Often website owners don’t understand the risks of shared hosting until it is too late. Hosting alternatives such as VPSs, dedicated servers, and various types of cloud hosting platforms such as PaaS options offer better security, reliability and privacy. These alternatives do cost more, can require more technical skill to set up, and include higher cost of maintenance, but the cost saved from avoiding these risks may outweigh lower upfront cost of shared hosting.