Secure WordPress hosting using account isolation – Why is it needed, and how to do it using OpenShift Origin

Secure WordPress hosting using account isolation – Why is it needed, and how to do it using OpenShift Origin

Studies show that, 26.4% of the internet is powered by WordPress. Now, that’s a big number, and a welcome news to many WordPress design and hosting companies. However, this popularity has given rise to a steep increase in attacks on WordPress websites. Are WordPress hosting companies prepared to defend attacks on such a large scale?

A case for secure WordPress hosting

In a previous post, we covered how to secure WordPress websites and hosting servers. A key take away from that post was to keep WordPress Core and plugins updated at all times. But, in real life, this seldom happens.

Webmasters often maintain multiple websites, some rarely used, and some actively used. Updates are usually applied on the actively used sites, while others are left un-patched. This opens a window for attackers to upload malware into the server.

Secure WordPress Hosting - Blessen Cherian Quote  In our server management services, malware infections are considered a tier 1 threat to server security. In many WordPress hosting servers, websites share the same network IP. If one site is infected, the malware can send out spam, or initiate outbound attacks, thereby disrupting business in all other sites. To prevent such business downtime, we scan the servers daily for vulnerable sites, apply patches, and keep the anti-malware firewalls updated.   

Blessen Cherian
Member of Executive Group, Bobcares

 

 

Custom configured anti-malware firewalls (such as ModSecurity and NAXSI) can block almost all malware infections. But, it is not 100% fool proof. An attacker who has access to the webmaster’s login details (through phishing, drive-by-downloads, etc.), can easily access the website, and inject malicious code in it.

So, it is important to have another layer of defense to protect websites from the ill effects of malware infection in a single account. This is where a security concept called “security by isolation” is useful.

Using account isolation for security

In a shared server, all customers share the same resources, network services, web server, mail server and database server. So, a malware infection in one account can potentially disrupt the business in all other accounts.

Now, what if we can put each account into its own individual silos? What if there’s no sharing of resources or services among multiple accounts? – That is what’s meant by “security by isolation“. The damage in one account is contained to only that account. Others will be safe.

There are a couple of ways to achieve account isolation for WordPress hosting:

  1. Using Virtual Machines such as Xen, KVM, etc.
  2. Using container virtualization solutions such as OpenVZ, Docker, etc.

Account isolation using Virtual Machines

Getting a physical server for each customer would probably be the best way to ensure isolation, but that is a costly proposition. The next best way is to use Virtual Machines like Xen, KVM, or VMWare. Each customer is given a fully isolated server environment, with independent IP, services and operating system. There’s no way that a malware in one account can affect the operations in another.

However, even this solution is still a bit too costly for an average WordPress webmaster. Virtual Machines are resource intensive, and only about 20 customers can be accommodated in a server with 16 GB RAM, Quad core processor and 250 GB HDD. This is a pretty low account density for 1 physical server.

For a WordPress hosting solution to be viable, servers should have better account density.

Isolation through container virtualization

In Virtual Machine systems such as Xen or KVM, the resources are hard limited to each customer, and a full operating system runs out of a disk image. This severely limits how many VMs can run out of a single physical server.

An alternate solution is to use container virtualization (aka OS virutalization) systems like OpenVZ or Docker. These systems use a single operating system to serve all the customers, but file system restrictions are used to effectively isolate each customer. Since there’s no heavy virtualization overhead, up to 5 times more server density can be achieved in comparison to Xen or KVM.

For all practical purposes of regular WordPress hosting, a container virtualization system will work fine. But if security is a prime concern for your hosting service, there’s a weakness you need to be aware of:

In container virutalization, all accounts share the same kernel. So if an attacker can run a kernel exploit, data in the whole server can be accessed.

So, it begets the question – Is there a better way?


 

Get a FREE consultation

Do you spend all day answering technical support queries?

Wish you had more time to focus on your business? Let us help you.

We free up your time by taking care of your customers and servers. Our engineers monitor your servers 24/7, and support your customers over help desk, live chat and phone.

Talk to our technical support specialist today to know how we can keep your service top notch!

TALK TO AN EXPERT NOW!


Bobcares provides Outsourced Hosting Support for online businesses. Our services include Outsourced Web Hosting Support, Outsourced Server Support, Outsourced Help Desk Support, Outsource Live Chat Support and Phone Support Services.

Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES