Don’t Assume Your Web Host’s Security Claims Are True

When people ask us for web hosting recommendations, we tell them that we don’t provide any, since we can’t independently verify a web host’s security practices. Unfortunately, what web hosts say about their security isn’t necessarily true, even when it involves things that can easily be double-checked. Something we ran into recently was a reminder of that.

After we had started making a copy of a website’s files over FTP while beginning work on a hack cleanup recently, the client told us they would need our IP address to whitelist it so that we could connect via FTP. Seeing as we were already connected via FTP, either they had just turned on the whitelisting or it wasn’t working. When we explained that we were already connected, they told us that they hadn’t just turned on whitelisting (in looking over the web host’s documentation, it isn’t even something you can turn on and off), so it wasn’t working.

Later on we asked the client to see if their web host could provide the log of FTP activity so we could see if that could have been the cause of the hack. Right at the beginning of the response from the web host, Nexcess, they claimed that IP addresses would need to be whitelisted to be able to connect, despite that not being true:

You have to whitelist your IP for FTP or you cannot login. This is done by logging into SiteWorx -> Hosting Features -> Firewall Rules.
You’ll need to add your IP and then choose the FTP service. Your IP may have changed or maybe you have never added it.
If your site was compromised, finding the IPs that did it is likely a useless effort unless you suspect something like foul play from within your own organization or something. Otherwise, it’s likely caused by another compromised by another hacked machine or hacked hosting account as normally seems to be the case.
Compromises happen when security patches are neglected, or plugins are not kept routinely updated. Without these patches or plugin updates, any exploits located within them are not patched when the developers learn of them and release a new version to patch and close these vulnerabilities.

The rest of that response doesn’t give us the sense that they are very knowledgeable about security, as they don’t seem to understand that knowing whether or not the hack came through FTP would be useful.

The takeaway from this seems to be that you shouldn’t assume that security claims made by your web host are true, and if you want to be as secure as possible, you should double-check that security features are working when you can.
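
One way to run that double check for an FTP allow list on your own hosting account, as an added example that is not from the original post or from the web host. The function name and verdict labels are this example's own; it assumes you run it from an IP address that has not been added to the host's firewall rules and, optionally, supply your own FTP credentials.

```python
from ftplib import FTP, Error as FTPError


def check_ftp_allowlist(host, user=None, password=None, port=21, timeout=5.0):
    """Report how an FTP server treats a connection from this machine.

    Run from an IP address that has NOT been added to the host's allow list.
    Returns (verdict, detail) where verdict is one of:
      blocked       - no connection or no answer: consistent with IP filtering
      rejected      - connected, but the server refused before greeting
      reachable     - server sent its 220 greeting (no credentials were tested)
      login_denied  - greeted, but the login was refused or did not complete
      login_allowed - logged in: the allow list is not being enforced
    """
    ftp = FTP()
    try:
        try:
            # connect() returns the server's greeting line on success.
            greeting = ftp.connect(host, port, timeout=timeout)
        except OSError as exc:  # refused, unreachable or timed out
            return "blocked", str(exc)
        except (EOFError, FTPError) as exc:  # e.g. a 421 reply or a silent close
            return "rejected", str(exc)
        if user is None:
            return "reachable", greeting
        try:
            return "login_allowed", ftp.login(user, password or "")
        except (EOFError, OSError, FTPError) as exc:
            return "login_denied", str(exc)
    finally:
        ftp.close()


if __name__ == "__main__":
    import getpass
    import sys

    # Usage: script.py HOST [USER]  (the password is prompted for, not passed)
    target = sys.argv[1]
    account = sys.argv[2] if len(sys.argv) > 2 else None
    secret = getpass.getpass() if account else None
    print(*check_ftp_allowlist(target, account, secret), sep=": ")
```

A `reachable` or `login_allowed` verdict from an address that was never whitelisted matches what happened in the cleanup described above; `blocked` is what a working allow list should produce.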