Technical Tips: How to Look into The Security and Performance of a Web Host
Last updated on Aug 17, 2022
A big thank you to Shawn Purdy for providing his technical expertise in this interesting guest post for Review Hell readers.
In this topic we will focus on security and performance. What we will cover in the article you can check fairly easily. It will help you determine if a host cares about its servers, or its clients.
1. Checking the HTTP Header
While you may think this is technically difficult to do it is not. You can easily check the HTTP header with most popular browsers. For example in Google Chrome you can push F12 on your keyboard, reload the web host’s homepage, click the “Network” tab, and look for the first HTTP request (the domain name of the web host). Click on it and you will see the HTTP header information. As seen in the example below. If you prefer using Firefox you can install the Firefox Developer Edition.
(click on the image for a full sized view)
The Important Information is: Server, X-Powered-By, and Accept-encoding
The server field will usually have something like Apache, LiteSpeed, Varnish, or Nginx. The important bit here is that it doesn’t advertise the full version number to the public. While people will argue about which web-server is the fastest, this is really not for this topic, as any host can overload a system. If that is the case the HTTP server used will not matter that much.
You may ask why to not display the version number?
Most updates to server side software are to patch security related issues. By announcing the full version to the public they are giving hackers information that can be used against them. Nothing may happen but it is a very simple feature to turn off within the server configuration so there is just no excuse for taking the chance. Some hosts are not always so quick to update, so if they do run an older version and on top of that advertises it to hackers, then it is just asking for trouble.
The X-Powered-By header will typically have the PHP version. The host can say they use php 5.5, but it’s better not to advertise they are using 5.5.25 for example. There is no need to advertise the full PHP version. Again it is very easy to disable this from the php.ini file on the server.
In some cases the X-Powered-By header will say PleskLin which means the server is using the Plesk Control Panel. I question Parallels reasons for advertising the control panel in this header. In the case of Plesk Control Panel it gives hackers information on the panel you’re using without even visiting your website from a visual point of view. These types of people are not going to look at 1,000’s of host’s websites. They look for information in headers and then know what known exploits to attempt. There is sophisticated software that can do all the work for them (Think Attack Robot). They don’t even need to have a human to do it. So by removing this information you can remove millions of attacks on a busy web-server by not willingly giving this information away.
This means two things. First, you get skipped as a potential target to these robots from those types of attacks. Second, you also remove an unneeded load on your system. You may think that is what a firewall is for. Wrong, a firewall is another layer of defense. Security is about layers not a single solution. The firewall is there for other attacks that are not easy to prevent. Yes the firewall will block those robot attacks, but why make your system work if it doesn’t have to? Prevent the robots from visiting in the first place and if they manually go to your website to attack it then the firewall is there.
This applies for any version information that is output into the HTTP header. It is not needed.
Accept-encoding: gzip, deflate
This section should indicate that gzip/deflate compression is supported. If it’s not displayed, it doesn’t mean it isn’t supported but that the host’s main website maybe isn’t optimized. It is not a clear indication of whether it is supported or not, but if a host doesn’t know how to use gzip compression, I would be wary of their technical abilities.
If a host can pass these tests, than they MAY be worth considering.
2. HTTPS Connection
Does the web host use HTTPS? While it is fairly well known to look at the URL bar I would not only consider this factor. I would run an SSL Test on that website by using Qualys SSL Test. Check to see if the provider can score an A Grade on Qualys SSL Test. If they get an F Grade or anything less than a B Grade you probably don’t want to give out your information to them. Never mind hosting on a server that isn’t configured correctly.
The test can take several minutes to run, but it is worth taking the time to run it. To me if a host doesn’t care enough about their own website, why would they care about yours? Just because a host has an SSL Certificate, even if it is an EV Green bar certificate does not mean that the connection is secure.
3. Page Speed Tests
Run a Google PageSpeed Insights test on the host’s website and also do a GTmetrix test. To me they should at least get a reasonable score of 85+ but you can use your own judgement. You can be a little more lenient with the GTmetrix YSlow portion of the test because not everyone will use a CDN and that test penalizes a lot of the rating for not having one. Anything above 75 may be acceptable. I have fairly high standards, so I would probably be a bit more strict than most people. The numbers above are within a reasonable range (not performance nut range).
Why is this test important?
It shows the host is serious and didn’t slap together the website. It takes time and effort to really score well. A badly optimized website can easily be in the 20’s or 30’s. Seeing a site like this means that whoever built it has no clue what they are doing. Do you want to host with someone that has no clue what they are doing for something not that complex as a website? If they can’t optimize a website they probably can’t optimize a web-server.
4. Beyond Security and Performance
If you’ve made it to tip number 4 then you may consider the host worthy of hosting your website. However there’s more to assessing a web host than security and performance, so don’t forget to look at the rest of ReviewHell’s tips on choosing a hosting provider.
Once you have your hosting account setup you will want to look at a few more important factors to determine if a host is still worth hosting with.
5. PHP Module
The module a host is using to run PHP is important because of performance, security, and isolation.
You can check this by uploading a file to your main website folder (e.g. public_html, httpdocs, etc.)
Create a file called info.php and paste in the following code.
<? phpinfo(); ?>
If you’re not sure how to create a .php file it is very easy. Just open up notepad. Paste in the code above into notepad. Save the file as a .php file instead of a .txt file.
Once you upload the file it will give you an output of the php configuration and modules it uses. You just need to access it from your browser. (yourdomain.com/info.php)
The first 4 lines will be:
- System
- Build Date
- Configure Command
- Server API
The important part here is Server API. You will typically see one of the following in this line: Apache Handler, CGI/FastCGI, LiteSpeed Server, or PHP-FPM
Apache Handler
This handler means Apache is handling PHP requests. While it is a very fast way to run PHP it is not a secure way to run PHP (if the host is not using mod_ruid2).
It provides zero isolation and it also means you will have to use insecure file permissions in order to upload files from a script. For example, if you use WordPress you will have to CHMOD the upload directory 777 in order to upload files. The reason for this is because the Apache handler runs PHP as the Apache user for all domains on the web server. Since your domain directories will not be owned by the Apache user it will not have permission to write to that directory. If it does have permissions than that means Apache is set-up in a extremely dangerous way and you should pack up and leave.
If the host requires insecure folder or file permissions you should pack up and leave as well. However if you have a host with Apache handler you should ask if they are using the mod_ruid2 module which changes the permissions to the the owner of that domain. An easy way to find out yourself is to test an upload script to see if it needs insecure file permissions in order to upload a file. If it does then mod_ruid2 isn’t being used and I would run! Make your backup, find a new host, cancel, and get a refund.
CGI/FastCGI
This means the server is using a popular module to run PHP. Which could be suPHP, fcgid, or fast-cgi. suPHP is by far the slowest way to run PHP. However it does prevent scripts from running with insecure file permissions. suPHP is not a bad handler, but it is very disk i/o intensive. With newer software technology it is quickly being replaced. The other modules such as fcgid and fast-cgi are faster ways to run PHP. All of these options can be safe if setup correctly.
LiteSpeed Server
The LiteSpeed PHP module is one of the faster ways of running PHP. It also provides isolation and is a secure way of running PHP applications. You also get the performance to go with it. Typically this module is seen on LiteSpeed HTTP servers but is also packaged with CloudLinux.
With this handler you may notice a slight delay when you first load a webpage, but a quicker response on extra page views. The reason for this is because this module only keeps a process active for a period of time and kills them off.
So if your website is not that busy it will have to keep forking a new process. Every time a process must be created this creates a slight delay, but in the case of ls_php it is much faster than other alternatives such as fcgid.
PHP-FPM
This is one of the more recent modules. Which is now built into the PHP Core, and is a very fast way to run PHP applications. The major issue with this module as of right now is it runs best when each user account has its own pool of processes.
The configuration for this is more complex than other modules. Most hosts use the popular control panel cPanel and as of right now the kind of optimal configuration for this isn’t built in. This means most hosts don’t offer it but if you have a host using this module this is a good thing.
6. PHP Version
While this may not apply in every single case as some people run older scripts. I would not personally host with a host that supports end of life versions of PHP. As of this article that includes PHP 5.0, 5.1, 5.2, 5.3 and of course older versions of PHP 4 as well. Many hosts still support versions older than 5.4, however if your application does not require these versions I would say to look for a host that is interested in running secure software. All of these versions are end of life which means they won’t get any security patches and some of the older versions are riddled with security bugs.
7. mod_deflate, mod_expires, and mod_headers
These are common Apache modules, which can also be loaded in LiteSpeed. They allow you to set information onto different types of files for controlling browser caching. mod_deflate is a compression module which allows for gzip compression. While this is a useful module it is also useful to tell browsers how long to cache certain file types and you need mod_headers and expires in order to do that. Any host that is interested in providing performance should have these modules available for use.
Paste this simple code below in an .htaccess file, which should function.
# 1 YEAR ExpiresActive On <FilesMatch "\.(otf|ico|pdf|flv)$"> Header set Cache-Control "max-age=29030400, public" ExpiresDefault "access plus 1 years" Header unset Last-Modified Header unset ETag SetOutputFilter DEFLATE </FilesMatch> # 1 MONTHS <FilesMatch "\.(jpg|jpeg|png|gif|swf)$"> Header set Cache-Control "max-age=2419200, public" ExpiresDefault "access plus 1 month" SetOutputFilter DEFLATE </FilesMatch> <FilesMatch "\.(xml|txt|css|js)$"> Header set Cache-Control "max-age=604800, public" ExpiresDefault "access plus 1 week" SetOutputFilter DEFLATE </FilesMatch> # 30 MIN <FilesMatch "\.(html|htm|php)$"> SetOutputFilter DEFLATE </FilesMatch>
Just this bit of code can improve your websites performance by a two to three times. In more extreme cases it could improve it more than that. Keep in mind this configuration applies to HTTP servers that support .htaccess such as LiteSpeed and Apache. Nginx has its own directive which will differ from the code above.
Final Words
While you do get what you pay for in the hosting industry, it is also important to make sure when you are paying for quality, you are actually getting quality. By having a good set of technical tools at your disposal you can weed out the amateurs from the professionals. You don’t need to be an IT professional, you just need to have the information required to make an informed choice.
About The Author: This article is the opinion of Shawn Purdy from PurdyDesigns. Shawn has been in the web hosting and website development industry for over 15 years, and is passionate about educating consumers on improving their websites and hosting solutions.
I would say that judging a host based on their expertise in optimizing websites is rather irrelevant. That’s basically judging the ability of a sysadmin based on his ability as a web developer. With that said, these are all pretty good signs when judging a host.
Adding to the PHP Version, I know some (including ourselves) hide it entirely. This should be seen as alright as well.
Hi,
The idea behind the website optimizing in terms of page speed and gtmetrix is not really to see if they are skilled developers, but if they spent time on their website. I think it shows a level of professionalism. They can hire a professional developer in order to score well. It doesn’t mean they need to do that themselves. At least that is my opinion hence why it is in the article. :)
I get also the way I worded that part that maybe it’s a bit harsh. I tend to sugar coat things a little. :P
And yes hide it entirely is good. :)