SECURITY QUESTION:
- Should you host several sites in one hosting account?
Is it insecure? Can all sites be hacked if one is hacked? Should you buy separate webhosting for each site? Is it safer? Or is it a myth?
ANSWER:
- There’s truth to the sentiment but it doesn’t apply in all scenarios, and the risks are also a bit exaggerated.
History of Shared-container Hosting
Let’s dig into the history of where that saying came from. It originated from the old days of cPanel and other standard hosting environments that allowed multiple sites in each account, thus “sharing” the container, or what we can also call “shared-account hosting”.
Why is shared-account hosting useful?
It’s a matter of practicality. Think about it this way. Suppose you and 2 other siblings wanted to live together. What’s more secure?…renting one big house with one front door?…or getting 3 separate apartments, each with separate doors and separate keys?
You see what I mean? It’s more hassle having more logins and passwords and more things to manage. If anything, I think managing more accounts can add to insecurity issues, as you’ll probably get lazier at managing security, choosing easier passwords and taking shortcuts that you wouldn’t have taken had you only had to manage one account.
Just answer the question…is shared-account hosting more insecure?!
Yes, it’s more insecure, as the sites share the same storage container. If a hacker were to break into one site, he (or she) could theoretically plant scripts and backdoor files in the other sites on the same account as well.
But how much of a risk is this? Let’s go back to my roommate analogy from earlier. Are your roommates bringing over shady friends and lots of strangers who don’t make you feel comfortable? Or are they mostly quiet home-bodies who keep to themselves? I think of shared-account in a similar manner.
If you have a handful of well-maintained sites, using updated themes/plugins, and responsible security efforts, you are fine! If you have one hundred sites that are never maintained…guess what, they will ALL be easily broken into regardless of whether they’re on the same hosting account or separate hosting accounts.
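An added example (not from the original article) of checking how far a break-in could reach on a shared account: it groups sites by owning user, then compares script hashes against a baseline across every site in the account. It assumes each directory directly under the account home is one site; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

SCRIPT_EXTS = {".php", ".phtml", ".phar"}

def site_roots(account_home):
    # Assumed layout: every directory directly under the account home is one site.
    return sorted(p for p in Path(account_home).iterdir() if p.is_dir())

def shared_owners(account_home):
    # Sites owned by the same UID are not isolated from each other: code
    # running in one of them can write into all of the others.
    by_uid = {}
    for root in site_roots(account_home):
        by_uid.setdefault(root.stat().st_uid, []).append(root.name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def manifest(account_home):
    # SHA-256 of every script file, keyed by path relative to the account home.
    out = {}
    for root in site_roots(account_home):
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = Path(dirpath) / name
                if path.suffix.lower() in SCRIPT_EXTS and path.is_file():
                    rel = path.relative_to(account_home).as_posix()
                    out[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return out

def changed_scripts(baseline, current):
    # New or modified scripts since the baseline, across every site in the account.
    return sorted(p for p, h in current.items() if baseline.get(p) != h)

def demo():
    # Constructed sample account: three sites in one home directory.
    with tempfile.TemporaryDirectory() as home:
        for site in ("shop", "blog", "forum"):
            (Path(home) / site).mkdir()
            (Path(home) / site / "index.php").write_text("<?php echo 'ok';")
        baseline = manifest(home)
        # Constructed aftermath of a break-in via "blog": scripts differ in two sites.
        (Path(home) / "blog" / "index.php").write_text("<?php echo 'changed';")
        (Path(home) / "shop" / "cache.php").write_text("<?php // unexpected file")
        shared = shared_owners(home)
        return sorted(next(iter(shared.values()))), changed_scripts(baseline, manifest(home))

if __name__ == "__main__":
    print(demo())
```

Take the baseline while the sites are known to be clean and store it outside the hosting account, since anything inside the account is writable by the same user.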
Does this mean I have to get separate hosting accounts for maximum security?
Maximum security starts with responsible website management, taking proper security measures and keeping your software/extensions updated! Getting a separate hosting account is like getting your own apartment because you don’t trust your roommates to lock the front door.
Hmmm…I’m paranoid and STILL want separate accounts, how do I do that?
Lucky for you, there are many options today:
- You still have the old “shared account” style of hosting on cPanel and other control panels. Yes, some developers and users still like to chastise this as being “SO INSECURE AND TERRIBLE”. I think most people complaining don’t manage that many sites at once.
- You also have the newer webhosts that offer separate containers for each site. So even though all sites are sharing the same “webhosting account” per se, they each have their own isolated environment and require a separate FTP login to access the files. The extra isolation may also mean you have to choose exact server settings (PHP version, DB version, server modules) for every site; this can be a pro or con depending on your use.
- Or yes, you can just get a separate webhosting account for each site if you like the old cPanel interface but don’t want to have different sites in the same storage.
Now, I’m torn! What would Johnny do?
I manage a dozen of my own sites across multiple servers, and then also oversee several hundred webhosting client sites.
- I generally like putting all MY sites in the same account as often as possible. It’s more convenient and I’m not afraid of the security “risks”. The 1 or 2 times I’ve been hacked, the hacker only affected the target site and not the other sites in the same account.
- With that said, I do like splitting sites into separate accounts as well. Important business sites are in one account. And less critical, personal sites are in another account. Obviously, I don’t manage the personal ones as often as there’s nothing important if they ever get hacked (which they don’t).
- In terms of my webhosting clients, they all get their own accounts. And if they have their own clients THAT NEED ACCESS, then obviously those end-clients would need their own separate account.
If you want my 2 cents…I rarely see a site hacked because a neighboring site on the same account was hacked. Usually if a site gets hacked, it’s because of its own code vulnerabilities (because of not updating WordPress core, themes, plugins).
I also feel deciding whether a site should get its own account is more a matter of personal workflow than security. If you’re managing many sites, having to re-log into everything and also switch quickly between different sites will be such a chore, you’ll hate your life.
With that said, if you have a huge business making millions of dollars and storing sensitive information on thousands of customers…yes, it should be on its own account!
Any other useful distinctions between shared-account hosting vs separate-account hosting?
Shared-account hosting (like usual cPanel webhosts):
- Cheaper
- Less management
- Can’t give full account access to clients (since they’d be able to access other sites)
Isolated shared-account hosting (like Cloudways, WPengine, etc):
- Still cheap like shared-account hosting
- But more management (since each site has separate logins)
- Can create different server environments for each site (but more of a developer’s benefit)
- Can give out limited access to each site
Separate-account hosting (buying separate hosting account for each site):
- Much more expensive (of course)
- Way more management (have to remember webhosting and also server logins)
- Can give out full access for each site to clients or contractors
- Obvious benefit of allowing each site to be on its own server environment, and even in its own geographical location to fit target visitors.
Alexey Vinogradov
Thank you very much, Johnny!
Very helpful article! For myself, I decided to keep my sites in one hosting.
It is better to worry about the protection of the server and the sites themselves, than to be confused in many hosting accounts.
Johnny
Good man! 🙂