Setting up Backend and Basic Security

Getting ready to start setting up the backend for my first-ever e-commerce site, and am concerned about security!!!

While I feel comfortable doing data modeling/database design, I have never really done DBA work, and there are probably lots of things I don’t know about protecting our website, its content, and our customers from “bad guys”!!

Our e-commerce site will likely be hosted on some large webhost (e.g. GoDaddy) until we determine if this business will survive. If we actually make any $$$, then maybe we can buy our own server and have greater control.

I’m not really sure where to begin as far as security goes, and don’t even know what questions need to be asked?! :-/

What kinds of things should I take into account when designing and setting up a backend MySQL database - for an e-commerce site - on a site like GoDaddy.com??

Here is what I do know…

  • We will definitely NOT be storing credit information
  • Later on in development, I will need to become an expert on PCI Compliance

Here are some things I don’t know…

  • Is using GoDaddy safe?
  • How do I protect our site from “inside” attacks (e.g. Web Host’s employees)
  • How do I protect our site from “outside” attacks?
  • What questions to ask?!

TomTees

Okay, that is good to know!

As in all businesses there is always someone offering a better service at a higher price. In general when it comes to hosting, it's not always that you get a better service by paying more. Though there are companies that excel, in short what you are getting with those companies is better support and more knowledgeable staff. Personally I would not recommend that you search out any of the more specialized companies until you need a cluster of servers, or if the SLA at your current webhost is not good enough anymore for the website's needs.

Well I was impressed with the staff at Rackspace, but again, too rich for me for now.

IF I ever get our e-commerce site built, then I’ll definitely check out the host you mentioned.

Thanks,

TomTees

Yes, using a VPS will be the best choice if you cannot afford a dedicated server from the start.

Since you're able to control everything on your instance you can get PCI Compliant to accept credit cards on your site and then forward them to the merchant provider through an API. As long as you complete the requirements, that is, of course.

As in all businesses there is always someone offering a better service at a higher price. In general when it comes to hosting, it's not always that you get a better service by paying more. Though there are companies that excel, in short what you are getting with those companies is better support and more knowledgeable staff. Personally I would not recommend that you search out any of the more specialized companies until you need a cluster of servers, or if the SLA at your current webhost is not good enough anymore for the website's needs.

+1 for LiquidWeb ( I’m not their friend either :wink: )

When I used them for a basic account I wasn’t overly impressed, so I guess that is no surprise, although I figured if you upgraded you might get better service.

The main issue I have with them is the same thing that normally differentiates the bad web hosts from the good web hosts. A cheap web host is perfect as long as the server/service is online; it's the second it goes down that you can see the actual difference between the hosts.

Understandable.

I don't personally like VPS solutions, I would have gone for a dedicated server right off the bat. But in your case it seems that is not a viable option, and a VPS is the closest you can get to a dedicated server.

And so you are implying that a VPS solution with a good web host would be secure and reliable enough to do e-commerce, right?

A VPS operates in its own area, completely separated from the other VPS instances on the same server. This means, even if you crash your VPS instance the rest will still function. In addition this also means you will have full access to it (or should have) and by that can install the software you require or do any desired changes to the server.

Can you be PCI compliant and use a VPS?

No, I do not work for the company, nor am I “friends” with them other than we host our own servers and have moved most of our clients' servers over to them as well. I am just a happy customer.

Just asking, since there is a lot of self-promotion going on here at SitePoint or any other board.

Liquid Web is to my knowledge located in Scottsdale, Arizona. It's a bit difficult to find that information on their website these days, but all of their three data centers should be around that area.

Okay.

The reason we ended up with Liquid Web contra the other web hosts out there is mainly due to the quality of their support team, i.e. the time it takes from when you contact them until the problem is solved. It is also very nice to be able to call them and actually have a technician that is able to solve the problem answer the call. (And not be redirected to a call center in India where you can barely understand what the guy says, and even if the server is down the response is that he needs to send the request over to the US support team, and at the same time cannot give you the phone number directly to them (Host Gator is a good example of this approach)).

The only web host I was ever impressed with - on the phone - was RackSpace. They seem very competent, however $1,000-$1,500/month for a managed and dedicated server is too rich for my blood until I know our business is making $$$.

Pardon my suspicious nature towards webhosts, but they seem to be “a dime a dozen” and there is no way to know who to use or trust unless you can speak from actual experience. So I am just leery on this topic.

The service they offer is also fully managed; this is an advantage from our side since we don't need to have server technicians on our staff. If we need an application installed on a client server, or a modification done, we just contact them and they do it for us.

That would be important to us too.

In regard to your e-commerce question, I must admit I find the question a bit funny. As, if your web presence is just a “portfolio” website, then all you would need is a shared host.

I don’t follow you.

I was asking if you have had experience hosting “serious”, business-grade websites or if it was just more of an information site.

Successfully hosting an e-commerce site seems to be a good indicator of how good a host is since it has higher requirements and usage than say a 20 page website with static webpages.

But to answer your question, all of our clients that we have moved over have sales ranging from the low ten thousand range to a few million dollars per month. Of course the clients we have that make the most sales don't run their website on only one server.

Well, that qualifies as serious to me!

On a final note, I mean no offense by this comment. It's just meant as a friendly comment/remark.

I've read a bunch of your posts on the forum lately, and it does not seem like you have the best experience in most of the areas you're asking questions in.

That is an accurate statement. I have received A LOT of help thanks to the people on SitePoint.

My main beef is when people DO NOT READ and when people go off on UNNECESSARY TANGENTS that dilute my original thread.

What might be an issue is that in most cases you seem to have made up your mind already, and when someone answers something different from that, you try to get the path of discussion back to what you already made up your mind is the “best approach”.

I can’t respond to that without examples, and I am hoping this won’t turn into a “You said this here” and “You did that there” thread. :slight_smile:

I may stick to my guns when I have a general solution in mind and I want advice on how to implement that solution, but again, my biggest annoyance is when people do not read what I said and then go off on tangents or start lambasting me on things that were never said. (That is clearly their issue and not mine.)

While it is always good to take what someone else says on a forum with a grain of salt, it is also important to listen to and understand what others say even if it is not exactly what you would like to hear, as their post might contain a lot of important information.

I don’t mind opposing views. They help us all to grow. But if/when I have contested a different view it is only because I don’t keep on the “kid gloves” when I debate and play devil’s advocate.

At the end of the day I usually see the “best solution” whether it came from me or someone else…

I wouldn’t spend so much time on here if I didn’t care what other people thought!!
Back on topic, I’ll definitely check out the web host you recommended.

I don’t mind spending $100-$150/month for a hosting solution that will help our site be secure and sound while we get things off the ground. And you are right in that GoDaddy probably isn’t the best first choice!

TomTees

You hit the nail on the head with your sentence “They supposed offer Dedicated Servers, Managed Hosting, etc.”.

Yes, they are offering different hosting solutions, but that does not mean that they offer the best hosting solutions available at that cost.

It has been a while since we last dealt with their hosting solution (luckily) but off the top of my head I remember that to use curl you had to set it up using proxy settings. In the cases where we dealt with them our clients did also not receive the root password to the VPS/Dedicated server.

The main issue I have with them is the same thing that normally differentiates the bad web hosts from the good web hosts. A cheap web host is perfect as long as the server/service is online; it's the second it goes down that you can see the actual difference between the hosts.

Calling GoDaddy support when the server/service is down is not really the most pleasant thing to do. The support staff is not really too knowledgeable about the product/service they are selling, and getting the website/server back up can be a tough process in its own right.

Let me ask you this question, can you trust your employee that is supposed to handle the servers you have setup in the back room?

By choosing the proper webhost according to your needs, you will be able to sleep well at night. I know I have the last few years.

I don't personally like VPS solutions, I would have gone for a dedicated server right off the bat. But in your case it seems that is not a viable option, and a VPS is the closest you can get to a dedicated server.

A VPS operates in its own area, completely separated from the other VPS instances on the same server. This means, even if you crash your VPS instance the rest will still function. In addition this also means you will have full access to it (or should have) and by that can install the software you require or do any desired changes to the server.

On a side note, the cheaper the VPS solution is, the more instances the web host usually puts on each server to cover the cost. In other words it kind of becomes like shared hosting, “crowded”. Sure you will have the promised RAM, but the burstable will go to the instance that requests it first.

No, I do not work for the company, nor am I “friends” with them other than we host our own servers and have moved most of our clients' servers over to them as well. I am just a happy customer.

Liquid Web is to my knowledge located in Scottsdale, Arizona. It's a bit difficult to find that information on their website these days, but all of their three data centers should be around that area.

The reason we ended up with Liquid Web contra the other web hosts out there is mainly due to the quality of their support team, i.e. the time it takes from when you contact them until the problem is solved. It is also very nice to be able to call them and actually have a technician that is able to solve the problem answer the call. (And not be redirected to a call center in India where you can barely understand what the guy says, and even if the server is down the response is that he needs to send the request over to the US support team, and at the same time cannot give you the phone number directly to them (Host Gator is a good example of this approach)).

Over the years we have used Liquid Web, we have of course had a few servers go down due to hardware issues etc., but in every case the server has been up within or right after their SLA (30 minutes).

The service they offer is also fully managed; this is an advantage from our side since we don't need to have server technicians on our staff. If we need an application installed on a client server, or a modification done, we just contact them and they do it for us.

In regard to your e-commerce question, I must admit I find the question a bit funny. As, if your web presence is just a “portfolio” website, then all you would need is a shared host. But to answer your question, all of our clients that we have moved over have sales ranging from the low ten thousand range to a few million dollars per month. Of course the clients we have that make the most sales don't run their website on only one server.

On a final note, I mean no offense by this comment. It's just meant as a friendly comment/remark.

I've read a bunch of your posts on the forum lately, and it does not seem like you have the best experience in most of the areas you're asking questions in. This is of course not an issue, and that is why we have these forums, allowing us to ask questions and get help from someone that is more experienced in that subject.

What might be an issue is that in most cases you seem to have made up your mind already, and when someone answers something different from that, you try to get the path of discussion back to what you already made up your mind is the “best approach”. While it is always good to take what someone else says on a forum with a grain of salt, it is also important to listen to and understand what others say even if it is not exactly what you would like to hear, as their post might contain a lot of important information.

Can you be more specific?

What about just using a higher-priced option with a GoDaddy?

They supposedly offer Dedicated Servers, Managed Hosting, etc.

Wouldn’t that solve the issues you are alluding to?

You can't really protect from inside attacks; the person doing that will have all the information he/she needs to get the data even if you encrypt the data. Due to this you need to pick a web host you feel you can trust, don't go with a shady one just because it costs $XX less a month…

Should I be more concerned about “inside” threats or “outside” threats?

Can you reasonably trust a webhost versus having your own in-person staff and data-center?

I'll be completely honest, if you cannot afford to spend money for a VPS package for the hosting at a reliable web host, then you don't really believe in your business idea and the chance for it to actually earn money is slim.

Why the love of VPS?

I have heard that VPS’s aren’t that much more secure, and that you really need a dedicated server?

(Of course I doubt we can afford a dedicated server without income coming in?!)

You don't want to skimp on the hosting; doing that you risk having more downtime, problems reaching someone at support that can help you when there is a problem with the server, etc.

While you don't need to pick the most expensive web host, don't pick the cheapest either. There is a reason why they can sell their service that cheap.

Choosing the correct web host is not an easy task; it took us a few years before we found the one we use and recommend to our customers.

Yes, it is an area where I really worry… :o

If you are serious about the ecommerce store, do yourself a favor and get the cheapest VPS from Liquid Web (http://www.liquidweb.com). It will cost you around $60 per month, but you will get security and peace of mind for that cost :slight_smile:

Do you work for them or are they your friends? :wink:

Or have you actually hosted something serious like an e-commerce site with them?

Where are they located? (Being in the U.S., I really would prefer a U.S. company with U.S. staff.)

Why do you feel they are better than the millions of other webhosts out there?

TomTees

It is a good call not to store any credit card information; it is much easier and more secure to use a payment processor that specializes in this. Though keep in mind the website will still need to be Level 4 PCI Compliant at a minimum if you plan to accept credit cards directly on your website (i.e. sending the data to your merchant provider through an API).

In regard to becoming an expert on PCI Compliance, if you are thinking of storing credit cards in the database at a later point in time, then just forget that right away. It is not worth the stress and cost; unless your ecommerce site becomes as big as Amazon, don't even consider it. Instead use a payment processor that allows you to create and manage profiles of customers (and their credit cards), for example Authorize.net.

I would never advise anyone to use hosting provided by GoDaddy; I've seen too many issues with their service and restrictions.

You can't really protect from inside attacks; the person doing that will have all the information he/she needs to get the data even if you encrypt the data. Due to this you need to pick a web host you feel you can trust, don't go with a shady one just because it costs $XX less a month…

For outside attacks, you need to make certain that the website backend code is solid and that it is not vulnerable to any attacks. In addition you need to make certain that the server software is updated as well; this is a task that you can leave to your host if you have a managed package.

I'll be completely honest, if you cannot afford to spend money for a VPS package for the hosting at a reliable web host, then you don't really believe in your business idea and the chance for it to actually earn money is slim.

You don't want to skimp on the hosting; doing that you risk having more downtime, problems reaching someone at support that can help you when there is a problem with the server, etc.

While you don't need to pick the most expensive web host, don't pick the cheapest either. There is a reason why they can sell their service that cheap.

Choosing the correct web host is not an easy task; it took us a few years before we found the one we use and recommend to our customers.

If you are serious about the ecommerce store, do yourself a favor and get the cheapest VPS from Liquid Web (http://www.liquidweb.com). It will cost you around $60 per month, but you will get security and peace of mind for that cost :slight_smile:
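Two points in this reply (keep only a processor-side profile reference rather than card data, and make sure the backend code is "solid") can be shown concretely. The following is an added example written for this thread, not code from either poster: a constructed order schema that stores only the processor's profile id and the last four digits, a check that no table has a raw-card column, and the same customer lookup written once with string concatenation and once with a bound parameter. sqlite3 stands in for the MySQL backend the original question mentions so the script runs offline; all table, column and row values are constructed for the example.

```python
"""Order store that keeps no raw card data, plus an unsafe and a safe lookup."""
import sqlite3

# Constructed schema: only the processor-issued profile id and the last four
# digits are kept.  The full card number, expiry and CVV never reach this DB.
SCHEMA = """
CREATE TABLE customer (
    id                   INTEGER PRIMARY KEY,
    email                TEXT NOT NULL UNIQUE,
    processor_profile_id TEXT,                     -- opaque id from the payment processor
    card_last4           TEXT CHECK (length(card_last4) = 4)
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customer(id),
    total_cents INTEGER NOT NULL CHECK (total_cents >= 0)
);
"""

# Constructed sample rows (customer ids are assigned 1 and 2 in insert order).
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "prof_abc123", "4242"),
    ("bob@example.com", "prof_def456", "1111"),
]
SAMPLE_ORDERS = [(1, 1999), (1, 4550), (2, 1000)]

# Column names that would indicate raw card data is being stored.
CARD_DATA_COLUMNS = {"card_number", "pan", "cvv", "cvc", "expiry", "expiration"}


def open_store():
    """Create an in-memory database with the schema and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO customer (email, processor_profile_id, card_last4) VALUES (?, ?, ?)",
        SAMPLE_CUSTOMERS,
    )
    conn.executemany(
        "INSERT INTO orders (customer_id, total_cents) VALUES (?, ?)", SAMPLE_ORDERS
    )
    conn.commit()
    return conn


def schema_stores_card_data(conn):
    """Return True if any table has a column whose name suggests raw card data."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        cols = {r[1].lower() for r in conn.execute(f'PRAGMA table_info("{table}")')}
        if cols & CARD_DATA_COLUMNS:
            return True
    return False


# One query template; the two functions below differ only in how the email
# value gets into it.
ORDER_QUERY = (
    "SELECT o.id, o.total_cents FROM orders o "
    "JOIN customer c ON c.id = o.customer_id "
    "WHERE c.email = {email} ORDER BY o.id"
)


def orders_for_email_unsafe(conn, email):
    """Vulnerable: the caller's input is spliced into the SQL text itself."""
    sql = ORDER_QUERY.format(email="'" + email + "'")
    return [tuple(r) for r in conn.execute(sql)]


def orders_for_email(conn, email):
    """Hardened: the input travels as a bound parameter, never as SQL."""
    sql = ORDER_QUERY.format(email="?")
    return [tuple(r) for r in conn.execute(sql, (email,))]


if __name__ == "__main__":
    db = open_store()
    print("schema stores raw card data:", schema_stores_card_data(db))
    # A value with a quote in it shows why concatenation is wrong: the unsafe
    # lookup returns every customer's orders, the safe one matches nothing.
    odd_input = "nobody@example.com' OR '1'='1"
    print("unsafe lookup:", orders_for_email_unsafe(db, odd_input))
    print("safe lookup:  ", orders_for_email(db, odd_input))
```

The same shape carries over to MySQL: bind every value with the driver's placeholder instead of building SQL strings, and give the application its own database account limited to the SELECT/INSERT/UPDATE it needs on the shop's tables rather than connecting as root, so that a bug in one query cannot reach the whole server.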