I have learned a few things here on the DO community. Thus, I thank you.
Things I’ve learned:
It was a struggle at times and I still don’t have the Postfix email working correctly. Emails sent by WordPress don’t get delivered. (In case you have any tutorial links, please share :)
Since my websites aren’t getting any significant traffic and don’t handle any sensitive information, I have not learned or set up any security for my server yet.
I’m considering teaming up with a WordPress web developer and also offering web hosting to them. My question:
What are the skills, systems and automations I need to consider before doing so?
When it comes to web hosting, security is always Priority #1, so before diving into the aspects of providing web hosting services to the public, a firm grasp of basic security principles is where you’ll want to start.
Understanding What You’ve Got
At its core, a Droplet, like any standard VPS, is a blank canvas. You’ve got a chunk of resources and you’ve got the OS – what you do with it and how you set things up is totally and entirely up to you. This applies to Dedicated Servers and Containers as well.
By nature, the security of the server and the OS is limited to what is provided by the OS distributor in their default configuration. These defaults aren’t meant to be all-inclusive nor provide maximum security for multi-user environments. You’re starting with next to nothing (you’ve got the OS, of course) and need to build from there.
Control Panel vs CLI
If you’re looking for a rather simple setup, installing a control panel such as cPanel or Plesk is going to be the route to take, with a few caveats.
1). Control Panels are not the end-all, be-all. Simply installing a control panel does not guarantee or ensure that your server is secure. Too many install cPanel and set up a few websites under the guise that cPanel provides a total security package – it doesn’t. If it were that simple, sysadmins that do business with web hosting providers would lose a decent chunk of their revenue, but they’re still here because at the core, cPanel is simply an overlay that runs as an application on top of the OS. You’ll still need knowledge of the CLI, Security and various other pain and pressure points, otherwise you’ll end up like many who simply install a control panel and run with it (hacked and at a loss).
2). Control Panels often require more resources, thus requiring you to deploy more resources than you would need if you were to manage things from the CLI. For example, cPanel will run on 512MB RAM and 1 CPU, though it’s going to struggle as you’re spreading that very thinly across Apache, MySQL, FTP, PHP and whatever else you choose to install. To start, 2-4GB RAM and 2-4 CPUs is a base recommendation with 8-12GB RAM and 4-8 CPUs being optimal for multi-site hosting and for handling traffic spikes. Even then, depending on the number of websites you intend on hosting, you may be better off with between 12-16GB RAM and somewhere between 8-12 CPUs.
On the other hand, managing things from the CLI is going to be far less resource intensive, allows for far greater customization and prevents vendor-lock caused by the vendor requiring that you use their packages, their configuration and their scripts. You know where software is installed, you know what to edit, and you can modify to suit your needs. If you need “beta” software, which is often not widely supported by control panel distributors (think PHP 7.1.x), you can install it. Try that with cPanel and you’ll most likely break something unless the package you’re installing works well with their API (and OS repositories aren’t going to).
At the end of the day, the CLI wins, but there’s not a “real” GUI in terms of pretty graphics and one-click installers (unless you build a GUI to wrap around custom built scripts), so unless you write your own scripts, API interface and design your own streamlined control panel that is resource-easy, you’ve got the terminal GUI and that’s what you’d need to use to manage software, edit configuration and set up websites.
Bash Scripting / Other Programming Languages
What I, as well as many others, find to be a better solution is Bash Scripting or scripting using your preferred programming language (anything that can run from the CLI – bash, python, PHP, NodeJS, python, C/C++, etc). Using your preferred language, you’d write a set of wrapper scripts to automate certain tasks such as creating user accounts (creating the user/group, home directory, etc), securing user accounts, securing the system, etc. Using such scripts, you’re no longer entering commands by hand; you can simply run ./scriptname.ext, or if set up to take arguments, ./scriptname.ext -arg1 -arg2, and that script will run through the commands you’d normally run from the CLI.
For example (very basic at that), the following could be used on Ubuntu to update the repository packages, upgrade all out of date packages and then install NGINX.
To create the file from the CLI:
Copy & paste the content into the open file, hit CTRL + X and then type y to save. Now all you need to do is run chmod +x /usr/local/src/example.sh to make it executable, and you can now run it using:
… which will output what’s happening as each command is run.
Security – The TOP Priority
Security is a requirement, not an option. Failure to maintain proper security will eventually result in an incident that can range from someone logging in as a user (which should, by default, have very limited privileges) all the way up to someone breaking in and running something as simple as rm -rf /, which will result in the recursive deletion of files & directories, starting at the very root of your server.
In such a case, the OS is shredded and your configuration as well as your users’ data is gone. Unless you’ve properly planned and have backups readily available, there are very limited recovery options (most of which are going to be very costly).
Recovering from backups will take time, but backups can reduce downtime and loss of revenue / trust, if they are up to date. Daily + Weekly backups are nice to have, but when it comes to business and any customer data, will day-old data suffice, or will it result in immediate losses?
When it comes to security, you have to think of the OS, the Software (PHP, MySQL, Apache, NGINX), and what you’ll be hosting (WordPress). Each piece of the puzzle is designed to be as secure as it can be, but software, like humans, isn’t perfect. If there’s a hole, someone will exploit it, so your job is to stay up to date on each piece of software you add to your server and in all reality, each piece of software you intend to allow your customers to host.
As @ryanpq said, WordPress is a major target. Way too many WordPress users fail to update, or refuse because the plugins they use simply won’t work because they’ve been abandoned by the author. You have to weigh your options in such a case. If what they use poses a security threat (i.e. has known, publicized security holes), it’s now your job to make one of the toughest calls. You can ask them to upgrade, force them to upgrade or if it’s an immediate threat, suspend the account or ask them to leave (politely and by describing why).
At the end of the day, you have to make the call as to whether one customer is worth potentially endangering the data of X, XX, or XXX+ others.
Sidenote: Even if you do go the control panel route (i.e. cPanel or Plesk), the same still applies. A control panel is still a piece of software that simply bundles other pieces of software together, puts a GUI between them and allows you to simplify some tasks. Even so, a control panel is not proper security maintenance, threat mitigation or even a solution designed to handle what all can happen.
Sorry for the rather large read. I’ve owned 4 web hosting companies/businesses and worked with ~50 others over the last 15 years (mostly private). It still amazes me how many go into running a web hosting business thinking that once they’ve installed cPanel, their job is done. I don’t want others to make the same mistake.
Feel free to shoot me a message at jonathan.tittle [at] provisioned.me (replace @). I didn’t see your message come through on habanero.io, though if you’ll get in touch at the e-mail above, I’ll be more than happy to chat with you!
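The kind of account-creation wrapper the answer above describes, as an added example that is not part of the original answer: it validates the account name before it reaches any command, gives each customer their own group and a home directory other tenants cannot read, and prints the commands as a dry run unless told to apply them. The /srv/www layout, the function names and the APPLY switch are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (hypothetical names): create an isolated hosting account.
# Dry run by default: prints each command. Run as root with APPLY=1 to execute.
set -eu
export LC_ALL=C                          # make [a-z] mean ASCII only
HOSTING_ROOT="${HOSTING_ROOT:-/srv/www}" # assumed layout, not from the post

# Allow only a lowercase letter followed by [a-z0-9_-], 32 chars at most.
# Rejecting everything else keeps ';', spaces and '../' out of later commands.
valid_username() {
    case "$1" in
        ''|[!a-z]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the command; execute it only when APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then "$@"; fi
}

create_hosting_account() {
    acct_user="$1"
    if ! valid_username "$acct_user"; then
        echo "refusing invalid username: $acct_user" >&2
        return 1
    fi
    acct_home="$HOSTING_ROOT/$acct_user"
    # Own group, own home directory, no interactive shell.
    run useradd --user-group --create-home --home-dir "$acct_home" \
        --shell /usr/sbin/nologin "$acct_user"
    # 0750: other customers on the same server cannot list or read this home.
    # Assumes the web server or PHP pool runs as this user or in its group.
    run chmod 0750 "$acct_home"
    run install -d -o "$acct_user" -g "$acct_user" -m 0750 "$acct_home/public_html"
}

# Only act when a username is given on the command line.
if [ "$#" -gt 0 ]; then
    create_hosting_account "$1"
fi
```

Review the dry-run output first, then rerun the same command as root with APPLY=1 set.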
I am actually. I’m currently working on two projects, one of which is a web hosting service and the other, a web hosting control panel of sorts. There’s a number of control panels on the market, though most are insecure or introduce vendor-lock (i.e. you’re stuck with what the software vendor tells you that you can use – i.e. cPanel, Plesk and similar). I’ve never really been all that fond of being locked in so I decided to begin working on my own solution.