“What kind of Web Hosting Do I Need?”

The kind of hosting you require will be determined by:

  • Your estimated rate of regular incoming traffic
  • The type of applications that you’ll be running
  • Whether you want to manage your own host yourself

Most small business websites are best hosted on either a shared host or a VPS. This article will describe what shared hosting and VPS’s are, and give an introduction to other types of hosting.

Most hosting companies, including all the major global brands, offer three broad categories of hosting, each sold as its own named product. These categories might be subdivided again into different branded products, but they are pretty much the same.

However, the quality of these offerings differs vastly between companies.
So if you are new at this and you haven’t bought hosting yet, ask your developer for advice.
Let’s say your host is rubbish and you are paying your developer to set up your site on it. If, across the lifetime of development, your developer takes an extra 8 hours dealing with your hosting company and you are paying $90 per hour, then that’s an extra $720.

Chances are that your developer has worked with hosting companies and products before and knows best how to choose them.

Shared Hosting

This is the least expensive type: a hosting company can manage multiple hosting accounts across shared hard drive space. Your website (or websites) shares hard drive and computing resources with other companies. Sharing resources means sharing costs. The labour cost of system administration is one of those shared costs, and the hosting company takes responsibility for that, including administration of the security of the underlying server.

You can generally run multiple websites from a single shared server. The exception is for the cheapest shared plans from some hosting companies.

pros

  • Inexpensive
  • Administration taken care of for you
  • Control often granted through a control panel

cons

  • Security is as strong as the weakest link: one lazy customer on the host can compromise all guests
  • Poorly provisioned and configured hosts fail to share resources adequately among all users
  • Some hosts fail to offer tools necessary for developers

The last two ‘cons’ generally apply to cheaper companies working at the bottom end of the market. The last con applies to every shared host in New Zealand. Shared hosting offers in New Zealand generally can’t compete on features with their competitors in the US. It’s a matter of tradeoffs: a more distant host can add valuable seconds to site response time. But the better hosts based in the US can offer the tools that developers need even on their inexpensive shared host offerings.

Virtual Private Servers

VPS’s are more costly and offer a great deal more control. They also require hands-on system administration, thus requiring a good deal of knowledge on operating systems and their tools. They are much more flexible but they are not always the best option.

VPS offerings grant direct remote access to a virtual server: an operating system with guaranteed dedicated resources. The server itself doesn’t take up a whole physical computer. Rather, physical machines devoted to running VPS’s have their resources divided up between multiple hosted VPS’s. On each “slice” an entire OS resides, each with its own dedicated resources. For one VPS to interfere with a neighbouring VPS is difficult and unlikely. This provides security benefits.

pros

  • Greater assurance of security from “bad neighbours”
  • Much more control than control panels offer
  • Direct remote access to the operating system

cons

  • Enough power to cause damage to your own applications or operating system
  • More responsibility
  • Much more skill required

VPS’s are suitable if you want the control to configure your own web server or database server, configure resource use or customize your operating system. But you have to take on system administration or hire someone to do it. Skilled admins are expensive.

Dedicated Hosts

Dedicated hosting is the lease of a physical machine for your own hosting purposes. This can be useful when you want more resources for your applications or sites and you have the administrative skills on hand. Dedicated hosting can be a great deal more expensive than VPS hosting, and accounting for bandwidth infrastructure can become complicated.

Dedicated hosting is a “heavy duty” option suited for businesses that need to devote significant resources to sites and applications beyond typical websites. In these cases organisations have engineers devoted to shaping application infrastructure around the available resources, and dedicated hosts might be used for different parts of the application.

Although dedi’s still have a strong place in the market, over the last few years new products under the umbrella term Cloud Services have allowed companies to take more fine-grained control of leased infrastructure. I might cover these in another article, but they generally aren’t a concern unless your website or application is very complex and serves tens of thousands of requests on an average day.

Cloud Hosting

This is something of an umbrella term that encompasses different kinds of product. Cloud services vary widely in price and in the details of the product. What they have in common is that billing is generally much more finely grained: instead of leasing infrastructure on a per-month or per-year basis, you pay for the underlying resources. You might pay for the hours of CPU time your website or application uses, along with bytes of traffic and storage capacity.

Cloud hosting suits companies that have dedicated expertise for managing the administration of their cloud services, and when a great amount of flexibility is required.

Under some circumstances leasing cloud services can serve small businesses well. Cost can be managed by skilled administrators. But mistakes can be very costly.

Wherein I compare those things called “frontend frameworks” and hopefully bring Bourbon to the attention of more developers.

Following is a light, comparative review of some frontend frameworks. I give a glimpse into the existing landscape.

Context: Bootstrap’s Dominance

Presently and for at least two years or so, the most popular “front-end framework” has been bootstrap. It’s everywhere. It’s an industry standard. Job postings all over the web ask for applicants to have “experience using bootstrap”, as if seasoned frontend developers don’t have skills that are transferable to any frontend framework.

Bootstrap has little appreciable competition for mindshare in the webdev world even though there are other frontend frameworks in existence. Zurb’s Foundation is notable. It’s been around for a long time. It’s mature and people know about it. It’s thought of as “the alternative to bootstrap”.

Pros and (mostly) cons of Foundation

My opinion is conventional: that Bootstrap is easier to simply load and use, and that Foundation takes a little longer to learn. Where I’d stray from conventional opinion is that I don’t think that all bootstrap sites have to look the same. It depends how you use the framework.

I’ve enjoyed using Foundation in the past. But going back to it, I simply can’t tolerate its installation processes. There are three options and all of them are… a bit icky. In theory you can just download the library and pull Foundation components into your project. But it’s not easy to figure out. It’s undocumented. And the installation paths that are documented are documented only lightly. You can beat through the thorny path if you are a seasoned Ruby developer. But there’s no sane reason why you should have to be a seasoned Ruby developer if you just want to install some frontend components.

Foundation promises to make development faster. But the complicated magic dance required to actually get started using it annuls that promised benefit.

Newcomers based on Google’s Material Design

Google Material Design is a pattern language for design. Its purpose is to encourage UI designers to create beautiful interfaces by taking improved metaphors for web design into the realm of responsive design.

Google supports its Material Design language with its Web Starter Kit.

I have yet to experiment with Web Starter Kit. But I’m looking forward to it. Another project is Material CSS. It’s a student project out of Carnegie Mellon University. There is also LumX, a toolkit that includes and is geared for Angular.js. I haven’t tried these either, but may well do so in the future. Obviously a huge amount of work has gone into them and they look… delicious.

Bourbon

Bourbon.io provides sets of mixins for sass. That’s all. It’s really that simple.

Like Foundation, you have to have the gem installed. Unlike Foundation, the installation of the Bourbon gem doesn’t require the same tightrope-walk and chicken-sacrificing. Combined with its sub-projects Neat, Bitters and Refills, it provides most every component that either Foundation or Bootstrap do. And some that they don’t.

I’ve been using Bourbon for longer than I can recall and I’m surprised it’s not more popular. It’s dead easy to pull it into an existing project or start your own project around it. My initial attraction was that earlier versions of Bootstrap didn’t have integration with Sass, so the only way to use Bootstrap was to clutter up the DOM with nonsemantic markup. Bourbon Neat let me use a grid system without cluttering the DOM.

Bourbon itself provides a range of conveniences documented here. Its sibling libraries, which depend on Bourbon, provide a grid system, typography and a collection of components like headers, footers, navigation bars and tab systems.

Bootstrap also has a Sass version, but I’ve found it more difficult to install than Bourbon. With Bootstrap’s Sass library, you have to pull in the deps with Bower. And to tidy your project up before deployment, you’d probably have to handcode a Grunt task to move your files to the right place.

You don’t have to do that work with Bourbon.

In conclusion, Bourbon is easier to install than Foundation, but you aren’t compelled to build your whole app around it. It has pretty much all the tooling of either Foundation or Bootstrap, but it’s much easier to get started with and you probably won’t really lose anything.

In my recent post on OWASP Day 2015 I remarked that WordPress.org itself takes security seriously. I mentioned the recently-released WordPress Security White Paper and pointed to the documents on hardening WordPress.

Of course WordPress.org doesn’t exist in a vacuum and has a tight feedback loop with its wider community. This in itself may be one of the secrets of success both of the CMS itself and the ecosystem.

The Problem

Due to its popularity in the shared hosting space, self-hosted WordPress is capable of running on old, outdated versions of PHP, including versions that haven’t been getting security updates for three years. This has been a result of a design decision by core developers: new installations should not break existing websites. It’s both a feature and a bug.

Of course running on old, unsupported versions of PHP creates security liabilities. A professional developer will, at the very least, raise these issues with site owners where such issues exist. But the reality is that some substandard hosts continue to provision older versions of PHP. And many existing sites live on old hosts that haven’t been updated.

An Approach to a Solution

A community project called wpupdatephp exists. It provides a PHP library “… to be bundled with WordPress plugins to enforce users to upgrade to PHP 5.4 or higher hosting.” The project also aims to raise awareness among site owners of the risks associated with running insecure versions of PHP, and furnishes template email content for owners to include in requests to their hosting company.

The core functionality of the plugin can be seen in the readme viewable on github.
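The kind of check such a library performs, as an added illustration rather than wpupdatephp’s own code: a plugin bootstrap file that refuses to load on PHP older than 5.4 (the version the project names), tells the administrator why, and deactivates itself. The plugin name and `example_guard_*` function names are hypothetical; `version_compare`, `add_action`, `admin_notices`, `admin_init`, `deactivate_plugins` and `plugin_basename` are standard PHP and WordPress functions.

```php
<?php
/*
Plugin Name: Example PHP Version Guard
Description: Illustrative plugin bootstrap that refuses to run on unsupported PHP (added example, not wpupdatephp).
*/

// Minimum version the text discusses. A real plugin would track the oldest PHP branch still receiving security fixes.
define( 'EXAMPLE_GUARD_MIN_PHP', '5.4' );

// True when the running interpreter meets the minimum. version_compare() understands vendor
// suffixes such as "5.3.29-1ubuntu1", which a plain string comparison would misjudge.
function example_guard_php_is_supported( $running = PHP_VERSION, $minimum = EXAMPLE_GUARD_MIN_PHP ) {
    return version_compare( $running, $minimum, '>=' );
}

// Dashboard notice shown until the host is upgraded; output is escaped before printing.
function example_guard_admin_notice() {
    echo '<div class="notice notice-error"><p>'
        . esc_html( sprintf(
            'Example PHP Version Guard requires PHP %s or newer; this host runs PHP %s, which no longer receives security updates. Please ask your hosting company to upgrade.',
            EXAMPLE_GUARD_MIN_PHP,
            PHP_VERSION
        ) )
        . '</p></div>';
}

// Deactivate this plugin so none of its code runs on the unsupported interpreter.
function example_guard_self_deactivate() {
    if ( ! function_exists( 'deactivate_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    deactivate_plugins( plugin_basename( __FILE__ ) );
    // Stop WordPress from showing "Plugin activated" over the error notice.
    unset( $_GET['activate'] );
}

if ( ! example_guard_php_is_supported() ) {
    add_action( 'admin_notices', 'example_guard_admin_notice' );
    add_action( 'admin_init', 'example_guard_self_deactivate' );
    return; // Nothing below this line is loaded on an unsupported host.
}

// The plugin's real code (which may use PHP 5.4+ features) is loaded only past this point, e.g.:
// require_once __DIR__ . '/includes/plugin-main.php';
```

Because the guard runs before any other file is included, the plugin never reaches code that would fatally error on the old interpreter, so the notice is what the site owner sees rather than a broken dashboard.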


OWASP (The Open Web Application Security Project) is a volunteer-run, non-corporate global organization devoted to making the web a safer place. It provides resources for developers and businesses to help them secure their assets. Its many notable projects include the OWASP Top Ten: the canonical list of the ten most likely types of threat to web applications.

The New Zealand chapter organized another fantastic, amusing and enthralling OWASP Day, an event aimed mostly at developers, but also of interest to anyone with responsibility for managing (and securing) infrastructure.

If that sounds a little dry, you should have seen the metal-as t-shirts worn by the Insomnia crew.

Observations and Thoughts

Pedro Worcel’s presentation ‘CMS Hell’ made an interesting contrast with Nick von Dadelszen’s presentation.

Pedro discussed his own testing of the NZ internet for CMS vulnerabilities. Pedro introduced droopescan, a vulnerability scanner for CMS’s. It looks like a really useful tool, and I’ll definitely be experimenting with it.

Nick’s talk involved discussion of Section 252 of the Crimes Act, describing penalties for “accessing computer systems without authorisation”. Nick was focused on “passive” scanning for vulnerabilities, using techniques that can’t be described as possible violations of Section 252.

One of my takeaways from these two presentations is that a lot of security research that I and others would consider ethically legitimate could be interpreted as a violation of the Crimes Act, even if the resulting research is capable of making the web safer.

The content of Nick’s talk can be obtained here (warning: PDF).

Defending WordPress

Adam Bell from Lateral Security presented a case study that provided a cautionary tale about a failure of Defense In Depth. A notorious and very young system cracker had successfully attacked a site managed by the presenter. Adam introduced the log analyser Splunk and described his forensic strategy.

My takeaway was that the weakest link will render the entire chain useless. Something anyone who works around security already knows. But this can be sobering when we consider the possible effect on business. When customers pay for “security”, they tend not to understand that “security” is a thing that can’t be bought. It can only be defended. But the old maxim holds true: any attacker with sufficient time and skill will always win.

WordPress itself takes security very seriously. WordPress.org has maintained a document for developers and admins on Hardening WordPress for many years. This week they released the WordPress Security White Paper, which I read as an overview of the security environment of the WordPress world. It applies the OWASP Top Ten to the WordPress world and is required reading for anyone serious about defending WordPress. (Or, for that matter, attacking it.)