6

Are you concerned at all with your web host having access to all of your files and being able to essentially download your entire web app? What steps can you take to protect yourself? More specifically, I am interested in knowing how to protect the custom developments I've made to a WordPress powered site?

durron597
Alexa Green
  • Leave them when you don't trust them. The _only_ way to _really_ make sure that nobody else can access your files/data is that you don't give your files/data to someone else. – KingCrunch Aug 22 '11 at 21:49

4 Answers

9

> Are you concerned at all with your web host having access to all of your files and being able to essentially download your entire web app?

No.

> What steps can you take to protect yourself?

None.

If you can't trust your web host, you're doomed and need to change providers immediately. It's impossible to protect a web site from the administrator(s) who maintain the server it runs on.

It's like if you are a business hiring a bookkeeper or sysadmin - they can't do their job if they don't have access to the company's financial records, or computer systems, respectively. You have to be able to trust that those people don't steal your company secrets.

> I am interested in knowing how to protect the custom developments I've made to a WordPress powered site?

Not to put down the value of your work and all, but chances are nobody cares about them. There's a lot more to a custom development than having the code - you also need somebody who understands it and can work with it. I don't think code theft from commercial hosting platforms is much of an issue.

Pekka
  • More a philosopher's answer than an intelligent one. If you can't trust humanity why should you lock your house's door – Viktor Joras Jun 22 '19 at 17:46
  • 1
    @Viktor that's not the right analogy. You lock your door because strangers could harm you. That's common sense. In this scenario, that's the passwords and firewalls that protect the web site. But there are situations in life where you *have* to trust the people you work with to some degree because you can't meaningfully lock the door or hide stuff from them or control their every action. The sysadmin of the server you host stuff on is definitely one of those relationships. – Pekka Jun 22 '19 at 18:20
3

You can encrypt your applications using various encryption engines such as Zend for PHP. Or you could always obfuscate your code before uploading it onto your web host.

  • 4
    Webhost needs to support the decrypter for the encryption engine, and obfuscation is _never_ any kind of security (or whatever). It's just a waste of time. – KingCrunch Aug 22 '11 at 21:53
  • @KingCrunch mmmm, not entirely. Encryption/obfuscation would at least make sure there is no *usable* code on the host machine. This isn't half bad a suggestion for PHP and JS at least – Pekka Aug 22 '11 at 21:55
  • When it's not usable, why should I put it on the machine? ;) Hehe, I know what you mean. #encryption: I don't know _any_ webhost that supports it. It would work if it's supported, but in most cases it isn't. #Obfuscation: Maybe, but with modern IDE support it's not really a handicap. – KingCrunch Aug 22 '11 at 21:59
  • The only and right answer. – Viktor Joras Jun 22 '19 at 17:50
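
To make the obfuscation point debated in the comments above concrete, here is an added example (not code from any poster in this thread): simple source-level packing of the `eval(gzinflate(base64_decode('...')))` kind is reversed by anyone who can read the file, without executing it. The `pack` and `unpack` helpers and the sample PHP line are constructed for illustration, and the example does not model bytecode encoders such as Zend's.

```python
import base64
import re
import zlib

# Constructed sample standing in for a site's custom PHP code.
ORIGINAL = "function price_with_tax($p) { return $p * 1.2; }"


def pack(php_source: str, layers: int = 3) -> str:
    """Wrap PHP in nested eval(gzinflate(base64_decode('...'))) layers,
    as simple source-level PHP packers do."""
    body = php_source
    for _ in range(layers):
        # PHP's gzinflate() reads a raw DEFLATE stream, hence wbits=-15.
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = comp.compress(body.encode()) + comp.flush()
        b64 = base64.b64encode(raw).decode()
        body = f"eval(gzinflate(base64_decode('{b64}')));"
    return body


LAYER = re.compile(
    r"^eval\(gzinflate\(base64_decode\('([A-Za-z0-9+/=]+)'\)\)\);$"
)


def unpack(packed: str, max_layers: int = 50):
    """Peel the layers statically (nothing is executed).
    Returns (recovered_source, number_of_layers_removed)."""
    text, removed = packed, 0
    while removed < max_layers:
        match = LAYER.match(text.strip())
        if not match:
            break  # no further wrapper: this is the readable source
        raw = base64.b64decode(match.group(1))
        text = zlib.decompress(raw, -15).decode()
        removed += 1
    return text, removed


if __name__ == "__main__":
    packed = pack(ORIGINAL)
    print("on disk :", packed[:60] + "...")
    print("readable:", unpack(packed))
```

The decoder needs no key because the packed file must carry everything PHP requires to run it; the same holds for whoever administers the server.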
2

If you don't trust your webhost, don't use them.

It is impossible to secure code against an enemy who owns the hardware and has administrative permissions on the server.

SLaks
  • 1
    How do huge companies like FB and Microsoft do with thousands of employees snooping around? Come on, don't be naive – Viktor Joras Jun 22 '19 at 17:49
  • @ViktorJoras: Huge companies have access controls that prevent employees from accessing user data without business justification (this can be required by law for things like HIPAA). – SLaks Jun 24 '19 at 14:08
  • 1
    Not true. FB uses a custom PHP variant which is compiled prior to being executed. Not to mention the C++ written modules. Twitter uses Scala which is again precompiled. MS developers have access only to their development scope, all the rest is just binary. No source code on shared employee storage. The OP question is crystal clear and he deserves a crystal clear answer too. – Viktor Joras Jun 25 '19 at 02:25
  • @ViktorJoras: The OP is asking about customer code on a host, not internal code. – SLaks Jun 25 '19 at 14:22
  • 1
    No, the OP is asking how to protect exposed PHP code. – Viktor Joras Jun 25 '19 at 14:27
1

There is nothing you can do to stop your web host from being able to see your files. It's their server after all, and they have root access to it.

Generally, nobody cares about your shared-hosting site enough to go poking around in the code. Sorry, but it's true. If you get large enough that it matters, you'll be running your own servers which only you have access to.

The best defense against hosts that might do something sketchy is to look for reviews of the hosting, and solicit recommendations from friends and other trusted colleagues.

AgentConundrum