Here at Aptuitiv we are in the process of planning out a new server architecture for our hosted CMS that will be more secure, scalable and robust. Through this process we have identified an area that causes some security concerns: we allow custom PHP to be run on clients' websites.
It is common for a shared hosting provider to allow custom PHP to be run on a client's website, but doing so opens a lot of security holes that are, quite frankly, hard to fill. (You may remember some issues that we had last year with a WordPress site that we hosted getting hacked and causing trouble with other websites.) In a sense we are a shared hosting provider, but we're different from most in that our CMS software is why a majority of our customers come to us. 95% of our clients' websites are solely using our CMS. About 1% are not using our CMS at all, and the remainder are using our CMS along with other third-party software.
What we are proposing is that from this point forward we will no longer allow custom PHP applications to be run on a client's website. Our CMS software would be the only software running on the servers. Again, this isn't to be mean; it's for serious security reasons.
For those clients who already have some third-party PHP code running on their website, we will do one of two things:
- If the software is something that we feel is secure and doesn't pose any threats then we will make an exception and allow that site to run that code.
- If the software is something that we do not feel is secure (like a WordPress blog) then we will offer to set up a free Basic hosting account to host that software on a subdomain. That hosting account would be in our cloud hosting environment that we typically use for non-Branch CMS customers.
For new websites, if you need to have some third-party software then either we can host a different website on a subdomain (starting at $11 / month) or you are free to host that software with another provider.
I realize that this is a fairly dramatic change, but I hope that you'll understand that our motivation for making this change is solely to create a more secure environment. If we have 100% control of the PHP code being executed on a server then we are able to provide a much more secure hosting environment for your customers.
* Note - we are in no way trying to single out WordPress or imply that it's insecure. WordPress is a great blogging platform. However, unless you know what you're doing, it's easy to set it up in insecure ways.