Security, Compliance and Trust

Hosting with us means benefiting from a data center and network architecture that are built to meet the requirements of the most security-sensitive organizations.

Threat landscapes change every second. As attackers evolve, vulnerabilities often seem to materialize faster than engineers can patch systems.

Even as the threat landscape undergoes its minute-by-minute evolution, your information security remains our highest priority. Our goal is to provide you with a secure-by-design web hosting infrastructure that should keep you and your applications safe from known and unknown threats.

We see protecting your mission-critical information from accidental or deliberate theft, leakage, integrity compromise, and deletion as a core functional requirement.

We work each day to ensure that our hosting infrastructure can protect your information, identities, applications, and websites while helping you meet core security/compliance requirements, such as data locality.

The following is just a peek at the lengths we go to in protecting you and the applications you have entrusted to our care.

Hosting Account Isolation

We use a virtualized, per-user file system that uniquely isolates each customer and prevents a large number of attacks, including most privilege escalation and information disclosure attacks. Yet each user's environment is fully functional and completely transparent to you as a customer.

This approach is designed to limit the ability of an insider or adversary to make malicious modifications and also provide a forensic trail from a service back to its source.

We also have a variety of sandboxing techniques for protecting a service from other services running on the same machine. These techniques include normal Linux user separation, language and kernel-based sandboxes, and hardware virtualization.

Secure Hosting with HTTPS

Each hosting account, website or application we provision has an automatic Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate for use. This eliminates the time-consuming manual process of purchasing, uploading, and renewing SSL/TLS certificates.

SSL, and its successor TLS, are industry standard protocols for encrypting network communications and establishing the identity of websites over the Internet. SSL/TLS provides encryption for sensitive data in transit and authentication using SSL/TLS certificates to establish the identity of your site and secure connections between browsers and applications and your site.

Using SSL/TLS on your website also helps your organization meet regulatory and compliance requirements for encryption of data in transit.

Data Privacy

We know that customers care deeply about privacy and data security. We are also very much aware that our customers (businesses, educational institutions, government agencies, etc.) trust us with some of their most sensitive information.

It is one of the reasons we let you determine where your content will be stored during sign-up, and also secure your data while in transit and at rest. We even provide you with the option to manage your own encryption keys.

Web Hosting Magic continually monitors the evolving privacy regulatory and legislative landscape to identify changes and determine what tools our customers might need to meet their compliance needs depending upon their applications.

Customers who have signed up for Enterprise Support can reach out to their Technical Account Manager (TAM) who can help customers identify potential risks and potential mitigations.

Disclosure of Customer Content

Web Hosting Magic will not disclose customer content unless required to do so to comply with the law or a binding order of a government body.

If a governmental body sends us a demand for customer content, we will review the orders, object to overbroad or otherwise inappropriate ones, and then attempt to redirect the governmental body to request that data directly from the customer. After all, governmental and regulatory bodies need to follow the applicable legal process to obtain valid and binding orders.

If compelled to disclose customer content to a government body, we will give customers reasonable notice of the demand to allow the customer to seek a protective order or other appropriate remedies unless Web Hosting Magic is legally prohibited from doing so. It is also important to point out that our customers can encrypt their customer content, and we provide customers with the option to manage their own encryption keys.

Customer Content

As a customer, you maintain ownership of your content, and you select which of our services can process, store, and host your content. We do not access or use your content for any purpose without your consent. We never use customer content or derive information from it for marketing or advertising.

Denial of Service (DoS) Protection

All Web Hosting Magic customers benefit from automatic DDoS protection at no additional charge. This defends against the most common, frequently occurring network and transport layer DDoS attacks that target your website or applications.

The sheer scale of our infrastructure partners enables us to simply absorb many DoS attacks. That said, we have multi-tier, multi-layer DoS protections that further reduce the risk of any DoS impact on any service.

We also have tools in place that automatically baseline traffic, identify anomalies, and, as necessary, create mitigations when DDoS attacks are detected by a system.

Operational Security

Our infrastructure is designed to protect our employees’ machines and credentials, and we defend against threats to the infrastructure from both insiders and external actors. We also have automated tools for detecting security bugs, including fuzzers, static analysis tools, and web security scanners.

As a final check, we use manual security reviews that range from quick triages for less risky features to in-depth design and implementation reviews for the most risky features. These reviews are conducted by a team that includes experts across web security, cryptography, and operating system security.

In addition, we run a Vulnerability Rewards Program where we reward anyone who is able to discover and inform us of bugs in our infrastructure or applications.

Keeping Employee Devices and Credentials Safe

We make a heavy investment in protecting our employees’ devices and credentials from compromise and also in monitoring activity to discover potential compromises or illicit insider activity. This is a critical part of our investment in ensuring that our infrastructure is operated safely. Sophisticated phishing has been a persistent way to target our employees. To guard against this threat, we have replaced phishable OTP second factors with mandatory use of U2F-compatible Security Keys for our employee accounts.

We make a large investment in monitoring the client devices that our employees use to operate our infrastructure. We ensure that the operating system images for these client devices are up-to-date with security patches and we control the applications that can be installed.

We aggressively limit and actively monitor the activities of employees who have been granted administrative access to the infrastructure and continually work to eliminate the need for privileged access for particular tasks by providing automation that can accomplish the same tasks in a safe and controlled way. We additionally have systems for scanning user-installed apps, downloads, browser extensions, and content browsed from the web for suitability on corp clients.

Intrusion Detection

We use various tools that integrate host-based signals on individual devices, network-based signals from various monitoring points in the infrastructure, and signals from infrastructure services.

Rules and machine intelligence built on top of these pipelines give operational security engineers warnings of possible incidents.

Our investigation and incident response teams triage, investigate, and respond to these potential incidents 24 hours a day, 365 days a year.

Anti-Malware and Blacklist Monitoring

We understand that the price of freedom from malware is eternal vigilance. With the integration of a powerful malware scanner to strengthen our multi-vector threat defenses, we automatically find and fix viruses, scripts, malware, backdoors, web shells, hacker tools, blackhat SEO, phishing pages, and more.

The new malware scanning engine finds and automatically cleans up already infected files.

For webmasters, it means you can rid your websites of infection with a single click.

Our domain reputation checking and blacklist monitoring technology has also been integrated and is available to customers at no extra cost.

This useful tool checks websites against 60 different blacklists, letting our security team know if a customer's website reputation is at risk.

Two-Factor Authentication

Two-factor authentication adds an extra layer of security to your Web Hosting Magic account.

We strongly advise that customers enable 2FA on each account.

With 2FA enabled, even if somebody manages to obtain your password, they will be prevented from logging into your account.

When enabled, you will need a secondary device and a unique security code whenever you log into your cPanel or billing account.

To configure two-factor authentication, you need an authenticator application installed.

Common examples include:

To enable two-factor authentication, log in to your Web Hosting Magic account and select Account Settings.

Go to Security and click Enable Two-Factor Authentication.

To enable two-factor authentication in cPanel, log in to cPanel, scroll down to Security, then Two-Factor Authentication for cPanel.

The system gives you a recovery code that can be used to recover your account in the event you lose access to your authenticator app.

Be sure to save your backup code somewhere other than the device you use to access the authenticator application.

Should you ever lose the ability to generate or access 2FA codes, let our security team know and we will help you recover your account or data.

Report Bugs and Request Features with Issue Trackers

Web Hosting Magic investigates all reported vulnerabilities, tracks known issues, and maintains an internal bug tracking system where bug fixes take place.

We review every new bug report submitted by users, and once a report has been submitted, we will work to validate the reported vulnerability.

If additional information is required in order to validate or reproduce the issue, we will work with you to obtain it.

When the initial investigation is complete, results will be delivered to you along with a plan for resolution and public disclosure.

When we've fixed a bug in production, we'll indicate this and then we'll close the issue.

If you see an issue that needs our prompt attention, please take a look at these pages and then let us know:

It is important to point out that in order to protect our customers, we always request that you not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability and informed customers if needed. Also, we respectfully ask that you do not post or share any data belonging to our customers. Addressing a valid reported vulnerability will take time. This will vary based on the severity of the vulnerability and the affected systems.

On a side note, if you suspect that any of our services or resources are being used for suspicious activity, please report the abuse to our security team.
