Is it feasible to self host websites for small businesses? I’m trying to do some research on the amount of infrastructure and stuff you have to know from a security standpoint… I’m fine with building and hosting stuff locally for me but I’m tempted to move to hosting some of my business sites as well.

Does anyone have experience and can give me some advice one way or the other?

  • catloaf@lemm.ee (9 upvotes, 1 day ago)

    Is it feasible to self host websites

    yes

    for small businesses

    NOPE

    Well, you say your business sites, so I assume you’re okay with downtime. I would absolutely not self-host sites for someone else’s business, because if something happens to the hosting (ISP outage, power outage, bad update, hardware failure, accidental deletion, misconfiguration, ISP block, flood/fire/storm, theft, I can go on) then it’s my ass on the line. Simple hosting is cheap, spend the few bucks for a lot more peace of mind.

    • markstos@lemmy.world (3 upvotes, 15 hours ago)

      Exactly. It’s not just downtime to worry about, either. It’s disks filling up. It’s hardware failure. It’s DNS outages. It’s random DDoS attacks. It’s automated scans of the internet targeting WordPress. It’s OS, PHP and database upgrades. It’s setting up graphing, monitoring, alerting and being on-call 24/7 to deal with the issues that come up.

      If these businesses are at all serious, pay for professional hosting and spend your time running the business.

      • NaibofTabr@infosec.pub (1 upvote, 8 hours ago)

        Yeah, pay somebody else to be responsible for the server uptime and the bandwidth. Somebody who specializes in providing that.

  • NaibofTabr@infosec.pub (1 upvote, edited, 21 hours ago)

    I think the answer depends a lot on the use case of each business’s website and what the business owner/employees expect from it.

    Is the website a storefront? You’ll be spending a lot of time maintaining integration with payment networks and ensuring that the transaction process is secure and can’t be exploited to create fake invoices or spammed with fake orders. Also probably maintaining a database of customer orders with names, emails, physical addresses, credit card info, and payment and order fulfillment records… so now you have to worry about handling and storing PII, maybe PCI DSS compliance, and you’ll end up performing some accounting tasks as well due to controlling the payment processing. HIPAA compliance too if it’s something medical like a small doctor’s office, therapist, dialysis clinic, outpatient care - basically anything that might be billable to health insurance.

    Does the business have a private email server? You’ll be spending a lot of time maintaining spam filters and block lists and ensuring that their email server has a good reputation with the major email service providers.

    Do the employees need user logins so that they can add or edit content on the website or perform other business tasks? Now you’re not just a web host, you’re also a sysadmin for a small enterprise, which means you’ll be handling common end-user support tasks like password resets. Have fun with that.

    Do they regularly upload new content? (e.g. product photos and descriptions, customer testimonies, demo videos) Now you’re a database admin too.

    Does the website allow the business’s customers to upload information? (comments/reviews/pictures/etc, e.g. is it Web 2.0 in some way) god help you.

    You’re going to expose this to the public internet. It will be crawled, and its content scraped by various bots. At some point, someone will try to install a cryptominer on it. Someone will try to use it as a C2 server. Someone will notice that you’re running multiple sites/services from one infrastructure stack and attempt to punch their way out of the webhost VM and into the main server just to poke around and see what else you’ve got there. Someone will install Mirai and try to make it part of a DDoS service provider’s network.

  • Matt The Horwood@lemmy.horwood.cloud (1 upvote, 23 hours ago)

    What I can tell you, working for a company hosting data for the UK NHS, is that hosting is easy. I have a very reliable homelab. I keep things up to date and make sure to secure things the best I can.

    But security is hard; there are many things to secure, and blind spots you didn’t even know you had.

    The best way to look at security is to start with secure and dial things back so that it works.