For simplicity's sake, let's group the hosting options into two broad categories: shared and dedicated. Shared hosting, the most common type, has multiple users all accessing the same server: running under the same operating system, using the same resources, etc. With a dedicated hosting plan, be it a dedicated server, a colocated server, or a VPS, only a single user is using the server (or in the case of a VPS, the virtual server). The simple fact of the matter is a shared host is less secure than a virtual host. Period.
Having multiple users on the same server is more dangerous in two ways. First, if any of those users has bad intentions, they could quite possibly exploit what your site has to offer. For example, if you have a world-writable directory within your site, that directory is writable by other users on the server (unless extra steps are taken, see below). Second, if any of those users has good intentions, but is running software or a Web site that has security flaws, your site is also vulnerable. This is not to say that you should never use shared hosting--it's the most appropriate option for the majority of developers and sites--but just that it is inherently less secure. Conversely, with a dedicated server (including a VPS), there are no other users, malicious or not, who can undermine what you're doing.
So if you're using a shared hosting plan, what should you do? First, you need to accept the greater security risk and scale back the e-commerce site accordingly. For example, although I would generally recommend that you never store customer billing information, you absolutely must not if you're using shared hosting. In fact, you must be that much more careful about anything stored, because anything on the server is more vulnerable. This means, as one concrete example, that you must be careful about what gets stored in a session and how. Developers tend to forget about the ramifications of how sessions work. By default, session data is stored in plain text format in a publicly available directory. In theory, any site on a server could write a PHP script that displays all of the session data being stored by every site on the server! Better security can be had by encrypting session data or by moving it to a database.
Second, if at all possible, have the hosting company enable open_basedir. This PHP setting limits what directories on the server can be accessed. Although it's not foolproof, using it is an appropriate option and can prevent easy access to your site's files and directories.
Third, change your site passwords regularly, which is always a good security step (and use very secure passwords, of course).
Fourth, make regular backups of your site and database, and define a concrete plan for steps to be taken should a security breach occur.
All that being said, there is at least one way in which a shared server could be more secure than a dedicated one. A shared server should have a team of administrators whose job it is to secure, protect, back up, and all-around manage the server. This is their job, and presumably they're good at it. If you're using a dedicated server that you alone are responsible for, then your time, knowledge, and skills must be sufficiently up to that task. For many people, including myself, that's just not the case. So when selecting a dedicated hosting solution, also get an appropriate level of management and support. Other than that, with a dedicated server, the sessions aren't vulnerable the way that they are on a shared host, but proper password management, regular backups, and an action plan are still obligatory. As is keeping the server's software up to date. Never forget that even if you don't make a security mistake, your site is still vulnerable to others that might exist!