WWW FAQs: Should my company host its own web site?


2008-01-16: Usually, no. Web hosting is an extremely competitive business, with very low prices for high levels of service. You may have a business case for hosting your own server in the following situations only:
  • Off-color content. In some cases mainstream web hosts, such as pair.com or theplanet, do not allow the type of content you wish to serve. Outside of the adult industry, this is a rare situation. Inside the adult industry, there are alternative companies that will host your content. Search for adult hosting.
  • Serious security concerns. As a general rule, large web hosting companies have a great deal to lose from security breaches and do not make a habit of selling data found on customer servers. Still, if you are in charge of the web server for a bank or mortgage company, you should probably arrange to host your servers internally in order to provide your own security guarantees and reassure your customers.

    Most of the negative reputation of security in a web hosting environment comes from experiences on shared servers, the least expensive web hosting option. In this situation you are sharing a hard drive with other hosting clients, and this does have negative security implications— often the web server runs in a single security context for all clients, which leads to serious risks. But this is not the only type of third-party hosting available. Web hosting companies also offer reasonably secure "virtual machine" servers for as little as $50/month and highly secure dedicated servers for $100/month or less. A dedicated server is a physically distinct rack-mounted computer in the web hosting facility which is used only by you— you have the root password, and no one else has access. Of course, you still must trust the ethics of the hosting company itself.

    Note that hosting your own servers can actually make your site less secure unless you follow good security practices. Most importantly, you must purchase a fully supported Linux distribution and ensure that software updates are actually taking place on a nightly basis. You must also avoid building packages from source code unless you are committed to personally keeping tabs on any and all security updates released for those packages. Otherwise, external hackers will take down your "secure" site very quickly. Hosting on Windows is also a valid option of course, but if you "mix and match" by installing Apache and PHP, you must maintain them with the latest security fixes.

  • Phenomenally popular sites. Keep in mind that web hosting companies can and do host many highly popular sites. However, if your needs are outstripping what even a pair of load-balanced servers provided by a web host can do, it may be worth your while to build your own data center, buy your own rackmount servers, hire full-time system administrators and sign contracts for high-speed connections in order to match the quality of service a good web host would otherwise provide to you.

    If this sounds very expensive, you're right! But the economies of scale do pay off for sites such as MySpace, Facebook, and Google.

  • Your boss insists on it. If your boss absolutely insists on an internally hosted web site, even though the above situations do not apply to you, I recommend you take the following steps:

    1. Make sure you're on the record supporting an externally hosted site.

    2. Insist that a system administrator be hired to maintain and secure the site full-time.

    3. If your boss refuses to hire a separate system administrator, go with a low-maintenance solution. Purchase Red Hat Enterprise Linux, or another commercially supported Linux distribution such as Novell. Install all recommended updates and optional packages required for your work via the provided package manager— don't build anything from source as you do not have time to maintain those packages yourself. If you really must have something "bleeding edge" on your site, commit to keeping track of security updates released for that package— once you build and install something from source, you're "off radar" as far as the package manager is concerned, and you must continue to keep it up to date yourself or risk a security lapse.

    4. Don't forget the network connection! Flaky residential-grade DSL or cable modem is no place for your company's web server. Arrange for redundant connections at T1 speed or higher. If that isn't in the budget, you must at least arrange for one T1-grade line to provide reasonable performance at peak times for a moderately popular site. I suggest working with speakeasy.net or a similar company. Larger sites may be able to contract directly with backbone ISPs such as Sprint.net.
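
An added example, not part of the original FAQ: a shell audit for the "off radar" problem described in step 3 and in the security note above. It lists executables that no installed package owns, which the package manager's nightly updates will never patch; the function names and the directories you pass in are assumptions of this example.

```shell
#!/bin/sh
# Added example: find software the package manager does not know about.
# Anything listed here was copied in or built from source, so security
# fixes for it must be tracked and applied by hand.

# owner_query FILE: succeeds if an installed package owns FILE.
# Uses rpm (Red Hat family) or dpkg (Debian family), whichever is present.
# Returns 2 when neither tool exists, so the file is still reported.
owner_query() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$1" >/dev/null 2>&1
    elif command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$1" >/dev/null 2>&1
    else
        return 2
    fi
}

# list_untracked DIR...: print every owner-executable regular file under
# the given directories that owner_query cannot attribute to a package.
# Directories that do not exist are skipped.
list_untracked() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -perm -100 2>/dev/null | sort |
        while IFS= read -r f; do
            owner_query "$f" || printf '%s\n' "$f"
        done
    done
}

# Typical invocation (paths are examples, adjust to your server):
#   sh audit-untracked.sh /usr/local/bin /usr/local/sbin /opt
if [ "$#" -gt 0 ]; then
    list_untracked "$@"
fi
```

Run it from cron after the nightly update and review any path that appears for the first time.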

Conclusion

Hosting your company's site internally is usually a bad idea. It is sometimes justified by serious security concerns, off-color content or a very large-scale site. A dedicated server in a hosting facility is a great middle ground which provides a very high degree of security as long as the hosting company itself is reputable. I recommend (and use) this solution myself.

Legal Note: yes, you may use sample HTML, Javascript, PHP and other code presented above in your own projects. You may not reproduce large portions of the text of the article without our express permission.
