Hosting Guide

What Secure Hosting Actually Means

Secure hosting is not a product tier or a feature checklist. It is a distribution of security responsibilities between the host and the user — and understanding that distribution determines where vulnerabilities actually live.

Overview

Most hosting security marketing describes server-layer security features: firewalls, DDoS protection, malware scanning, SSL certificates. These are real security investments. They are also only one layer of a multi-layer security model. A site protected at the server layer and unprotected at the application layer is not a secure site — it is a site with a secure platform and an insecure application running on it.

How to think about it

Security in hosting operates across four layers. Physical security — the datacenter is secured against physical access. Network security — traffic is filtered and DDoS-protected. Server security — the OS and system software are patched and hardened. Application security — the code, plugins, credentials, and data handling are secure.

The host is responsible for the first three layers. The user is responsible for the fourth. This distribution is consistent across virtually all hosting products — even fully managed WordPress platforms that handle WordPress updates are not responsible for a compromised admin password or a custom plugin with injected code.

The most common hosting security failures occur at the application layer — the layer the host doesn't control. Outdated plugins with known vulnerabilities. Weak or reused passwords. Insecure custom code. Themes downloaded from unofficial sources. These are the actual attack vectors in most WordPress compromises, and they exist regardless of how good the server-layer security is.

How it works

Network-layer security: DDoS mitigation absorbs volumetric attacks that would otherwise overwhelm the server. Web application firewalls (WAF) filter requests matching known attack patterns before they reach the application. These are effective against broad attacks; they don't protect against targeted attacks that use legitimate-looking requests.

Server-layer security: OS and software patching closes known vulnerabilities at the infrastructure level. File system monitoring detects unexpected changes. Process isolation (container-based hosting) limits the blast radius of a compromised account. These are platform-maintained and effective within their scope.

Application-layer security: WordPress core and plugin updates patch vulnerabilities in the application code. Strong authentication (strong passwords, two-factor authentication) prevents credential-based access. Access logging and anomaly detection at the application layer identify suspicious activity. These are almost entirely user-owned.

Where it breaks

Security fails when users assume server-layer protection extends to application-layer vulnerabilities. A site with strong server security and an outdated plugin with a known SQL injection vulnerability is not secure. The server is doing its job; the application is the attack surface.

Security also fails when SSL is treated as comprehensive security. SSL encrypts traffic between browser and server. It does not protect against server compromise, application vulnerabilities, credential theft, or any attack that doesn't depend on intercepting traffic. 'SSL included' is a standard feature, not a security posture.

In context

Budget shared hosting: network and basic server security provided. Application security entirely user-owned. The 'free SSL' and 'DDoS protection' describe server-layer features; the application attack surface is unaddressed.

Managed WordPress: server security plus WordPress application-layer management — automatic core and plugin updates, security scanning for known malware. Reduces the most common attack vectors. Does not address credential security or custom code vulnerabilities.

Container-isolated hosting: server-layer isolation limits the blast radius of a successful compromise — a compromised site doesn't affect neighboring sites. The site itself is still vulnerable to application-layer attacks; the damage is contained.

Where to go next

Hostinger: First sites, side projects, experiments with predictable low traffic
SiteGround: Sites that need above-average shared hosting performance without server management
Kinsta: WordPress sites where performance variability is a business risk, not an inconvenience