It’s ever more apparent that self-hosting is inappropriate for most small organizations. Why? Security.
Hacking is no longer a possibility; it’s an eventuality in cases where sites are inconsistently managed.
In this case, an NPO/NGO hired someone with PC-based prepackaged web development software (Adobe, MS, there are others) to slap together a PHP site. GoDaddy’s least expensive hosting package completes the picture.
Based on a survey of the history (in just the logs) it’s evident that the site was hacked almost from inception. This means it operated for YEARS and no one knew about the abuse.
What surprises us most, perhaps, is how something this simple and obvious could go unnoticed, given the depth of analytics available to hosting enterprises in the present age.
If a human looking at access logs for one minute can discover that the website’s been hacked, who’s more at fault: the Host or the site owner?
The problem and conflict emerge when Internet businesses sell websites that anyone can build and access — anyone can self-publish self-hosted sites if they have software.
The option? Shared hosting with agencies like GoDaddy.com, WordPress.com, Web.com … where the Host retains security management across all of the websites.
Hacking in this case (that NPO) was discovered as part of the due diligence any professional should conduct prior to making archives of old sites.
Before FTP’ing a snapshot of an old website, an engineer should assess the code. Is it safe to keep?!
No one would have known otherwise.