I wasn’t able to log in directly to my Bluehost account just recently, and in this case it’s actually a good thing…
Hosting accounts are an incredibly popular target for hackers and spammers who need a server they can use that won’t be tracked back to them, so if you use insecure passwords or leave outdated scripts with known vulnerabilities running on your host, it’s just a matter of time before someone finds the vulnerability and exploits it. Trust me, I know all about it – in a bad way.
Now, I wouldn’t wish such a fate on my worst enemy and certainly Bluehost doesn’t want that happening to their customers. While they were able to help me out and eventually restore the security of my site, this was time their customer service guys, security team, and tech support all had to take out of their schedule because I had personally been irresponsible with site security. Obviously, cutting these incidents down will reduce the costs of hosting in the aggregate.
March 2010 – Bluehost security update
The new security measures are kind of “common sense,” but it’s nice to see how they’re implementing common sense in a mandatory way.
Strong passwords – What’s a strong password? Well, it’s definitely not your nickname, your girlfriend’s name, or your favorite pet. A strong password is utter gibberish: some combination of letters, numbers, and especially the special characters like !@#$%^&*(). Some places won’t even let you use non-alphanumeric characters, but a host that’s serious about security like Bluehost will insist on it.
Preferred IP login – You can also assign a preferred IP address to your hosting logon if you’re using a dedicated IP with your internet service provider. When and if this security feature is activated, anyone who tries to log in from a different IP address will have to answer an extra question. Keep in mind, though, that you’ll need to remember your secret question and answer if you’re going to be working on the sites when you’re away from home!
More Security Control Options – If you’re running multiple users under your account, you can also set minimum password strength limits for them, or set maximum password ages so that they have to keep the passwords fresh.
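To make the three measures concrete, here is a small sketch of how they could fit together. It is an added example, not Bluehost's code: the function names and the thresholds (12 characters, 3 character classes, 90 days) are assumptions, since the post does not give the real values.

```python
import ipaddress
import string
from datetime import date

# Assumed policy values; the post does not state Bluehost's actual thresholds.
MIN_LENGTH = 12
MIN_CLASSES = 3
MAX_AGE_DAYS = 90

def password_problems(password, personal_words=()):
    """Return the reasons a password fails the policy (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    used = sum(any(c in cls for c in password) for cls in classes)
    if used < MIN_CLASSES:
        problems.append("too few character classes")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    # Nicknames, partner or pet names: reject them even when padded with digits.
    lowered = password.lower()
    if any(w and w.lower() in lowered for w in personal_words):
        problems.append("contains a personal word")
    return problems

def login_steps(client_ip, preferred_ip, password_set_on, today):
    """Extra steps required after the password itself has been verified.

    The secret question comes before a forced password change, so that someone
    holding only an old password cannot use the expiry flow to set a new one.
    """
    steps = []
    if preferred_ip is not None:
        # Compare parsed addresses so textual variants of one IP still match.
        if ipaddress.ip_address(client_ip) != ipaddress.ip_address(preferred_ip):
            steps.append("secret_question")
    if (today - password_set_on).days > MAX_AGE_DAYS:
        steps.append("password_change")
    return steps

if __name__ == "__main__":
    # Constructed sample values (documentation IP ranges, made-up passwords).
    print(password_problems("rex2010", personal_words=["Rex"]))
    print(login_steps("198.51.100.7", "203.0.113.10",
                      date(2009, 10, 1), date(2010, 3, 20)))
```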
Obviously, this isn’t going to protect everyone who hosts a website on Bluehost. Password hacks are probably less common than vulnerabilities in the code of dynamic websites, but it’s a small step to reduce the total number of compromised accounts, and anything that can improve that marginal cost is a good deal for everyone involved.
Alright now, you’ll have to excuse me. I have some passwords to change!