Enindu Alahapperuma
Software Engineer
Sri Lanka
I'm a back-end engineer, system administrator, and website security expert.
This isn't just another article explaining shared hosting. Instead, I'll break it down from a system administrator's perspective—why you should never use shared hosting, even for a small web application, and what better alternatives exist. If you're looking for affordable hosting solutions, this will be a comprehensive guide, much like my previous article on web development. Let's dive in!
Before diving into what shared hosting is, I have an interesting backstory to share—actually, two. These experiences are the reason I'm writing this article.
This happened some time ago. There's a well-known shared hosting provider in Sri Lanka, popular for its cheap pricing plans. I have no intention of harming their business or reputation, so I won't disclose their identity. However, I've already shared my rating on various platforms.
One of my clients needed affordable web hosting but didn't have the budget for a VPS. Previously, his website was hosted on a VPS that I managed, with email functionality—such as SMTP—handled by an external service. Since he was looking for a cheaper alternative, I recommended a well-known hosting provider popular for its low-cost plans. I then migrated the website and database while keeping the existing email server, as it wasn't an issue for my client.
The website had an inquiry form that sent an email to my client upon submission. After the migration, I noticed that the form was broken because the shared hosting provider didn't allow the use of an external SMTP server. Since shared hosting lacks low-level access, I reached out to their support team and opened a ticket to see if they could make an exception.
What happened next was almost comical. When I explained the issue, the support agent asked me whether I was using SMTP or PHPMailer to send emails. At that point, I didn't need to continue the conversation—you get the idea.
The second story also involves the same hosting provider, and it's a short one. One of my clients purchased their hosting and managed his websites independently. After some time, he started facing email issues and asked me to look into it, as I offer troubleshooting services. Upon investigation, I found that the SMTP server's IP address was blacklisted on multiple lists. I informed my client and advised him to report it to the hosting provider. Their official response? “It is what it is.” That was it.
These are just two random stories, and you probably have plenty of your own. But the real question is—why does this happen so often with shared hosting? Does it mean shared hosting is inherently bad? Well, yes! Even for something as simple as hosting a static website. However, the problem isn't always with the concept of shared hosting itself. In most cases, it comes down to the lack of expertise from the service providers.
The irony is that you carefully evaluate factors like experience, past work, and expertise before choosing a developer for your website—but when it comes to hosting, you rarely question the provider's experience or expertise. Many assume all hosting services are the same, and that's a huge mistake. Let me explain what can go wrong with shared hosting.
Let's start with a simple definition of shared hosting that everyone can understand. As the name suggests, shared hosting means that a single server is shared among hundreds or even thousands of websites. The exact number of websites depends on the hosting provider. In essence, shared hosting is just a regular dedicated server, but the resources are divided among multiple users. On most Linux servers, you'll find cPanel or a custom control panel like Hostinger's hPanel, which allows non-technical users to manage basic functions like file uploads and DNS management with minimal knowledge of the operating system.
Assuming cPanel is installed, when you purchase shared hosting, you'll get a dedicated cPanel with your own user space. However, it's not truly dedicated—it's isolated. There are various techniques to achieve this isolation, and it largely depends on the expertise of your service provider. This brings us to the first point in understanding why not all shared hosting is the same. Depending on the provider's level of expertise, this isolation can expose your website to potential security threats at the operating system level.
Let's look at it this way. I mentioned that shared hosting means your website is hosted on a server that's shared by hundreds or even thousands of other websites—not yours. You already know that not all developers are equal, and even experienced ones can make mistakes. Now, imagine if an attacker or hacker gains access to the server through a vulnerable website. Poor isolation techniques can easily put your website and data at risk. In fact, with weak isolation, you could even gain access to other users' files within your own user space. All it takes is a bit of programming knowledge and a hacker's mindset. I'll cover this topic in more detail in another article.
As I mentioned earlier, shared hosting means that the server is shared among hundreds or even thousands of websites. While each website is not isolated, each user account is. Some user accounts may only host a single website, while others may host several. But do both types of user accounts live on the same server? Well, that depends on your service provider. Many hosting providers offer different shared hosting plans. A reputable provider will allocate dedicated servers for each plan, while others may use the same server for multiple plans. This brings us to the second point of understanding why not all shared hosting is the same. Some providers do this to maximize profit because maintaining multiple servers comes at a higher cost. All of this is part of their business strategy. The problem, however, is that having many user accounts and websites on a single server can negatively impact both performance and security. You need to realize that not everything is truly isolated in shared hosting.
A shared server not only means the infrastructure is shared between hundreds or thousands of websites, but it also means that all these websites share the same IP address. Now, imagine that due to the irresponsible actions of another website on the same server, the IP address gets flagged as suspicious or even blacklisted. Even if you had nothing to do with it, your website could end up blacklisted too. This can break essential functionality like email services or even cause your domain to be blocked. Once a domain is flagged, getting it back into good standing is no easy task. It could severely damage your company's reputation. You already know how valuable your domain is to your business.
As I mentioned earlier, shared servers are essentially dedicated servers. Most service providers don't manage bare metal servers themselves, meaning they lack the expertise or resources to maintain servers independently. Instead, they purchase dedicated servers from cheaper service providers, apply basic isolation techniques, and then resell these isolated environments to their clients. This is why, when you purchase shared hosting, you often find that the servers are located in another country. These servers are originally installed and maintained by people you don't even know. Now, here's the third point: the speed of your shared hosting is largely determined by the location of the server. In general, shared hosting providers don't offer techniques like load balancing, which would help distribute traffic efficiently. Load balancing is something that could be implemented easily with other types of hosting, but not in shared hosting. So, it's completely dependent on your service provider. Depending on where your visitors are located geographically, this can lead to performance issues. I know of a few service providers in Sri Lanka who handle their own bare metal servers, and their servers are located within the country, specifically with SLT and Dialog. However, I'm not sure whether they offer shared hosting. Interestingly, almost all government and banking websites in Sri Lanka are hosted on those servers.
When a shared hosting server is packed with thousands of websites, the responsibility of the service provider grows significantly. As mentioned earlier, some aspects, such as IP addresses, operating systems, and certain software, aren't fully isolated. A small change or vulnerability on the server can potentially impact all the websites hosted there. Due to this, many shared hosting environments have outdated operating systems and software. It's not uncommon to encounter outdated software running on these servers. This happens because many service providers lack the expertise or resources to keep everything updated. As a result, they don't always provide the latest updates or patches, which can leave the server vulnerable to security risks. This brings us to our fourth point: the lack of up-to-date software and operating systems in shared hosting environments, which is a significant drawback for both performance and security.
Now, let's consider a scenario where a website hosted on the same server experiences a sudden surge in traffic. This spike could happen for a variety of reasons: the website might have gained unexpected visitors through a marketing campaign, or an attacker could be flooding the server with requests. Regardless of the cause, such traffic will quickly consume all available server resources, potentially leading to a crash if the server is poorly configured. With the right techniques, like rate limiting and DDoS prevention, this kind of situation can be easily managed on more advanced hosting solutions. However, shared hosting servers generally don't support these features. This means that if the service provider has stacked thousands of websites on a single server to maximize profit, the server will quickly become overwhelmed and chaotic. This brings us to our fifth point: If a hosting provider crams too many websites onto a single server without proper safeguards, it can lead to performance issues and security vulnerabilities.
There's so much more I could discuss about shared hosting, and this is just scratching the surface. Additionally, you lack low-level access, have limited control over operating system functions, experience poor performance that can impact SEO, and face subpar database performance for dynamic websites, among other issues. Now, let me summarize the key points for you.
Now you understand, even if you choose the best developer and build a website without any vulnerabilities, hosting it on a shared server where neither you nor your developer have low-level access makes your website vulnerable by default. It's beyond your control. From a system administrator's perspective, shared servers are poor infrastructure.
Unfortunately, there aren't any cheap alternatives to this. You have two primary options, but both will cost you more than shared hosting.
I also offer managed cloud services at an extremely affordable rate. My lowest package starts at just $5 per month. Click this link to view my pricing plans.
Now you understand that shared hosting was never intended for production servers, but rather for testing environments. So, the next time you consider purchasing shared hosting, think twice before risking your data and reputation.