Advice Needed On VPS Hosting

I have a pretty active e-commerce site, on shared hosting, that needs a new host because it's presently failing monthly PCI compliance scans, due exclusively to issues -- very few, in fact -- pertaining to the server environment -- none pertaining to the site itself or any of its scripts. The current host will not help address these issues and has told me I am in violation of the user agreement by allowing the server to be scanned.

Consequently, I'm now looking into VPS hosting with a host that will work with me to resolve all server-related PCI compliance issues. But I've never had a VPS-hosted site before. And while I'm pretty "on the ball" technically, I may be averse to increasing the time it takes to run my site -- by which I mean I don't want to have to take on new obligations, such as having to manage a server, or pretty much anything else beyond... well, running my site.

My understanding is that a so called "fully managed" VPS hosting plan will enable me to simply continue running my site, with the host there to deal with all the server management issues that I've never had to deal with on shared hosting. My understanding is that I'll be able to become involved in managing the server if I wish to, but that there will otherwise be no need for this. My hope is that once the server is brought into compliance, I can continue worrying about only the same things I'd be worrying about if the site was still on shared hosting.

(I must sound like an incurious imbecile! But, really, I just want to make sure I know what I'm doing before taking this leap.)

Is my understanding correct, or will moving the site to a fully managed VPS require a new learning curve and that I take time for things I'm not currently aware of?

Asked by Jonathan Greenberg

Scott Fell, EE MVE, Developer & EE Moderator, commented:
First, on those PCI scans, I swear they are programmed to find things that have no bearing on security but they need to find things to prove their costs. For those small picky items, you can typically respond back with a reasonable excuse for a waiver of that item.

If you want to stay on some type of shared plan, Newtek has always been PCI compliant and they have shared Windows and Linux with 24/7 email/phone support. I like them for shared services.

When you make the jump to VPS or Dedicated, "Fully Managed" typically means the server has a control panel like Plesk or cPanel. It does not typically mean it's on the same system as their shared service where the updates are overseen and people come running when there is intrusion detected.

I made the jump because I needed more database power and the shared SQL servers were not cutting it. My experience with VPS at that time was there was not enough memory as the max was 2 gigs and I had a lot of issues with neighbors hogging CPU even though that was not supposed to happen. The fix was either getting your slice moved or they shut down the naughty neighbor. Using Windows, my slice kept crashing because SQL Server wanted more memory so I jumped to dedicated. After trying out a few services, I settled with for price/service.

If your site has been working out ok on your current shared service, it would be worth checking out. But if you need a private db, then you will need to go VPS or dedicated. By the way, some VPS hosting is not much different in price than low-end dedicated...
Jonathan Greenberg (author) commented:
Hi, padas. Thanks so much for your response!

I haven't had any particular complaints about the scans, really. I was easily able to address the detected vulnerabilities that resulted from my scripts, and the server-related issues mainly seem to pertain to simple things, such as keeping OpenSSH up to date. I think I just need a host who is willing to work with me in addressing such issues.

So I think you're suggesting that if I don't want to have to deal with any new headaches, such as general server security and updates, then I need to stick with shared hosting.  OK, got it.

I'll check out Newtek.  Their Linux hosting plans' "security features" include "PCI-Compliant Facility," which would seem to indicate that they'll do whatever is needed to help me pass my PCI compliance scans.  I'll contact them and ask about this.  Their plans also include cPanel and "24/7/365 U.S.-based phone, email, and live chat customer support," which would be great.

Can you tell me about their support?  I've been with Rochen for the last couple of years.  Rochen is technically very much on their game, but they can be complete assholes to deal with, and I really don't want to have to pull any more hair out of my head dealing with anything other than competent, polite, helpful tech support people.  Are they smart, on the ball, and easy to deal with at Newtek?  This is critical to me.

Lastly, you mention that if I "need a private db," then I "will need to go vps or dedicated." I'm not sure what you mean by that. My site runs Joomla, so its db powers that, along with a few custom web apps that I've developed. It contains no credit card data, but it certainly needs to be protected and what I would refer to as "private." But I don't see why the db would need to be on anything more secure than a reasonably well maintained shared hosting platform. Do you mean something other than that?

Thanks very much, again, for your help, padas!

Scott Fell, EE MVE, Developer & EE Moderator, commented:
I have used Newtek since about 1999. Their support has always been great all hours. I don't rely on them as much as I only have a handful of clients I have left on their shared service. Most of my action is on my dedicated.

I have run ecommerce on their shared servers without issue. They have been very good to work with and helpful, and I feel comfortable recommending them.

What I meant by private db is on your server rather than a shared db that comes with the shared plan. But if you are already used to that, then you are good.

Let them know what problems you are having. You may not need to use an outside scan service if they can provide the documentation. However, I would doubt if a scan found some obscure thing and that obscure thing would affect everybody else, it may or may not be able to be taken care of. That would be true of any shared service.

They use SmarterMail for email and I believe the folks that wrote SmarterMail started at Newtek when it was CrystalTech. And I think the SmarterMail office is across the street still. So getting email server issues was always good with the exception of spam. They use a couple of larger anti-spam companies but I always had a few people that were spam magnets that nothing would fix. Now I just force everybody to use Google Apps for Business for their email and I never hear any complaints about too much spam.
Jonathan Greenberg (author) commented:
Thanks for your help, padas!