Self host websites
Is it feasible to self host websites for small businesses? I'm trying to do some research on the amount of infrastructure and stuff you have to know from a security standpoint... I'm fine with building and hosting stuff locally for me but I'm tempted to move to hosting some of my business sites as well.
Does anyone have experience and can give me some advice one way or the other?
I think the answer depends a lot on the use case of each business's website and what the business owner/employees expect from it.
Is the website a storefront? You'll be spending a lot of time maintaining integration with payment networks and ensuring that the transaction process is secure and can't be exploited to create fake invoices or spammed with fake orders. Also probably maintaining a database of customer orders with names, emails, physical addresses, credit card info, and payment and order fulfillment records... so now you have to worry about handling and storing PII, maybe PCI DSS compliance, and you'll end up performing some accounting tasks as well due to controlling the payment processing. HIPAA compliance too if it's something medical like a small doctor's office, therapist, dialysis clinic, outpatient care - basically anything that might be billable to health insurance.
Does the business have a private email server? You'll be spending a lot of time maintaining spam filters and block lists and ensuring that their email server has a good reputation with the major email service providers.
Do the employees need user logins so that they can add or edit content on the website or perform other business tasks? Now you're not just a web host, you're also a sysadmin for a small enterprise which means you'll be handling common end-user support tasks like password resets. Have fun with that.
Do they regularly upload new content? (e.g. product photos and descriptions, customer testimonies, demo videos) Now you're a database admin too.
Does the website allow the business's customers to upload information? (comments/reviews/pictures/etc, e.g. is it Web 2.0 in some way) god help you.
You're going to expose this to the public internet. It will be crawled, and its content scraped by various bots. At some point, someone will try to install a cryptominer on it. Someone will try to use it as a C2 server. Someone will notice that you're running multiple sites/services from one infrastructure stack and attempt to punch their way out of the webhost VM and into the main server just to poke around and see what else you've got there. Someone will install mirai and try to make it part of a DDOS service provider's network.
Is it feasible to self host websites
yes
for small businesses
NOPE
Well, you say your business sites, so I assume you're okay with downtime. I would absolutely not self-host sites for someone else's business, because if something happens to the hosting (ISP outage, power outage, bad update, hardware failure, accidental deletion, misconfiguration, ISP block, flood/fire/storm, theft, I can go on) then it's my ass on the line. Simple hosting is cheap, spend the few bucks for a lot more peace of mind.
What I can tell you, working for a company hosting data for the UK NHS.
Is that hosting is easy, I have a very reliable homelab. I keep things up to date and make sure to secure things the best I can.
But security is hard, there are many things to secure. Blind spots you didn't even know you had.
The bast way to look at security, it to start with secure and dial things back so that it works.
If you're very comfortable with containerization, networking, and security practices, plus you are a pretty decent full stack web dev, sure.
It's pretty trivial to set up a separate business internet line from your local ISP. Depending on the volume of traffic, a basic load manager and reverse proxy, combined with strong firewalls and container safety would be sufficient for most SMB needs.
You don't need much power to host a basic website. Setting up a local box with a low-impact distro, Docker, and some solid control-plane MGMT software should be plenty to host several dozen SMB websites.
There are a lot of technical and even legal considerations though. Do these small businesses need a web app on their site? Do they need a storefront? What about member-only content locked securely behind an authentication layer? Does your local ISP have rate limitations? Does your city/state/country have restrictions on offering business services like that? What is your liability if your setup gets hacked and your client's data is stolen/exposed?
Ultimately, you have to answer the question: Why shouldn't those businesses just go with an easy pre-made hosting solution like Squarespace, Wix, etc? Not saying there aren't good answers to that, but from a business perspective, the businesses will want to know that.
As with anything in business, ask yourself, what are you able to offer that they can't get easily somewhere else? I used to work for a tiny MSP that offered in-house data backups. Our clients paid a good chunk of money to have us backup their data to our own servers. I didn't say anything at the time, but our clients could have gotten much more secure and faster backup services for cheaper using something like Backblaze or Synology's S2 cloud backups.
Don't find yourself unable to clearly and concisely explain to your clients what you can give them that they cannot easily get somewhere else. If it's purely the principle of the thing, that's totally valid, but make sure that's what you're selling to them, and also what they are looking for.
If its just a simple static page. Just use cloudflare pages. It scales to zero and would probably be completely free for your use case.
Vercel is even easier to setup but they don't allow businesses on the free tier so it would be $20 a month for pro plan.
It’ll be vastly cheaper and easier to just get hosting somewhere.
Wordpress hosting (edit: THIRD PARTY Wordpress hosting, Bluehost and Hostinger are decent I think, see below) is fine for most small businesses and starts at about $10/mo. You can go fancier and more reliable and go up to $30/mo or something, or if you really need your own VPS you can go with Vultr or Hostinger and get a pretty similar price range for pretty much whatever you want to do.
I think the only reason to self-host is if you have some crazy special hardware or legal issue, or your own dev stuff that you don’t want/need to push to “the cloud” to put it online. Otherwise it’s such a buyer’s-choice market that it’s hard to justify.
Yeah... and unless you really, really enjoy configuring your own stuff and tinkering, a hosting service is much easier.
I happen to be insane, and enjoy that stuff. And it's not a business server (well, not anything big anyway).
Yeah. I've run plenty of services from a computer sitting in someone's office, or in my living room, while they're in-production-while-in-development. Sometimes it makes sense. But it's just not something you want to deliberately aim for as the solution. What if the power goes out? What if your motherboard dies? What if the toilet overflows when you're not there, and floods the place?
Just get a dedicated service and pay them their $10/month and have them worry about all that crap for you.
FWIW, it might be better to avoid wordpress hosting UNLESS you go with hosting from wordpress.com, since there’s kind of an all out war in the wordpress world right now and the fallout to people who just want their websites to work is unknown.
The tl;dr is that Matt Mullenweg, wordpress founder and owner/CEO of Automattic (which is the company that runs wordpress.com), has engaged in a Trumpish crazy war with wordpress hosting engine WPEngine, and in doing so has arbitrarily (in the name of his war) been doing crazy shit with the open source wordpress project.
EDIT: To be clear, I am NOT recommending wordpress.com. My logic in saying what I said above is that Mullenweg is being very hostile towards other hosting companies, specifically WPEngine. For a time he had cut WPEngine off from wordpress.org, which meant thousands of regular people and business running wordpress couldn't update their plugins or wordpress core because they had no access to the .org registries.
It's pretty unlikely that Mullenweg would cut his own for profit wordpress hosting company (wordpress.com) off from wordpress.org (the open source repo for the wordpress software and a vast majority of the plugins). And to be clear, I think Mullenweg is a piece of shit, and if it were me making this decision, I'd rent a vps and host it myself. It's really not that difficult.
Yes yes this is a very good point, stay well clear of Wordpress.com, Automattic, or any similar nonsense. All I meant by "Wordpress hosting" was managed hosting from some third-party place like Bluehost or Hostinger. The software is fine, it's all open source and the worst that will happen is 6 months from now, it's not getting a lot of feature updates because the core company that was making it has imploded completely, and someone from the community has taken over security updates.
But yes you need to stay clear of the clusterfuck while it's going on. Don't use Wordpress.com or anything adjacent to it.
Edit: Wait, I didn't even read closely enough. Why would Wordpress.com be safe? I had some vague impression it was connected with Automattic in some way, although I'm not sure, maybe it is just one of the third-party companies. I just feel like anything that's in any way adjacent to Automattic or anything "official" about Wordpress would be best avoided for a while.
What are you trying to run? a VPS is pennies, and a phyiscal server isn't much more. We have a bunch of servers that are $40 a month each and they come with 5 usable IPs, 32 gigs of ram, 1tb SSD etc. The cost of getting a static IP for home will be almost as much as a server. If you want less you can get less for a lot less money.
I've self hosted my own personal website for years now and it's not really an issue outside of the power going out and my IP changing. I just update DNS and move on. But if this is for an actual work? Just pay the $10 a month, not having to worry about it is worth that money.
where are you getting servers that cheap
This is one.
If you're in Canada, Rogers (nee Shaw) and Telus small business plans both offer 'static' IPs (Shaw's residential plans aren't officially static, but they rarely change on a residential modem unless you are always switching out hardware). Telus business fibre 1GB plan offers up to 5 static IP addresses.
Then you must purchase one or more domain names and assign them to your IP address... depending on your business's needs even small consumer hardware can run a web server just fine.
Have a backup strategy though! And be sure you actually test the restore procedure on a periodic basis!
Linux backups can range from home-grown 'rsync' scripts and hot-plug external drives as backup, to more fancy 'Time Machine' like backup things (I honestly forget what's out there for Linux right now, I have my own rsync scripts to back up to external drives).
My home server is my own, but if money is on the line you want proper backup and failover even. Most Linux distributions are easy-peasy to set up with Apache or nginx web servers but if you've never set those up you'll need to study lots of tutorials and manual pages.
If you don't want to tend to security and backups yourself though, it might be best to find a hosting service.
Well I hope everyone here has some experience.
I spent $200 on a mini PC. The only thing business is essentially a landing page.
Yunohost handles the security and really the majority of technical stuff for me but it's still going to require some learning. I'm happy to help as much as I can.