Jake Charman

Resident Geek of Nitrous Junkie Racing

8 Reasons Why I Would Never Self Host A Website…

Sat 26 Dec 2015

So I’ve stated in a few forums I frequent that I strongly recommend against hosting websites from home, especially when the person asking states that they have little or no knowledge in the area. My reasons are mostly security-based, but there are also a few ways in which hosting from home is just worse than using a web hosting service.

1) Network Security
So this one is fairly obvious: there are some risks associated with opening a port on your home network. It essentially allows public access to a particular part of the network. By doing this the attack surface becomes larger, because the open port is a “way in”, so to speak, where attacks can begin. In my experience, this is made worse when a domain name is attached to the network. I’m not sure exactly why but I’m guessing that the very public nature of domain names, as compared to the IP address you’d use for other tasks including port forwarding, is a big factor. When using a hosting service this isn’t really a problem. On your home network, however, one cock up in a firewall and any network shares or other network resources are left vulnerable.
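The firewall point above, as an added example that is not part of the original post: a Python check that lists which services on a home server listen on a non-loopback address besides the ports meant to be public, since those are what a mistaken forwarding or firewall rule would expose. The sample `ss -tlnH` output, the address 192.168.1.10 and the intended port set are constructed assumptions.

```python
# Added example: audit listening TCP sockets on the would-be web server.
# SAMPLE_SS is constructed text in the format of `ss -tlnH`; on a real host,
# pass audit() the stdout of: subprocess.run(["ss", "-tlnH"], ...)
import ipaddress

INTENDED_PORTS = {80, 443}  # assumption: the only ports meant to be forwarded

SAMPLE_SS = """\
LISTEN 0 511  0.0.0.0:80       0.0.0.0:*
LISTEN 0 511  0.0.0.0:443      0.0.0.0:*
LISTEN 0 50   0.0.0.0:445      0.0.0.0:*
LISTEN 0 128  127.0.0.1:3306   0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 50   192.168.1.10:139 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (address, port) for each LISTEN line of `ss -tlnH` output."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        # Drop an interface suffix (%eth0) and IPv6 brackets.
        addr = addr.split("%")[0].strip("[]")
        yield ("0.0.0.0" if addr == "*" else addr), int(port)

def audit(ss_output, intended=INTENDED_PORTS):
    """Return sorted (port, address) pairs that listen on a non-loopback
    address but are not in the intended set."""
    findings = set()
    for addr, port in parse_listeners(ss_output):
        if ipaddress.ip_address(addr).is_loopback:
            continue  # only reachable from the box itself
        if port not in intended:
            findings.add((port, addr))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr in audit(SAMPLE_SS):
        print(f"unintended listener: {addr}:{port}")
```

Anything it reports (here SSH and the SMB/NetBIOS file-sharing ports) should be bound to loopback, firewalled on the host, or moved off the machine that faces the internet.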
2) Bandwidth 
Not so much a problem for someone messing about building themselves a site on the cheap but still worth noting. Depending on the traffic to your website, your home internet speed may be affected. So if the site gets popular, you may be left with ridiculously slow internet as a result. The average home internet connection (at least here in the UK) certainly can’t compete with the connection speeds offered by hosting companies anyway so you may end up with slow internet and a slow site on top.
3) DDOS Attacks
This kind of ties in with network security but not enough to be in the same section. DDOS attacks seem to have become popular again recently, probably because of the ease and low cost of carrying them out. From what I can see these attacks seem to be mostly carried out on a completely random basis, I would guess the same way cold calls are. If you don’t know, a DDOS attack is essentially flooding a server with packets until it stops responding. Most large companies can take DDOS attacks all day long and only lose a negligible amount of speed. However, these web servers are likely running the latest software on the latest, most powerful hardware. And even then there’s more than one. In some cases a whole data centre full of them is serving one site. In the case of a self hosted site, however, I’d imagine the internet connection would immediately die on its arse, losing all connection speed. If the packets do make it through though, the server is likely (depending of course on hardware and software) to do the same. Especially since by far the most popular solution I get asked about is the Raspberry Pi.
4) The Logistics
So if you don’t care about any of my technical reasons then this is the one that puts off most people. To even be taken remotely seriously your site needs to be online 24/7 meaning that the server needs to be running 24/7. I have a server right next to my bed, it’s an AMD Athlon 64 x2 with 5GB of RAM and I’m pretty much used to it. It’s been there for about 3 years, possibly more. While I can hear the server, there is nothing happening at night, so all I’m hearing is a little fan and hard drive noise. A gentle whirr. It’s only a gentle whirr while there’s nothing happening though. If I remote into any of the VMs running on it, the disks start grinding away like any other PC. So with people accessing the server 24/7 the disks are going to make noise all the time. 
5) Uptime
Segueing on nicely, most companies will guarantee you 99% uptime at least. I would challenge anyone on a tight budget to compete with that. In fact, looking at PRTG Network Monitor, my internet connection only has 99.96% uptime. So 100%, which is offered by some companies, is completely unobtainable by me. There’s also no failover if the server should die. In fact, just this morning my home server needed a reboot and decided it wasn’t going to boot after running fine for the last month. The likelihood is also that there will be no UPS or generator in the case of a power outage and no redundancy in the case of a hardware failure.
6) Security (Of A Different Kind)
If you wanted to run anything but a simple web page then you can probably forget about it now. I mean to begin with, who is going to trust an email address and password to a random box in some guy’s house? In fact, when I wanted to test PHPBB on my web server hosted by a company, I asked a few friends to sign up. The response was almost entirely “no, you can probably see the password” despite the fact I showed them the completely encrypted data in the SQL server. On top of this, storing any sort of data that isn’t yours without a real off-site backup probably isn’t something you want to do. Not only is your home address visible in WHOIS, ready for angry people with pitchforks, and your home IP ready for DDOS attacks, but it’s probably against some sort of data protection law.
7) Maintenance Is A Pain
As I said at the start, a lot of the people asking this in forums state in the question that they are very inexperienced in IT. The downside of self hosting from a learning standpoint is that, especially in a Linux environment, which a web server is likely to be, if the web server breaks the user will be stuck at a shell knowing nothing. I learned what I know now by using the friendly GUI of a web hosting company. This taught me the terminology, and now if I were to get stuck I’d at least have one or two words to Google to find an answer. But starting right at the server, you’ll get “root@webserver ~#” and nothing more.
8) Dynamic IPs
In the UK, it is standard practice for ISPs to assign dynamic IPs to their customers, and a static IP often costs extra. For web hosting, a dynamic IP introduces a new problem. When you point the A record of the domain to the IP, the record has no way of knowing if the IP has changed, which for the most part dynamic IPs frequently do. The generally accepted way around this is to use a dynamic DNS service like No-IP or DynDNS. These often cost as much as standard web hosting and in my eyes are just another component which can go down and reduce your uptime. While most routers now have the facility to update the dynamic DNS when the IP changes, on older networks a PC (usually only Windows is supported) may be required to run 24/7 and update the DNS. The dynamic DNS service will also provide a domain name like something.provider.com, which just opens another public URL pointing towards your network.