Web hosting security: biggest threats and how service providers are addressing them


A litany of issues is blighting web hosting providers – but how are they addressing the problems?

When a record-breaking 7.3-terabit-per-second DDoS blast slammed into Cloudflare this May, the platform’s automated defences absorbed the traffic.

Thankfully, no human had to jump in.


Engineers later published a millisecond-by-millisecond post-mortem, and the incident now stands as the largest DDoS on record. But it also marked two years in which hyper-volumetric attacks have surged significantly.

Size, though, is only half the equation. There are plenty of other threats that service providers have to face and fend off. France-based OVHcloud faced an April 2024 assault that hit 840 million packets per second, a rate designed to topple routers rather than saturate bandwidth. “Packet rate, not terabits, became the killer metric,” an OVHcloud engineer said after the attack.

Ransomware crews have learned to finish the job when denial-of-service fails. In August 2023, Danish host CloudNordic admitted that a migration-day breach wiped both production systems and backups. The firm wrote: “The majority of our customers have thus lost all data with us.”

Other weaknesses

Control panel software is another weak seam. A libcurl/OpenSSL flaw in September 2023 forced emergency rebuilds and affected millions of cPanel servers before it could be exploited. Twenty months on, a Roundcube bug (CVE-2025-49113) compelled Plesk to back-port fixes to its older 1.4 and 1.6 branches, sparking debate over whether the patch train had gone far enough.


But even fully patched sites can be duped and hacked. In December 2023, premium WordPress host Kinsta warned that look-alike Google Ads were mirroring its login page and harvesting credentials.

Regulators are starting to notice. In January 2025, the US Federal Trade Commission finalised an order against GoDaddy for weak multi-factor authentication and overstated security claims.


The consent decree mandates third-party audits and bars “security-by-marketing” – a strong indication the watchdog’s patience is thinning.

Building defences… where possible

Providers are rebuilding their defences on several fronts. Cloudflare now fingerprints attacks inside eBPF programs running in 477 data centres, deciding within microseconds whether a packet lives or dies.

OVHcloud has added more telemetry after realising routers, not transit links, were the new bottleneck. Route Origin Authorisation is spreading too: APNIC logged a 36% year-on-year rise in valid ROAs during 2023, curbing the BGP hijacks that once rerouted traffic for hours.


As a result, risk is shifting up the stack. Cloudflare’s Firewall for AI, launched in March 2024, aims to sandbox prompt-injection and model-tampering attacks as large-language-model hosting goes mainstream. Still, gaps persist.

As we’ve learned, one unpatched Roundcube instance can still expose hundreds of tenants; Google’s ad-review pipeline continues to trail phishing copycats; and only a quarter of global traffic travels under RPKI validation, according to APNIC.

Smaller hosts, priced out of hyperscale options, are forced to lean on upstream carriers whose capacity is steadily outgrown by botnets commandeering misconfigured MikroTik routers and end-of-life IoT devices.

What’s the future?

Security, regulation and criminal innovation remain locked in a vicious feedback loop. Bigger botnets launched by hackers are pushing bigger networks to raise the bar, while tougher audits drive crooks toward smarter social engineering. Every emergency patch released helps seed the next exploit kit.


Two years of escalating floods and data losses have made hosting security a board-level and regulatory concern. While those attacks will continue, there are always innovations coming around the corner.

The industry is bracing for the next wave. It could be a 10-terabit flood piggybacking on compromised 5G base stations, a zero-day in a neglected WordPress plugin, or a deep-fake voice ad that appears just as a site owner renews a certificate.

Although specifics are hard to come by, few insiders expect quieter times ahead. The pause between storms is more likely to shrink. And because of that, the infrastructure once hidden in far-away server rooms is now a carefully watched frontline.

