What Are The Top Node.js Hosting Platforms?

Struggling to find the top hosting platform for Node.js on the market? Have questions about where to host Node.js? Don’t worry. We have all the information you need for hosting Node.js effectively right here.

As one of the biggest runtime environments for JavaScript, Node.js is invaluable to countless developers all over the world. This immense popularity has grown consistently since Node.js launched in 2009, thanks in large part to the huge community of companies leveraging it daily.

Anyone with experience of Node.js will understand exactly why it’s so popular. It’s ideal for everything from full end-to-end app development to the intricate creation of an individual component within a complex application.

Research shows that businesses primarily utilize Node.js for back-end, full stack, and front-end development. For organizations revolving around rapid environments and aiming to maximize productivity, Node.js is an outstanding option. It’s designed to be incredibly scalable for growing businesses, and is fantastic for creating cutting-edge applications for diverse users. It scales to a high standard with no need to invest in a lot of expensive hardware.

On top of this, Node.js offers support for the popular NPM (Node Package Manager). Developers can take advantage of the package to build their applications easily, due to the extensive portfolio of modules included within it.

But it can be a major challenge to find a dependable, safe platform for Node.js (when compared to, say, WordPress and similar PHP apps). There are two popular methods of hosting Node.js apps:

  • Managed: This enables you to concentrate on the application’s code and a service provider takes responsibility for maintaining the infrastructure.
  • Cloud VM: You can utilize your preferred OS and take charge of installing, deploying, and managing everything independently.

So, two different options — but which is right for you?

If you would rather avoid the complexities of system administration, a managed platform is typically recommended for a more streamlined process. But if you’re willing to invest considerable time into installing and administering, the cloud VM may be the better option.

With this in mind, let’s look at the platforms available — which will you choose?

DigitalOcean

With DigitalOcean, you can take advantage of a streamlined one-click install and deployment process for your Node.js. This is a famous option in the development community, and it’s extremely cost-effective, with deals starting from just $5 each month.

Want to install Node.js by yourself? DigitalOcean allows for plain droplet requests and a selection of OS options for self-installation. Multiple infrastructure services include object storage, load balancer, firewall, and more. Users can build enterprise-ready applications with ease.

Organizations using DigitalOcean have the freedom to scale up and down as they see fit. Being able to pay for the droplet (VM) size you choose means that the fees are predictable, for easier finance management.

AWS

It should come as no surprise that this market leader is regarded as one of the strongest contenders for hosting modern applications to a high standard. AWS offers a wealth of services to satisfy all users’ needs. You have the option to provision a suitable VM and install your Node.js and all related software (or you can choose Elastic Beanstalk).

This supports the following roster of languages:

  • JS
  • Ruby
  • Python
  • .Net
  • Go
  • Java

This is by no means an exhaustive list — it supports many more.

The biggest benefit of leveraging Elastic Beanstalk is that there’s no need to worry about your infrastructure. You’re free to deploy applications using your preferred tools for efficient development release.

The key factors of this Node.js hosting platform include:

  • Integrates easily and effectively with additional AWS services
  • Application can be scaled to your goals and requirements thanks to auto-scaling and load balancing
  • Pay as you go structure

You can get started with AWS without charge, via the free tier.

Heroku

Heroku is known for being particularly friendly to developers, as it’s designed to support numerous languages (e.g. Node.js) and environments. It’s part of Salesforce, a major brand with a solid reputation.

Heroku provides a free package with 512MB of memory, and one web or worker to help you get started.

The key elements of this hosting platform for Node.js include:

  • Integrate third-party software seamlessly
  • Multi-region app deployment
  • Packaged with many services and plugins
  • Documentation suited well to beginners and seasoned developers

Redhat OpenShift

This PaaS (platform as a service) is available to start using for free. Redhat OpenShift provides users with automatic scaling, so apps won’t run slower because of increased traffic. You can use a native privacy feature to access your own database securely, and host up to three applications for free.

OpenShift is a great option for newcomers looking to experiment with their new Node.js apps, and you can set up a custom domain as part of the free plan as well. It’s a solid option for enterprises and individual developers alike.

Google Cloud

Using Google Cloud, you can host an application wherever the powerhouse brand’s products appear. Choose from four options:

  • App Engine: Google manages your infrastructure on your behalf with this PaaS service
  • Compute Engine: Utilize a VM with your preferred OS, to install it however you like; you can take full control, managing the server yourself
  • Kubernetes Engine: This enables you to run a Node.js app within containers
  • Cloud Functions: This option lets you make your function to execute on the Google infrastructure; this solution is serverless and you’ll pay for the code runs

Like the sound of Google Cloud? It provides as much as $300 in credit for users looking to try it, and it’s ideal if you want to make enterprise-ready apps.

Platform.sh

This Node.js hosting platform is fully automated and managed. It’s designed for hosting Node.js applications within clusters, for a higher standard of performance and improved availability.

This is optimized for the latest development frameworks, and other highlights of this Node.js hosting platform include:

  • Integration for Git
  • Suitable for agile scaling
  • SSL certificates are free
  • Ready for micro services
  • 24/7 support

Azure

Microsoft Azure is an obvious addition to this list, as it’s one of the market’s biggest cloud computing platforms and has data centres throughout 54 different regions. You can choose from various options, as with other major AWS and GCP solutions. Pick from:

  • Virtual machines: Environment setups with Windows or Linux
  • App Service: This is fully-managed — you deploy your code and Azure handles the rest
  • Functions: This is serverless computing for scaling and meeting your specific demands
  • Cost-effective structure: You only pay for whatever you actually use

NodeChef

Still wondering where to host Node.js? NodeChef is another high-quality option. This Node.js hosting platform for mobile and web applications supports a number of other languages, such as Java, PHP, and more.

You can use NodeChef for hosting applications within a docker container, and you can pick from SQL and NoSQL database. Its highlights include:

  • Real-time logging
  • One-click scalability
  • Deployment with one click
  • SSL provisioning automatically
  • Numerous locations for data centers
  • Metric monitoring

NodeChef is billed hourly and prices start from $9 each month.

Node.Js Hosting with Plesk

Plesk is an innovative web hosting platform for automating hosting routine tasks and scaling hosting business. It is compatible with Linux and Windows operating systems, has ecosystem of 100+ extensions and supports various web development environments including Node.Js. To use Node.Js with Plesk it is enough to have Plesk-driven VPS server, install there Node.Js extension and follow these instructions.

Final Thoughts

We hope that this guide helps you to find the right hosting Node.js option for your goals. It’s worth making the most of free credit or free trial deals, to try multiple platforms without risk. Make sure you run a scan of your Node.js app to identify security weaknesses when your code goes live.

Tools To Scan For Security Vulnerabilities and Malware

Web security is something we should all be doing nowadays, because there are literally hundreds of different potential ways that any site can become compromised. You should regularly scan security vulnerabilities to stay safe from these sorts of potential problems – cross site scripting,  vulnerable components, DOM-based vulnerabilities, SQL injections, cross site request forgery and crlf/xxe/http injections

Let’s face it, we don’t always scan security vulnerabilities as much as we should. It’s an easy task to overlook because so much needs to go into designing, testing, and marketing a website. We’re often more focused on success than safety, but that really is a false economy. It’s like building a fabulous house but forgetting to put a lock on the front door. Security underpins everything else you do with your property, so you can’t afford to let it slip. If you don’t scan security vulnerabilities, then the chances are good that someone, somewhere will find a way in and cause havoc. If you feel put off from thinking about security because it seems complicated, don’t worry. There are plenty of tools out there that will scan website security vulnerabilities for you. Some of them even offer free trials so you can road test them to see if they’re going to work for you:

SUCURI

SUCURI is free and its used widely to scan website for malware. It’s great at tracking down malware and scanning for security issues, and it will report on malware blacklisting status, show you points where SPAM has been injected, and point out instances where someone has made unwelcome changes to your site. If you’re using popular platforms such as WordPress, Joomla, Magento, Drupal, phpBB, then it’s going to work just fine for you.

Quttera

Quttera can scan website for malware and possible exploits. It combs your website for potentially malicious and suspicious files, using PhishTank, Safe Browsing (Google, Yandex), and Malware domain list.

Qualys

SSL Server Test by Qualys looks for SSL/TLS that has been configured wrongly and also for inherent weaknesses on your site. It can check your https:// URL including the date expires, its overall rating, cipher, SSL/TLS version, do a handshake simulation, look for protocol details, BEAST and other things too.

It’s important to run the Qualys test every time you make a change to SSL/TLS. It can scan security vulnerabilities or scan website for malware, so you’ll be assured that any changes you’ve made are safe.

Intruder

Intruder is based in the cloud and it looks for weaknesses in the whole web app set-up. It’s engineered to deliver a level of security protection that makes it suitable for governments, banks and similar enterprises that call for high-end safety, and its scanning engine is simple to use as well.

Its comprehensive security features allow it to identify:

  • absent patches
  • incorrect configurations
  • web application issues including SQL injection and cross-site scripting
  • CMS problems

Intruder can scan website security vulnerabilities and put results in order of priority according to their context to save you time. It can also proactively scan your systems for the most recently identified weaknesses. It can integrate with major cloud providers (AWS, GCP, Azure) as well as Slack and Jira.

Detectify

Ethical hackers lend their expertise to ensure Detectify keeps your website and web apps secure with automatic security and monitoring of assets. It can identify upwards of 1500 potential threats.

It can scan for vulnerable points with OWASP Top 10, CORS, Amazon S3 Bucket, and misconfigured DNS. It has Asset Monitoring and it keeps a non-stop eye on your subdomains, searching for takeovers and alerting you if anything anomalous is picked up.

Detectify’s pricing plans come in three flavors, called Starter, Professional, and Enterprise and they all come with a two-week free trial, no credit card needed.

UpGuard

UpGuard Web Scan can assess risk using information that’s publicly available. It can organize test results into these groupings:

  • website threats
  • email threats
  • network security
  • malware and phishing
  • brand defense

It’s great at quickly giving you insights about where your website is at the moment, security-wise.

Pentest-Tools

This scanner is just one of many tools on offer from Pentest-Tools. It can gather information, test web apps, CMS, infrastructure, and SSL. Its main purpose is to find the most frequently-occurring web app vulnerabilities and problems with server configuration.

There’s a basic version that does passive web security scanning, and it’s adept at finding things like unsafe cookie settings, unsafe HTTP headers, and out-of-date server software. It will grant you two full scans for free, and that will be enough to give you a very good overview of any problems with things like local file inclusion, SQL injection, OS command injection, and XSS, for example.

Observatory

Mozilla has launched Observatory, which can scan website for malware and has other security features. It validates the security of OWASP headers, checks TLS best practices and carries out third-party tests from SSL Labs, High-Tech Bridge, Security Headers, HSTS Preload, and others.

Conclusion

All of these powerful tools can give you a great deal of insight into the kind of vulnerabilities that might affect your website, and enough of them have free offers that you’ll be able to decide which of them will serve you best.

Comprehensive Guide on Open Source Databases

Data plays a crucial part in running a successful organization today, across all industries. And this means that databases are incredibly important for effective, efficient data management. But what are the best options for your goals and budget? To help you find the best open source databases for your upcoming project, we’ve explored the top 11 options on the market right now.

Which is the Top Open Source DBMS?

There seems to be a huge variety of database suites available, with newcomers arriving despite the long-term popularity of powerhouse names like SQL Server and Oracle. A key driver of this ongoing innovation in database design is the freedom which open source brings: enabling developers with talent, skill, and time to create a product they’re genuinely passionate about.

Of course, we can’t overlook the creation of newer business models which allow companies to run community versions of products. This facilitates access to mind share and pivotal traction, while delivering a commercial offering.

As a result, there’s a bigger selection of databases than developers may be able to keep up with — dozens of options now exist. That creates the potential for solo developers and teams to become seriously confused. And that’s not to mention the immense documentation to explore.

When you have a project coming up, you want to find the best database for your goals and requirements with minimal fuss. Just get what you need, get in, get out.

That’s why we’ve taken the time to explore 11 of the best databases you can take advantage of for enhancing your own or someone else’s solutions.

First, though, let’s clear a few things up:

MySQL is NOT in this list. We’ve decided to leave MySQL off this list, despite it being regarded as the most popular open source database on the market. We feel that it’s so ubiquitous, so well-known, and so easy to learn about, there’s just no point in exploring it with you here.

And remember: the open source DBMS products we’ll cover below aren’t necessarily to be considered as MySQL alternatives. Yes, they might serve that function in certain cases, but they could be a totally different solution in other situations. We’ll get into that more when appropriate.

Another point to explain is compatibility. It’s worth keeping this in mind if you’re starting a project which supports a specific database engine only. For example, if you were using WordPress, this guide might not be the best read for you. And if you’re running JAMStack static sites, again, these alternatives may be outside your field of interest.

Ultimately, it’s down to you to make sense of the compatibility situation, but if your slate’s blank and you’re flexible with architecture, you’ll find some terrific recommendations below.

PostgreSQL

Never heard of PostgreSQL? This might seem like an odd option if most of your experience comes from PHP solutions like Magento and WordPress. But this database is nothing new — it’s been in operation since the mid-90s.

It’s a go-to option for such communities as Python and Ruby. Actually, plenty of developers upgrade to PostgreSQL based on the range of features available and its well-known stability. Yes, you might not be converted to it based on a short piece of coverage like this, but it’s fair to say that PostgreSQL is made incredibly well and offers reliable performance.

You can choose from some solid SQL clients for connecting to the database, for effective development and administration.

What are the key features of PostgreSQL?

This open source DBMS boasts some outstanding features compared to others (particularly MySQL). They include:

  • In-built data types for Range, Geolocation, and more
  • Scriptable in Python, PL, etc.
  • Replication that’s both synchronous and asynchronous
  • Full text searchability

The strongest of these features could be the geolocation engine, which reduces the frustration that sometimes comes with location-based applications). The array support is a big advantage, too.

When should you use PostgreSQL?

PostgreSQL can be considered a better option than alternative relational databases, especially if you’re launching a fresh project with no experience of MySQL. Developers have been known to quit due to MySQL’s negative aspects and switch to an easier option instead.

This is also fantastic if you’re looking for partial NoSQL functions for a hybrid data model. As key-value storage and documents are supported natively, there’s no need to go looking for learning, installing, or maintaining different database options.

When is PostgreSQL not right for you?

This option is unlikely to work for you when you don’t have a relational data model and clear-cut requirements for your architecture. So, for example, with analytics, in which fresh reports are created with existing data regularly, systems such as these can suffer with enforced strict schemas.

While PostgreSQL benefits from a storage engine for documents, things can become complicated when handling datasets on a large scale. PostgreSQL, then, is ideal for anyone with anything less than total confidence in what they’re doing.

MariaDB

This was built as a MySQL replacement ( please read MariaDB vs MySQL comparison ), and comes from the mind of the person responsible for the development of MySQL!

MySQL was acquired by Oracle years ago, and its developer launched their own open source project — MariaDB. It was made using the same code base (a process known as forking), which is why MariaDB became known as a valuable drop-in alternative to MySQL.

So, if you want to migrate from MySQL to MariaDB, rest assured: it’s a quick, easy process. However, you can’t go back to MySQL once you’ve migrated to MariaDB.

What are the key features of MariaDB?

MariaDB could be considered a MySQL clone, but there are a number of differences between the two. Anyone considering switching to MariaDB should think about it carefully, though, but fortunately, there are a wealth of new features that make MariaDB more appealing:

  • There’s no licensing issues or similar “corporate” interruptions to worry about, as MariaDB is open and free
  • MariaDB is faster than MySQL, thanks to the Aria storage engine which handles complicated queries
  • More storage engines, such as ColumnStore and Spider
  • Stronger capabilities for replication, including multi-source
  • Numerous JSON functions

When should you use MariaDB?

MariaDB is a fantastic, authentic replacement for MySQL, but you have to be sure you’re not going to want to go back to MySQL before committing to it. An example usage is relying on new MariaDB storage engines to align with your project’s current relational data model.

When is MariaDB not right for you?

The only issue here is MySQL compatibility, but it’s less problematic as Joomla, WordPress, etc. have begun to offer MariaDB support. It’s best to avoid MariaDB as a way to trick your CMS if it doesn’t support it — there are numerous database tricks that can cause your system to crash.

CockroachDB

Cockroach is named so because it’s built for survival, like the insect by which it’s inspired. Cockroaches find ways to survive all manner of situations, and this solution is made to do the same.

CockroachDB comes from a team comprising former engineers at Google, who were irritated by restrictions imposed by traditional SQL options when working on larger scales. Generally, SQL solutions have always been intended for single-machine hosting, and there was no option to create a database cluster running SQL. That’s why MongoDB earned a lot of notice.

While PostgreSQL, MariaDB, and MySQL have all offered clustering and replication, the results have been less than impressive. But CockroachDB is made to offer a stronger alternative, delivering smoother clustering, shading, and availability for SQL.

When should you use CockroachDB?

This is perfect for system architects: anyone who loves SQL and is fixated on MongoDB’s scalability options is sure to be amazed by CockroachDB. It lets you set up clusters and process queries efficiently.

When is CockroachDB not right for you?

Is your RDBMS doing its job well for you right now? Can you handle any of its scalability problems? Then you might be happy to stay with it for the time being. While CockroachDB is a work of genius, it’s still a new option and you don’t want to find yourself struggling to use it down the line.

SQL compatibility is another potential stumbling block, as if you’re performing complex SQL and depend on it for crucial things, CockroachDB can be said to bring a higher number of edge cases than you might like.

From this point on, we’ll look at NoSQL database options for users with highly-specialized requirements.

Neo4j

Connected data is one of the biggest, most important developments within the past 10 years. We all know the world isn’t separated into neat tables — it’s a colossal mess in which almost everything is connected. One great example of this is social media, and creating a data model that’s similar with SQL (or document based databases) can be a formidable challenge.

Why? Because the graph is the perfect data structure for these, and that’s a totally different thing altogether. For this, you’d be best with a graph database — which is where Neo4j comes in.

A data model in which many users or entities are connected is incredibly difficult to build with SQL, due to the struggle of avoiding memory overruns and infinite loops.

What are the key features of Neo4j?

  • Graph analytics and transactional application support
  • Specialized query language used to query the database (Cypher)
  • Features for discovery and visualization
  • Digest complex tabular data into a graph form with data transformation functions

We won’t go into the “when to use” and “when not to use” points here — if you’re looking for graph-based data relationships, Neo4j is your best option.

MongoDB

We mentioned MongoDB above, and it’s an incredibly important database. This was the first of the non-relational databases to create an impact within the technology industry, and it remains a firm favorite today.

This is different to relational databases, as it’s a document database designed to store related data together in chunks. For example, a user’s contact information and access levels are located within one object. When you fetch the user object, you fetch all related data automatically with no join concept.

What are the key features of MongoDB?

A number of MongoDB’s features have inspired experienced architects to quit relational databases and choose this alternative instead. These include:

  • Add or remove nodes from clusters with ease
  • Distributed transactional locks
  • Flexible schema for different, specialized use cases
  • Optimized for quick writes, ideal as a caching system for analytics

NoSQL’s data modelling can be daunting at first, but when architects get to grips with it, they might find it’s always the best alternative to a table based schema.

When should you use MongoDB?

MongoDB is a fantastic entry point for those switching from the regimented SQL world. MongoDB is ideal for creating prototypes due to the lack of schema, and it’s great for scaling.

There are use cases in which SQL options are ineffective. When building a product in which users can make designs that are arbitrarily complex and edit them down the line, relational databases are not the best option.

When is MongoDB not right for you?

For users who don’t know quite what they’re doing, MongoDB’s lack of schema can make it difficult. Such issues include empty fields which shouldn’t be empty, data mismatches, and more. MongoDB users have to remember that the application code must take responsibility for the maintenance of data integrity.

RethinkDB

Why is this named RehinkDB? Because it takes a fresh approach to a database’s capabilities when working on real-time applications. When databases are updated, the app has no way to know, and the traditional approach is that the app launches notifications when an update occurs.

This is typically brought to the front end via a complex route, but RethinkDB is designed to bring updates to the front end from the database directly. This is ideal for building real-time apps — including games, analytics tools, etc. — and makes things a little simpler.

Again, no need to go into reasons to use or not to use. If you need RethinkDB, you’ll know!

Redis

Some might have overlooked Redis, as it’s an in-memory database used primarily for caching and other support functions.

Redis is fairly quick and easy to learn. It’s a user-friendly key value store, able to store strings with a variable point of expiry (which can be tweaked to be infinite!). While it doesn’t have the biggest portfolio of features on the market, Redis is still an impressive option based on its performance and wide-ranging utility. It lives completely in RAM, which means its read and write speeds are jaw-droppingly fast.

So, if you’re running a project which might benefit as a result of caching or a distribution of components, Redis is well worth a look.

SQLite

Okay, so we might have claimed that relational databases wouldn’t feature on this list again, but we’re going to cheat a little with SQLite.

This C library provides users with a relational database storage engine, and everything included within the database is able to exist in one file using a .sqlite extension. As a result, you can place these wherever in your filesystem you like.

With SQLite, there’s no service to worry about connecting to and no software for installation either.

What are the key features of SQLite?

SQLite might be a fairly lightweight option, especially when compared to something like MySQL, but it’s a solid package. Its features include:

  • Support for thousands of columns in a table (up to 32,000)
  • Complete transactional support (ROLLBACK, BEGIN, and more)
  • Support for JSON
  • Database size reaches a maximum of 140TB
  • Faster (by 35 percent) than file I/O

When should you use SQLite?

SQLite is specialized and designed for a hassle-free, focused methodology. So, if you’re working on an app that’s fairly simple and want a smooth process without relying on a traditional database, SQLite is a worthy option. It can work well for small or medium CMS or demo apps.

When is SQLite not right for you?

SQLite may be solid, but it doesn’t have all of the features that standard SQL or other high-quality database engines offer. For example, it lacks scripting extensions, stored procedures, and clustering. Furthermore, it’s missing a client for connecting, querying, and exploring throughout the database. Performance is known to decrease as applications increase in size too.

Cassandra

Ever heard that Java is reaching the end of its road? Well, it’s a common claim, but from time to time, something comes along to challenge it. Something like Cassandra.

This is part of what can be considered the columnar group of databases, and Cassandra’s storage abstraction is a column instead of a row. The aim is to keep all data stored within a column physically based on the disk to reduce the seek time as much as possible.

What are the key features of Cassandra?

Cassandra was built for a specific kind of use case: handling write-heavy loads with no tolerance for disruptive downtime. The main points include:

  • Scalability is linear, so you’re free to add any number of nodes to clusters as you like with no increase in brittleness or complexity
  • Write performance is incredibly fast, and Cassandra is the quickest database for heavy write loads
  • Partition tolerance is unmatched, so if a number of nodes within a Cassandra cluster fail, the database is made to continue performing with no integrity loss

When should you use Cassandra?

Two of the strongest Cassandra use cases are analytics and logging. On top of this, huge amounts of data can be handled with no downtime, accommodating projects on all scales.

When is Cassandra not right for you?

Cassandra’s column storage setup has its fair share of drawbacks. For a start, the data model is somewhat flat and high availability is only achieved at the cost of consistency. As a result, Cassandra could be considered as less effective for systems which demand high accuracy in reading.

Timescale

Timescale is one of the strongest open source databases for the IoT (Internet of Things) age. Timescale is known as a ‘time series’ database, which differs from traditional ones in that time is the main factor. Visualization and analytics of large amounts of data is crucial.

These time-focused databases infrequently spot an adjustment to existing data, such as temperature information from climate sensors. New data is gathered on a second by second basis, ideal for analytics and subsequent reports.

But why would anyone choose to use this rather than a standard database featuring a timestamp field? There are two core reasons why. First, traditional databases made for general purposes aren’t optimized to function with data revolving around time. They’ll be far slower when dealing with lots of data.

Second, the database has to handle plenty of data as it continues to be generated, and removing or altering schema isn’t an option down the line.

What are the key features of Timescale?

This has a range of impressive features which help it stand out from alternatives in its category:

  • As Timescale is built on PostgreSQL, which is considered the best open source relational database available, it’ll fit in brilliantly if your project utilizes PostgreSQL already
  • Write speeds are extremely fast, with potentially millions of inserts each second
  • Timescale can handle billions of data rows
  • Select relational or schema-less based on your unique requirements

We won’t cover when you should or shouldn’t utilize Timescale here. If you’re working in IoT or looking for similar characteristics in a database, Timescale could be right for you.

CouchDB

This is a well-made database that might not be as well-known as others, but it’s designed to handle such issues as network loss and eventual data resolution (developers would rather abandon tasks than try to deal with this themselves).

You could consider a CouchDB cluster to be a distributed set of nodes of different sizes (including some offline). Whenever nodes go online, they transmit data to the cluster, so that it’s digested gradually until it’s available for the whole cluster.

What are the key features of CouchDB?

  • High reliability and resistant to crashes
  • Simple clustering and redundant data storage
  • Specialized mobile and web versions (e.g. PouchDB)
  • Capable of offline-first syncing of data

When should you use CouchDB?

This was designed for offline tolerance, and is still unparalleled here. An example of a standard use case would be a mobile app in which the portion of data is located on a CouchDB instance on a user’s device.

As the user’s device can’t be connected constantly, the database must be ready to resolve updates which may conflict at a later point. This is where the innovative Couch Replication Protocol comes into play.

When is CouchDB not right for you?

Anyone attempting to use CouchDB for a purpose beyond the use case intended is likely to encounter serious issues. It demands a higher amount of storage than others on the market, mainly as it has to maintain redundant data copies and results of conflict resolutions.

This means that its write speeds tend to be incredibly slow, too. CouchDB is unsuitable as a schema engine for general purposes, as it doesn’t cope with schema changes too well.

Final Thoughts

Do you think this list may be missing some solid candidates? That’s because it’s designed to guide you rather than command you — we’re here to inform and advise, not dictate.

Hopefully, you’ve discovered an extensive range of database options that help you achieve your goals to a high standard. Take your time before choosing your open source DBMS and you should be satisfied with the results.

Open Source Databases in Plesk

Plesk represents a fully featured web hosting platform for automating web hosting business and daily sysadmin tasks. This hosting platform is compatible with Linux and Windows operating systems and supports certain database management systems. On Linux Plesk officially supports MariaDB, MySQL and PostgreSQL database servers. Plesk for Windows has full support of non-open source Microsoft SQL DBMS as well as open source MariaDB and MySQL. Although MongoDB is not officially supported – there are  workarounds on how to make them working together.

Next Level Ops Podcast: Using Cloud Services for Your Hosting or Website with Lukas Hertig

Hello Pleskians! This week we’re back with the sixth episode of the Official Plesk Podcast: Next Level Ops. In this installment, Superhost Joe welcomes back Lukas Hertig, our Highest Order Pleskian, to have a chat about hyperscale cloud services.

In This Episode: Cloud-Washing, Competing in a Hyperscale Cloud Environment and Specializing Your Niche

What do we mean when we’re talking about cloud services? What is a hyperscale cloud provider? How can hosting companies compete in a hyperscale cloud environment? Joe and Lukas get the ball rolling on cloud computing in this week’s Next Level Ops. “Unfortunately, there is a lot of “cloud-washing” out there in the market,” says Lukas.

“If you want to use cloud services, it depends highly on your use case or your business. All the great stuff that we’re personally using today - Netflix, Uber, Shopify - is backed by cloud services.”

Lukas Hertig

The main idea behind cloud computing is that it lets you share resources. Amazon was the first to consider this idea when it wanted to scale its services back in the 2000s. Companies can now run their applications on top of technology infrastructure provided by Amazon Web Services. These days, cloud computing is available globally. And a few big competitors have entered the market. One of the biggest advantages cloud services provide is that you can keep your data and your services where your customers are.

That said, in what circumstances can a company use cloud services? “If you want to use cloud services, it depends highly on your use case or your business,” says Lukas. “All the great stuff that we’re personally using today – Netflix, Uber, Shopify – is backed by cloud services.”

Key Takeaways

  • Advantages of using cloud services. There has been concern among European companies about privacy in the cloud. However, today cloud providers are fully compliant with GDPR and local privacy regulations. This has made it easier for businesses to use such services. Using cloud services also depends on your use case. If you are a large enterprise, it allows you to spin up servers closest to your customers at the click of a button. When you are a start-up, it allows you to scale your services very fast.
  • Competing in a hyperscale cloud environment. Hyperscale cloud providers have made cloud infrastructure a commodity. So you need to find new ways to compete on a different layer, not just at the infrastructure level. For hosting companies that means moving from “generalist” to “specialist” managed services. Hosting companies should investigate what niche their customers belong to. This will enable them to provide more targeted technologies and services to their end users.
  • Partnering with hyperscale cloud providers. You can partner with companies like AWS and DigitalOcean using their partner programs and build on top of their hyperscale cloud. These companies are huge but they’re also human! It’s not all about competing but using existing services and building strategic relationships for growth.
  • Benefiting from hyperscale cloud technology. The rise of the platform plays a role here, i.e. look at platforms like Wix and Shopify who are actually using hyperscale cloud infrastructure to provide services to their users. Companies can develop more customized solutions using technology from hyperscalers. These solutions may not even be possible without hyperscaler technology!

…Alright Pleskians, it’s time to hit the play button if you want to hear the rest. If you’re interested in hearing more from Lukas, check out this episode. If you’re interested in knowing more about cloud service models, take a look at this guide. Remember you can find all episodes of the official Plesk Podcast here and here. And if you liked this episode, don’t forget to subscribe and leave a rating and review in Apple Podcast. We’ll be back soon with the next installment.

The Official Plesk Podcast: Next Level Ops Featuring

Joe Casabona

Joe is a college-accredited course developer. He is the founder of Creator Courses.

Lukas Hertig

Lukas is the SVP Business Development & Strategic Alliances at Plesk.

As always, remember to update your daily podcast playlist with Next Level Ops. And stay on the lookout for our next episode!

Announcing Plesk WordPress Toolkit 4.8 Release

Plesk WordPress Toolkit 4.8 is the fourth major WordPress Toolkit update in 2020. In this release, we focused on several customer-requested features. Including Smart Updates CLI, new notifications for outdated plugins, choosing the default WordPress installation language, and more. Read on to learn what’s new in this release.

Find out more about Plesk WordPress Toolkit

Choosing the Default WordPress Installation Language

When users install WordPress via WordPress Toolkit, there’s some magic happening behind the scenes. In particular, we are selecting default WordPress language based on the language of the user who is getting this WordPress installation. So, for example, if my Plesk is switched to Italian when I install WordPress, it will offer Italian as the default WordPress language. If the server admin is using Plesk in English and installs WordPress for a user whose Plesk is in German, the default WordPress language selected on the installation form will be German.

Apparently, either this logic doesn’t work all the time (although we weren’t able to conclusively confirm this). Or some people simply want to use a very specific language by default in all cases. The request from several customers was heard loud and clear. So we delivered this functionality in WordPress Toolkit 4.8. Now server administrators can open global WordPress Toolkit settings and choose a language that should be selected for all WordPress installations on the server by default. Users installing WordPress can choose a different language if they want, obviously.

Let’s take a closer look:

To return the old behavior which selected the language automatically, simply choose the “Same as user language” option (it’s right on top of the list of languages). Oh, and if you’re wondering what’s “Deutch (Österreich)” on the screenshot above, and why you can’t find this language in Plesk, here’s the answer: we’re taking the list of languages from WordPress itself. And it’s bigger than the list of languages supported by Plesk.

Adding CLI for Smart Updates

We’re slowly but surely adding CLI for existing features. And this time it’s Smart Updates feature that gets some love. WordPress Toolkit 4.8 adds the first part of Smart Updates CLI, allowing hosters to enable and disable Smart Updates on a particular site. The second part of Smart Updates CLI will come later. And it will include the ability to fetch Smart Update procedure status and confirm or reject the update.

Here’s the brief usage info for the current CLI command:

plesk ext wp-toolkit --smart-update

    -instance-id INSTANCE_ID|-main-domain-id DOMAIN_ID -path PATH

    [-format raw|json]

Arguments:

instance-id: WordPress installation ID

main-domain-id: Main domain ID

path: The relative path from the domain's document root directory. Example: /subdirectory

format: Outputs the data in a particular format. By default, all data is shown in the raw format. Supported formats: json, raw

Inability to Update Paid Plugins or Themes Notification

You probably remember that in WordPress Toolkit 4.7 we added support for updates of paid plugins and themes. Announcing this change, I’ve mentioned a disclaimer. It’s about WordPress Toolkit not letting users know about certain plugins & themes requiring a license for automatic updates. Starting with WordPress Toolking 4.8, users will be notified about this. That’s if WordPress Toolkit can’t update a plugin or theme and we suspect that it’s because its license is missing.

Unfortunately, there’s no way to notify users about this before the update. So we had to settle for the post-factum message.

Our Research

We’re always researching various things when working on a release. But these activities are never mentioned outside the team for some reason. And I figured it’s time to have a quick glimpse into our investigations. 

Here are some of the more interesting things we looked into:

  • Which issues prevent us from properly supporting CloudLinux on both Plesk and cPanel (spoiler: mostly panel-related things).
  • What is the performance impact of running Smart Updates on dozens of sites simultaneously (spoiler: could be worse).
  • Whether WordPress Toolkit is compatible with the so-called “Must-Use” plugins (spoiler: not really).

We’ll continue our research efforts in WordPress Toolkit 4.9. And I will continue keeping you in the loop.

What’s On the Future

We fixed several customer-reported bugs in WordPress Toolkit 4.8. And we improved product reliability in several places. Our bug-fixing activities will continue in WordPress Toolkit 4.9, alongside with internal improvements. 

During the 4.8 release, we also made WordPress Toolkit on cPanel almost feature-complete. Adding the Data Copy feature, enabling the rest of the security checkers, and so on. We still have quite a lot of things to do before WordPress Toolkit for cPanel is available for the general public. But the finish line is getting closer every day. Besides cPanel stuff, bugfixes, and improvements, WordPress Toolkit 4.9 will also include a couple of customer features. We’re looking at candidates right now. And I think our Uservoice voters should be quite happy with our choices. 

Thank you for reading up to here. And thanks to the whole team for their hard work. Meanwhile, we’ll continue to improve our beloved WordPress Toolkit. See you next time!

Web Application Injection Attack Types Guide

Online attacks have evolved since the internet’s earliest days. Back then, brute force was a go-to solution for bots or individuals with the time to try countless login combinations before they stumbled upon the right ones to enter an application.

However, such brutish attacks pose no issue to users today, due to the proliferation of complex password policies, captchas, etc. Still, cybercriminals still work hard to identify system vulnerabilities and exploit them via new attack types.

This is how injection attacks emerged not so long ago: hackers found that text fields on website pages or applications could be tricked by typing (or “injecting”) unexpected data into them. This would lead the application to take an action it wasn’t meant to.

These injection attack techniques can be employed to enter an application without key access details, and to release personal data. Hackers may even use injection attacks to hijack servers for their own nefarious goals.

That’s why injection attacks pose a threat to applications and those users whose information is contained within. Other connected services or applications could be at risk, too.

In this post, we explore the nine most popular types of injections to help you stay vigilant.

Types of injection attacks

Code injection

A code injection is one of the most popular types of injection attack endangering businesses’ and users’ data. Any hackers which know a web application’s framework, programming language, OS, or database can enter a malicious code into available fields. This enables them to make the webserver behave as they’d like it to.

Code injections tend to be viable on applications with no validation for data entered into a text field. If it allows users to put any information they like into a field, the application can be exploited. That’s why applications have to control what details users can submit as much as possible.

Such tactics may involve limiting the characters accepted or checking the format in which data is entered. Vulnerability to code injection can be simple to identify by inputting different forms of content into a text field. If a hacker is able to exploit a weakness in the code, they may compromise the application’s performance, data confidentiality, and more.

SQL injection

Attackers perform SQL injections by putting an SQL script into a text field, which is passed on to the application and executed. This means attackers can get through entry screens and even gain access to confidential data from an application’s database. They might be able to conduct administrative tasks and change or destroy information.

Applications based on ASP or PHP tend to be at risk of SQL injections because their interfaces are less sophisticated than more updated alternatives (such as ASP.Net or J2EE builds). Attackers can wreak major havoc on applications when they find SQL injection opportunities.

Command injection

Hackers can take advantage of weak validation on input data for command injections, which are different from code injections because the attacker uses system commands rather than scripts or code.

This means that the cybercriminal responsible has no requirement to understand the application’s programming language or that of the database itself. However, hackers do have to be familiar with the hosting server’s OS to be successful.

Any commands inserted will be executed by the OS. As a result, attackers can expose various forms of data, adjust passwords to leave users locked out, and more. However, companies can prevent such attacks with a sysadmin, tweaking the access level for applications running on their server.

Cross-site scripting

Any application which inserts user input in its output without encoding or validating it first creates a chance for a hacker to distribute malicious code to a different user — a move known as cross-site scripting.

Otherwise known as XSS attacks, these involve seizing opportunities to inject harmful scripts into websites which have trust and ultimately sending them to an application’s different users.

For those on the receiving end, their browser will go on to execute the harmful script. Both the user and the browser will have no idea that the script is dangerous. All cookies, sensitive data, and more can be accessed. HTML files may even be targeted, with malicious scripts potentially rewriting some of their content before the user realizes anything’s wrong.

Typically, cross-site scripting attacks can be considered “stored” or “reflected”. In the former, a harmful script lurks on a permanent basis, whether in a server, forum, database, etc., until the browser processes a request for the data stored.

In the latter type, harmful scripts are reflected in responses which include input transmitted to the target server, in the form of a search result or warning message.

XPath injection

Hackers can employ this type of cybersecurity attack when an application utilizes a user’s information to create an XPath query for XML data. These function in a similar manner to the SQL injections covered above — an attacker will distribute corrupted data to an application to identify the way in which its XML data is built. They use a subsequent attack to access the XML data.

As with SQL, XPath is a language in which attackers can specify which attributes they wish to find. Applications utilize a user’s input to create a pattern which the data is supposed to match, and turn this into a process which the hacker aims to apply to the relevant data.

However, unlike SQL, XPath injections can be used on applications relying on XML, no matter how it’s implemented. As a result, hackers can use automated attacks and work towards any number of goals.

Mail command injection

Cybercriminals may choose to leverage this form of attack to take advantage of email applications or servers which build SMTP or IMAP statements with user input which has not been validated effectively.

This is because both types of servers often lack adequate defenses against hackers, and by gaining access to systems via email servers, attackers can avoid security measures (captchas, for example).

So, how do attackers exploit SMTP servers for their own gain? They require a working email account to distribute messages containing injected commands. Vulnerable servers tend to respond to these requests and allow them to override restrictions. Hackers can use it to bombard recipients with spam, further expanding their reach.

With IMAP injection, attackers can exploit applications’ message-read capabilities. All they have to do is submit a URL with relevant injected commands into a web browser’s bar.

CRLF injection

This occurs when an attacker inserts a carriage return and line feed characters (CRLF) in fields on website forms. Those characters (which are invisible) show command or line ends in most standard protocols, including NNTP and HTTP.

As an example, inserting a CRLF and some specific HTML code into an HTTP request could lead a website’s visitors to see custom pages. Attackers can target vulnerable applications which fail to filter user input effectively. This opens a site up to other injection attacks (code injections, XSS) and may lead to it becoming hijacked.

Host header injection

Host headers are essential for servers which host a large number of applications or websites, to identify which of them should process requests coming in. A header’s value informs the server which of the sites or applications should receive the request.

When an invalid host header goes to a server, this is typically sent to the first application or website on the list. This creates a weakness which attackers can leverage to send host headers and manipulate systems.

This is most common with PHP applications, but it can be performed with a variety of web development technologies too. Host header attacks open the door for other attack types, including web-cache poisoning, and could cause negative effects like resetting passwords.

LDAP injection

Finally, let’s talk about LDAP injection.

This is a protocol built to enable resource searching within a network, such as browsing files, devices, etc. Intranets, for example, benefit from this. When applied as a component in a single sign-on system, LDAP injection facilitates the storage of individual passwords and usernames.

An LDAP query involves using specific characters to affect its control, and hackers can transform a query’s behavior by adding their own characters. This is down to ineffective validated user input: if a user enters text into an application before it’s been sanitized, the resulting query may bring up a user list for an attacker to see.

All they’d have to do is place an asterisk in a particular place within an input string.

How to defend against popular types of injections

Injection attacks are targeted at applications and servers with open access to online users, and so application developers and server admins must take responsibility for taking preventative measures.

Developers must recognize dangers related to ineffective user input validation and the best ways to sanitize input to prevent risks. Server admins have to conduct regular audits to pinpoint weaknesses and address them.

DDos Attack Types Guide

DDoS (Distributed Denial of Service) attacks are a common danger for businesses in the digital age, but how do they work?

A DDoS attack is a cybersecurity attack designed to restrict access to an internet service, rendering targeted platforms, websites, or tools useless. Malicious attackers may achieve this by triggering a temporary interruption or suspension of the hosting server’s services, with wide-ranging impacts.

DDoS attacks are typically launched from multiple devices which have been compromised by the hackers. These tend to have global distribution, as part of what is generally known as a “botnet”. This is different to other denial of service (DoS) attack types, which depend on just one device connected to the internet to send a flood of overwhelming traffic to the targeted website, network, etc. There are three types of DDoS attacks:

Application layer attacks

This type of attack is intended to crash a victim’s web server using requests which appear legitimate and non-malicious. It includes GET/POST, low and slow attacks, and more forms of disruption.

Volume-based attacks

With a volume-based attack, hackers aim to saturate a target website’s bandwidth through ICMP (or Ping) or UDP floods.

Protocol attacks

A protocol attack puts strain on resources (servers, firewalls, load balancers) through fragmented packets, Smurf DDoS, and other attacks.

DDoS types which commonly target businesses

Below, we explore some of the types of DDoS attacks that pose a risk to companies in different sectors.

ICMP flood

An ICMP (or Ping) flood is made to overwhelm a targeted resource with ICMP Echo Request packets. Essentially, unlike other DDoS types, this one sends a high number of packets as quickly as possible — but without taking time to wait for any replies.

As a result, ICMP flood attacks may consume a business’s incoming and outgoing bandwidth as servers will try to use ICMP Echo Reply packets to reply. This can ultimately cause major slowdown in systems.

UDP (User Datagram Protocol) flood

Essentially, a UDP flood is a DDoS attack which causes a storm of UDP packets with an intent to cause floods in a remote host’s ports randomly.

Such an attack can cause hosts to continually search for application listening in certain ports. When applications aren’t located, the host will reply with an ICMP “destination unreachable” packet — which consumes resources and potentially causes inaccessibility.

SYN flood

This DDoS attack type is unleashed to take advantage of a vulnerability in the TCP connect sequence, in which a SYN request to trigger a TCP connection to the target host needs to be responded to with a SYN-ACK reply. It is then to be confirmed by the requester’s ACK response.

In this DDoS attack type, a requester would launch a number of SYN requests but doesn’t respond to the SYN-ACK response or triggers the requests from a spoofed address. In any case, the host system is left waiting for each request’s acknowledgement — leaving resources bound until no fresh connections can be initiated. This leads to a denial of service.

Slowloris

A Slowloris is an attack designed to help one web server bring another down without having an effect on other ports or services within the network targeted. How? By keeping as many of the target server’s connections open for as long as it can, by making connections to the server but sending just partial requests.

So, a Slowloris keeps sending HTTP headers without ever completing a request, and the server keeps all of them open. Eventually, this creates an overflow in the connection pool and causes denial of additional connections from innocent clients.

POD (Ping of Death)

The so-called ping of death is a DDoS attack type which involves sending several malicious pings to a target computer, giving recipient hosts oversized packets, which overflows those memory buffers which have been allocated for the received packet. This leads to denial of service for any packets which may be legitimate.

This works on the basis that an IP packet’s maximum length is 65,535 bytes, but Data Link Layers typically impose limits on a maximum frame size. In ping of death attacks, a massive packet becomes separated across more than one, causing the recipient host to reassemble it into the oversized packet.

HTTP flood

Attackers use HTTP floods to target an application or web server by taking advantage of HTTP GET or POST requests which may appear genuine.

This type of attack doesn’t involve malformed packets or spoofing, and puts less strain on bandwidth than other DDoS types. HTTP floods tend to be most impactful when forcing an application or server to allocate all of the resources available in response to all requests.

Zero day

Zero day types of DDos attacks refers to all new or unknown forms of threats, which depend on vulnerabilities for which patches are yet to be issued. Hackers usually exchange zero day opportunities regularly.

NTP amplification

Attackers use an NTP amplification to target Network Time Protocol servers and overwhelm them with UDP traffic. These DDoS attacks are described as “amplification”-based because of the query to response ratio.

This tends to be between 1:20 and 1:200 or higher, enabling attackers to achieve major disruptions if they have access to multiple open Network Time Protocols.

What causes hackers to launch DDoS attacks?

In a relatively short period, the types of DDoS attacks covered above have become the most common form of cybersecurity risk. Both their number and volume have grown in the past few years: while briefer attacks are the norm, they often involve a larger packet-per-second volume overall.

So, what drives the attackers?

Industry rivalries

Businesses may leverage some of these DDoS attack types to disrupt a competitor’s service or website, to improve their own market performance. For example, one online retailer may employ a DDoS attacker to bring a rival site down ahead of a crucial Black Friday or Cyber Monday sale event.

Divergent beliefs

Some hackers, referred to as “hacktivists”, launch DDoS attacks to disrupt businesses they may disagree with (in terms of workers’ rights, for example).

Cyber attacks on enemy nations

A government may authorize a DDoS attack to cause issues for other countries’ infrastructures or websites, for their own gain.

Extorting money

DDoS attacks may be initiated as a means to secure money from a business, such as through ransomware.

For thrills

Hackers could create and launch their own DDoS attacks to get a short-term rush, with no sympathy for the people they affect.