Many shared hosting sites execute any active content web page code with a common user ID, typically that of the web server, "httpd", "apache", or "nobody".
While that approach avoids the overhead of changing user ID before executing code, it creates a very insecure environment for two reasons:
- It makes it necessary for you to allow public write permissions for any file that needs to be updated from the web.
- If a hacker compromises one site because of bad code, they instantly have access to every site on the server.
We execute all of your dynamic content with your user ID. The means that only weaknesses in your own code can compromise your website. Weaknesses in other customers code won't affect yours.
It also means that your data files do not have to be writable by the world, they can and should be set to only be writable by your own user ID. This protects them from modification by other clients or hackers that have compromised other clients web sites.
The overhead of changing user IDs does not significantly hamper the speed of our server because we've used fast hardware and in-memory caching facilities with enough memory to allow almost everything to execute from memory rather than disk.
Our average page load speed is 56ms, and worst-case is around 180ms. This is significantly faster than the majority of Internet sites in spite of the added security.