Blog

  • Hidden Data in The Spanish Economic Crisis

    Spain has been all over the press this weekend with a 100 billion euro bailout agreed to by Eurozone finance ministers. I spent the last three days in Spain and I find the coverage I’m reading somewhat disconnected from reality.

    I drove down to Madrid from where I live in Southern France and spent Thursday, Friday and Saturday morning there, then drove back home and spent Saturday evening in Pamplona where the San Fermin festival starts in a month with the running of the bulls.

    Madrid is a shining jewel in Europe. The city is immaculately clean and has a wonderful mix of new buildings like the Cuatro Torres that make for a spectacular modern skyline juxtaposed against gorgeous old buildings like the Royal Palace.

    Walking in the Parque del Oeste where the Egyptian temple of Debod was moved to save it from the Aswan Dam, the park is filled with locals who have come out at night for their evening walk. Kids playing, groups of older women or men walking together, lovers in a quiet secluded spot in the park. Everyone is happy and full of life.

    Driving around Spain there is an incredible amount of active road construction and the roads that aren’t being worked on are in great condition with many spectacular bridges.

    Pamplona was absolutely heaving with party-goers on Saturday night including a huge Spanish rock festival, packed bars and pubs and streets literally filled from wall to wall in the older part of town – and the newer part was full of locals out for their evening walk. I visited a heavy metal bar with an Iron Maiden cover band doing a terrible rendition of Maiden’s older stuff and the standing-room-only crowd loving every second of it.

    While in Madrid I got chatting to a local shopkeeper and went out on a limb and asked her about the informal or under-the-table economy in Spain. She explained that many people are employed off the books. I asked why, speculating that the tax in Spain is very high. She explained yes that’s one reason, but taxes are higher in Italy where she’s originally from. Another reason is to keep getting social benefits like a housing benefit. She also said it’s popular to pay someone only 70% of what they’re really paid into their bank account and the rest in cash to avoid tax.

    More evidence that there’s a thriving off-the-books economy is that when we stayed in Madrid, we rented self catering accommodation. The proprietor asked that we pay the roughly 200 euros bill in cash.

    All the economic indicators used to describe the “Spanish crisis” and provide rationales for bailing out Spain or to predict how bad the “coming collapse” will be don’t take the informal economy into account. It also makes it difficult to understand the needs of the Spanish people, what the GDP really is, how dependent they really are on social programs and what Spain’s real ability is to service its debt.

    To some the informal economy in Spain may seem to be immoral because conventional wisdom holds that one should “pay your taxes” and put your money in a safe place like a bank. But the Spanish people seem to be discovering a way to live without banks and government visibility on how much they earn or what they do with their money. I suspect many of the government assistance programs are over subscribed and do little to serve their intended targets.

    It makes one wonder who the Eurozone is really bailing out.

  • Introducing Wordfence, the Ultimate WordPress security plugin.

    Exec Summary: Last year this WordPress blog was hacked which led me to discover the timthumb vulnerability you may have heard of. I fixed timthumb and worked with Ben, the author to release timthumb 2.0. Then I started work on Wordfence, what I hope will be the best security plugin in the business for WordPress. Wordfence is now completing beta testing. Install it, it’s free and it will help protect your site and keep you off Google’s malware list and in the search results. For beginners: you install Wordfence by going to your WordPress blog’s “Plugins” menu, clicking “Add New” and searching for “Wordfence”.

    Full Post:

    Last year on August 1, this WordPress blog was hacked. Thankfully I caught it quickly enough to stay off Google’s malware list. I retraced the hacker’s steps and discovered a zero day vulnerability in many WordPress themes and plugins in the form of a popular image resizer called timthumb.php.

    So I rewrote timthumb.php and worked with the author of timthumb and some of the WordPress team to merge my code into timthumb and we launched it as timthumb version 2.0.

    But getting hacked made me realize that as awesome as WordPress is, it can do security better.

    So I dropped everything and spent the last few months writing what I hope will be the last word in WordPress security.

    A few days ago I quietly released Wordfence into the WordPress plugin repository. Since then I’ve been working with some amazing WordPress publishers to make Wordfence even better and I’ve been rapidly rolling out improvements, enhancements and (yes, believe it or not) a few bug fixes. I’d say Wordfence is getting close to finishing Beta testing at this point.

    Except for two (rather minor) features, Wordfence is completely free. It is also backed up by a cluster of cloud based scanning servers that do most of the heavy lifting to keep your site running super fast.

    Here are some of the more notable ways Wordfence enhances your WordPress security:

    • Scans your core files against a reference copy which I maintain in our cloud servers.
    • Lets you see what has changed, how the file has changed and even repair it.
    • Scans your comments, posts and all files including core, themes, plugins and everything else under your WordPress root directory for malware, virus signatures, vulnerabilities and (very importantly) URLs that are known to host malware or viruses.
    • I want to re-emphasize the last point. Wordfence keeps known dangerous URLs, including ALL URLs that are on Google’s safe browsing list, out of your comments, pages, posts and files. This is by far my favorite feature because it’s virtually guaranteed to keep you off the dreaded red-page-of-death-malware-list that Chrome and Google use to ban sites.
    • Wordfence comes with a complete firewall that lets you set up rules based on the type of traffic and either throttle or block offenders with an SEO safe 503 (come back later) HTTP message.
    • Another favorite feature of mine is that you can block fake Google crawlers. I actually added this after I tested Wordfence on this site because I couldn’t believe how many scrapers were pretending to be Googlebot. So now they are all instantly blocked.
    • Wordfence uses Google’s recommended reverse-forward DNS verification to sift the fake Googlebots from the real ones.
    • It includes login security against every form of brute force attack out there including abusing your lost-password form.
    • And what’s the point of having all this awesome security if you can’t see who is visiting, who’s getting blocked and what humans and robots are doing? So Wordfence includes real-time traffic that wait..for…it…
    • …Includes crawlers, scrapers, robots and all non-human traffic. Something you can’t get from Google Analytics or any other Javascript based analytics package.
    • I’ve even broken out Googlebot, other crawlers, 404 errors, humans and there’s an All Hits view.
    • And of course it includes commercial grade city-level geolocation which is another feature that comes from our cloud servers.
    • Wordfence is also built using much of the knowledge I’ve gained building Feedjit’s real-time analytics so it is careful to minimize any impact on network, website and MySQL database performance and keep your website running super-fast.
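The reverse-forward DNS check mentioned in the list above can be sketched as follows. This is an added example, not Wordfence's code: the function names and the constructed DNS records (documentation address ranges) are assumptions, and the two suffixes are the crawler domains Google has published for this check.

```python
import ipaddress
import socket

# Reverse-DNS suffixes Google has published for its crawlers.
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def system_reverse(ip):
    """PTR lookup through the system resolver; hostname or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def system_forward(hostname):
    """A/AAAA lookup through the system resolver; set of address strings."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except (OSError, UnicodeError):
        return set()


def verify_googlebot_ip(ip, reverse=system_reverse, forward=system_forward):
    """Return (verified, reason) for one client address."""
    try:
        client = ipaddress.ip_address(ip)
    except ValueError:
        return False, "not an IP address"
    # Step 1: reverse lookup. The PTR name must sit under a Google crawler domain.
    host = reverse(str(client))
    if not host:
        return False, "no PTR record"
    host = host.rstrip(".").lower()
    if not host.endswith(GOOGLE_SUFFIXES):
        return False, "PTR outside Google crawler domains"
    # Step 2: forward lookup. Whoever owns an address block controls its PTR
    # records, so the name only counts if Google's zone maps it back to the
    # same address.
    resolved = set()
    for addr in forward(host):
        try:
            resolved.add(ipaddress.ip_address(addr))
        except ValueError:
            continue
    if client not in resolved:
        return False, "forward lookup does not return client IP"
    return True, "reverse and forward lookups agree"


def classify_request(ip, user_agent, reverse=system_reverse, forward=system_forward):
    """'other' if the UA does not claim Googlebot, else 'verified' or 'fake'."""
    if "googlebot" not in user_agent.lower():
        return "other"
    ok, _reason = verify_googlebot_ip(ip, reverse, forward)
    return "verified" if ok else "fake"


# Constructed DNS data standing in for a resolver so the example runs offline.
SAMPLE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",
    "198.51.100.7": "host7.scraper.example.",
    # PTR set by the address owner to look like Googlebot.
    "203.0.113.5": "crawl-203-0-113-5.googlebot.com.",
}
SAMPLE_A = {
    "crawl-192-0-2-10.googlebot.com": {"192.0.2.10"},
    "host7.scraper.example": {"198.51.100.7"},
    # No forward record exists for the look-alike name above.
}


def sample_reverse(ip):
    return SAMPLE_PTR.get(ip)


def sample_forward(hostname):
    return SAMPLE_A.get(hostname, set())


if __name__ == "__main__":
    ua = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    for ip in SAMPLE_PTR:
        print(ip, classify_request(ip, ua, sample_reverse, sample_forward),
              verify_googlebot_ip(ip, sample_reverse, sample_forward)[1])
```

Calling `verify_googlebot_ip(ip)` without the last two arguments uses the system resolver; results are worth caching per address, since each check costs two DNS round trips.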

    Most importantly, Wordfence comes with a commercial license if you prefer first-class support and support forums for free users including a generic WordPress security forum where I’m happy to answer general config questions.

    Improving WordPress security is going to be a marathon, not a sprint. I’m in this for the long haul. So check out Wordfence now by installing it on your blog and work with me to make the Web and WordPress more secure.

     

  • Life without privacy

    If one were to extrapolate where we will be 100 years from now, I think the most profound difference between then and now may be an almost complete absence of privacy.

    Arthur C Clarke collaborated with Stephen Baxter on a novel called “The Light of Other Days” which describes the development of a camera for consumers based on wormhole technology that allows anyone to see anywhere in 3 dimensional space, and to also move the camera backwards or forwards in time. So besides witnessing the birth of Jesus, one can see what your neighbor was doing three weeks ago in their bathroom.

    They explore how the impact of this technology modifies social behavior and accepted norms.

    We’re heading into this world at a pace that defies belief. Your cellphone contains a GPS that tells the world where you are at any moment, whether you like it or not. If you are one of the 845 million active users on Facebook, there is a record of who you are, your history and your relationships that puts to shame every national security database that ever existed. We have Google maps providing satellite coverage of most of the planet with street level views constantly updated.

    The latest development that has the potential to make Google’s coverage of the Earth real-time is that the FAA will integrate unmanned drones into United States airspace by 2015. To put this in perspective, the lowest low earth orbiting satellites are roughly 100 miles (160km) above Earth. All Google satellite imagery you see is taken from at least that distance and only on a cloud free day. Unmanned drones can reduce that to 500 feet (150 meters) or less, depending on how the FAA decides to regulate them. They can also take photos at a far more acute angle, providing images similar to Google’s street level.

    Consider the amount of street level coverage Google has provided by manually driving vans around the USA and the rest of the world, and then remove the need for a human driver, increase the speed and add three dimensional space with its lack of traffic signals, greater space and point to point navigation.

    Privacy may become similar to music and movies. The RIAA and MPAA are trying to enforce a value system that worked before digital media became instantly reproducible and redistributable. What if we find ourselves trying to enforce a societal value system that worked before information about individuals became instantly and always available?

    Eric Schmidt’s comments back in ’09 that “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place,” may prove to be the new social norm we live by 100 years from now.

  • Blogger to customers: Your blog will now run on multiple domains so we can censor it

    The world’s largest blog host by a wide margin, Blogger (or Blogspot.com) has now actively started redirecting visitors to top level country domains (ccTLDs) based on which country they are in.

    I run a real-time analytics service and we have roughly 700,000 Blogspot customers. At 1AM on January 30th (UTC time) we saw a huge number of new domains appearing on our radar. Most of these were new blogspot domains ending in the .in top level country domain and we saw several others.

    The way this new configuration works is as follows. If you have example.blogspot.com as your blog:

    • If visitors arrive from a country in which this is not enabled by Blogger, they will see example.blogspot.com as per usual.
    • If visitors arrive from a country that has requested, or may request in future, that Google censor content, the visitor is redirected to example.blogspot.ccTLD, where ccTLD is replaced with a country top level domain. This is example.blogspot.in in India or example.blogspot.com.au in Australia, for example.

    The effect of this is:

    1. Blog owners are likely to be looking at their blog on a different domain to their visitors. E.g. you will see your blog on example.blogspot.co.nz if you are in New Zealand and your visitors will be visiting your blog using domains like example.blogspot.co.za, example.blogspot.in, example.blogspot.com.au, etc.
    2. Because your blog now lives on multiple domains, your content is duplicated on the Web. Google claim they deal with this by setting a canonical tag in your HTML content that points to the .com domain so crawlers will not be confused.
    3. Your visitors are now spread across as many websites as Google has top level country domains for Blogger. Rather than having a single page about bordeaux wines, you instantly have 10 or 20 pages about bordeaux wines, they’re all identical in every way except the URL and your visits are spread evenly across them.
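For an analytics pipeline that suddenly sees one blog under many country hostnames, the hits can be folded back onto the .com URL that the canonical tag points to. This is an added example, not code from the post or from Blogger; the hostname pattern is an assumption built from the shapes listed above (`.in`, `.com.au`, `.co.nz`, `.co.za`), and the sample hits are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, urlunsplit

# Assumed shape of a country-redirected host: <blog>.blogspot.<cc> or
# <blog>.blogspot.(com|co).<cc>, where <cc> is a two-letter country code.
# Anchored at both ends so look-alike hosts such as
# example.blogspot.in.evil.example are left alone.
_CC_HOST = re.compile(r"^(?P<blog>[a-z0-9-]+)\.blogspot\.(?:(?:com|co)\.)?[a-z]{2}$")


def canonical_blogspot_url(url):
    """Map a country-domain Blogspot URL to its .com form; other URLs unchanged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    match = _CC_HOST.match(host)
    if not match:
        return url
    netloc = match.group("blog") + ".blogspot.com"
    if parts.port:
        netloc += ":%d" % parts.port
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def aggregate_hits(urls):
    """Count page views per canonical URL."""
    return Counter(canonical_blogspot_url(u) for u in urls)


# Constructed page-view log: one post seen through four hostnames.
SAMPLE_HITS = [
    "http://example.blogspot.com/2012/01/bordeaux-wines.html",
    "http://example.blogspot.in/2012/01/bordeaux-wines.html",
    "http://example.blogspot.com.au/2012/01/bordeaux-wines.html",
    "http://example.blogspot.co.nz/2012/01/bordeaux-wines.html",
    "http://example.blogspot.in.evil.example/2012/01/bordeaux-wines.html",
]

if __name__ == "__main__":
    for url, count in aggregate_hits(SAMPLE_HITS).most_common():
        print(count, url)
```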

    A URL or Uniform Resource Locator has always been a canonical string that represents the location of a page on the Web. Modifying the world’s largest blog hosting service to break this convention in order to enable Web censorship, by Google no less, leaves me deeply concerned. I can only speculate that either Google is throwing Blogspot under the bus, or Google’s view of their company and its role on the Web has become deeply flawed.

  • Everyone has a plan until they get hit

    “Everyone has a plan until they get hit.”

    ~Mike Tyson.

    Studying French for 1.5 months and then arriving in France thinking I’m a badass knowing how to sling a few sentences together was a notion rudely trussed, cooked, carved up and served back to me on a giant silver platter called humility by a certain French checkout girl yesterday at Decathlon.

    I’d already been to the Bordeaux Apple Store (which is awesome), Animal’s World for pet supplies (also awesome), Orange and Ikea and flattered by people taking my money into thinking that I’m doing OK. Standing at the back of the line at Decathlon at the end of the day a checkout girl hurls a handful of words at me and waits while the entire line turns around and stares at me. I completely froze and couldn’t utter a word of French. I leaned over and in squeaky English said “I don’t speak French” and wanted to die. She gesticulated wildly at the line next to me and I walked over there and she stopped gesticulating. I still have no idea what she said.

    I started today screwing up my first verb “parlez” instead of “je parle” after I was sure I’d at least get that right. Learning French and actually speaking it is like going from boxerobics to Mike Tyson swinging at your head.

  • France Notes Day #1

    I’ve moved to South Western France for a year (The Bordeaux region) and will be keeping a few concise notes on my experience getting here and living here. Mostly bullet form and you’re welcome to ask me anything in the comments.

    • French embassy in San Francisco is great for visas but make sure you have absolutely all paperwork presented exactly as they ask for it. It took us roughly 4 weeks after our appointment to get a long stay visa granted.
    • Getting pets into Europe means you need to get a USDA certified rabies vaccination certificate for all of them. It cost us over $1000 to get all this done. We got domestic health certs too even though we didn’t strictly need them.
    • The folks at Delta or on the US side didn’t ask for any of the pet certs.
    • We transported the two cats in the cabin under the seats in front of us, although putting them under my legs turned out to be more comfy.
    • We used this pet carrier for the cats after much research – size large. It’s 12 X 12 by 18, the largest Delta takes, and it changes shape so you can smoosh it into place. Here’s a product link.
    • Joey travelled in a medium sized crate in the hold. I used ice as usual in his water bowl so it wouldn’t spill during loading. Two absorbent pads, one for pets in the base, his cushions, then adult incontinence pads on top of his mattress.
    • None of the pets used the loo on the 10 hour flight from SLC to CDG in Paris.
    • On the French side customs didn’t even take a second look at us as we walked into the customs hall with 3 pets. I walked up to the desk. Got completely ignored, so walked onto French soil with my 3 pets and $1000 of documentation not being examined at all.
    • Both the Delta, Salt Lake City TSA folks, French Delta and French airline and security staff were really amazing about letting us watch our dog board and deplane, and just being really friendly and helpful.
    • We hired a van and drove down to Blaye, a small town outside Bordeaux where we’re spending the next year. Eurocar was unbelievably slow and it’s not because we’re special, they have a reputation with just about anyone who has rented a car at CDG in Paris.
    • The GPS in the van caused more trouble than it helped – next time I’ll just use the blue signs.
    • French cars are unbelievably fuel efficient, this was a large diesel van and the 5 hour drive from Paris to Bordeaux only used half a tank of gas. Americans take note.
    • As far as I can tell there are no photo speed cameras on the A10, they manually pull you over, but I’ll let you know in a few weeks as the tickets arrive.
    • As usual the French roll up the sidewalks at 9pm, and small towns are dead off-season after 7pm, so absolutely nothing was open when we rolled into Blaye at around 8pm.

    I was in Blaye for 3 weeks about 2 months ago and knew no French. It was really frustrating in the sense that I wasn’t able to really communicate with all the people I met. And in a small town where everyone is really friendly, it’s doubly frustrating.

    So I threw myself into learning French starting about 1.5 months ago. I’m using Michel Thomas beginner, advanced and language builder tapes. He’s a former Nazi prisoner of war, then turned interrogator of Nazi guards, then language tutor to Hollywood stars. Towards the end of his life (he died in 2005) he put his lessons on CD’s which are truly amazing for learning a language, particularly French. I’ve worked through all the basic and intermediate material he created and am working on advanced verb forms, grammar etc. Arriving in France this time around and being able to have a basic conversation in my peasant French is an amazing experience.

    Here’s an amazon link to a few of his products. There seem to be 10 CD sets that I don’t recognize, but just get the beginner audio program which is at least 8 CD’s. I’ve used the 8 CD beginner/intermediate program and I’m halfway through the 4 CD advanced program. I intend to do the language builder at some point, but I’m building up my vocab on my own time.

    If you have doubts about how amazing this program is, check out the BBC documentary on YouTube titled “Michel Thomas, language master”.

    We need to visit the OFII in the next week or so to register as residents. I’ll keep taking notes that will hopefully help someone else who decides to spend some time here. I’ll also be writing an entry on working remotely including French bandwidth, cell networks, etc.

     

  • To borrow or not to borrow: Thoughts on US government debt

    A reputable investment bank approaches you and says they’ll lend you as much money as you want for a very low interest rate. The rate depends on how long you want to hang onto the cash:

    • 1 Month will cost you 0.01% APR interest
    • 6 months: 0.07%
    • 1 year: 0.11%
    • 5 years: 0.88%
    • 10 years: 2.02%

    If you earn 3.5% on the money over 5 years which simply keeps pace with US inflation, when you pay back the principal you will be able to keep a 2.62% annual return on whatever you borrowed, based on the 5 year borrowing rate above. So if you borrow 1 million over 5 years you earn $138,046.62 in pure interest over 5 years (compounded annually).

    Sounds like a pretty good deal right? $138K earned 5 years from now for nothing. I’d take it, assuming I could find somewhere to invest the money that would give me a 3.5% return, which shouldn’t be too hard.

    However, if I’m fiscally irresponsible and rather than investing the cash I’m likely to spend it on hookers and blow, then it’s probably a bad idea for me to borrow as much as I can.

    However, if I am that irresponsible and have a history of being a nut job, the interest rate that the investment bank charges me on my borrowings will reflect my lifestyle and will be more like 30% APR which is what many credit card companies charge once you’ve missed a payment.

    The interest rates above are what America currently pays to borrow money. It’s the treasury yield curve rates. They are below inflation which means that the rest of the world pays the United States to store their money. And the United States makes money if they can get a very moderate return on any of that cash they invest. If the return simply keeps pace with inflation, they’re rolling in dough.

    The interest rate the United States gets charged reflects how investment banks, sovereign wealth funds, companies and individuals feel about the United States “lifestyle” or fiscal and monetary level of responsibility.

    So the question is: Can our country borrow trillions of dollars, put it to work in a responsible way and make out like a bandit? Or will it spend it all on hookers and blow and leave our grandkids in the hole struggling to pay off the principal?

    Footnote: The answer to this question is usually along ideological lines. Keynesian economists like Paul Krugman who dominate the Democratic party will say Hell Yes! Government knows best and should borrow like there’s no tomorrow. Hayekian economists like Russ Roberts and economic conservatives on the other hand will tell you that the private sector knows best, government should limit its size and balance sheet and should never engage in massive borrowing no matter how low the interest rate or the potential return on investment, because it’s not government’s place to act like an investment bank.

    Footnote2: I’m still feeling pretty good about my bull market prediction yesterday and am now long Apple (AAPL). I’m expecting it to churn during the next 6 months and have an 18 to 24 month price target of $550 (bought at $418).

  • Bull On.

    I am long the stock market. I’ve been accumulating stock in businesses I understand for the last month or two. Why? I’m predicting a bull market starting in the next 12 months.

    My reason for writing this is purely selfish. I want to be able to say I told you so. I’ve also been predicting armageddon for the last 10 years in the USA and it’s getting boring.

    Here’s why a bull market is imminent:

    • We’ve so far dealt with a crisis in housing, money markets, mortgage backed securities, credit default swaps, commercial real-estate, municipal bonds, hedge funds collapsing due to over-exposure, the collapse of many small banks and collapse or almost-collapse of many larger ones, the risk of the FDIC running out of cash, our own country’s budget crises, legislative deadlock and sovereign debt crises both in the USA and Europe.
    • We’ve shone sunlight on all financial crises and there appears to be nothing coming down the pipeline except the latest report that China isn’t going to grow as fast as it was. Oh poo. Hell, the municipal bond crisis in the USA turned out to be the best performing fixed income investment in 2011 returning over 10%. Turns out local governments managed to cut costs, increase revenue and actually pay their debts.
    • American consumers have been paying down debt since 2008 and are flush with cash.
    • The DOW has been flat for 10 years. If you invested in the DOW 10 years ago your money is now worth 20% to 30% less in inflation adjusted terms.
    • Housing has flattened out and even Shiller is beginning to sound mildly optimistic that house values will start heading up within 12 months.
    • In real terms (inflation adjusted terms) housing isn’t down 30%, it’s down more like 45%. There isn’t anywhere else to go.
    • US corporations are more profitable than they’ve ever been and are priced attractively by any measure: P/E, P/S, Price/Book, etc. Companies like Intel are getting so frustrated at the crappy valuations they’re getting that they’re borrowing money to buy back their own stock and are paying 3% on debt rather than a 4% to 5% dividend yield.
    • Europe doesn’t really matter and isn’t that bad. To use a recent example from James Altucher, Greece to the European economy is like Rhode Island to the USA. It just doesn’t matter.
    • Unemployment is 8.5%. During the great depression it was 25% so enough with this “things are so bad” bull. Even if you assume 16% real unemployment if you factor in those that have stopped looking for work, it’s still nowhere near great depression levels.
    • Besides reducing our debt, everyone I know has been living frugally and actually accumulating cash.

    When I say I’m long the market, I’m long specific stocks that are awesome businesses, have growth potential, have a monopolistic like advantage that makes them very hard to compete against. Two examples:

    • Intel (INTC): Basically they have a monopoly on server CPU’s world wide. I’m betting that the massive growth in data centers world-wide is going to continue to drive record revenue at Intel. The machine you’re reading this on has a 90% chance of having an Intel CPU inside. More importantly, the data center that served this page is full of Intel CPU’s and it keeps growing.
    • Amazon (AMZN): I love Jeff Bezos. There, I said it. He almost literally gives investors the finger and just puts his head down and keeps growing. Amazon’s revenue growth in the last 10 years has been stellar and consistent. Bezos is investing heavily for the future, including building his own platform and app store to compete with Apple and Google and continuing to expand warehouse capacity. The business is also wonderfully diversified into retail, cloud services and digital media. AMZN is valued using Price/Sales since it doesn’t have net income to speak of or dividend yield, and in historical terms the P/S is low right now.
    • Apple (AAPL): So I was avoiding this stock just because there’s way too much hype around it, but turns out it’s undervalued in historical terms. Check out AAPL’s P/E for example. Also check out Apple’s market cap relative to Microsoft’s peak market cap in late 99 early 2000’s. If Apple is truly the next big platform, it’s cheap when you adjust MSFT’s peak market cap for inflation.

    Other businesses I’m interested in: WalMart, Costco, Visa (although I don’t understand financial stocks so will probably avoid).

    Keep in mind I’m taking an 18+ month view on these companies and to me a 10% annual return would be spectacular considering a 2 year CD will give you 1.2% if you’re lucky. I’m also comfortable losing the principal – I have a strong stomach for risk.

    Disclosure: I’m currently long Intel and Amazon and will probably go long on Apple as soon as the current rally dies.

  • Guns, lots of guns

    So for my Xmas present I got a gun handling course from my wife for the two of us. I wouldn’t normally write about this, but the course was so impressive that I thought I’d say something.

    It was at BlueCore in Denver which is run by a handful of ex special forces folks including former Navy SEAL Eric who took our booking and who we chatted to on arrival. [No jarhead, he rocks long blonde hair.]

    Our trainer was Tom who is a competitive shooter and has competed on a national level. His teaching style is awesome – totally relaxed and he knows his subject very well.

    We played with two 9mm handguns and an AR-15 assault rifle.

    The course was a full 2 hours one-on-one instruction starting with half an hour classroom instruction. Much of their approach can be applied to rifles or handguns so you don’t have to re-learn when you switch. e.g. Their rapid load and fire technique applies to both rifles and handguns.

    After 1.5 hours of instruction we were starting with hands flat on the table, target starts moving towards you, pick up assault rifle, load magazine, cock, empty 5 rounds until mag is empty, put down, pick up 9mm, load mag, cock, empty 10 rounds in rapid succession all while the target keeps coming towards you.

    After 2 hours we walked out there and couldn’t believe how much there is to gun handling. We could both just spend a year at the range working on our 9mm accuracy with the knowledge Tom gave us.

    So if you want to learn about guns and are in Colorado or passing through, check out http://blucoreshootingcenter.com/

    Disclosure: I don’t own any guns and don’t have a gun license.

  • WordPress Security: Which is more secure? A VPS or a VHost?

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    In web server admin parlance, a VPS is a Virtual Private Server and a VHost is a virtually hosted website. There were a few questions regarding security on VPS’s and VHosts in my previous post on “Seven ways I could hack into your WordPress website”, so I thought I’d clarify what the difference is between WordPress hosted on a Virtual Private Server (VPS) vs WordPress on a Virtual Host (VHost) and what the security implications are of each configuration.

    A Virtually Hosted Website (VHost)

    In the early days of the web, you would have a single physical machine running a single operating system running a single web server. That web server would serve up a single website.

    HTTP 1.0 introduced the optional “Host:” header and HTTP 1.1 made it mandatory with any web request that a browser sends. The effect of this is that when a web browser sends a request to any web server, it lets the server know which website it wants to see. Because web servers know what website a browser expects, they can now host an unlimited number of websites. This is called virtual hosting.

    When you have a virtually hosted website, you are sharing a single server and operating system with many other websites. Your files and the files of other websites are stored on the same operating system. You all share the same web server and the server chooses which of your websites it needs to serve based on what a web browser requests when it connects to that web server.

    Usually on a virtually hosted website, you won’t have access to other website files and they won’t have access to yours. This is usually done by giving you a unique username that you use to sign in and your username only has permissions to view your files.

    A Virtual Private Server (VPS)

    A VPS is a little different. Normally when you install any operating system, you install it directly on a machine like a server or workstation. With a VPS, you first install a base operating system like Windows or Linux. Then you install a virtual machine hosting platform called a hypervisor. Examples of hypervisors are VMware and Xen.

    Within the Hypervisor you can then install multiple virtual machines. These pretend to be physical hardware and when you boot them up you get a BIOS message similar to when you boot up a physical machine.

    Within these virtual machines you can then install an operating system like Linux or Windows. Using this config you can have potentially hundreds of virtual machines running on a single physical machine.

    So to summarize, you have a physical machine running an operating system which runs a hypervisor which runs multiple virtual machines and each virtual machine runs its own operating system. Within these operating systems you run your own web server, have the files for your website and do anything else you feel like doing. It’s impossible for someone on another virtual machine to access your virtual machine.

    Linode is one of the most popular virtual machine hosting providers and they use the Xen Hypervisor to host Linux virtual machines.

    So which is more secure?

    By now you’ve probably already figured it out: Running your own virtual machine that is completely segmented from everyone else is usually the more secure option. Here are a few reasons why:

    1. If your web host messed up the machine configuration or permissions, then other users may be able to access your files.
    2. If another user’s WordPress installation gets hacked, it may be possible for the hacker to gain read or in rare cases read and write access to your files.
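Both reasons above come down to file permissions on the shared operating system, which a site owner can audit for themselves. The following is an added example, not code from the post or from Wordfence: it walks a WordPress root and reports entries that any other account on the host could modify, plus a `wp-config.php` that any other account could read. The function names and the sample tree are constructed for illustration, and the hardened modes assume the web server runs PHP under the site owner's account.

```python
import os
import stat
import tempfile

SECRET_FILES = {"wp-config.php"}  # holds the database credentials


def audit_tree(root):
    """Return sorted (relative_path, issue) pairs for risky permission bits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            # "Other" write bit: every account on the shared host can change it.
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable"))
            # "Other" read bit on the config file exposes the DB password.
            if name in SECRET_FILES and mode & stat.S_IROTH:
                findings.append((rel, "world-readable secrets"))
    return sorted(findings)


def build_sample_tree(root, hardened=False):
    """Create a constructed WordPress-like tree with weak or hardened modes."""
    content = os.path.join(root, "wp-content")
    uploads = os.path.join(content, "uploads")
    os.makedirs(uploads)
    # path -> (weak mode, hardened mode)
    layout = {
        "index.php": (0o644, 0o644),
        "wp-config.php": (0o644, 0o600),
        os.path.join("wp-content", "uploads", "photo.jpg"): (0o666, 0o644),
    }
    for rel, (weak, strong) in layout.items():
        path = os.path.join(root, rel)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, strong if hardened else weak)
    # Set directory modes explicitly so the result does not depend on umask.
    os.chmod(content, 0o755)
    os.chmod(uploads, 0o755 if hardened else 0o777)


def demo(hardened=False):
    """Build the sample tree in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, hardened)
        return audit_tree(root)


if __name__ == "__main__":
    for label, hardened in (("weak", False), ("hardened", True)):
        print(label)
        for rel, issue in demo(hardened):
            print("  %-35s %s" % (rel, issue))
```

Point `audit_tree()` at the real document root to run the same check on a live site.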

    Another thing I like about having a VPS instead of a VHost is that you have your own IP address. On the Internet, IP addresses can get blacklisted, particularly if you’re sending email. If your web application sends email e.g. if you’re using the WordPress “Subscribe to Comments” plugin, then your emails may be flagged as spam if another user on the same server is sending a lot of spam.

    With a VPS you have your own IP address, so as long as the IP address wasn’t already black-listed when you got it from your web host (I’ve seen it happen) then only you are responsible for how that IP address is perceived on the Net.

    In conclusion: While VPS’s tend to cost slightly more (about $20/month from Linode), they are well worth the extra cost when it comes to protecting your website and your reputation. As always please post any questions in the comments and I’ll either answer them directly or in a future post.

    Caveat: I have generalized greatly when it comes to VPS and VHost configurations. There are many variants including Type I and Type II Hypervisors, shared hosting where a single OS hosts one web server instance per website and many more. I’ve described two common VPS and VHost configs above for illustrative purposes, however the VPS config I describe is probably the most common configuration used by VPS providers.