I've been having a good root around for info on this topic.
What's surprising is that there doesn't seem to be a collation of advice, so it's quite hard work, particularly when considering the date of the info.
Here's what I found:
1. Physical servers
Couldn't find mention of security implications, only speed.
2. Server maintenance staff
Surprisingly not a great deal of discussion; perhaps because there's nowt you can do about it... but views were expressed that they could get at your data.
I used to be a troubleshooter in the UK, and got a contract to fix a treasury vault door system... the door was amazing - massive in the true sense.
The sys was crap - I asked for the code to (maintain the charade), but when they didn't give it to me (what?) I simply bypassed the code to open & close the door.
I just hope it's a little bit harder for server admin chaps.
3. The O/S
Berkeley Software Distribution is considered the most secure server OS.
They claim only two remote holes in the default install (in 15 years to date).
I see Rackspace provide BSD hosting.
4. How the O/S is coded to create the domain
I'm not sure about this re: rnd me's statement 'pre-set actions you defined in the private server's http interface'.
Is this accomplished using htaccess file?
If so, this is available in GoDaddy, so presumably it's the norm.
5. Provided Software
The advice here is pretty obvious - the latest versions are key.
Set PHP register_globals OFF: in PHP 6 there will not even be a Register Globals setting.
6. How the developer codes instructions
Lots of info on this, but it comes down to using best practice.
7. The no choice - 'this is how you code it' elements
Same here - it does seem that PHP contains a good deal of risk.
Escape the input using the function mysql_real_escape_string before sending the SQL query - was mentioned. Presumably it is just lazy programming if you don't.
(points 6 & 7 are the same thing)
8. Encryption of transmitted data
Recommended is both SSL encryption between DB & client and similar encryption when saving to the DB. I noted with interest that:
'having only a certain page that contains sensitive information (such as a log-in page) of a website loaded over HTTPS, while having the rest of the website loaded over plain HTTP will expose the user to attacks'.
Presumably the drawback could be painfully slow page delivery.
9. Dual servers 'public and private'
This was interesting - I was searching for something like secure server hosting and this came up: www.1freehosting.com/
A totally free server, whose blurb talks more about security than any of the server hosts I've looked at - see their FAQ & Features.
Perhaps a server where the DB could be hosted, and it's free... for ever...
There has to be a catch.
But even if it is speed - the DB comms would typically be just a few bytes.
What do you think?
10. Other measures to increase security
Nothing further here.
Overall: a few snippets of useful info, but probably an improved focus on what areas to delve deeper into, whilst eliminating others.
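The query-building advice in points 6 and 7 above, as an added example that is not part of the original post. It contrasts raw concatenation, escaping the input before concatenation (the mysql_real_escape_string approach the post mentions; the old mysql_* extension was removed in PHP 7.0, and PDO::quote() is its equivalent here), and a prepared statement with bound parameters. It uses PDO with an in-memory SQLite database so it runs offline; with MySQL the same PDO calls apply and only the DSN changes. The users table, its rows and the two inputs are constructed for the example, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not code from the original thread. Assumes pdo_sqlite.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users (name, email) VALUES ('alice', 'alice@example.test')");
    $db->exec("INSERT INTO users (name, email) VALUES ('bob', 'bob@example.test')");
    return $db;
}

// 1. Raw concatenation: the untrusted value becomes part of the SQL text,
//    so a quote inside it changes the statement's structure.
function findByNameConcat(PDO $db, string $name): array
{
    $sql = "SELECT name, email FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Escape first (what the post recommends). PDO::quote() wraps the value
//    in quotes and escapes it for the connected driver, the way
//    mysql_real_escape_string() did for the old mysql extension.
function findByNameEscaped(PDO $db, string $name): array
{
    $sql = 'SELECT name, email FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Prepared statement: the SQL text is fixed and the value is bound
//    separately, so it is only ever treated as data.
function findByNamePrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$benign  = 'alice';
$hostile = "x' OR '1'='1";   // constructed input containing a closing quote

printf("concat,   benign:  %d row(s)\n", count(findByNameConcat($db, $benign)));
printf("concat,   hostile: %d row(s)\n", count(findByNameConcat($db, $hostile)));
printf("escaped,  hostile: %d row(s)\n", count(findByNameEscaped($db, $hostile)));
printf("prepared, hostile: %d row(s)\n", count(findByNamePrepared($db, $hostile)));
```

Run with `php example.php`. The concatenated version returns one row for the benign name but every row for the hostile one, because the WHERE clause has become always true; the escaped and prepared versions return no rows for it, since no user is literally named that. Of the two safe forms, prepared statements are the one to standardise on: escaping has to be remembered at every call site and depends on the connection's character set, whereas a bound parameter cannot alter the query no matter what it contains. On the register_globals point: the setting was removed in PHP 5.4, so on any current release there is nothing to switch off, but any code that still relies on request variables appearing as globals needs to be rewritten to read $_GET, $_POST or $_COOKIE explicitly.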