When you see a question like the one I’ve posed here, chances are the first thing that comes to mind is the concept of a bad neighborhood. I’m going to talk about that, but there’s more to the story that you might be interested in. Let’s dig deep.
Let’s start off with the bad neighborhoods, since I’ve already mentioned it as a concept. It’s pretty simple as a concept as well. The idea is that when you’re on shared hosting, you have one IP address that is shared amongst all the sites on that shared server. For some hosts, that might be five sites, ten sites, twenty sites. For other web hosts, particularly the cheaper hosts that have lax terms of service, that could be 100 sites, or 1,000 sites, or in one cited example from Google that I’ll link to later, 26,000 sites.
Now, if there are 1,000 sites on your shared server, and 999 of them are spammy blogs, porn sites, thin affiliates, and other black hat abusers, it seems like an easy thing for Google to just solve the problem by delisting or demoting everything on that IP address. 999 bad sites removed, 1 good site removed, it’s just a little bit of collateral damage.
Of course, the problem here is that an IP address is pretty easy to change. Just about every web host, in their documentation, has an entry like this one giving you instructions on how to change your IP for your site. It’ll take a couple days to propagate, probably, but spammers don’t care about that. A day or two of downtime in between months of making money through their low-effort sites is an easy decision.
Google doesn’t really pay attention to IP address as a factor for SEO or for spam on it’s own for exactly this reason. If they were to blacklist IP addresses, they run into all sorts of problems. Good sites removed with the bad is probably their number one concern, but there’s also the possibility of the spam sites disappearing and people buying up space when the web host recycles it. If they ban an IP that had 100 bad sites on it, those 100 sites disappear, and 100 good sites take their place, they would have to repeatedly check to relist those sites. It’s a lot of work for a very temporary benefit.
The word from Google’s mouth directly is the same. Matt Cutts posted on his blog when people asked a question about shared IPs versus dedicated IPs.
His post is from 2006 and refers to a post from 2003, an interview with Google’s then-director of technology.
The myth that he’s talking about is that shared IP addresses are worse than unique or dedicated IP addresses. Now, if you’re like me and figure an answer from 2006 isn’t likely to still be valid eleven years later, I found a slightly more recent version. This is where the mention of a shared server with 26K websites comes in; this video from Matt Cutts from 2010.
He does mention that being the one single “good” site on a server full of exclusively bad sites will tend to invite more scrutiny. Google will take a closer look at that site to see if it’s just some goober who registered on a server they had no idea about, or if it’s a spammer trying to use that page as the money site for a private blog network, or something of the sort. Basically, by being the one good site in a bad neighborhood, you’re inviting deeper investigation.
That said, if Google doesn’t find a reason to actually penalize your site, being in a bad neighborhood alone won’t do it. It’s only if you’re using gray hat techniques or a few minor black hat techniques that they’ll take a harsher look at you. Basically, consider it a tiebreaker, but nothing more.
If you want yet another opinion, one that might matter to you is Cloudflare. The way Cloudflare works is by inserting itself between the user and your server, which means your IP is shown as a Cloudflare IP shared between a wide variety of sites, some of which are definitely not the type you want to associate with. They say in their FAQ that generally speaking you won’t be penalized for using that kind of shared IP address.
That said, you aren’t going completely without risk when you’re using a shared server on a web host. For one thing, it’s possible that your web host doesn’t have your server configured properly, as mentioned in that interview up above. If your host configuration is wrong, you might eat penalties meant for other sites. More likely you simply won’t gain benefits you otherwise would, but there are potential issues at hand.
More importantly, you run risks of malware and of being the target of spoofing.
As far as malware is concerned, you’re on a shared server with who knows how many other websites. Now, the typical way to do this is to have every website segregated from each other by using sandboxed virtual machines. This way even if a hacker breaches one site, they find what looks like a dedicated server to wreak havoc on. That one site gets wrecked, but other sites on that server don’t see a problem. However, if your web host isn’t using proper segregation, security, and sandboxing, a breach of the server could be a breach of all sites using that shared hosting.
Even if sandboxing is in place and hackers can’t directly hurt your site, they can use up server resources. This can mean there are fewer resources available for your site. Load times will be slower, or you could be a victim of a DDoS attack aimed at someone else.
There are also potential issues with email spoofing. Email addresses are similar to domain names in that they are largely used to mask IP addresses. If you know the IP address of a site, you can often visit that site without using the domain name.
I’m not an expert in the technical processes behind email, but it’s possible that someone who knows the relevant IP address can make legitimate-looking spoofed emails to phish people, either within your company or within your customer base. It’s also possible that someone could be using your IP address for a spam email campaign. If that IP address is added to a blacklist for spam, your company would be caught up in it.
You can solve this – companies get themselves blacklisted all the time – but it generally becomes a couple of days worth of hassle and restricted email usage within the company. If nothing else, it wastes a lot of time.
One of the biggest benefits of a dedicated IP address is that it’s a lot easier to set up SSL. In fact, prior to around 2007 or so, it was actually impossible to set up an SSL security certificate on a site with shared hosting. SSL used to require a unique IP address, because the certificate was for that IP address. If you were on a shared host and got a certificate, you would be essentially adding security for everyone on the server, which would be like vouching for the trustworthiness of neighbors you’ve never met before. “I’m sure they’re great people” isn’t a good argument when they’re caught eating human flesh or something.
The solution to the problem is called SNI, or Server Name Indication. It was initially implemented in 2004 as a patch to OpenSSL. It was added to active edevelopment in 2006 and back-ported to a broader audience in 2007. Most browsers and servers have supported SNI since 2006, though some didn’t start supporting it until later. Blackberry’s browser didn’t support it until 2013, Apache didn’t adopt it until 2009, and Microsoft’s IIS picked it up in 2012. At least, that’s what I’m getting out of this table.
You also have the site speed concern. As I mentioned above, being on a shared server means sharing server resources with an unknown number of other websites. If some of those sites are using an excessive amount of resources, it can squeeze out other sites. If a post on some site goes viral and it crashes the server that your site is also on, well, your site is down too.
Most servers get around this by putting resource caps on the sites sharing a host. The caps tend to be flexible, but still low enough to prevent running out of resources for the other sites. Generally, that means a site will go down under the strain before it takes down the server, and the server will throttle that traffic to protect the other sites.
Of course, not all servers are configured properly, and there’s no way of knowing that until something breaks.
With a dedicated server and a dedicated IP address, you don’t have to worry about someone else squeezing you out of your bandwidth or CPU processing power. You just have to worry about going too viral and crashing yourself.
The reverse is true as well. If you go too viral, or are the subject of a DDoS attack, your web host is likely to throttle or restrict access to your site until things quiet down. This is true even on a dedicated server, but the thresholds are much lower on a shared server, because they have other sites to protect. One post going viral on a dedicated server will work fine, but on shared hosting might take your site down for hours.
There are other benefits to running a dedicated IP address. Occasionally, for example, you’ll find a handful of scripts or old programs that require a dedicated IP to function. If your IP address is shared, the script might not know how to proceed to the right site.
Many of the associated problems with shared servers are easier to mitigate on a dedicated server. If you’re on a shared IP and your email stops working, you have to wonder first if you were blacklisted due to something you did or the actions of someone else on your server. If you’re on a dedicated IP address, you already know that it’s something you did, and you can fix it right away.
Basically, you can get away with using a shared server if the costs of a dedicated host and IP are too much for your budget, but you might encounter a bunch of problems you wouldn’t otherwise have. It comes down to the host, of course, and how much they enforce their ToS against black hat actions.
The only way that a “bad neighborhood” is likely to come back to bite you, though, is if you’re already toeing the line. It’s harder to hide your black hat actions when there’s already scrutiny on you; you lose security through obscurity. If you’re sticking to white hat trends, though, you’re probably fine either way.