There are definitely many webhosting companies around, some of them good and most bad :) How to choose between them in terms of security?
You will always probably need to ask for a trial account so be able to see more information. But first - is the webhosting overselling it's resources? Will you get 100GB or even more space? No hosting can offer you that for typical $5-10/month. They just don't have that capacity, hoping you majority of customers will not use it. Avoid them.
What access methods does the hosting provide? Simple FTP? Avoid at all cost! Make sure at least encrypted FTP is provided, it is always better to use SCP/SSH though. I don't expect most providers to provide SSH access but if they do, good for you, because you will be able to use Drush and versioning systems then.
If the hosting doesn't provide public PHP Info page, simply create an empty file and put this code inside:
Upload it and browse it at it's URL. PHP information will pop up.
What PHP version is used at the hosting?
Disable your FTP account, turn your computer off, bury it 2 metres deep and wait at least a month. No seriously, avoid PHP4 at all cost. Not only it's insecure, it's also unsupported in Drupal.
PHP 5.1 is pretty recent and used in Red Hat Enterprise Linux 5 / CentOS 5 distributions, that's why it is used on a lot of webhosting servers. It is, however, unsufficient for modules like Date. You should prefer hosts with PHP 5.2 (for Drupal 6) or require PHP 5.2 for Drupal 7.
PHP 5.2 is minimum required version for Drupal 7 and preferred version for Drupal 6.
Again, check PHP info page:
Look for Server API line in the output. If it reports "Apache ... handler", it is running as mod_php, if it reports "CGI", it is running as CGI/FastCGI. I would consider FastCGI a bit more secure for shared hosts since it allows separating the users more easily. That doesn't mean that mod_php is generally insecure - there is no problem with it on dedicated hosts or almost none when configured properly - see below.
Suhosin is a great PHP security extension (see our blogpost on installing Suhosin). It protects against various buffer overflows and other insecurities in PHP.
Serious webhosts should have Suhosin installed, especially with mod_php.
Even if open_basedir directive is considered a flawed concept, it still helps a lot. Check for the directive. Does it have something like /var/www/mydomain.com? Good. You shouldn't be allowed access outside your home directory, not even to /tmp.
What disabled_functions does the installation have? This is a list of all functions that you should have disabled:
proc_nice,popen,proc_get_status,dl, pcntl_exec, pcntl_fork, pcntl_signal,
pcntl_waitpid, pcntl_wexitstatus, pcntl_wifexited, pcntl_wifsignaled,
pcntl_wifstopped, pcntl_wstopsig, pcntl_wtermsig, socket_accept,
socket_bind, socket_connect, socket_create, socket_create_listen,
Directive allow_url_fopen disables or enabled opening URLs in fopen() function. That is usually very insecure due to programming errors. My opinion: avoid hosting providers that leave this directive enabled.
Safe mode currently does more harm than good. It doesn't matter if enabled or not. I prefer disabling it.
Register globals directive is Off by default. Again, bury your laptop 2 metres deep if you find a host with this directive On.
This is it for now. There are few more things to check with a safe hosting provider but these are the main ones. You can always contact the host and ask them "What exactly do you do for safety of your customers?".
Jakub is owner and founder of Dynamite Heads. Jakub is a member of Drupal Security Team and supports Czech Drupal community at Drupal.cz