OK, I am thinking of not running my own web server and having a web hosting company do it. They probably do a better job.
Does anyone know if my site's contents would be safe from even the web host's snooping administrator? I wouldn't want them seeing my database's login and password. Nor do I want them seeing all my code.
Pretty hard to achieve total security if you are using a cheap shared hosting site.
If you are running a dedicated server, a virtual server, or a virtual server on Amazon EC2, it may be possible to get close to total security.
What it would take: first, you need to be running an https:// site with SSL/TLS encryption and an SSL certificate, so anyone capturing the data stream out of the computer cannot interpret it. If your site is an unencrypted port 80 website, then the host can capture and view everything you send.
Secondly, the website and database could be mounted on a TrueCrypt drive, with only the httpd (Apache) server having rights to access it.
Last, you would have to lock down the password of the httpd server and MySQL user so that only you can access it, and you might have to manually mount the TrueCrypt drive and start the httpd via an SSH terminal, so you can avoid putting the password on the server. That would mean that if the hosting company ever restarts the server, the site would be down till you restart it.
In spite of all the precautions, it may still be possible for a hacker in the hosting company to find a way into your httpd user account and to see the data.
So yes, a server that you physically control is more secure - as long as someone doesn't break in and pinch it.
And if they do regular backups, are the backups for my eyes only?
The TrueCrypt drive will look like random noise to anyone without the login credentials, so the hosting company can back up your server and it doesn't matter who sees it.
I have the impression, for the most part, that web hosts are locked out of my site. I believe they can shut my site down, but they don't have access to go in and change stuff inside my web's htdoc directory. Is that true?
No, it is not true.
Richard.