Trust Keeper Vulnerabilities
lasalette-shrine
07-06-2009, 02:34 PM
My site has received 1 High and 2 Medium security vulnerability issues. We are a non-profit and as such do not have an IT person on staff. The HIGH vulnerability states that SSH version 1 should be disabled. The first MEDIUM issue references "OpenSSH X11 Hijacking vulnerability" and calls for "instructing OpenSSH to use only IPv4 or IPv6 by adding 'address family inet' or 'address family inet6' to sshd_config." The other MEDIUM issue states "Apache Username Probing" and calls for disabling the UserDir directive in the Apache config file. I would be grateful for any help anyone can suggest.
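The three findings in the post map onto two real sshd_config directives (Protocol and AddressFamily) and one httpd.conf directive (UserDir). The following POSIX shell audit is an added example, not code from the thread, from Trust Keeper or from Bluehost: it reads those two files, reports each of the three findings, and returns the number of open findings as its exit status. The weak and corrected sample files, the file names and the report wording are constructed here so the script runs stand-alone. It honours the two different override rules (sshd uses the first value of a keyword, Apache the last) but deliberately ignores Match blocks and Include directives.

```shell
#!/bin/sh
# Added example: audit sshd_config / httpd.conf for the three scan findings
# (SSH protocol 1, OpenSSH AddressFamily, Apache UserDir). Sample files are
# constructed below; nothing here is from the original thread.

# Effective value of a directive, ignoring comment lines.
#   $1 = file, $2 = directive name (matched case-insensitively),
#   $3 = "first" (sshd_config: first value of a keyword wins)
#        or "last" (httpd.conf: a later line overrides an earlier one).
directive_value() {
  awk -v key="$2" -v mode="$3" '
    /^[[:space:]]*#/ { next }
    tolower($1) == tolower(key) {
      v = $2
      for (i = 3; i <= NF; i++) v = v " " $i
      if (mode == "first" && found) next
      val = v; found = 1
    }
    END { print val }
  ' "$1"
}

# True when only protocol 2 is enabled. Older OpenSSH releases enabled both
# protocols when no Protocol line was present, so an empty value is a finding.
ssh_protocol_ok() {
  v=$(directive_value "$1" Protocol first)
  [ "$v" = "2" ]
}

# True when sshd is pinned to one address family, the workaround the scan asks for.
ssh_addressfamily_ok() {
  v=$(directive_value "$1" AddressFamily first | tr 'A-Z' 'a-z')
  [ "$v" = "inet" ] || [ "$v" = "inet6" ]
}

# True only for a bare "UserDir disabled". "UserDir disabled alice" keeps the
# feature on for everyone else, and no UserDir line at all leaves mod_userdir
# at its built-in default, so both count as findings.
apache_userdir_ok() {
  v=$(directive_value "$1" UserDir last | tr 'A-Z' 'a-z')
  [ "$v" = "disabled" ]
}

# $1 = sshd_config path, $2 = httpd.conf path.
# Prints one line per check; the exit status is the number of open findings.
audit() {
  n=0
  if ssh_protocol_ok "$1"; then echo "PASS  SSH protocol 1 disabled"
  else echo "FAIL  SSH protocol 1 enabled: set 'Protocol 2' in $1"; n=$((n + 1)); fi
  if ssh_addressfamily_ok "$1"; then echo "PASS  sshd restricted to one address family"
  else echo "FAIL  AddressFamily not restricted: set 'AddressFamily inet' (or inet6) in $1"; n=$((n + 1)); fi
  if apache_userdir_ok "$2"; then echo "PASS  mod_userdir disabled"
  else echo "FAIL  UserDir enabled: set 'UserDir disabled' in $2"; n=$((n + 1)); fi
  return $n
}

# Constructed sample files: the weak settings a scanner flags, and the fix.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

cat > "$WORKDIR/sshd_config.weak" <<'EOF'
# Protocol 2
Protocol 2,1
Protocol 2
AddressFamily any
X11Forwarding yes
EOF
# (the commented line is ignored, and the second "Protocol 2" is ignored
#  because sshd keeps the first value it reads: the effective value is "2,1")

cat > "$WORKDIR/sshd_config.fixed" <<'EOF'
Protocol 2
AddressFamily inet
X11Forwarding no
EOF

cat > "$WORKDIR/httpd.conf.weak" <<'EOF'
<IfModule mod_userdir.c>
    UserDir public_html
</IfModule>
EOF

cat > "$WORKDIR/httpd.conf.fixed" <<'EOF'
<IfModule mod_userdir.c>
    UserDir disabled
</IfModule>
EOF

echo "== weak configuration =="
audit "$WORKDIR/sshd_config.weak" "$WORKDIR/httpd.conf.weak" || true
echo "== corrected configuration =="
audit "$WORKDIR/sshd_config.fixed" "$WORKDIR/httpd.conf.fixed" || true
```

On shared hosting of the kind discussed in this thread you cannot edit these files yourself, so the script is mainly useful on a dedicated server, or to confirm from a copy of the config what a scanner is actually objecting to before arguing a false positive with the vendor. Run it as `sh audit.sh`; to audit a live system, call `audit /etc/ssh/sshd_config /etc/httpd/conf/httpd.conf` instead of the sample files.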
EricJ
07-06-2009, 03:25 PM
On one hand:
If you need to edit httpd.conf and sshd.conf on your server, etc., you'll need to get a dedicated server. Those types of edits can't be carried out on Bluehost, because it is a shared host, so all of the actions on those files affect everyone on your server, and BH won't allow you to edit them.
Dedicated servers run about $140/month on the dirt-cheap side (and you get what you pay for: dirt cheap = downtime, slowness (most of the time)).
On the other hand:
Bluehost has some of the best system administrators I've ever seen anywhere. Even if your 'security scan' is returning positives, it could be a false positive. It is perfectly possible (providing the code you're running is secure) for you to have a secure website.
Check this out: http://helpdesk.bluehost.com/kb/index.php/kb/article/000511
for some great tips on securing your website. If you've taken steps to secure your code, I would say you are perfectly fine. But that is just my opinion.
Early Out
07-06-2009, 07:13 PM
I'll confess up front that I don't know much about this subject, but a key question comes to mind. Are you actually processing credit card payments on your site, or are you using a typical gateway (like PayPal or Authorize.net)? If the former, it may not be possible to alter the shared hosting environment enough to satisfy the requirements of something like Trust Keeper. If the latter, I think it may simply not be necessary, since your site isn't actually dealing with sensitive financial information.
dkinzer
07-07-2009, 09:32 AM
"I think it may simply not be necessary, since your site isn't actually dealing with sensitive financial information."
There has been quite a bit of confusion regarding when a site does or does not need PCI Compliance. What it boils down to is: if any scripts that run on your site are exposed to any sensitive customer data, then you need to be PCI Compliant.
You can avoid the need for PCI Compliance by implementing your credit card processing so that it utilizes a third party, PCI Compliant, site for gathering the sensitive data from the customer and then authorizing the transaction, returning only a success indicator to your site. There are many examples of such a third party processor, PayPal is but one.
Moreover, you may be able to get a passing PCI Compliance scan from one approved vendor even though another approved vendor won't give you a passing scan. Much depends on how they perform the scanning and how they handle the false positives.