The question is in the subject. If I am running a Bitcoin website, how do I ensure that the webhost doesn't steal bitcoins on the server or replace an address displayed on my website with their own? I know I can encrypt the wallet, but that would prevent the server from automatically paying out. Multisig helps (since the buyer or seller need to agree with what is happening to the money) but the multisig information can still be replaced with that of the webhost.
What is the solution? Do websites like localbitcoins.com do something special?
If you just want to receive money then you can minimize your risk to "what if the host changes my addresses." Meaning you don't have to store bitcoins on the server. You can just generate addresses off a master public key or extended public key of a deterministic wallet.
Edit: Oh and you can setup a watchdog script on a second server hosted by another company. This script will periodically check your site to make sure that the addresses generated are ones you own.