Security. It’s probably one of the most hotly discussed topics in the WordPress ecosystem – if not the computing world, full stop. Sadly, it’s probably also one of the least intelligently understood, certainly where WordPress is concerned. You’ve probably heard the spiel before, “I’d like to use WordPress to power my website, but it isn’t secure”, or, “I keep hearing about hacked WordPress websites, I need something more secure for my business.”
Let’s be very clear up front, WordPress deploys as a highly secure and robust piece of software. In fact, the WordPress core team do an amazing job of keeping such a widely used platform as secure as can be. Once WordPress is installed though, and put in the hands of the end user, the resulting entropy can result in all manner of usability and security concerns.
Which is why we built our managed WordPress hosting platform with security in mind. This post covers the essentials of our security policy for our latest plan.
Updates, updates, updates
You’ve probably heard about keeping your site updated. You’ve probably heard about it until you’ve fallen asleep, woke up, and still found yourself being lectured. The importance of updates cannot be underscored enough. As I mentioned, the WordPress core team do a fantastic job of keeping the main WordPress engine secure. New holes are patched quickly, and security fixes are routinely issued. These are not to be ignored. Then there are all the other elements that comprise your site, such as the plugins and themes; not to mention the server itself and the various moving parts such as Apache and MySQL.
Keeping on top of the myriad patches, fixes and updates can be challenging even for the most focused of users, which is why our WordPress hosting comes with updates completely managed and maintained by 34SP.com.
We manage all of this with a proprietary in house system that also has granular user control should you ever need a setting different to what we think is sensible. As standard the following settings are applied:
Server and OS: automatic updates enabled and performed on a daily basis
WordPress core: automatically updates with a one week delay from the release date
WordPress plugins: automatic updates enabled and update daily
WordPress themes: automatic updates disabled
In each of these instances, the user can enable or disable updates; add a delay from when the update is released to when we apply it (hey, testing is good sometimes!); and fine tune the email notifications they receive from 34SP.com when updates are applied, or updates are ready.
WP Simple Firewall
One of the joys of WordPress is not having to re-invent the wheel and being able to quickly deploy world class features from the open source community. WP Simple Firewall is just that – a fabulous security system that we deploy as standard on each account. This plugin adds a number of important and useful security components to your WordPress website including:
- Blocking malicious URLs and requests to your site with a specialized WordPress firewall
- Blocking automated spambot comments
- Hiding your login page
- Preventing brute force attacks on your login and also any attempted automatic bot logins
- Support for Two-Factor Authentication
- Monitoring of login activity and restriction of username sharing
- Detailed audit trail logging
We don’t install this plugin as a MU plugin, so you’re free to enable/disable as your own security needs see fit.
What’s better than one layer of security? Many layers! In addition to protecting WordPress at the application level, we also deploy a secondary firewall to protect your account at the network level too. For this we use the CloudFlare firewall, which blocks threats and malicious traffic before it even hits your WordPress container.
One benefit of relying on CloudFlare is their network intelligence derived from powering millions of websites. If they see a threat among that vast installation of sites they can apply that knowledge to every other site. Extra bonus points: using CloudFlare also reduces load and strain on your server as WP Simple Firewall never even has to kick in – the threat is neutralized by CloudFlare long before it sees your server or uses its resources.
It goes without saying that there are super simple practices that can prevent the majority of attacks. Hacked sites are rarely comprised by the Hollywood-esque lone hacker in a darkened room, maniacally laughing as they delete your site line by line. Security intrusions are mostly the result of automated computer systems probing the web for simple exploits. Much like a burglar targeting a home, it’s far easier to just check for the odd forgetfully-unlocked back door, than it is to smash the front windows and draw attention. It’s these low hanging fruit targets that hackers focus on in the vast majority of attacks.
With this in mind, at sign up we automatically create a random username and password for your site – there’s no default ‘admin’ user for hackers to prod away at. We also offer a secure WordPress dashboard launcher from within our own control panel, so you don’t even need to remember the login.
FTP is banned in favour of SFTP access only; plus we also enable our proprietary FTP lock tool that prevents any and all SFTP/FTP upload access to a 34SP.com account until you dictate otherwise via the 34SP.com control panel.
It goes without saying that the end user can also get involved with security here too. If you must change our randomized password – strong passwords are key. Make them long, make them random, and make them different to any other password you use. While you’re at it, make sure any machines you use to access your WordPress account are virus and trojan free and only ever access your WordPress dashboard over SSL.
Just in case the odd weak password does get employed we also use Fail2Ban on every account which monitors login attempts. If the software spots an IP address supplying invalid login credentials 5 times in a row, the IP address is blocked at the firewall level. This prevents brute force login attacks, where a computerised system attempts to log into a website at furious pace with tens of thousands of password attempts per hour. Just in case the failed login was a genuine user error – the lockout only lasts for an hour. Enough to stop hack-bots, but sensible enough to let a real user back in.
Just in case something does get through those layers of security, we run daily scans using WPscan which in turn relies on the exhaustive WordPress Vulnerability Database. If our scanning tool ever detects anything that might be of concern, we will send you an automated email with the details. Feel free to then get in touch with our support team and we can review it together.
No system connected to the Internet is ever going to be 100% secure from hackers. Don’t believe anyone who tells you otherwise. Amongst the millions of lines of code that comprise the OS, WordPress, plugins and themes there will always be undetected exploits and security holes just waiting to be uncovered. You can take every single precaution and still end up with a hacked site.
In these cases, there might be nothing left but to restore from a clean backup. With our managed WordPress hosting accounts we take weekly backups of all your site data, and retain at least the last 30 days’ worth, ready for you to restore from. We also strongly encourage you to take offline copies too, because even backups can fail.
If you take sensible precautions, use best in class plugins/themes and stay on top of updates you’ll likely never see a hacked site, and never need to rely on your backups. The chances of a well maintained site being hacked are very low; again, hackers tend to go after the easy targets.
Next up, I’ll talk about the advanced feature set of our new WordPress hosting plan. Stay tuned.
* – during beta some features are not yet build out 100%, items marked as such are still being rolled out.