WordPress Security
Sensible layered security for peace of mind.
Installation
When your account is first created we install WordPress directly from the latest stable and secure release at WordPress.org. Your login credentials are never transmitted through insecure email. This ensures that your site is built on the most solid of foundations from day one.
Hardening
Most attacks focus on the low-hanging fruit of security vulnerabilities. With this in mind, your account is configured using a number of best-practice approaches.
- FTP is disabled by default in favour of the more secure SFTP. We also operate our own SFTP lock mechanism that disables upload activity until you explicitly enable it in your control panel.
- You will note that our install paths are slightly different from vanilla installations of WordPress. For both our own management purposes and for security, core files are locked down to prevent unauthorised modifications, and the upload folder is set up to prevent certain file types from being executed from a web browser.
- We manage most of the updates on your WordPress account too. By default your account is set to update automatically on a daily basis when new plugin versions are released. The only thing we don't update is themes; you will need to review these yourself.
Aegis
Aegis is the collective name for a range of components that come together to provide layered, real time, adaptive security to your WordPress website.
Web application firewall
We run a dedicated instance of mod_security on your WordPress VPS, protecting only your hosted sites. The mod_security WAF is enabled with our own in-house curated rule set based on OWASP. mod_security works together with fail2ban and firewalld to provide comprehensive protection against common hacks and attacks.
Brute force login protection
To protect against automated login attacks, we detect and block these attempts in real time. Repeated login failures result in temporary IP bans via fail2ban, with increasingly longer bans for repeated failed attempts.
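As an added illustration (not the provider's own fail2ban configuration), the following Python sketch reproduces the escalating-ban behaviour over constructed access-log lines: failures inside a time window are counted per IP, and each successive ban for the same IP doubles in length up to a cap. The thresholds, the doubling factor, the log format and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache-style log lines (not real traffic): failed wp-login.php POST = 200, success = 302.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
198.51.100.4 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:14:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:14:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
203.0.113.7 - - [10/Oct/2023:14:10:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3121
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def is_login_failure(method, path, status):
    return method == "POST" and path.startswith("/wp-login.php") and status == 200

def escalating_bans(log_text, maxretry=3, findtime=60, bantime=600, factor=2, cap=86400):
    """Mimic fail2ban's maxretry/findtime with a ban that doubles on each repeat offence."""
    recent = defaultdict(list)    # ip -> timestamps of failures inside the window
    ban_count = defaultdict(int)  # ip -> bans already issued to this ip
    bans = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if not is_login_failure(method, path, status):
            continue
        window = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        if len(window) < maxretry:
            recent[ip] = window
            continue
        duration = min(bantime * factor ** ban_count[ip], cap)  # escalate, then cap
        bans.append((ip, ts, duration))
        ban_count[ip] += 1
        recent[ip] = []  # start counting afresh once the ban expires
    return bans
```

Running `escalating_bans(SAMPLE_LOG)` yields a 600-second ban for the first burst and a 1200-second ban for the second, while the single successful login from the other address is ignored.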
Brute force XML RPC
Packet flooding is controlled via fail2ban; bursts of multiple requests in quick succession will trigger a fail2ban rule and temporarily block the offending IP address. mod_security will also trigger on unusually sized and incorrectly formatted requests.
Scanning and proactive protection
We run daily scans of all our managed WordPress hosting accounts and check plugins that have been opted out of automatic updates, or cannot be updated automatically, against https://wpvulndb.com. If we detect anything listed as a potential security hole, our system will automatically notify you. Our support team are available 365 days a year should you have any queries at all.
SSL/TLS/Let's Encrypt
We provide every managed WordPress account with free SSL security and encryption as standard. For every new domain on our platform, an SSL certificate can be generated with one click from the WordPress admin control panel. Once the SSL certificate is generated, port 443 is used for all traffic to take advantage of HTTP/2.