Was your WordPress hacked before or even worse, is it under attack? We are always learning and applying new security methods to make sure our hosting environment is safe. Everybody knows that servers need to be as safe as possible in order to keep websites up and running and to protect the data of website owners and their clients alike. But at the same time, many hosting companies don’t take care of server security properly. We are not one of them.
Ports are used for communication between server and the end user through various apps. But sometimes this communication can be malicious if some “bad” data is sent through the ports by the attacker.
To make sure we prevent that, some ports which can be exploited but are not actually used, are blocked.
“Host-based intrusion detection system” (also known as “HIDS”) is a system that monitors and analyzes the internals of a computing system as well as the network packets on its network interfaces.
One of such systems is “OSSEC” and we use it on our server. It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response.
Getting spam messages to your email or WordPress comment section will not only annoy you and your users, there is also a great chance some of the users will accidentally click on some of the links from those messages. Links which are very often malicious in nature.
We are using two different levels of spam protection:
1. Server level – our server firewall is connected to the most popular anti-spam tools which collect data on spam activities world-wide and share it with us in real-time – “The Spamhaus Project”, “Project Honey Pot” and “DShield”.
2. Website level – each WordPress installation on our server has multiple levels of spam protection:
1. Cloudflare firewall – Your website joins network of sites that reports and protects against IPs and methods involved in spam activities
2. Spam protection plugins
3. Spam protection tweaks
Server firewall is the first line of defense against bad activities on every server. That is why we constantly work on improving our firewall’s features and performance.
We are using two different firewalls:
1. Server firewall – it provides multi-level protection for our server, including advanced brute-force and spam protection.
2. Web application firewall (WAF) – every website we host uses Cloudflare firewall. It protects your site users from common malicious activities like SQL injection attacks, cross-site scripting, cross-site forgery requests, DDoS attacks, brute-force attacks and spam. It also provides cache and content delivery network (CDN) services which improve the performance of your website significantly.
“Brute-force attack” consists of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly.
This type of attack can be prevented by limiting the number of password entering attempts allowed, by blocking the IP addresses which are participating in way too many password entering attempts or by blocking/limiting any service which attackers can exploit to brute-force (example: XML-RPC).
We are using two different levels of brute-force protection:
1. Server level – local brute-force protection system connected to the server’s firewall. It limits password entering attempts for server-side services such as FTP, SSH, emails etc. When the user is blacklisted due to too many attempts, he is prevented from making any requests to the server.
2. Website level – each WordPress installation on our server has multiple levels of brute-force protection:
1. Local Brute Force Protection – Your WordPress limits password entering attempts and blocks repeat offenders
2. Network Brute Force Protection – Your website joins networks of sites that report and protect against IPs and methods involved in brute-force activities (“iThemes Brute Force Protection Network” and “Cloudflare” )
3. Hide Backend – Prevents access to default WordPress login pages, wp-login and wp-admin
4. Strong Password Enforcement (optional) – Forces users to use strong passwords (as rated by the WordPress password meter)
5. XML-RPC block (optional) – Blocks XML-RPC requests that contain multiple login attempts
Server or website malware can create many different problems. Redirecting users to malicious websites, making users download malicious content without even knowing, sending spam messages across the internet or attacking other servers/websites. This type of behavior very often ends up with websites being blacklisted by Google and other search engines, de-listing them completely from search result pages.
To prevent all of this, we use both free and premium malware scanning and cleanup tools and we scan our server daily. Tools we use are ConfigServer eXploit Scanner (CXS), Linux Malware Detect (Maldet) and Sucuri Malware Scanner.
Common mistake a lot of WordPress owners and developers make is a lack of core, theme and plugin updating. The fact everything works without updating does not mean your website is more stable. In fact, it can cause a lot of security issues and sometimes even stability issues if updates are only done for some plugins or only for the core (while plugins remain outdated).
We provide our clients with auto-updating for all the WordPress installations they host on our server, while users using ELITE hosting package can choose between auto and manual updating we do for them.
We apply the same rule to our server as we update all the software it uses. That way we make sure our clients get the best server stability, compatibility, security and the latest features the software brings.
SSL is short for Secure Sockets Layer and it is a cryptographic protocol. The purpose of it is to protect the privacy of sensitive data (like passwords and credit card numbers) being transferred between server and user’s browser.
We are providing FREE A-rated SSL certificates and their installation for ALL of our hosting package users. Also, the certificates will be auto-renewed each year, free of charge.
Users with STARTER hosting package will also get free A-rated SSL certificate with auto-renewal but will have to pay a fee for the certificate installation.