WordPress is by far the most popular content management system (CMS), used by millions of people around the world. While the platform is well-designed and secure, it is vulnerable to security threats if not properly maintained. We will walk you through the essential steps that we take to ensure that every WordPress site we host or maintain is protected from malicious attacks.
During the initial setup or migration, each website is 'hardened' to make it less susceptible to brute force attacks, malware and hacks. This includes implementing the latest security recommendations and best practices, among them the most important HTTP security headers.
Our server security solution, deployed on all host servers, provides comprehensive protection against malware, brute force attacks and other security threats, recognizing dangerous behaviors and stopping them instantly. We also configure a second WordPress-specific Web Application Firewall on each individual website, which provides a higher level of visibility into WordPress than is possible at the server level.
Finally, the best available Comment and Contact Form spam filtering is used on every website, saving clients precious time and removing irrelevant or malicious content before it can hurt the website's credibility.
The most important of all security measures: servers are updated daily, and WordPress plugins and themes are updated weekly. Security updates that patch vulnerabilities are applied in real time.
Our systems detect and block malicious execution flow at runtime by analyzing the behavior of the code and preventing it from causing harm, either by blocking the entire script execution or only the malicious flow.
Our malware scanner scans file systems and databases. If malware is detected, it is automatically cleaned up. On-demand scanning allows for scanning of any site at any time.
The Web Shield determines the attackers’ real IP addresses, then differentiates those IP addresses from those of legitimate users. It temporarily blocks suspicious IPs then provides splash screens and CAPTCHA challenges that prevent malicious requests.
Our Linux servers are kept secure by automatically patching the kernel, without the need to reboot servers. Checks are made for new patches every four hours and automatically applied to the running server without any performance impact.
Our servers utilize an advanced brute-force protection technique based on a combination of Pluggable Authentication Modules (PAM) authorization, real-time blacklist checks and IP blacklisting.
Everything that happens on the sites we maintain is recorded and stored separately from the site, so that logs cannot be manipulated by a malicious user to cover their tracks. We can search, filter, and manage activity logs and configure alerts for important events.
We implement several HTTP security headers as part of the website setup and migration process, including: HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options and X-XSS-Protection.
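The following script is an added example, not the hosting provider's own tooling: it audits a set of HTTP response headers against the five headers listed above and reports any that are missing or weakly configured. The sample header sets are constructed, and the minimum HSTS lifetime and the accepted values for each header are this example's own assumptions about a sensible baseline; adjust them to your own policy.

```python
"""Audit HTTP response headers for the security headers a hardened WordPress site should send."""
import re
import urllib.request

# Constructed sample: headers as a hardened site might send them (not captured from any real site).
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
}

# Constructed sample: a site that has only partially been hardened.
UNHARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://example.invalid",
    "X-Content-Type-Options": "nosniff",
}

MIN_HSTS_MAX_AGE = 31536000  # assumption: one year, the lifetime required for HSTS preload


def check_hsts(value):
    """HSTS is only useful with a long max-age; a short one is re-negotiated too often."""
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return "max-age directive missing"
    if int(m.group(1)) < MIN_HSTS_MAX_AGE:
        return f"max-age={m.group(1)} is shorter than {MIN_HSTS_MAX_AGE} seconds"
    return None


def check_csp(value):
    """A CSP without default-src leaves every unlisted fetch directive unrestricted."""
    names = {part.strip().split()[0].lower() for part in value.split(";") if part.strip()}
    if "default-src" not in names:
        return "no default-src fallback directive"
    if "'unsafe-eval'" in value:
        return "'unsafe-eval' permits eval() and weakens XSS protection"
    return None


def check_xfo(value):
    """Only DENY and SAMEORIGIN are honoured; ALLOW-FROM is ignored by current browsers."""
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return f"{value!r} is not DENY or SAMEORIGIN (ALLOW-FROM is ignored by current browsers)"
    return None


def check_xcto(value):
    """Browsers match the nosniff token case-insensitively."""
    return None if value.strip().lower() == "nosniff" else f"{value!r} should be nosniff"


def check_xxp(value):
    """Assumed policy value for the legacy XSS filter header, as listed on the page."""
    return None if value.strip().replace(" ", "") == "1;mode=block" else f"{value!r} should be '1; mode=block'"


CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "x-content-type-options": check_xcto,
    "x-xss-protection": check_xxp,
}


def audit(headers):
    """Return a list of (header, problem) tuples; an empty list means all five headers pass."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append((name, "missing"))
            continue
        problem = check(lowered[name])
        if problem:
            findings.append((name, problem))
    return findings


def fetch_headers(url):
    """Fetch a live site's response headers (network access required; not used by the samples)."""
    with urllib.request.urlopen(url) as resp:
        return dict(resp.getheaders())


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED_HEADERS), ("unhardened", UNHARDENED_HEADERS)):
        print(label, audit(hdrs) or "OK")
```

Run it as-is to audit the two constructed samples, or pass the result of `fetch_headers("https://your-site.example")` to `audit()` to check a site you operate. Note that a CSP is only as strong as its directives, so the check here is deliberately a floor (a fallback directive exists and `eval()` is not allowed) rather than a full policy review.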
Every day we analyze the domains of all hosted websites to determine if any are blocked by any blacklists. If they are, we investigate the problem, fix it and have the domain removed from the blacklist.
When users try to log in to their WordPress account with a weak password, they are taken to a special page with an alert message that forces a password reset, to prevent unauthorized account use.
HTTPS connections provide encryption between your website and visitors' browsers, helping to protect data in transit. We secure all websites with Let's Encrypt SSL/TLS certificates, which help to prevent man-in-the-middle attacks.
Our servers feature an excellent Intrusion Prevention System (IPS) that includes a comprehensive collection of "deny" policy rules for blocking attacks, and which is effective against attackers using custom or well-known exploit tools.