Complete WordPress Security

WordPress is by far the most popular content management system (CMS), used by millions of people around the world. While the platform is well-designed and secure, it is vulnerable to security threats if not properly maintained. We will walk you through the essential steps that we take to ensure that every WordPress site we host or maintain is protected from malicious attacks.

During the initial setup or migration, each website is 'hardened' to make it less susceptible to brute force attacks, malware and hacks. This includes applying the latest security recommendations and best practices, among them the most important security headers:

  • Content Security Policy (CSP): This header tells the browser what sources of content are allowed to be loaded on the page. This can help prevent cross-site scripting (XSS) attacks, which are one of the most common types of web attacks.
  • HTTP Strict Transport Security (HSTS): This header tells the browser to always load the website over HTTPS, even if the user types in the URL without the "https://" prefix. This can help prevent man-in-the-middle attacks, which can be used to steal user credentials or inject malicious code into the website.
  • X-Frame-Options: This header tells the browser whether or not the page can be embedded in a frame. This can help prevent clickjacking attacks, which are used to trick users into clicking on malicious links.
  • X-XSS-Protection: This header tells the browser to enable its built-in XSS filter and block the attacks it detects.

Our server security solution, deployed on all host servers, provides comprehensive protection against malware, brute force attacks and other security threats, recognizing dangerous behaviors and stopping them instantly. We also configure a second WordPress-specific Web Application Firewall on each individual website, which provides a higher level of visibility into WordPress than is possible at the server level. 

Finally, the best available Comment and Contact Form spam filtering is used on every website, saving clients precious time and removing irrelevant or malicious content before it can hurt the website's credibility.

Multi-Layered Protection

Software Updates and Patching

The most important of all security measures: servers are updated daily, and WordPress plugins and themes are updated weekly. Security updates that patch vulnerabilities are applied in real time.

Malware Detection and Blocking

Our systems detect and block malicious execution flows at runtime by analyzing the behavior of the code and preventing it from causing harm, either by blocking the entire script execution or only the malicious flow.

File System Scanning

Our malware scanner scans file systems and databases. If malware is detected, it is automatically cleaned up. On-demand scanning allows for scanning of any site at any time.

Web Shield

The Web Shield determines attackers' real IP addresses and differentiates them from those of legitimate users. It temporarily blocks suspicious IPs, then serves splash screens and CAPTCHA challenges that stop malicious requests.

Linux kernel patching

Our Linux servers are kept secure by automatically patching the kernel, without the need to reboot servers. Checks are made for new patches every four hours and automatically applied to the running server without any performance impact.

Brute force and denial of service attack prevention

Our servers utilize an advanced brute-force protection technique based on a combination of Pluggable Authentication Modules (PAM) authorization, real-time blacklist checks and IP blacklisting.

Monitoring and Alerts

Everything that happens on the sites we maintain is recorded and stored separately from the site, so that logs cannot be manipulated by a malicious user to cover their tracks. We can search, filter, and manage activity logs and configure alerts for important events.

HTTP Security Headers

We implement several HTTP Security Headers as part of the website setup and migration process, including: HTTP Strict Transport Security (HSTS), Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options and X-XSS-Protection.
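To make the header list above (and in the hardening section earlier on this page) concrete, here is an added example, not the provider's own tooling, that audits a response's security headers and flags missing or weak values; the sample headers are constructed, the 180-day HSTS threshold is an assumed policy choice, and the note on X-XSS-Protection reflects that current browsers treat CSP as the primary XSS control.

```python
"""Added example, not the provider's own tooling: audit a response's security
headers for the five headers this page lists and flag weak or missing values."""

# Constructed sample: what a partly hardened WordPress site might return.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

HSTS_MIN_AGE = 15552000  # 180 days; an assumed policy floor for this example


def parse_directives(value: str) -> dict:
    """Split 'name=val; name2' style header values into a lowercase-keyed dict."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out


def audit_headers(headers: dict) -> list:
    """Return findings; an empty list means all five headers look sane."""
    h = {k.lower(): v for k, v in headers.items()}  # names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: browsers will still accept plain HTTP")
    else:
        d = parse_directives(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < HSTS_MIN_AGE:
            findings.append(f"HSTS max-age={max_age} is short; use >= {HSTS_MIN_AGE}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits inline/eval scripts, which undermines its XSS defense")
    # Clickjacking: either X-Frame-Options or the CSP frame-ancestors directive suffices.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("No framing restriction (X-Frame-Options or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if "x-xss-protection" not in h:
        findings.append("X-XSS-Protection missing (legacy header; CSP is the primary control)")
    return findings
```

Feed it the headers from a real response (for example `dict(requests.head(url).headers)`) to check a site after hardening; the sample above yields four findings.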

Reputation Management & Blacklist Removal

Every day we analyze the domains of all hosted websites to determine if any are blocked by any blacklists. If they are, we investigate the problem, fix it and have the domain removed from the blacklist.

WordPress Account Compromise Prevention

When users try to log into their WordPress account with a weak password, they are taken to a special page with an alert message that forces a password reset, preventing unauthorized account use.

HTTPS Everywhere

HTTPS connections provide encryption between your website and visitors’ browsers, helping to protect data transmission. We secure all websites with Let's Encrypt SSL/TLS certificates, which helps to prevent man-in-the-middle attacks.

Intrusion Prevention System (IPS)

Our servers feature an excellent Intrusion Prevention System (IPS) that includes a comprehensive collection of "deny" policy rules that block attacks, and that are effective against attackers using custom or well-known exploit tools.

Frequently Asked Questions

While it is possible for our clients to perform updates themselves at any time, we assume full responsibility for updating WordPress Core, Themes and Plugins. To achieve this we connect to all sites remotely, which allows us to quickly review available updates, read change logs and install updates on one, some or all websites. After updates, sites are either checked manually or automatically for issues, depending on what is running on the site. Over the years we've learnt (the hard way) which themes/plugins and combinations thereof are likely to cause issues and how to overcome them. Most importantly, if there is a problem, we are able to quickly roll back to a previous version of the theme or plugin.

We are actively involved in how users and roles are managed on every site and emphasize to our clients the importance of not carelessly creating Administrator users. It is one of the most important aspects of our business, and we monitor everything Administrators do on the sites on behalf of our clients, particularly as it relates to creating other Administrators. While users who do not need Administrator access are not given that role, it is still important to provide users with full access to do what they need to do, without compromising security and data privacy. To achieve this, our clients take advantage of the precise control over user capabilities and roles provided by the User Role Editor Pro plugin, one of the many best-in-class premium agency licenses we maintain and make available to clients for use on hosted websites.

We use Logtivity, a unified platform for monitoring activity on WordPress sites. The plugin records all user activity and saves it to logs that can be viewed and searched in the WordPress admin area. We receive alerts for important events, such as when a user is created, an error occurs or a plugin or theme is updated. Logs can be exported to CSV files, allowing us to generate useful charts and track even the biggest WordPress sites with millions of log entries.
Peace of Mind is a Click Away

Concerned about website security, or have a site already infected with malware? Just get in touch and we'll get right back to you with a quote or to schedule a call to discuss.

Get in Touch