From a security perspective, WordPress is great – it handles around 40% of the web sites on the Internet, and it does so securely and efficiently.

Plugins, on the other hand, are a risk.  The use of plugins on WordPress isn’t really optional as plugins are what give WordPress its flexibility and power, but each plugin is produced by a different company (or person for niche plugins), and each one presents an additional risk of compromise.

Plugins must be updated regularly in order for your WordPress site to remain secure.

Automated Updates

Basic, security-only updates

We leverage our server-based firewall software to identify plugins and WordPress installations that have known risks, and those risks are categorized by the CVE ranking system. If a plugin in your site is identified as at-risk, and that risk is above our risk threshold, then we wait a short while after the plugin update is available and then apply it automatically to all affected sites.

Plugin updates present a small risk of breaking things, and waiting a short period before installing an update greatly reduces the risk that your web site’s functionality will be affected, as these updates are automatic and unmonitored.

All WordPress web sites we host are protected at this basic level at a minimum.

Personalized updates for Elite Packages

If you purchase our Elite Package, you are added to the same management system that we use for Concierge clients on our parent hosting company. This means we will test updates on other sites before updating your site, and a human is involved in the update process to ensure updates of all your plugins are managed in a timely manner, and your site is tested after the plugin updates to ensure everything is running as expected.

How about Backups?

We’ve been providing hosting since the last century, and over that period we’ve hosted using a variety of control panels: H-Sphere, cPanel, DirectAdmin, Virtualmin, and a few others that didn’t meet our needs after testing.

We migrated our clients to Enhance after 11 months of testing, to a large degree because it is exceptional at handling backups (and migrations, but that’s in another article.)

All web sites we host are backed up twice daily to our internal infrastructure, and those backups are replicated to other backup devices as well.  We have never lost web site data in our more than 20 years of hosting web sites, but that’s no guarantee about the future.

Elite Packages

In addition to the automated backups provided by our hosting software, Elite packages include a backup plugin that we install and manage that creates an additional encrypted off-site backup to a cloud storage provider daily.  Should all of our infrastructure be compromised, this encrypted off-site backup will still exist and allow you to recover your WordPress web site quickly.

Additionally, we will help you configure our backup plugin to back up your data to the cloud provider of your choice, including OneDrive or Google Drive. That way, should something inconceivable happen to us, you will still maintain a recent copy of all your data that is backed up automatically with no actions required by you.

Recommendations

We do everything we can to protect your data, but at the end of the day it’s your data, and you are ultimately responsible for maintaining your data.  There are multiple high-quality backup plugins you can install – many of them free for smaller and simpler sites – and we encourage you to install one.  Then, set an alarm every week/month on your phone as appropriate, and when that alarm goes off log in and download a copy of your web site.

Firewall and Security

I’m going to be vague here, as one should always be when discussing defensive security measures, but we have a thorough firewall configuration that is designed to protect our customers.

Features include (but are not limited to):

  • Regular malware scanning.  Files are checked against known threats, and AI is used to detect unknown threats.  Threats are cleaned automatically.
  • WordPress Scanning.  Every version of WordPress is a compilation of nearly 2,000 files, and these files should remain unmodified until the next upgrade.  Our software checks the “fingerprint” of each file against the source, recognizes when even a single character has been changed, and restores the original automatically.
  • Content checks.  If your website has been compromised and malicious links or redirects have been inserted, these will be detected and may be cleaned automatically depending on the issue.  If manual intervention is required to clean a web site, this is included in our Elite package.
  • Real-time Protection: PHP files are monitored closely for behavior.  ModSecurity is enabled on all web servers to track incoming connections, and malicious connections (even those that are exploiting bugs in plugins that haven’t been corrected by the developer) are blocked.  IP addresses known to be hostile are blocked.  Real-time intrusion detection and protection is enabled.
  • Protection against denial-of-service attacks, bot attacks, and brute-force attacks, including automatic CAPTCHA deployment where abuse is suspected.
  • Suspicious process and rootkit monitoring.
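
The fingerprint check in the WordPress Scanning item can be sketched as follows. This is an added example, not the scanning software described on this page; the SHA-256 hash, the local pristine copy used as "the source", and the file names are assumptions made for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

def fingerprint(path):
    """SHA-256 of a file's bytes; any single-character change alters it."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(root):
    """Map relative path -> fingerprint for every file in a pristine copy."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_and_restore(site, pristine, manifest, skip=("wp-content/",)):
    """Restore modified or missing core files; report (never delete) unexpected ones."""
    report = {"modified": [], "missing": [], "unexpected": []}
    for rel, expected in manifest.items():
        target = site / rel
        if not target.is_file():
            report["missing"].append(rel)
        elif fingerprint(target) != expected:
            report["modified"].append(rel)
        else:
            continue  # fingerprint matches, nothing to do
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes((pristine / rel).read_bytes())
    for p in sorted(site.rglob("*")):
        rel = p.relative_to(site).as_posix()
        # Paths under `skip` (themes, plugins, uploads) are site content, not core.
        if p.is_file() and rel not in manifest and not rel.startswith(skip):
            report["unexpected"].append(rel)
    return report

def demo():
    core = {"index.php": b"<?php // front controller\n",  # constructed sample tree
            "wp-admin/admin.php": b"<?php // admin bootstrap\n",
            "wp-includes/load.php": b"<?php // loader\n"}
    with tempfile.TemporaryDirectory() as tmp:
        pristine, site = Path(tmp, "pristine"), Path(tmp, "site")
        for root in (pristine, site):
            for rel, body in core.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        (site / "index.php").write_bytes(b"<?php // front controlleR\n")  # one char changed
        (site / "wp-admin/admin.php").unlink()                            # core file deleted
        (site / "wp-includes/extra.php").write_bytes(b"<?php\n")          # not in manifest
        manifest = build_manifest(pristine)
        return [verify_and_restore(site, pristine, manifest) for _ in range(2)]

if __name__ == "__main__":
    print(demo())
```

The second pass in `demo()` comes back clean for modified and missing files, while the file that is not in the manifest is still reported, since deciding what to do with it needs review rather than automatic restoration.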

This is more of a feature of our hosting panel and not directly related to security, but Enhance protects against many threats other shared hosting solutions are subject to. For instance, a threat on most shared hosting platforms is that when a neighboring site gets compromised, the hacker can work to spread the compromise to other web sites hosted on the same machine. On our platform, every web site is running in its own container – if your neighbor is compromised they may consume resources that make your site slow, but they are unable to spread to infect your web site.