WordPress Security on Server Layer
Do you know what will happen once the traffic gets passed to the server?
On the server, things get a lot more complicated. That complexity is one of the reasons why we have “Managed Hosting” services in the first place.
Most people just want to put their stuff on a server so it is online. Nothing else.
Servers are just computers, and computers are a combination of hardware and software. Both of which need maintenance, configuration, and monitoring. Just to save everyone from pain, let’s not talk about hardware.
What to focus on at the server?
First of all, you would need to know what your server is made of.
Exactly like on a WordPress site, it’s just as important to keep the server operating system and every installed program up to date and correctly configured.
The latter is very important! Luckily, this is what you pay for when you’re using a managed hosting service.
If you’re self-hosting, then make sure you know the system well. Keep an eye on the software releases and look out for security updates.
If you’re not entirely sure what runs on the server, start with an inventory from the package manager and look into security solutions that do SCA (Software Composition Analysis) to flag installed components with known vulnerabilities.
If you’re not interested in being a part-time sysadmin, don’t self-host.
Server configuration and isolation
The most important thing you would want to make sure of is that the filesystem, database and entire server environment are properly configured, and that the sites on the server are isolated from each other.
Back in the day, it was common that cheap shared hosting providers had security incidents where hackers were able to move from one customer website to another, because they were not properly isolated or “caged”.
I’ve personally seen cases where the same server is also used for email, so the hackers could not only access website files, logs and database contents, but also read all of the emails being sent in and out.
This has luckily changed, and hosts do much better now… but users don’t change that easily.
People want to save money, so they go for the cheapest host, purchase a single server, and then add a large number of sites into different folders.
As soon as one of the sites gets hacked, all of them go with it. We see that all the time.
If that happens, you’re in for a treat! You can’t clean up the sites one by one, because they are all infecting each other.
You would need to make every site publicly inaccessible until all of them are cleaned up. If you don’t, you’ll be stuck in an infinite loop of reinfections.
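What per-site isolation looks like in practice, as an added example that is not part of the original post: every site gets its own Unix user and its own PHP-FPM pool, the web server reads the files only through membership in the site’s group, and a small audit flags anything a neighbouring site’s user could still read, write or traverse. The paths under /srv/sites, the socket location, the pool settings and the site name “example” are assumptions chosen for the example, not a hosting standard.

```shell
#!/bin/sh
# Added example (not code from the original post): one Unix user and one
# PHP-FPM pool per site, plus a permission audit. Paths and pool options are
# illustrative assumptions, not a hosting-provider standard.
set -eu

# Print a php-fpm pool for SITE. PHP runs as the site's own user, so a hacked
# plugin on site A runs as user "a" and cannot open site B's wp-config.php.
# open_basedir and a private tmp dir keep the interpreter inside the site tree.
php_fpm_pool_conf() {
  site=$1
  cat <<EOF
[$site]
user = $site
group = $site
listen = /run/php-fpm/$site.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 10
php_admin_value[open_basedir] = /srv/sites/$site/public:/srv/sites/$site/tmp
php_admin_value[upload_tmp_dir] = /srv/sites/$site/tmp
php_admin_value[session.save_path] = /srv/sites/$site/tmp
; Breaks plugins that shell out; relax per site only when one really needs it.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
EOF
}

# Lay out / re-lock the tree the pool above expects. Directories 750, files
# 640, owned by the site user. The web server (www-data) is added to the site
# group once, so it can read files while other sites' users get nothing.
# chown only runs when the site user actually exists on this box.
lock_site_tree() {
  site=$1; root=$2   # root is normally /srv/sites/$site
  mkdir -p "$root/public" "$root/tmp"
  if id "$site" >/dev/null 2>&1; then
    chown -R "$site:$site" "$root"
    # usermod -aG "$site" www-data   # once per site, as root
  fi
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
}

# List everything under ROOT that "other" can read, write or traverse, i.e.
# anything a neighbouring site's PHP user could touch. Empty output = clean.
audit_other_perms() {
  find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Demo on a constructed tree in a temp dir (no real site is touched): a
# wp-config.php left world-writable, the classic "I made it work" mistake.
demo=$(mktemp -d)
mkdir -p "$demo/public/wp-content/uploads"
printf '<?php // constructed sample\n' > "$demo/public/wp-config.php"
chmod 666 "$demo/public/wp-config.php"
echo "before:"; audit_other_perms "$demo"
lock_site_tree example "$demo"
echo "after:";  audit_other_perms "$demo"   # prints nothing once locked
php_fpm_pool_conf example | head -4
rm -rf "$demo"
```

Run the audit from cron against every site root; a single line of output is worth an alert, because it usually means a plugin or a human “fixed” a permission problem with chmod 777.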
Malware scanning
Once a hack goes through and your site gets infected, it’s important to know where to look. Whatever you use for malware scanning should not rely on anything that is already compromised.
Never just rely on WordPress malware scanning plugins.
While they are great tools that you can just quickly install to scan for potentially malicious code, they are also the first target of malware itself.
Again, just last week, we saw malware being spread that first turns off both WordFence and Sucuri and then moves on.
Relying on plugin-based malware scanners can provide a false sense of security (which makes the incident even worse). It is also a very inefficient way of scanning files and databases, so it slows down your website and hinders performance.
If you’re choosing a hosting provider, ask them if they do regular malware scanning.
Today, most of the hosting companies do, some better than others. Just ask how fast you’ll be notified and if they provide a report.
If you’re self-hosting, then first look into some of the open source malware scanners such as ClamAV and Maldet.
Additionally, set up integrity scanning for WordPress core files; it’s a very effective way to detect malware, and you can do it with WP-CLI (wp core verify-checksums compares every core file against the checksums published by WordPress.org).
If you’re stuck with a host that is not helpful, and don’t have full control over your server, then reach out to companies who provide malware scanning and incident response services.
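What server-side integrity scanning can look like, as an added example that is not the post’s own code: the official WP-CLI checksum commands where WP-CLI is installed, a sha256 baseline of your own for everything WP-CLI cannot vouch for (wp-config.php, themes, mu-plugins), and a few tripwires for the usual drop-ins. The manifest location, the excluded directories, the day window and the obfuscation patterns are assumptions for this example; treat tripwire hits as leads for a real scanner such as ClamAV or Maldet, not as a verdict.

```shell
#!/bin/sh
# Added example (not code from the original post): server-side integrity and
# tripwire scan of a WordPress docroot. Manifest location, exclusions and the
# heuristic patterns are assumptions chosen for this example.
set -eu

# Official checksums, if WP-CLI is installed. The reference hashes come from
# api.wordpress.org, so a modified core or plugin file cannot vouch for itself.
# Add --allow-root if you really run this as root.
wp_verify() {   # DOCROOT
  rc=0
  if command -v wp >/dev/null 2>&1; then
    wp core verify-checksums --path="$1" || rc=1
    wp plugin verify-checksums --all --path="$1" || rc=1
  else
    echo "wp-cli not installed; skipping official checksum verification" >&2
  fi
  return $rc
}

# Your own baseline for everything wp-cli cannot vouch for. Uploads and cache
# churn constantly and are excluded; they get the tripwire scan below instead.
# Keep MANIFEST off the web server (e.g. on the backup host) so an attacker
# cannot simply re-baseline after planting files.
manifest_create() {   # DOCROOT MANIFEST
  ( cd "$1" && find . -type f \
      ! -path './wp-content/uploads/*' ! -path './wp-content/cache/*' \
      -exec sha256sum {} + | sort -k 2 ) > "$2"
}

# Report drift against the baseline: "<" lines carry the recorded hash of a
# file that changed or vanished, ">" lines the current hash of a changed or
# newly added file. Empty output = no drift.
manifest_verify() {   # DOCROOT MANIFEST
  current=$(mktemp)
  manifest_create "$1" "$current"
  diff "$2" "$current" | grep '^[<>]' || true
  rm -f "$current"
}

# Tripwires: PHP inside uploads (never legitimate), PHP modified in the last
# DAYS days, and the classic eval-of-decoder idiom used by obfuscated drop-ins.
scan_tripwires() {   # DOCROOT [DAYS]
  days=${2:-1}
  find "$1/wp-content/uploads" -type f -name '*.php*' -print 2>/dev/null \
    | sed 's/^/uploads-php: /'
  find "$1" -type f -name '*.php' -mtime "-$days" -print \
    | sed 's/^/recent: /'
  find "$1" -type f -name '*.php' -exec grep -lE \
    'eval[[:space:]]*\((base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(' {} + \
    | sed 's/^/obfuscated: /'
}

# Demo on a constructed docroot in a temp dir: baseline it, then simulate a
# tampered core file and a PHP drop-in under uploads, then look again.
demo=$(mktemp -d); site=$demo/public; manifest=$demo/baseline.sha256
mkdir -p "$site/wp-includes" "$site/wp-content/uploads/2024/05"
printf '<?php // constructed stand-in for a core file\n' > "$site/wp-includes/load.php"
manifest_create "$site" "$manifest"
printf '<?php echo 1; // appended by "someone"\n' >> "$site/wp-includes/load.php"
printf '<?php eval(base64_decode($_POST["c"])); // constructed webshell idiom\n' \
  > "$site/wp-content/uploads/2024/05/image.php"
wp_verify "$site" || echo "official checksums: FAILED"
echo "drift:";     manifest_verify "$site" "$manifest"
echo "tripwires:"; scan_tripwires "$site"
rm -rf "$demo"
```

Note what each layer catches in the demo: the appended line in wp-includes shows up only in the manifest drift (and in wp core verify-checksums on a real install), while the drop-in under uploads is invisible to the manifest by design and is caught only by the tripwires. That is why you want both, and why neither may live inside the docroot.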
One popular provider is: https://wewatchyourwebsite.com/
Backups
The best-case scenario is that your site never gets compromised.
The second-best case scenario is that:
a) Malware gets immediately detected;
b) You can just restore a clean backup.
However, for this to happen, you’ll need backups taken at regular intervals and retained for a longer period of time.
If the malware is not detected immediately, the backups taken in the meantime contain the malware as well. So, bonus points to hosts that separately scan backups for malware.
As you’d expect, and just like malware scanning, backups must not depend on the (possibly compromised) site to run.
Try to avoid backup plugins and go for a hosting provider that does the backups on the server side.
Conclusion
If you’re just hosting a few sites and are not into becoming a sysadmin, choosing a great managed hosting company is incredibly important.
When you do that, put an emphasis on “managed” and ask what is really getting managed. Unfortunately, “Managed WordPress Hosting” is a buzzword, so it’s often also used just for marketing purposes.
A well-configured server that is tailored to your application (WordPress) makes a big difference.
Regular server-side malware scanning and reliable backups are a must-have. Before you go with a host, make sure they offer both.
Resources:
- Example of malware used in mass-attacks turning off WordFence and Sucuri: https://gist.github.com/lynt-smitka/1eef476aed934fd3bc0be0813ea82f39
- WordPress core integrity scanning with WP CLI: https://developer.wordpress.org/cli/commands/core/verify-checksums/