Secure WordPress Hosting: 7 Things Your Hosting Provider Must Do

Secure WordPress Hosting: 7 Things Your Hosting Provider Must Do


shared hosting security

Your WordPress site’s performance and security is dependent on good hosting. How can you tell if your hosting provider is providing a rock-solid foundation for your site? The Wordfence Live team is going to go over 7 things every hosting provider must do to ensure your site is as safe as possible. Site security requires more than just a solid password. To keep your site safe, you need to take a multi-faceted, layered approach to keep attackers at bay. Let’s see how your hosting provider measures up!

We’re going to be looking at all aspects of secure WordPress hosting, live on October 27 at noon eastern, 9 am pacific.

#wordpress #wordfence #wordpresshosting

Some people are looking for cheap web hosting, and other people are looking for the best web hosting. But what about the most secure web hosting? WordPress security plugins are a great way to ensure that your site stays safe from malicious actors and hackers looking to take over your site. Wordfence security plugin is the number one choice of most WordPress users who are concerned with site security.

———————————————————
Have you tried Wordfence Central? Manage all of your site’s security in one easy-to-use interface.

Now, with Wordfence Central Teams! You can use Wordfence Central with your Premium AND Wordfence free sites, all for free.

———————————————————
Check out Fast or Slow, the only free website speed profiler that tests your site from 18 locations worldwide.

———————————————————
Sign up for the Wordfence WordPress Security mailing list. Be the first to know when there is a vulnerability in a plugin or theme you might be using.

———————————————————
The Wordfence Learning Center has all you need to brush up on WordPress security and more:

———————————————————
Wordfence is the most popular choice of WordPress professionals for WordPress security. We have a number of security tutorials on our YouTube channel, including Wordfence tutorials. Wordfence security plugin is the number one choice in WordPress security plugins.
———————————————————

10 thoughts on “Secure WordPress Hosting: 7 Things Your Hosting Provider Must Do

  1. DDoS means Distributed Denial of Service. Why would an attacker do this? They may want to deflect attention away from their real target. They then use this distraction as an opportunity to create secondary attacks on other areas of your server network.

  2. @49:50 it's worth remembering that iptables (legacy)/nftables are not firewalls in that they don't scan for threats. They're packet filters – a set of rules for what happens to incoming/outgoing/passing network traffic based on conditions (like: if it's coming from a specific IP, block it). Think of them like a tool to specify what sort of traffic you expect, and then cutting out everything you don't expect. They do not monitor for threats, and don't come pre-configured for even rudimentary-level protection – it's entirely up to the user/administrator to set up sane rules.

    Also, iptables/nftables do not inspect packet contents – they work on packet routing information (from/to addresses, sequence numbers, counters), but not on the data that's actually being sent. A "proper" firewall will perform packet payload inspection as well, in order to detect possible threats (like malicious executable code) which it should have signatures for (much like an anti-virus). I'm not saying "don't use them" – in fact, having sensible rules set up will prevent a very good number of attacks from even reaching possibly vulnerable spots in your network – but don't treat them as be-all-end-all security. Any traffic that passes iptables/nftables will still reach its destination – regardless of the payload being a harmless HTTP request, or a maliciously-crafted wp-login.php attack.

    With the increase in encryption all over the place, it's becoming increasingly difficult – even outright impossible – to have third-party payload inspection happen without introducing security vulnerabilities (like stripping end-to-end encryption) — so the responsibility of filtering out malicious activity is shifting from network gateways to specific endpoints themselves. This is where Wordfence really does a great job, and is located exactly where it needs to be (especially if you set up the always-prepend directive for it).

  3. As far as FTPS vs SFTP… Due to various constraints, SSH is definitely slower by default than FTPS (I've seen some as slow as 2 MiB/s sustained; this is due to OS configuration), so that's something to consider if you're going to be moving a lot of data on the regular and have a fast connection. FTPS uses TLS, which is also employed for HTTPS – so it should be plenty secure (I'm aware FTPS used to use SSL, but I'm not aware how to check for this situation; modern clients should, anyway). If you want to be sure, always set your client to "Require explicit FTP over TLS" (or "Require explicit encryption" etc.) when setting a new connection up — this should make it abort if encryption is not available.

  4. Heh… Could you guys maybe reach out to companies like Ubisoft, Rockstar, Microsoft, Apple… Some of them probably fixed their password policies, but in an age where everyone's and their aunt's (and the aunt's dog's) website allows you to set a ridiculously complex passwords like name-number-object-smell-todays-weather, some really big names in the industry still enforce stuff like "8-16 characters, letters and numbers only"… And this sort of thing is all around. For example, did you know that some LTE devices will truncate the passwords you set to 16 characters? As in, you can input however many you want – the device will accept it, and your password manager will happily remember it for you – but the device will only store the first 16, so good luck logging in if you don't know this… The way we treat passwords and password-based auth… is horrible.

  5. Hosting multiple sites in the same control panel doesn't inherent the same risk if all sites are jailed which essentially makes everything operating in them, including PHP itself (if set up correctly), run with permissions for just that one site. The only exception would be someone running a subdirectory installation, but a hosting provider should warn about this behavior.

Leave a Reply

Your email address will not be published. Required fields are marked *